Pop Ups And Brdr



#1 theoasis

Posted 19 November 2007 - 12:22 PM

Trying to remove pop-ups that happen every few minutes and a brdr "end now" pop-up on shutdown.

Symptoms:
When shutting down or restarting, I get a brdr "end now" window.
Pop-ups look like they are from Think Adz.
Spybot discovered and cleaned Rabio.SearchEnhancer, ZenoSearch, Virtumonde, Virtumonde.generic.


Tools used:
Using Trend Micro CSM antivirus protection (log below)
HijackThis in and out of Safe Mode (log below)
Ran ATF Cleaner - did a "select all" and clean
Ran Ad-Aware - did not document what it found and cleaned
Ran HouseCall - did not discover anything
Another user installed Norton and did a scan (I know, I know... don't run 2 AV programs... I am removing it): did not discover anything
Ran SmitFraudFix in Safe Mode, search and clean (log below)
Ran Spybot in Safe Mode (see above for what it found)



Logs: (NOTE: I replaced our domain name with mydomain.com)
HijackThis - Safe Mode

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:13:09 AM, on 11/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Safe mode

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\SYSTEM32\WISPTIS.EXE
D:\WINDOWS\System32\tabbtnu.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\ctfmon.exe
C:\HJT\abc1.bat

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {2C80EAD3-74CD-4700-83A4-AA878CD1C03C} - D:\WINDOWS\system32\awturqp.dll
O2 - BHO: {43bb3aae-3891-7c58-f5f4-114a1894ab34} - {43ba4981-a411-4f5f-85c7-1983eaa3bb34} - D:\WINDOWS\system32\vjqapsrm.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - D:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - D:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {834532E4-AA5E-494A-9D2F-E9014D02A937} - D:\WINDOWS\system32\pmkhg.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: CmjBrowserHelperObject Object - {AC41D38F-B56D-40AD-94E0-B493D130C959} - D:\Program Files\Mindjet\MindManager 6\Mm6InternetExplorer.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - D:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [EZEJMNAP] D:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [IBMTBCTL] "C:\Program Files\ThinkPad\Tablet Shortcut\IBMTBCTL.EXE" /r
O4 - HKLM\..\Run: [TSMResident] "C:\Program Files\ThinkPad\Tablet Shortcut\TSMRESIDENT.EXE" /r
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "D:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [SoundMAXPnP] D:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] D:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [MMReminderService] D:\Program Files\Mindjet\MindManager 6\MMReminderService.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 D:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 D:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [TPHOTKEY] D:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [eFax 4.3] "D:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [TabletTip] "D:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume
O4 - HKLM\..\Run: [TabletWizard] D:\WINDOWS\help\SplshWrp.exe
O4 - HKLM\..\Run: [TVT Scheduler Proxy] D:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] D:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NSWosCheck] "D:\Program Files\Norton SystemWorks Premier\osCheck.exe"
O4 - HKLM\..\Run: [osCheck] "D:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [5e71617d] rundll32.exe "D:\WINDOWS\system32\nskaxhwe.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RoboForm] "D:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Global Startup: eFax 4.3.lnk = D:\Program Files\eFax Messenger 4.3\J2GTray.exe
O4 - Global Startup: Mobile User VPN.lnk = D:\Program Files\WatchGuard\Mobile User VPN\SafeCfg.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Send to Mindjet MindManager - {531B9DC0-D8EE-4c76-A6EE-6C1E50569655} - D:\Program Files\Mindjet\MindManager 6\Mm6InternetExplorer.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - D:\Program Files\Norton SystemWorks Premier\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - D:\Program Files\Norton SystemWorks Premier\Norton Cleanup\WCQuick.lnk
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - http://gandalf:8059/officescan/console/Cli...ll/WinNTChk.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - http://gandalf:8059/officescan/console/Cli...stall/setup.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - http://gandalf:8059/officescan/console/Cli.../RemoveCtrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1179813697312
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1179874996655
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - http://javadl-esd.sun.com/update/1.4.2/jin...indows-i586.cab
O16 - DPF: {8BBDC81D-81B3-49EE-87E8-47B7A707FAE8} (GoToMeeting/GoToWebinar Web Starter) - https://www.gotomeeting.com/default/applets/g2mdlax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_a...asyInstallX.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mydomain.com
O17 - HKLM\Software\..\Telephony: DomainName = mydomain.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{EA44D14B-31BE-48F2-9AC3-FDF4B692234E}: NameServer = 192.168.129.246,192.168.129.235
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mydomain.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = mydomain.com
O20 - AppInit_DLLs: d:\windows\system32\ldcore.dll
O20 - Winlogon Notify: awturqp - D:\WINDOWS\SYSTEM32\awturqp.dll
O23 - Service: Atheros Configuration Service (acs) - Atheros - D:\WINDOWS\system32\acs.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASR Service (ASRSVC) - Lenovo Group Limited - C:\Program Files\ThinkPad\Tablet Shortcut\ASR\ASRSVC.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - D:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - D:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - D:\Program Files\WatchGuard\Mobile User VPN\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IREIKE) - SafeNet - D:\Program Files\WatchGuard\Mobile User VPN\IreIKE.exe
O23 - Service: LiveUpdate - Symantec Corporation - D:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - D:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - D:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - D:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - D:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: System Update (SUService) - Lenovo Group Limited - D:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: Symantec Core LC - Unknown owner - D:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: TABLET Service (TabletSVC) - Lenovo Group Limited - C:\Program Files\ThinkPad\Tablet Shortcut\TSMService.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - D:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - D:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - D:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

--
End of file - 13087 bytes


HijackThis - Normal Mode
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:16:39 AM, on 11/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\ibmpmsvc.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\WatchGuard\Mobile User VPN\IreIKE.exe
D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\acs.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ThinkPad\Tablet Shortcut\ASR\ASRSVC.exe
D:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
D:\Program Files\WatchGuard\Mobile User VPN\IPSecMon.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
D:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
D:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
D:\WINDOWS\SYSTEM32\WISPTIS.EXE
D:\Program Files\Lenovo\System Update\SUService.exe
D:\WINDOWS\System32\tabbtnu.exe
D:\WINDOWS\Explorer.EXE
C:\Program Files\ThinkPad\Tablet Shortcut\TSMService.exe
D:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
D:\WINDOWS\System32\TPHDEXLG.exe
D:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
D:\WINDOWS\system32\tp4serv.exe
D:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
D:\WINDOWS\system32\rundll32.exe
D:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
D:\WINDOWS\system32\TpShocks.exe
C:\Program Files\ThinkPad\Tablet Shortcut\TSMRESIDENT.EXE
D:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
D:\Program Files\Analog Devices\Core\smax4pnp.exe
D:\Program Files\Mindjet\MindManager 6\MMReminderService.exe
D:\WINDOWS\system32\rundll32.exe
D:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
D:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
D:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
D:\WINDOWS\system32\userinit.exe
D:\Program Files\Lenovo\Zoom\TpScrex.exe
D:\WINDOWS\system32\mshta.exe
D:\WINDOWS\TEMP\XJ1AB5.EXE
D:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
D:\WINDOWS\system32\igfxtray.exe
D:\WINDOWS\system32\hkcmd.exe
D:\WINDOWS\system32\igfxpers.exe
D:\WINDOWS\system32\igfxsrvc.exe
D:\Program Files\Trend Micro\Client Server Security Agent\TSC.EXE
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
D:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\WatchGuard\Mobile User VPN\SafeCfg.exe
D:\Program Files\Trend Micro\Client Server Security Agent\pccntupd.exe
C:\HJT\abc1.bat
D:\Program Files\iPod\bin\iPodService.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/hlidOffice...=EC010227221033
O2 - BHO: (no name) - {2C80EAD3-74CD-4700-83A4-AA878CD1C03C} - D:\WINDOWS\system32\awturqp.dll
O2 - BHO: {43bb3aae-3891-7c58-f5f4-114a1894ab34} - {43ba4981-a411-4f5f-85c7-1983eaa3bb34} - D:\WINDOWS\system32\vjqapsrm.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - D:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - D:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: CmjBrowserHelperObject Object - {AC41D38F-B56D-40AD-94E0-B493D130C959} - D:\Program Files\Mindjet\MindManager 6\Mm6InternetExplorer.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {C7F8502F-F537-4917-A03A-7C49CE95A530} - D:\WINDOWS\system32\pmkhg.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - D:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [EZEJMNAP] D:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [IBMTBCTL] "C:\Program Files\ThinkPad\Tablet Shortcut\IBMTBCTL.EXE" /r
O4 - HKLM\..\Run: [TSMResident] "C:\Program Files\ThinkPad\Tablet Shortcut\TSMRESIDENT.EXE" /r
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "D:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [SoundMAXPnP] D:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] D:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [MMReminderService] D:\Program Files\Mindjet\MindManager 6\MMReminderService.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 D:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 D:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [TPHOTKEY] D:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [eFax 4.3] "D:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [TabletTip] "D:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume
O4 - HKLM\..\Run: [TabletWizard] D:\WINDOWS\help\SplshWrp.exe
O4 - HKLM\..\Run: [TVT Scheduler Proxy] D:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] D:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NSWosCheck] "D:\Program Files\Norton SystemWorks Premier\osCheck.exe"
O4 - HKLM\..\Run: [osCheck] "D:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [5e71617d] rundll32.exe "D:\WINDOWS\system32\nskaxhwe.dll",b
O4 - HKCU\..\Run: [RoboForm] "D:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Global Startup: eFax 4.3.lnk = D:\Program Files\eFax Messenger 4.3\J2GTray.exe
O4 - Global Startup: Mobile User VPN.lnk = D:\Program Files\WatchGuard\Mobile User VPN\SafeCfg.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Send to Mindjet MindManager - {531B9DC0-D8EE-4c76-A6EE-6C1E50569655} - D:\Program Files\Mindjet\MindManager 6\Mm6InternetExplorer.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - D:\Program Files\Norton SystemWorks Premier\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - D:\Program Files\Norton SystemWorks Premier\Norton Cleanup\WCQuick.lnk
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - http://gandalf:8059/officescan/console/Cli...ll/WinNTChk.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - http://gandalf:8059/officescan/console/Cli...stall/setup.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - http://gandalf:8059/officescan/console/Cli.../RemoveCtrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1179813697312
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1179874996655
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - http://javadl-esd.sun.com/update/1.4.2/jin...indows-i586.cab
O16 - DPF: {8BBDC81D-81B3-49EE-87E8-47B7A707FAE8} (GoToMeeting/GoToWebinar Web Starter) - https://www.gotomeeting.com/default/applets/g2mdlax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_a...asyInstallX.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mydomain.com
O17 - HKLM\Software\..\Telephony: DomainName = mydomain.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{EA44D14B-31BE-48F2-9AC3-FDF4B692234E}: NameServer = 192.168.129.246,192.168.129.235
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mydomain.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = mydomain.com
O20 - AppInit_DLLs: d:\windows\system32\ldcore.dll
O20 - Winlogon Notify: awturqp - D:\WINDOWS\SYSTEM32\awturqp.dll
O23 - Service: Atheros Configuration Service (acs) - Atheros - D:\WINDOWS\system32\acs.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASR Service (ASRSVC) - Lenovo Group Limited - C:\Program Files\ThinkPad\Tablet Shortcut\ASR\ASRSVC.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - D:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - D:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - D:\Program Files\WatchGuard\Mobile User VPN\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IREIKE) - SafeNet - D:\Program Files\WatchGuard\Mobile User VPN\IreIKE.exe
O23 - Service: LiveUpdate - Symantec Corporation - D:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - D:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - D:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - D:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - D:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: System Update (SUService) - Lenovo Group Limited - D:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: Symantec Core LC - Unknown owner - D:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: TABLET Service (TabletSVC) - Lenovo Group Limited - C:\Program Files\ThinkPad\Tablet Shortcut\TSMService.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - D:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - D:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - D:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

--
End of file - 15602 bytes





SmitFraudFix - Search
SmitFraudFix v2.253

Scan done at 10:01:19.17, Mon 11/19/2007
Run from D:\Documents and Settings\administrator\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

Process

D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\SYSTEM32\WISPTIS.EXE
D:\WINDOWS\System32\tabbtnu.exe
D:\WINDOWS\system32\userinit.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\cmd.exe

hosts


D:\


D:\WINDOWS


D:\WINDOWS\system


D:\WINDOWS\Web


D:\WINDOWS\system32


D:\WINDOWS\system32\LogFiles


D:\Documents and Settings\administrator


D:\Documents and Settings\administrator\Application Data


Start Menu


D:\DOCUME~1\ADMINI~1\FAVORI~1


Desktop


D:\Program Files


Corrupted keys


Desktop Components



Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=" d:\\windows\\system32\\ldcore.dll"


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Rustock



DNS

Description: Intel® PRO/1000 PL Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 192.168.129.246
DNS Server Search Order: 192.168.129.235

Description: Intel® PRO/Wireless 3945ABG Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 192.168.129.246
DNS Server Search Order: 192.168.129.235

HKLM\SYSTEM\CCS\Services\Tcpip\..\{33EDB748-3A7E-4495-9BA1-2A112750797F}: DhcpNameServer=192.168.129.246 192.168.129.235
HKLM\SYSTEM\CCS\Services\Tcpip\..\{EA44D14B-31BE-48F2-9AC3-FDF4B692234E}: NameServer=192.168.129.246,192.168.129.235
HKLM\SYSTEM\CS1\Services\Tcpip\..\{33EDB748-3A7E-4495-9BA1-2A112750797F}: DhcpNameServer=192.168.129.246 192.168.129.235
HKLM\SYSTEM\CS1\Services\Tcpip\..\{EA44D14B-31BE-48F2-9AC3-FDF4B692234E}: NameServer=192.168.129.246,192.168.129.235
HKLM\SYSTEM\CS2\Services\Tcpip\..\{33EDB748-3A7E-4495-9BA1-2A112750797F}: DhcpNameServer=192.168.129.246 192.168.129.235
HKLM\SYSTEM\CS2\Services\Tcpip\..\{EA44D14B-31BE-48F2-9AC3-FDF4B692234E}: NameServer=192.168.129.246,192.168.129.235
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.129.246 192.168.129.235
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.129.246 192.168.129.235
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.129.246 192.168.129.235


Scanning for wininet.dll infection


End

SmitFraudFix - Clean
SmitFraudFix v2.253

Scan done at 9:40:48.54, Mon 11/19/2007
Run from D:\Documents and Settings\administrator\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts


127.0.0.1 localhost



Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files


DNS

Description: Intel® PRO/1000 PL Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 192.168.129.246
DNS Server Search Order: 192.168.129.235

Description: Intel® PRO/Wireless 3945ABG Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 192.168.129.246
DNS Server Search Order: 192.168.129.235

HKLM\SYSTEM\CCS\Services\Tcpip\..\{33EDB748-3A7E-4495-9BA1-2A112750797F}: DhcpNameServer=192.168.129.246 192.168.129.235
HKLM\SYSTEM\CCS\Services\Tcpip\..\{EA44D14B-31BE-48F2-9AC3-FDF4B692234E}: NameServer=192.168.129.246,192.168.129.235
HKLM\SYSTEM\CS1\Services\Tcpip\..\{33EDB748-3A7E-4495-9BA1-2A112750797F}: DhcpNameServer=192.168.129.246 192.168.129.235
HKLM\SYSTEM\CS1\Services\Tcpip\..\{EA44D14B-31BE-48F2-9AC3-FDF4B692234E}: NameServer=192.168.129.246,192.168.129.235
HKLM\SYSTEM\CS2\Services\Tcpip\..\{33EDB748-3A7E-4495-9BA1-2A112750797F}: DhcpNameServer=192.168.129.246 192.168.129.235
HKLM\SYSTEM\CS2\Services\Tcpip\..\{EA44D14B-31BE-48F2-9AC3-FDF4B692234E}: NameServer=192.168.129.246,192.168.129.235
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.129.246 192.168.129.235
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.129.246 192.168.129.235
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.129.246 192.168.129.235


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End

Trend Micro CSM -

11/14/2007 0:12:25 userCORE2XP TROJ_AGENT.POG win[1].exe D:\Documents and Settings\user1.mydomain\Local Settings\Temporary Internet Files\Content.IE5\VM17E9VS\ Real-time Scan Virus successfully detected, but infected file cannot be uploaded to the Security Server for quarantine.
11/14/2007 0:12:25 userCORE2XP TROJ_AGENT.POG win.exe D:\DOCUME~1\SPENSE~1.ACT\LOCALS~1\Temp\ Real-time Scan Virus successfully detected, but infected file cannot be uploaded to the Security Server for quarantine.
11/14/2007 0:12:15 userCORE2XP TROJ_VB.ESE loader[1].exe D:\Documents and Settings\user1.mydomain\Local Settings\Temporary Internet Files\Content.IE5\5UZ2XMHW\ Real-time Scan Virus successfully detected, but infected file cannot be uploaded to the Security Server for quarantine.
11/14/2007 0:12:15 userCORE2XP TROJ_VB.ESE loader.exe D:\DOCUME~1\SPENSE~1.ACT\LOCALS~1\Temp\ Real-time Scan Virus successfully detected, but infected file cannot be uploaded to the Security Server for quarantine.
11/14/2007 0:12:15 userCORE2XP TROJ_DLOADER.DTK MTE3MDk6ODoxNg[1].exe D:\Documents and Settings\user1.mydomain\Local Settings\Temporary Internet Files\Content.IE5\5UZ2XMHW\ Real-time Scan Virus successfully detected, but infected file cannot be uploaded to the Security Server for quarantine.
11/14/2007 0:12:15 userCORE2XP TROJ_DLOADER.DTK MTE3MDk6ODoxNg.exe D:\DOCUME~1\SPENSE~1.ACT\LOCALS~1\Temp\ Real-time Scan Virus successfully detected, but infected file cannot be uploaded to the Security Server for quarantine.
11/14/2007 0:12:15 userCORE2XP PAK_Generic.001 msiexec[1].exe D:\Documents and Settings\user1.mydomain\Local Settings\Temporary Internet Files\Content.IE5\5UZ2XMHW\ Real-time Scan Virus successfully detected, but infected file cannot be uploaded to the Security Server for quarantine.
11/14/2007 0:10:10 userCORE2XP TROJ_DLOADER.DTK dnslook11.exe D:\WINDOWS\system32\f1\ Real-time Scan Virus successfully detected, but infected file cannot be uploaded to the Security Server for quarantine.
11/14/2007 0:10:10 userCORE2XP TROJ_VUNDO.AVZ xxywxwt.dll D:\WINDOWS\system32\ Real-time Scan Virus successfully detected, but infected file cannot be uploaded to the Security Server for quarantine.

#2 theoasis

theoasis
  • Topic Starter

  • Members
  • 5 posts

Posted 19 November 2007 - 03:55 PM

I ran SDFix and ComboFix. Here are my HijackThis reports after running those. I can't get rid of awturqp.dll!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:47, on 2007-11-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\ibmpmsvc.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Windows Defender\MsMpEng.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\WatchGuard\Mobile User VPN\IreIKE.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\acs.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ThinkPad\Tablet Shortcut\ASR\ASRSVC.exe
D:\Program Files\WatchGuard\Mobile User VPN\IPSecMon.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
D:\Program Files\Lenovo\System Update\SUService.exe
C:\Program Files\ThinkPad\Tablet Shortcut\TSMService.exe
D:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
D:\WINDOWS\System32\TPHDEXLG.exe
D:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
D:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
D:\WINDOWS\SYSTEM32\WISPTIS.EXE
D:\WINDOWS\System32\tabbtnu.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\TEMP\COB665.EXE
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\tp4serv.exe
D:\WINDOWS\system32\rundll32.exe
D:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
D:\WINDOWS\system32\TpShocks.exe
C:\Program Files\ThinkPad\Tablet Shortcut\TSMRESIDENT.EXE
D:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
D:\Program Files\Analog Devices\Core\smax4pnp.exe
D:\Program Files\Mindjet\MindManager 6\MMReminderService.exe
D:\WINDOWS\system32\rundll32.exe
D:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
D:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
D:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
D:\WINDOWS\system32\igfxtray.exe
D:\WINDOWS\system32\hkcmd.exe
D:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
D:\WINDOWS\system32\igfxsrvc.exe
D:\WINDOWS\system32\igfxpers.exe
D:\Program Files\Lenovo\Zoom\TpScrex.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Windows Defender\MSASCui.exe
D:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
D:\Program Files\WatchGuard\Mobile User VPN\SafeCfg.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Documents and Settings\administrator\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/hlidOffice...=EC010227221033
O2 - BHO: (no name) - {2C80EAD3-74CD-4700-83A4-AA878CD1C03C} - D:\WINDOWS\system32\awturqp.dll
O2 - BHO: {43bb3aae-3891-7c58-f5f4-114a1894ab34} - {43ba4981-a411-4f5f-85c7-1983eaa3bb34} - D:\WINDOWS\system32\vjqapsrm.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - D:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: CmjBrowserHelperObject Object - {AC41D38F-B56D-40AD-94E0-B493D130C959} - D:\Program Files\Mindjet\MindManager 6\Mm6InternetExplorer.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - D:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [EZEJMNAP] D:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [IBMTBCTL] "C:\Program Files\ThinkPad\Tablet Shortcut\IBMTBCTL.EXE" /r
O4 - HKLM\..\Run: [TSMResident] "C:\Program Files\ThinkPad\Tablet Shortcut\TSMRESIDENT.EXE" /r
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "D:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [SoundMAXPnP] D:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] D:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [MMReminderService] D:\Program Files\Mindjet\MindManager 6\MMReminderService.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 D:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 D:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [TPHOTKEY] D:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [eFax 4.3] "D:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [TabletTip] "D:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume
O4 - HKLM\..\Run: [TabletWizard] D:\WINDOWS\help\SplshWrp.exe
O4 - HKLM\..\Run: [TVT Scheduler Proxy] D:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] D:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [5e71617d] rundll32.exe "D:\WINDOWS\system32\nskaxhwe.dll",b
O4 - HKLM\..\Run: [Windows Defender] "D:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [RoboForm] "D:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Global Startup: eFax 4.3.lnk = D:\Program Files\eFax Messenger 4.3\J2GTray.exe
O4 - Global Startup: Mobile User VPN.lnk = D:\Program Files\WatchGuard\Mobile User VPN\SafeCfg.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Send to Mindjet MindManager - {531B9DC0-D8EE-4c76-A6EE-6C1E50569655} - D:\Program Files\Mindjet\MindManager 6\Mm6InternetExplorer.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - D:\Program Files\Norton SystemWorks Premier\Norton Cleanup\WCQuick.lnk (file missing)
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - D:\Program Files\Norton SystemWorks Premier\Norton Cleanup\WCQuick.lnk (file missing)
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - http://gandalf:8059/officescan/console/Cli...ll/WinNTChk.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - http://gandalf:8059/officescan/console/Cli...stall/setup.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - http://gandalf:8059/officescan/console/Cli.../RemoveCtrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1179813697312
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1179874996655
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - http://javadl-esd.sun.com/update/1.4.2/jin...indows-i586.cab
O16 - DPF: {8BBDC81D-81B3-49EE-87E8-47B7A707FAE8} (GoToMeeting/GoToWebinar Web Starter) - https://www.gotomeeting.com/default/applets/g2mdlax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_a...asyInstallX.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mydomain.com
O17 - HKLM\Software\..\Telephony: DomainName = mydomain.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{EA44D14B-31BE-48F2-9AC3-FDF4B692234E}: NameServer = 192.168.129.246,192.168.129.235
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mydomain.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = mydomain.com
O20 - Winlogon Notify: awturqp - D:\WINDOWS\SYSTEM32\awturqp.dll
O23 - Service: Atheros Configuration Service (acs) - Atheros - D:\WINDOWS\system32\acs.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASR Service (ASRSVC) - Lenovo Group Limited - C:\Program Files\ThinkPad\Tablet Shortcut\ASR\ASRSVC.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - D:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - D:\Program Files\WatchGuard\Mobile User VPN\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IREIKE) - SafeNet - D:\Program Files\WatchGuard\Mobile User VPN\IreIKE.exe
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - D:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - D:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - D:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: TABLET Service (TabletSVC) - Lenovo Group Limited - C:\Program Files\ThinkPad\Tablet Shortcut\TSMService.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - D:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - D:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - D:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

--
End of file - 13739 bytes

#3 theoasis

theoasis
  • Topic Starter

  • Members
  • 5 posts

Posted 20 November 2007 - 12:38 PM

Haven't heard from anyone yet regarding this... Does it usually take this long? I am amazed that anyone gets a response, since this forum is very, very busy.

In the meantime, here are the SDFix and ComboFix logs:

SDFix:


SDFix: Version 1.115

Run by Administrator on 2007-11-19 at 14:15

Microsoft Windows XP [Version 5.1.2600]

Running From: D:\SDfix\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

D:\WINDOWS\17PHolmes1000106.exe - Deleted
D:\WINDOWS\17PHolmes1239.exe - Deleted
D:\WINDOWS\system32\ldinfo.ldr - Deleted
D:\WINDOWS\system32\pac.txt - Deleted




Removing Temp Files...

ADS Check:

D:\WINDOWS
No streams found.

D:\WINDOWS\system32
No streams found.

D:\WINDOWS\system32\svchost.exe
No streams found.

D:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-19 14:23:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00197eed9e09]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00197eed9e09]

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"D:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="D:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"D:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="D:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"D:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="D:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"D:\\Program Files\\MSN Messenger\\msnmsgr.exe"="D:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"D:\\Program Files\\MSN Messenger\\livecall.exe"="D:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"D:\\Program Files\\iTunes\\iTunes.exe"="D:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"D:\\Program Files\\Windows Media Player\\wmplayer.exe"="D:\\Program Files\\Windows Media Player\\wmplayer.exe:*:Enabled:Windows Media Player"
"D:\\Program Files\\Internet Explorer\\iexplore.exe"="D:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"D:\\WINDOWS\\system32\\rvqdoqta.exe"="D:\\WINDOWS\\system32\\rvq"
"D:\\Program Files\\WatchGuard\\Mobile User VPN\\IreIKE.exe"="D:\\Program Files\\WatchGuard\\Mobile User VPN\\IreIKE.exe:*:Enabled:IreIke"
"D:\\Program Files\\WatchGuard\\Mobile User VPN\\ViewLog.exe"="D:\\Program Files\\WatchGuard\\Mobile User VPN\\ViewLog.exe:127.0.0.1/255.255.255.255:Enabled:ViewLog"
"D:\\Program Files\\WatchGuard\\Mobile User VPN\\CmonApp.exe"="D:\\Program Files\\WatchGuard\\Mobile User VPN\\CmonApp.exe:127.0.0.1/255.255.255.255:Enabled:CMonApp"
"D:\\Program Files\\WatchGuard\\Mobile User VPN\\vpn.exe"="D:\\Program Files\\WatchGuard\\Mobile User VPN\\vpn.exe:127.0.0.1/255.255.255.255:Enabled:VPN Connection Manager"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"D:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="D:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"D:\\Program Files\\MSN Messenger\\msnmsgr.exe"="D:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"D:\\Program Files\\MSN Messenger\\livecall.exe"="D:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"D:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="D:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"D:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="D:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"D:\\Program Files\\iTunes\\iTunes.exe"="D:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"D:\\Program Files\\WatchGuard\\Mobile User VPN\\IreIKE.exe"="D:\\Program Files\\WatchGuard\\Mobile User VPN\\IreIKE.exe:*:Enabled:IreIke"
"D:\\Program Files\\WatchGuard\\Mobile User VPN\\ViewLog.exe"="D:\\Program Files\\WatchGuard\\Mobile User VPN\\ViewLog.exe:127.0.0.1/255.255.255.255:Enabled:ViewLog"
"D:\\Program Files\\WatchGuard\\Mobile User VPN\\CmonApp.exe"="D:\\Program Files\\WatchGuard\\Mobile User VPN\\CmonApp.exe:127.0.0.1/255.255.255.255:Enabled:CMonApp"
"D:\\Program Files\\WatchGuard\\Mobile User VPN\\vpn.exe"="D:\\Program Files\\WatchGuard\\Mobile User VPN\\vpn.exe:127.0.0.1/255.255.255.255:Enabled:VPN Connection Manager"

Remaining Files:
---------------

File Backups: - D:\SDfix\SDFix\backups\backups.zip

Files with Hidden Attributes:

Wed 13 Oct 2004 1,694,208 ..SH. --- "D:\Program Files\Messenger\msmsgs.exe"
Wed 4 Aug 2004 60,416 A.SH. --- "D:\Program Files\Outlook Express\msimn.exe"
Sun 14 Oct 2007 5,903,928 A..H. --- "D:\Program Files\Picasa2\setup.exe"
Sat 17 Nov 2007 20,810 ..SH. --- "D:\WINDOWS\system32\hdneqwym.dllbox"
Sun 15 Jul 2007 4,348 ..SH. --- "D:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 23 May 2007 0 A.SH. --- "D:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Sat 17 Nov 2007 4,286 A..H. --- "D:\Documents and Settings\spenser.actifi\Local Settings\Temp\ico2A.tmp"
Sat 17 Nov 2007 4,286 A..H. --- "D:\Documents and Settings\spenser.actifi\Local Settings\Temp\ico2B.tmp"
Sat 17 Nov 2007 4,286 A..H. --- "D:\Documents and Settings\spenser.actifi\Local Settings\Temp\ico30.tmp"
Sat 17 Nov 2007 4,286 A..H. --- "D:\Documents and Settings\spenser.actifi\Local Settings\Temp\ico31.tmp"
Sat 17 Nov 2007 4,286 A..H. --- "D:\Documents and Settings\spenser.actifi\Local Settings\Temp\ico39.tmp"
Sat 17 Nov 2007 4,286 A..H. --- "D:\Documents and Settings\spenser.actifi\Local Settings\Temp\ico3A.tmp"
Sat 17 Nov 2007 4,286 A..H. --- "D:\Documents and Settings\spenser.actifi\Local Settings\Temp\ico3F.tmp"
Sat 17 Nov 2007 4,286 A..H. --- "D:\Documents and Settings\spenser.actifi\Local Settings\Temp\ico40.tmp"
Sat 17 Nov 2007 4,286 A..H. --- "D:\Documents and Settings\spenser.actifi\Local Settings\Temp\ico44.tmp"
Sat 17 Nov 2007 4,286 A..H. --- "D:\Documents and Settings\spenser.actifi\Local Settings\Temp\ico45.tmp"
Sun 18 Nov 2007 70,431 ..SH. --- "D:\Documents and Settings\spenser.actifi\Local Settings\Temp\nqbdcvfe.exe"
Wed 6 Jun 2007 20,480 ...H. --- "D:\Documents and Settings\spenser.actifi\Local Settings\Application Data\Microsoft\Journal\Cache\NBD.tmp"

Finished!


ComboFix 07-11-08.3 - Administrator 2007-11-19 14:39:15.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1461 [GMT -6:00]
Running from: D:\Documents and Settings\administrator\Desktop\ComboFix.exe
* Created a new restore point
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\DOCUME~1\ALLUSE~1\STARTM~1\Live Safety Center.lnk
D:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.lnk
D:\Documents and Settings\spenser.actifi\Desktop\Live Safety Center.lnk
D:\Documents and Settings\spenser.actifi\Desktop\Online Security Guide.lnk
D:\Documents and Settings\spenser.actifi\Favorites\Online Security Guide.lnk
D:\Documents and Settings\spenser.actifi\g2mdlhlpx.exe
D:\WINDOWS\cookies.ini
D:\WINDOWS\system32\f1
D:\WINDOWS\system32\ghkmp.ini
D:\WINDOWS\system32\ghkmp.ini2
D:\WINDOWS\system32\h2
D:\WINDOWS\system32\hdneqwym.dllbox
D:\WINDOWS\system32\pmkhg.dll
D:\WINDOWS\system32\r2
D:\WINDOWS\system32\x64

.
((((((((((((((((((((((((( Files Created from 2007-10-19 to 2007-11-19 )))))))))))))))))))))))))))))))
.

2007-11-19 14:14 <DIR> d-------- D:\WINDOWS\ERUNT
2007-11-19 14:08 <DIR> d-------- D:\cfix
2007-11-19 13:50 <DIR> d-------- D:\Program Files\Windows Defender
2007-11-19 13:42 51,200 --a------ D:\WINDOWS\NirCmd.exe
2007-11-19 09:41 5,090 --a------ D:\WINDOWS\system32\tmp.reg
2007-11-19 08:53 221,184 --a------ D:\WINDOWS\system32\wmpns.dll
2007-11-18 16:17 <DIR> d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-11-18 15:44 84,185 --a------ D:\WINDOWS\system32\nskaxhwe.dll
2007-11-18 15:42 79,424 --a------ D:\WINDOWS\system32\vjqapsrm.dll
2007-11-17 11:12 <DIR> d-------- D:\Program Files\Norton AntiVirus
2007-11-17 10:18 <DIR> d-------- D:\Documents and Settings\spenser.actifi\Application Data\Symantec
2007-11-17 09:48 <DIR> d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-11-17 09:47 <DIR> d-------- D:\Program Files\Common Files\Symantec Shared
2007-11-17 08:53 82,496 --a------ D:\WINDOWS\system32\nyiukfjh.dll
2007-11-16 13:55 <DIR> d-------- D:\Documents and Settings\administrator\.housecall6.6
2007-11-16 13:21 <DIR> d-------- D:\Program Files\Lavasoft
2007-11-16 13:07 <DIR> d-------- D:\WINDOWS\system32\ActiveScan
2007-11-16 09:12 102,664 --a------ D:\WINDOWS\system32\drivers\tmcomm.sys
2007-11-15 08:47 38,912 --a------ D:\WINDOWS\system32\awturqp.dll
2007-11-14 13:45 <DIR> d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\Rabio
2007-11-14 00:10 <DIR> d-------- D:\WINDOWS\system32\rMa17yy
2007-11-07 16:09 <DIR> d-------- D:\Program Files\iTunes
2007-11-07 16:09 <DIR> d-------- D:\Program Files\iPod
2007-11-07 16:08 <DIR> d-------- D:\Program Files\QuickTime
2007-10-26 13:15 <DIR> d-------- D:\Program Files\Common Files\SWF Studio

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-16 19:24 --------- d-----w D:\Program Files\MSN Messenger
2007-11-16 19:24 --------- d-----w D:\Program Files\Microsoft ActiveSync
2007-11-16 19:24 --------- d-----w D:\Program Files\eFax Messenger 4.3
2007-11-16 19:20 --------- d-----w D:\Program Files\Windows Live Toolbar
2007-10-17 20:05 100,264 ----a-w D:\Documents and Settings\spenser.actifi\DimdimSetup.exe
2007-10-17 20:05 --------- d-----w D:\Program Files\Dimdim
2007-10-15 03:10 --------- d-----w D:\Program Files\MSECache
2007-10-15 02:21 --------- d-----w D:\Program Files\Picasa2
2007-10-15 02:10 --------- d-----w D:\Program Files\Google
2007-09-28 19:38 1,391,214 ----a-w D:\WINDOWS\ActiFi Screensaver v1.1.scr
2007-09-28 13:44 --------- d-----w D:\Program Files\Apple Software Update
2007-08-21 19:55 45,912 ----a-w D:\WINDOWS\system32\lmdimon.dll
2007-08-21 06:15 683,520 ----a-w D:\WINDOWS\system32\inetcomm.dll
2007-07-23 19:42 374 ----a-w D:\Documents and Settings\spenser.actifi\backup archive.bat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2C80EAD3-74CD-4700-83A4-AA878CD1C03C}]
2007-11-15 08:47 38912 --a------ D:\WINDOWS\system32\awturqp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{43ba4981-a411-4f5f-85c7-1983eaa3bb34}]
2007-11-18 15:42 79424 --a------ D:\WINDOWS\system32\vjqapsrm.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrackPointSrv"="tp4serv.exe" [2005-07-13 02:55 D:\WINDOWS\system32\tp4serv.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 23:56 D:\WINDOWS\system32\bthprops.cpl]
"EZEJMNAP"="D:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-03-29 01:32]
"TpShocks"="TpShocks.exe" [2007-03-29 17:40 D:\WINDOWS\system32\TpShocks.exe]
"IBMTBCTL"="C:\Program Files\ThinkPad\Tablet Shortcut\IBMTBCTL.exe" [2006-12-14 01:04]
"TSMResident"="C:\Program Files\ThinkPad\Tablet Shortcut\TSMRESIDENT.exe" [2006-12-14 01:04]
"OfficeScanNT Monitor"="D:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" [2007-03-29 07:10]
"SoundMAXPnP"="D:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 08:11]
"SoundMAX"="D:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2005-05-06 14:06]
"MMReminderService"="D:\Program Files\Mindjet\MindManager 6\MMReminderService.exe" [2006-12-13 23:16]
"pdfSaver3"="" []
"PWRMGRTR"="D:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2007-06-18 00:16]
"BLOG"="D:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2007-06-18 00:16]
"TPHOTKEY"="D:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 13:49]
"eFax 4.3"="D:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 11:21]
"TabletTip"="D:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" [2005-04-25 21:10]
"TabletWizard"="D:\WINDOWS\help\SplshWrp.exe" [2004-08-03 23:56]
"TVT Scheduler Proxy"="D:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2006-12-10 18:36]
"Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"IgfxTray"="D:\WINDOWS\system32\igfxtray.exe" [2007-02-26 17:34]
"HotKeysCmds"="D:\WINDOWS\system32\hkcmd.exe" [2007-02-26 17:34]
"Persistence"="D:\WINDOWS\system32\igfxpers.exe" [2007-02-26 17:33]
"QuickTime Task"="D:\Program Files\QuickTime\qttask.exe" [2007-10-19 20:16]
"iTunesHelper"="D:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36]
"5e71617d"="D:\WINDOWS\system32\nskaxhwe.dll" [2007-11-18 15:44]
"Windows Defender"="D:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="D:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2007-05-23 21:54]

D:\Documents and Settings\spenser.actifi\Start Menu\Programs\Startup\
Microsoft Office OneNote 2003 Quick Launch.lnk - D:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2005-03-17 13:06:14]

D:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
eFax 4.3.lnk - D:\Program Files\eFax Messenger 4.3\J2GTray.exe [2007-05-23 09:30:26]
Mobile User VPN.lnk - D:\Program Files\WatchGuard\Mobile User VPN\SafeCfg.exe [2007-05-22 15:48:30]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{2C80EAD3-74CD-4700-83A4-AA878CD1C03C}"= D:\WINDOWS\system32\awturqp.dll [2007-11-15 08:47 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awturqp]
awturqp.dll 2007-11-15 08:47 38912 D:\WINDOWS\system32\awturqp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]
D:\Program Files\Common Files\Microsoft Shared\Ink\loginkey.dll 2002-08-29 02:41 58368 D:\Program Files\Common Files\Microsoft Shared\INK\LoginKey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]
TabBtnWL.dll 2002-08-29 02:41 11776 D:\WINDOWS\system32\tabbtnwl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
D:\Program Files\Lenovo\HOTKEY\notifyf2.dll 2006-09-06 15:37 34344 D:\Program Files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]
tpgwlnot.dll 2002-08-29 02:41 25600 D:\WINDOWS\system32\tpgwlnot.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
D:\Program Files\Lenovo\HOTKEY\tphklock.dll 2006-12-14 10:06 28672 D:\Program Files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 D:\WINDOWS\system32\pmkhg.dll

R0 Shockprf;Shockprf;D:\WINDOWS\system32\DRIVERS\Apsx86.sys
R0 TPDIGIMN;TPDIGIMN;D:\WINDOWS\system32\DRIVERS\ApsHM86.sys
R1 TPPWRIF;TPPWRIF;D:\WINDOWS\system32\drivers\Tppwrif.sys
R1 TSMSMI;Lenovo System Interface Driver;D:\WINDOWS\system32\DRIVERS\TSMSMI32.SYS
R2 ASRSVC;ASR Service;C:\Program Files\ThinkPad\Tablet Shortcut\ASR\ASRSVC.exe
R2 Crypto;Crypto;D:\WINDOWS\system32\drivers\Crypto.sys
R2 IPSECDRV;SafeNet IPSec Plugin;\??\D:\WINDOWS\system32\Drivers\IPSECDRV.sys
R2 TabletSVC;TABLET Service;C:\Program Files\ThinkPad\Tablet Shortcut\TSMService.exe
R3 AEAudioService;AEAudio Service;D:\WINDOWS\system32\drivers\AEAudio.sys
R3 DniVap;SafeNet WAN Miniport (VA);D:\WINDOWS\system32\DRIVERS\vap.sys
R3 swmx01;Sierra Wireless USB MUX Driver (#01);D:\WINDOWS\system32\DRIVERS\swmx01.sys
R3 SWNC5E01;Sierra Wireless MUX NDIS Driver (#01);D:\WINDOWS\system32\DRIVERS\SWNC5E01.sys
R3 Tp4Track;PS/2 TrackPoint Driver;D:\WINDOWS\system32\DRIVERS\tp4track.sys
R3 WacomPen;Wacom Serial Pen HID Driver;D:\WINDOWS\system32\DRIVERS\wacompen.sys
S3 SymIM;Symantec Network Security Intermediate Filter Service;D:\WINDOWS\system32\DRIVERS\SymIM.sys
S3 SymIMMP;SymIMMP;D:\WINDOWS\system32\DRIVERS\SymIM.sys
S3 tpflhlp;tpflhlp;\??\D:\Program Files\Lenovo\System Update\session\7juj07us\tpflhlp.sys
S3 USBAAPL;Apple Mobile USB Driver;D:\WINDOWS\system32\Drivers\usbaapl.sys
S3 WSIMD;wsimd Service;D:\WINDOWS\system32\DRIVERS\wsimd.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\fi360.exe

.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-19 14:43:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-19 14:45:11 - machine was rebooted
.
--- E O F ---
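The loading-points section above is the part of a ComboFix log a responder actually reads: Browser Helper Objects, Run values, Winlogon Notify packages, ShellExecuteHooks and the LSA Authentication Packages list. The Virtumonde/Vundo traits visible in this log are DLLs in system32 with random names written within days of the scan (awturqp.dll, vjqapsrm.dll, nskaxhwe.dll), a Run value whose name is a bare hex string, a second entry beside msv1_0 in Authentication Packages (pmkhg.dll, loaded into lsass.exe at boot), and an AutoRun command on a removable drive. The script below is an added example for readers of this thread and is not a tool anyone in the thread used; it applies those rules to an excerpt copied from the posted log. The 7-day "recent" threshold and the rule set are assumptions, not ComboFix behaviour.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example, not ComboFix or BleepingComputer code. Flags autostart entries
with the traits of the Vundo/Virtumonde DLLs seen in the posted log.
"""
import re
from dataclasses import dataclass
from datetime import date

SCAN_DATE = date(2007, 11, 19)   # from "Rootkit scan 2007-11-19" in the posted log
RECENT_DAYS = 7                  # assumption: system32 binaries this fresh get a look

KEY_RE = re.compile(r"^\[(.+)\]$")
DATE_RE = re.compile(r"\b(\d{4})-(\d{2})-(\d{2})\b")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[\]]*?\.(?:exe|dll|sys|cpl|scr)\b', re.IGNORECASE)
RUN_NAME_RE = re.compile(r'^"([^"]+)"=')
HEX_NAME_RE = re.compile(r"^[0-9a-fA-F]{8}$")

# Constructed excerpt: lines copied from the posted ComboFix log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2C80EAD3-74CD-4700-83A4-AA878CD1C03C}]
2007-11-15 08:47 38912 --a------ D:\WINDOWS\system32\awturqp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{43ba4981-a411-4f5f-85c7-1983eaa3bb34}]
2007-11-18 15:42 79424 --a------ D:\WINDOWS\system32\vjqapsrm.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrackPointSrv"="tp4serv.exe" [2005-07-13 02:55 D:\WINDOWS\system32\tp4serv.exe]
"IgfxTray"="D:\WINDOWS\system32\igfxtray.exe" [2007-02-26 17:34]
"iTunesHelper"="D:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36]
"5e71617d"="D:\WINDOWS\system32\nskaxhwe.dll" [2007-11-18 15:44]
"Windows Defender"="D:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awturqp]
awturqp.dll 2007-11-15 08:47 38912 D:\WINDOWS\system32\awturqp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]
tpgwlnot.dll 2002-08-29 02:41 25600 D:\WINDOWS\system32\tpgwlnot.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 D:\WINDOWS\system32\pmkhg.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\fi360.exe
"""


@dataclass
class Finding:
    key: str      # registry key the entry lives under
    target: str   # file or command the entry loads
    reason: str


def _age_days(line: str):
    """Days between the first yyyy-mm-dd on the line and the scan date, or None."""
    m = DATE_RE.search(line)
    if not m:
        return None
    y, mo, d = (int(g) for g in m.groups())
    return (SCAN_DATE - date(y, mo, d)).days


def triage(log_text: str) -> list:
    findings = []
    key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)       # remember which key the following lines belong to
            continue
        lkey = key.lower()

        # Rule 1: anything besides msv1_0 in Authentication Packages is a DLL that
        # lsass.exe loads at boot; ComboFix prints the list space-separated here.
        if lkey.endswith("\\lsa") and line.startswith('"Authentication Packages"'):
            for pkg in line.split("=", 1)[1].split():
                if pkg.lower() != "msv1_0":
                    findings.append(Finding(key, pkg, "extra LSA authentication package"))
            continue

        # Rule 2: any AutoRun command recorded under MountPoints2 (removable drive).
        if "mountpoints2" in lkey and "\\autorun\\command" in line.lower():
            findings.append(Finding(key, line.split(" - ", 1)[-1],
                                    "AutoRun command on a removable drive"))
            continue

        # Rule 3: Run value whose name is a bare 8-digit hex string ("5e71617d").
        nm = RUN_NAME_RE.match(line)
        if lkey.endswith("\\run") and nm and HEX_NAME_RE.match(nm.group(1)):
            pm = PATH_RE.search(line)
            findings.append(Finding(key, pm.group() if pm else line,
                                    "Run value named with random hex"))

        # Rule 4: a system32 binary written within RECENT_DAYS of the scan, from
        # whatever loading point references it (BHO, Run, Winlogon Notify, hooks).
        age = _age_days(line)
        for pm in PATH_RE.finditer(line):
            path = pm.group()
            if "\\system32\\" in path.lower() and age is not None and 0 <= age <= RECENT_DAYS:
                findings.append(Finding(key, path,
                                        f"system32 binary written {age} day(s) before the scan"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason:48} {f.target}  <- {f.key}")
```

Run against the excerpt it flags exactly awturqp.dll (twice, as BHO and Winlogon Notify), vjqapsrm.dll, nskaxhwe.dll, pmkhg.dll and E:\fi360.exe, and leaves the Lenovo, Intel, Apple and Defender entries alone. The file-age rule does the real work; filename "randomness" alone would also flag legitimate names such as hkcmd.exe, so it is deliberately not a rule here.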

#4 Yourhighness
The BSG Malware Fighter
Malware Response Team
Location: Hamburg

Posted 25 November 2007 - 01:36 PM

Hello theoasis and welcome to BleepingComputer!

Apologies for the delay. If you are still having problems, please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic:

Preparation Guide For Use Before Posting A Hijackthis Log.

Thanks,

Johannes

"How did I get infected?" - "Safe-hex" - Member of UNITE