Task Manager Disabled + Loads Of Spyware


  • This topic is locked
17 replies to this topic

#1 lolwtfinternet

  • Members
  • 9 posts

Posted 05 May 2008 - 03:09 PM

Hello,
I am working with a laptop that has caught some nasty spyware, and I cannot seem to figure out how to rid the system of it. I have not found the name for it, but I am pretty sure all of the symptoms are correlated. The most notable thing about it is that the spyware has disabled the task manager and changed the background to say "Your computer has several fatal errors due to spyware activity." Here are the symptoms from what I have seen so far:

1. Background is changed to blue and yellow message saying that spyware threat has been detected, resets every restart.
2. Tray icon of yellow triangle with exclamation point, that pops up bubbles with several different messages.
3. Several pop ups from different companies.
4. Trouble browsing sites outside of the Google search engine. (maybe not related)
5. Task Manager disabled by "admin".
6. Fake windows security pop ups

Here are some screenshots of the bubble messages, background, and pop ups.
http://i29.photobucket.com/albums/c268/Lon...t/spyware21.jpg
http://i29.photobucket.com/albums/c268/Lon...t/spyware51.jpg

Here are the DSS logs:

Deckard's System Scanner v20071014.68
Run by its_admin on 2008-05-05 13:32:36
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
34: 2008-05-05 19:32:47 UTC - RP248 - Deckard's System Scanner Restore Point
33: 2008-05-05 16:45:42 UTC - RP247 - Removed Update Agent
32: 2008-05-05 16:42:37 UTC - RP246 - Installed Ad-Aware 2007
31: 2008-05-04 20:36:32 UTC - RP245 - Last known good configuration
30: 2008-05-04 20:36:24 UTC - RP244 - System Checkpoint


-- First Restore Point --
1: 2008-05-04 20:36:13 UTC - RP215 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-05-05 13:33:58
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\novell\xtagent.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\winself.exe
C:\Program Files\Novell\ZENworks\NALNTSRV.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZIPM12.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lenovo\System Update\SUService.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\TPHDEXLG.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Novell\ZENworks\WM.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\wmsdkns.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\nwtray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\AcroTray.exe
C:\WINDOWS\system32\iprntctl.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\WINDOWS\system32\TpShocks.exe
C:\WINDOWS\system32\TpScrLk.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ThinkVantage\PrdCtr\LPMGR.EXE
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE
C:\Program Files\ThinkPad\UltraNav Wizard\UNavTray.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\iprntlgn.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Novell\ZENworks\NalAgent.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\Documents and Settings\its_admin.AHP-L3-EX359\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 165.134.234.135:3128
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: (no name) - {B08830ED-88CD-4E59-87C9-747944DC24A6} - C:\WINDOWS\system32\rqRLcASM.dll
O2 - BHO: (no name) - {B3102264-D09D-4322-B625-503FBF18DD7E} - C:\WINDOWS\system32\efcBsTMe.dll
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.0\masqform.exe -UpdateCurrentUser
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [iPrint Tray] C:\WINDOWS\system32\iprntctl.exe TRAY_ICON
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPKBDLED] C:\WINDOWS\system32\TpScrLk.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\ThinkVantage Fingerprint Software\launcher.exe" /startup
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [iPrint Event Monitor] C:\WINDOWS\system32\iprntlgn.exe
O4 - HKLM\..\Run: [ZENRC Tray Icon] C:\WINDOWS\system32\zentray.exe
O4 - HKLM\..\Run: [Novell Application Explorer] C:\Program Files\Novell\ZENworks\NalView.exe :
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [0445431a] rundll32.exe "C:\WINDOWS\system32\iqnsrgmc.dll",b
O4 - HKLM\..\Run: [BM07767086] Rundll32.exe "C:\WINDOWS\system32\mdsnadju.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr=1
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.patch.slu.loc (HKLM)
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} () - http://a1540.g.akamai.net/7/1540/52/200412...llInstaller.exe
O16 - DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} (Java Plug-in 1.4.2_06) - http://java.sun.com/update/1.4.2/jinstall-...indows-i586.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/flash...ent/swflash.cab
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: ACNotify - C:\WINDOWS\system32\ACNotify.dll (file missing)
O20 - Winlogon Notify: AwayNotify - C:\Program Files\Lenovo\AwayTask\AwayNotify.dll
O20 - Winlogon Notify: efcBsTMe - C:\WINDOWS\system32\efcBsTMe.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_1.EXE
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\winself.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\NALNTSRV.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZIPM12.EXE
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\psasrv.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Novell ZENworks Remote Management Agent (Remote Management Agent) - Novell, Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SavRoam - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: System Update (SUService) - Unknown owner - C:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\system32\TPHDEXLG.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: Novell XTier Agent Services (XTAgent) - Novell, Inc. - C:\WINDOWS\system32\novell\xtagent.exe
O23 - Service: Workstation Manager (ZFDWM) - Novell, Inc. - C:\Program Files\Novell\ZENworks\WM.EXE


--
End of file - 15604 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 NICM (Novell InterService Communication Driver) - c:\windows\system32\drivers\nicm.sys <Not Verified; Novell, Inc.; Novell XTier for Windows>
R0 NWFILTER (Novell UNC Path Filter) - c:\windows\system32\netware\nwfilter.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
R0 Shockprf - c:\windows\system32\drivers\shockprf.sys <Not Verified; Lenovo; ThinkVantage Active Protection System>
R1 ANC - c:\windows\system32\drivers\anc.sys <Not Verified; IBM Corp.; IBM Access Connections>
R1 IBMTPCHK - c:\windows\system32\drivers\ibmbldid.sys
R1 nipplpt2 (Novell iCapture Lpt Redirector 2) - c:\windows\system32\drivers\nipplpt.sys
R1 ShockMgr - c:\windows\system32\drivers\shockmgr.sys <Not Verified; Lenovo.; ThinkVantage Active Protection System>
R1 TPHKDRV - c:\windows\system32\drivers\tphkdrv.sys <Not Verified; IBM Corporation; ThinkPad OnScreenDisplay>
R1 TPPWRIF - c:\windows\system32\drivers\tppwrif.sys
R1 TSMAPIP - c:\windows\system32\drivers\tsmapip.sys
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.4.10.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.4.10.0>
R2 BlankScr (HBDevice) - c:\windows\system32\drivers\blankscr.sys <Not Verified; Novell Inc.; ZENworks Remote Management>
R2 NetwareWorkstation (Novell Client for Windows) - c:\windows\system32\netware\nwfs.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
R2 PROCDD (IPS Helper Driver) - c:\windows\system32\drivers\procdd.sys <Not Verified; Lenovo Group Limited; Away Manager>
R2 RESMGR (Novell NetWare Resource Manager) - c:\windows\system32\netware\resmgr.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>
R2 smihlp (SMI helper driver) - c:\program files\thinkvantage fingerprint software\smihlp.sys <Not Verified; UPEK Inc.; ThinkVantage Fingerprint Software>
R2 SRVLOC (Novell Service Location) - c:\windows\system32\netware\srvloc.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
R3 Darpan - c:\windows\system32\drivers\darpan.sys <Not Verified; Novell, Inc.; ZENworks Remote Management>
R3 NWDHCP (Novell DHCP Inform Client) - c:\windows\system32\netware\nwdhcp.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
R3 NWDNS (Novell DNS Name Space Service Provider) - c:\windows\system32\netware\nwdns.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
R3 NWHOST (Novell Host File Name Space Service Provider) - c:\windows\system32\netware\nwhost.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
R3 NWSLP (Novell SLP Name Space Service Provider) - c:\windows\system32\netware\nwslp.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
R3 NWSNS (Novell Simple Naming Services) - c:\windows\system32\netware\nwsns.sys <Not Verified; Novell, Inc.; Novell Client for Windows>

S2 NWSIPX32 (Novell NetWare IPX/SPX Transport Interface) - c:\windows\system32\netware\nwsipx32.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
S3 ialm - c:\windows\system32\drivers\ialmnt5.sys <Not Verified; Intel Corporation; Intel Graphics Accelerator Drivers for Windows NT®>
S3 NWSAP (Novell SAP Name Space Provider) - c:\windows\system32\netware\nwsap.sys
S3 psadd (IBM PSA Access Driver) - c:\windows\system32\drivers\psadd.sys <Not Verified; Lenovo; PSA Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 IPSSVC (IPS Core Service) - c:\windows\system32\ipssvc.exe <Not Verified; Lenovo Group Limited; Away Manager>
R2 MsSecurity1.209.4 (MsSecurity Updated) - c:\windows\winself.exe service
R2 NALNTSERVICE (Novell Application Launcher) - c:\program files\novell\zenworks\nalntsrv.exe <Not Verified; Novell, Inc.; >
R2 RegSrvc (Intel® PROSet/Wireless Registry Service) - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; Intel® PROSet/Wireless Registry Service>
R2 Remote Management Agent (Novell ZENworks Remote Management Agent) - c:\program files\novell\zenworks\remotemanagement\rmagent\zenrem32.exe <Not Verified; Novell, Inc.; ZENworks Remote Management>
R2 SUService (System Update) - c:\program files\lenovo\system update\suservice.exe
R2 TPHDEXLGSVC (ThinkPad HDD APS Logging Service) - system32\tphdexlg.exe <Not Verified; Lenovo.; ThinkVantage Active Protection System>
R2 TVT Scheduler - "c:\program files\common files\lenovo\scheduler\tvtsched.exe" <Not Verified; Lenovo Group Limited; tvtsched Module>
R2 XTAgent (Novell XTier Agent Services) - c:\windows\system32\novell\xtagent.exe <Not Verified; Novell, Inc.; NetIdentity>
R2 ZFDWM (Workstation Manager) - c:\program files\novell\zenworks\wm.exe <Not Verified; Novell, Inc.; ZENworks Desktop Management>

S3 cusrvc (Client Update Service for Novell) - c:\windows\system32\cusrvc.exe <Not Verified; Novell, Inc.; Novell Client for Windows>
S3 PsaSrv (IBM PSA Access Driver Control) - c:\windows\system32\psasrv.exe


-- Device Manager: Disabled ----------------------------------------------------

Class GUID:
Description: Modem Device on High Definition Audio Bus
Device ID: HDAUDIO\FUNC_02&VEN_14F1&DEV_2BFA&SUBSYS_17AA201B&REV_0900\4&33F32219&0&0102
Manufacturer:
Name: Modem Device on High Definition Audio Bus
PNP Device ID: HDAUDIO\FUNC_02&VEN_14F1&DEV_2BFA&SUBSYS_17AA201B&REV_0900\4&33F32219&0&0102
Service:


-- Scheduled Tasks -------------------------------------------------------------

2008-05-05 13:22:36 308 --a------ C:\WINDOWS\Tasks\PMTask.job


-- Files created between 2008-04-05 and 2008-05-05 -----------------------------

2008-05-05 12:30:54 5784 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-05 11:27:55 96832 --a------ C:\WINDOWS\system32\iqnsrgmc.dll
2008-05-05 11:24:55 107584 --a------ C:\WINDOWS\system32\ryxkupux.dll
2008-05-05 11:18:55 104000 --a------ C:\WINDOWS\system32\mdsnadju.dll
2008-05-05 10:42:43 0 d-------- C:\Program Files\Lavasoft
2008-05-05 10:42:42 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-05 10:23:00 0 d-------- C:\Documents and Settings\its_admin.AHP-L3-EX359\Application Data\Talkback
2008-05-05 10:22:03 0 d-------- C:\Documents and Settings\its_admin.AHP-L3-EX359\Application Data\Mozilla
2008-05-05 10:16:38 30976 --a------ C:\WINDOWS\stcloader.exe
2008-05-05 10:16:37 19712 --a------ C:\WINDOWS\voiceip.dll
2008-05-05 10:16:37 22528 --a------ C:\WINDOWS\swin32.dll
2008-05-05 10:16:37 13568 --a------ C:\WINDOWS\mssvr.exe
2008-05-05 10:16:37 19968 --a------ C:\WINDOWS\cdsm32.dll
2008-05-05 10:16:37 15616 --a------ C:\WINDOWS\bokja.exe
2008-05-05 10:16:36 14592 --a------ C:\WINDOWS\mspphe.dll
2008-05-05 10:16:36 20480 --a------ C:\WINDOWS\bjam.dll
2008-05-05 10:16:36 20480 --a------ C:\WINDOWS\2020search2.dll
2008-05-05 10:16:36 20992 --a------ C:\WINDOWS\2020search.dll
2008-05-05 10:16:32 11008 --a------ C:\WINDOWS\saiemod.dll
2008-05-05 10:16:31 22272 --a------ C:\WINDOWS\msapasrc.dll
2008-05-05 10:16:31 29440 --a------ C:\WINDOWS\msa64chk.dll
2008-05-05 10:16:30 31744 --a------ C:\WINDOWS\shdocpl.dll
2008-05-05 10:16:29 23552 --a------ C:\WINDOWS\shdocpe.dll
2008-05-05 10:16:29 23296 --a------ C:\WINDOWS\ntnut.exe
2008-05-05 10:16:28 22528 --a------ C:\WINDOWS\winsb.dll
2008-05-05 10:16:28 23040 --a------ C:\WINDOWS\browserad.dll
2008-05-05 10:16:28 19200 --a------ C:\WINDOWS\aviwrap32.dll
2008-05-05 10:16:27 19712 --a------ C:\WINDOWS\avisynthex32.dll
2008-05-05 10:16:27 18944 --a------ C:\WINDOWS\avifile32.dll
2008-05-05 10:16:27 29952 --a------ C:\WINDOWS\autodisc32.dll
2008-05-05 10:16:27 30464 --a------ C:\WINDOWS\audiosrv32.dll
2008-05-05 10:16:26 31232 --a------ C:\WINDOWS\ati2dvag32.dll
2008-05-05 10:16:26 13824 --a------ C:\WINDOWS\ati2dvaa32.dll
2008-05-05 10:16:26 32000 --a------ C:\WINDOWS\athprxy32.dll
2008-05-05 10:16:25 25344 --a------ C:\WINDOWS\changeurl_30.dll
2008-05-05 10:16:25 22272 --a------ C:\WINDOWS\asycfilt32.dll
2008-05-05 10:16:25 24576 --a------ C:\WINDOWS\asferror32.dll
2008-05-05 10:16:25 17408 --a------ C:\WINDOWS\apphelp32.dll
2008-05-04 15:30:42 0 d-------- C:\WINDOWS\system32\M?crosoft
2008-05-04 14:36:00 427343 --ahs---- C:\WINDOWS\system32\MSAcLRqr.ini2
2008-05-04 14:35:55 281088 --a------ C:\WINDOWS\system32\rqRLcASM.dll
2008-05-04 14:31:25 0 d-------- C:\Documents and Settings\reinking\Application Data\??pPatch
2008-05-04 14:31:21 37376 --a------ C:\WINDOWS\mrofinu72.exe
2008-05-04 14:31:15 0 d-------- C:\Program Files\Common Files\?dobe
2008-05-04 14:30:50 43520 --a------ C:\WINDOWS\system32\efcBsTMe.dll
2008-05-04 14:30:08 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-05-04 14:30:07 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-05-04 14:30:06 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-05-04 14:30:04 87979 --a------ C:\WINDOWS\system32\wmsdkns.exe <Not Verified; Microsoft; XML Media>
2008-05-04 14:30:04 87979 --a------ C:\WINDOWS\lfn.exe <Not Verified; Microsoft; XML Media>
2008-05-04 14:30:00 20992 --a------ C:\WINDOWS\winself.exe
2008-05-03 10:48:00 270709 --a------ C:\WINDOWS\system32\000060.exe
2008-05-02 13:45:08 229518 --a------ C:\WINDOWS\system32\000090.exe


-- Find3M Report ---------------------------------------------------------------

2008-05-05 13:21:09 0 d-------- C:\Program Files\Symantec AntiVirus
2008-05-05 12:10:04 0 d-------- C:\Documents and Settings\its_admin.AHP-L3-EX359\Application Data\Adobe
2008-05-05 10:41:48 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-04 14:45:05 0 d-------- C:\Program Files\Common Files\?dobe
2008-05-04 14:45:02 0 d-------- C:\Program Files\Common Files
2008-04-06 14:39:43 0 d-------- C:\Program Files\SPSS
2008-04-06 14:39:42 73 --a------ C:\WINDOWS\system32\ssprs.dll
2008-04-06 14:39:42 336 --a------ C:\WINDOWS\system32\lsprst7.dll
2008-03-24 07:48:57 0 d-------- C:\Program Files\Java
2008-03-10 08:42:16 0 d-------- C:\Program Files\Common Files\Adobe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000250-0320-4dd4-be4f-7566d2314352}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13197ace-6851-45c3-a7ff-c281324d5489}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15651c7c-e812-44a2-a9ac-b467a2233e7d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e1075f4-eec4-4a86-add7-cd5f52858c31}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e7bd74f-2b8d-469e-92c6-ce7eb590a94d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5929cd6e-2062-44a4-b2c5-2c7e78fbab38}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5fa6752a-c4a0-4222-88c2-928ae5ab4966}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{622cc208-b014-4fe0-801b-874a5e5e403a}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8674aea0-9d3d-11d9-99dc-00600f9a01f1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{965a592f-8efa-4250-8630-7960230792f1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9c5b2f29-1f46-4639-a6b4-828942301d3e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B08830ED-88CD-4E59-87C9-747944DC24A6}]
05/04/2008 02:35 PM 281088 --a------ C:\WINDOWS\system32\rqRLcASM.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B3102264-D09D-4322-B625-503FBF18DD7E}]
05/04/2008 02:30 PM 43520 --a------ C:\WINDOWS\system32\efcBsTMe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765728274}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fc3a74e5-f281-4f10-ae1e-733078684f3c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ffff0001-0002-101a-a3c9-08002b2f49fb}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NWTRAY"="NWTRAY.EXE" [03/12/2002 09:37 AM C:\WINDOWS\system32\nwtray.exe]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [09/30/2004 01:41 PM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [09/30/2004 01:37 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [12/17/2004 11:44 AM]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [12/17/2002 11:28 AM]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [01/02/2006 04:41 PM]
"masqform.exe"="C:\Program Files\PureEdge\Viewer 6.0\masqform.exe" [12/03/2003 12:43 PM]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [01/12/2006 08:52 PM]
"@"="" []
"iPrint Tray"="C:\WINDOWS\system32\iprntctl.exe" [05/25/2006 02:27 PM]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [02/14/2006 01:17 PM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [02/14/2006 01:16 PM]
"TVT Scheduler Proxy"="C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [03/28/2006 03:01 AM]
"TpShocks"="TpShocks.exe" [11/07/2005 10:14 AM C:\WINDOWS\system32\TpShocks.exe]
"TPKBDLED"="C:\WINDOWS\system32\TpScrLk.exe" [10/08/2002 09:28 PM]
"TP4EX"="tp4ex.exe" [10/17/2005 12:11 AM C:\WINDOWS\system32\TP4EX.exe]
"ACTray"="C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe" [04/17/2006 12:09 PM]
"ACWLIcon"="C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [04/17/2006 11:59 AM]
"PWRMGRTR"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [05/26/2006 12:13 AM]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [05/26/2006 12:13 AM]
"LPManager"="C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe" [07/05/2006 12:11 AM]
"AwaySch"="C:\Program Files\Lenovo\AwayTask\AwaySch.EXE" [06/19/2006 01:06 AM]
"TPHOTKEY"="C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [07/05/2006 04:15 PM]
"PSQLLauncher"="C:\Program Files\ThinkVantage Fingerprint Software\launcher.exe" [04/25/2006 06:03 PM]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [02/24/2006 01:22 AM]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [12/15/2005 03:19 PM]
"iPrint Event Monitor"="C:\WINDOWS\system32\iprntlgn.exe" [05/25/2006 02:27 PM]
"ZENRC Tray Icon"="C:\WINDOWS\system32\zentray.exe" [05/18/2005 05:04 PM]
"Novell Application Explorer"="C:\Program Files\Novell\ZENworks\NalView.exe" [06/13/2006 07:51 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [07/19/2006 07:26 PM]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [09/27/2006 08:33 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"0445431a"="C:\WINDOWS\system32\iqnsrgmc.dll" [05/05/2008 11:27 AM]
"BM07767086"="C:\WINDOWS\system32\mdsnadju.dll" [05/05/2008 11:18 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [8/17/2006 9:07:21 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"=1 (0x1)
"DisableCAD"=0 (0x0)
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{763370C4-268E-4308-A60C-D8DA0342BE32}"= C:\Program Files\Novell\ZENworks\NalShell.dll [06/28/2006 02:00 PM 446464]
"{B3102264-D09D-4322-B625-503FBF18DD7E}"= C:\WINDOWS\system32\efcBsTMe.dll [05/04/2008 02:30 PM 43520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"="ziswin.exe"
"Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
ACNotify.dll 04/17/2006 12:01 PM 32768 C:\Program Files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AwayNotify]
C:\Program Files\Lenovo\AwayTask\AwayNotify.dll 06/19/2006 01:06 AM 49152 C:\Program Files\Lenovo\AwayTask\AwayNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcBsTMe]
efcBsTMe.dll 05/04/2008 02:30 PM 43520 C:\WINDOWS\system32\efcBsTMe.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NetIdentity Notification]
C:\WINDOWS\system32\Novell\XtNotify.dll 05/02/2006 09:17 AM 24576 C:\WINDOWS\system32\novell\xtnotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
psqlpwd.dll 04/25/2006 06:20 PM 40448 C:\WINDOWS\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
notifyf2.dll 07/05/2005 10:45 PM 28672 C:\WINDOWS\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
tphklock.dll 11/30/2005 07:16 PM 24576 C:\WINDOWS\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwv1_0 C:\WINDOWS\system32\rqRLcASM
"Notification Packages"= scecli psqlpwd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2008-05-05 13:37:06 ------------

AND

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Genuine Intel® CPU T2500 @ 2.00GHz
Percentage of Memory in Use: 57%
Physical Memory (total/avail): 1022.42 MiB / 436.44 MiB
Pagefile Memory (total/avail): 2459.73 MiB / 1933.43 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1930.45 MiB

C: is Fixed (NTFS) - 37.27 GiB total, 26.52 GiB free.
D: is CDROM (CDFS)
E: is Removable (FAT)

\\.\PHYSICALDRIVE0 - FUJITSU MHV2080BH - 74.53 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 37.27 GiB - C:

\\.\PHYSICALDRIVE1 - SanDisk Cruzer Micro USB Device - 243.17 MiB - 1 partition
\PARTITION0 (bootable) - MS-DOS V4 Huge - 251 MiB - E:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is disabled.

AntiVirusDisableNotify is set.
FirewallDisableNotify is set.
UpdatesDisableNotify is set.
AntivirusOverride is set.

AV: Symantec AntiVirus Corporate Edition v10.1.5.5000 (Symantec Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\reinking\\Application Data\\U3\\0000060409033449\\0DE4F643-C398-46ec-9339-2362F2311932\\Exec\\Skype.exe"="C:\\Documents and Settings\\reinking\\Application Data\\U3\\0000060409033449\\0DE4F643-C398-46ec-9339-2362F2311932\\Exec\\Skype.exe:*:Enabled:Skype"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\its_admin.AHP-L3-EX359\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=AHP-L3-EX359
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\
LOGONSERVER=\\AHP-L3-EX359
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\system32\nls;C:\WINDOWS\system32\nls\ENGLISH;C:\Program Files\Common Files\Adaptec Shared\System;C:\Program Files\ATI Technologies\ATI.ACE\;C:\Program Files\ThinkPad\ConnectUtilities;C:\Program Files\Intel\Wireless\Bin\;C:\Program Files\Novell\ZENworks\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 14 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0e08
ProgramFiles=C:\Program Files
PROMPT=$P$G
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ITS_AD~1.AHP\LOCALS~1\Temp
TMP=C:\DOCUME~1\ITS_AD~1.AHP\LOCALS~1\Temp
USERDOMAIN=AHP-L3-EX359
USERNAME=its_admin
USERPROFILE=C:\Documents and Settings\its_admin.AHP-L3-EX359
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

(admin)
(new local)
(new local, admin)
(admin)
(admin)
(new local)
(new local)
zentwo (admin)
(new local, admin)
jgrubb_admin (admin)
reinking (admin)
its_admin.AHP-L3-EX359 (admin)
ahpptwstudy (admin)
salsichg (admin)
its_admin (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat 7.0.9 Professional --> msiexec /I {AC76BA86-1033-0000-7760-100000000002}
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Catalyst Control Center --> MsiExec.exe /I{47A2A6D7-C198-4E57-A383-3D56315C53AD}
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Coffee Cup Zip --> MsiExec.exe /I{2B08EAB6-B8B7-49BF-8059-7AA8991F817F}
Compatibility Pack for the 2007 Office system --> MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
E-Term32-v3 --> MsiExec.exe /X{44CBF1ED-34B9-4C8F-8A01-B453EF26BD98}
Easy CD Creator 5 Basic --> MsiExec.exe /I{609F7AC8-C510-11D4-A788-009027ABA5D0}
EndNote --> C:\PROGRA~1\EndNote\UNWISE.EXE C:\PROGRA~1\EndNote\INSTALL.LOG
Help Center --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{986F64DC-FF15-449D-998F-EE3BCEC6666A}\setup.exe" -l0x9 -AddRemove
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HighMAT Extension to Microsoft Windows XP CD Writing Wizard --> MsiExec.exe /X{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}
ICS Viewer --> MsiExec.exe /I{5DFDB43B-2008-4D8B-A78D-52301C8677A3}
Intel® PRO Network Connections Drivers --> Prounstl.exe
Intel® PROSet/Wireless Software --> C:\WINDOWS\Installer\iProInst.exe
ISI ResearchSoft - Export Helper --> C:\PROGRA~1\COMMON~1\Risxtd\_UNINST.EXE
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Java 2 Runtime Environment, SE v1.4.2_06 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142060}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
LiveUpdate 3.1 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
Macromedia Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
mCore --> MsiExec.exe /I{E81667C6-2856-46D6-ABEA-6A2F42166779}
mDriver --> MsiExec.exe /I{A0F925BF-5C55-44C2-A4E7-5A4C59791C29}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Windows Journal Viewer --> MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA8}
Microsoft XML 4.0 SP 2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D6E92BCC-717B-4B2A-A82E-8368D4B5F45F}\setup.exe" -l0x9
mMHouse --> MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
Mozilla Firefox (1.0) --> C:\WINDOWS\UninstallFirefox.exe /ua "1.0 (en-US)"
Mozilla Thunderbird (1.0) --> C:\WINDOWS\UninstallThunderbird.exe /ua "1.0 (en)"
mPfMgr --> MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
mProSafe --> MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}
mWlsSafe --> MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}
mXML --> MsiExec.exe /I{9CC89556-3578-48DD-8408-04E66EBEF401}
MyODBC --> MsiExec.exe /X{29042B1C-0713-4575-B7CA-5C8E7B0899D4}
Netscape (7.2) --> C:\WINDOWS\NSUninst.exe /ua "7.2 (en)"
Netscape Communicator 4.7 --> C:\WINDOWS\cd32.exe 4.7 (en)
NICI (Shared) U.S./Worldwide (128 bit) (2.7.3-1) --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F02DBC5D-33E3-45E9-B0F8-B7745229ED1C}\Setup.exe" -uninst
NMAS Challenge Response Method --> MsiExec.exe /X{B9A5A789-D491-49FB-958C-BFEC2C11BB1D}
NMAS Client --> MsiExec.exe /I{9B427732-573E-4E78-B6FA-AC3E5A218BA2}
Novell Client for Windows --> %SystemRoot%\system32\rundll32 nwsetup.dll NWUninstallClient
Novell iPrint Client v04.20.00 --> C:\WINDOWS\system32\iprint\setupipp.exe /uninstall
Oracle JInitiator --> MsiExec.exe /I{7A3EF7B1-C15A-4355-BBA1-87640C6906EB}
Oracle JInitiator 1.3.1.9 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Oracle\JInitiator 1.3.1.9\Uninst.isu"
PatchLink Update Agent --> MsiExec.exe /X{576E06AE-5375-4BBD-B0D8-E27DA4DE7E32}
People+Content IP --> MsiExec.exe /I{1955D3BE-EFB2-4B88-BBAA-66B78EF69410}
Primal Pictures Interactive Foot and Ankle 2 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Primal Pictures\Interactive Foot and Ankle 2\Uninst.isu"
Primal Pictures Interactive Hip --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Primal Pictures\Interactive Hip\Uninst.isu"
Primal Pictures Interactive Knee 1.1 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Primal Pictures\Interactive Knee 1.1\Uninst.isu"
Primal Pictures Interactive Shoulder --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Primal Pictures\Interactive Shoulder\Uninst.isu"
Primal Pictures Interactive Spine --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Primal Pictures\Interactive Spine\Uninst.isu"
Productivity Center Supplement for ThinkPad --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D728E945-256D-4477-B377-6BBA693714AC}\setup.exe" -l0x9 -AddRemove
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
RealPlayer G2 --> C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly
Scroll Lock Indicator Utility --> RunDll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\system32\TpScrLk.inf
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
SPSS 13.0 for Windows --> MsiExec.exe /X{DB8CEC42-30B1-4F49-BD06-9393EB81CCF7}
Spybot Search & Destroy --> MsiExec.exe /I{8D6FF424-C49F-457D-9ABC-60FF8F4860F1}
System Update --> MsiExec.exe /X{8675339C-128C-44DD-83BF-0A5D6ABD8297}
ThinkPad EasyEject Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1297C681-92D7-40EF-93BF-03F66EC5105C}\SETUP.EXE" -l0x9 -AddRemove
ThinkPad FullScreen Magnifier --> RunDll32 setupapi.dll,InstallHinfSection DefaultUninstall.NT 132 C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.inf
ThinkPad Power Management Driver --> RunDll32.exe tpinspm.dll,Uninstall
ThinkPad Power Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A0E64EBA-8BF0-49FB-90C0-BB3D781A2016}\SETUP.EXE" -l0x9 -AddRemove
ThinkPad Presentation Director --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\ThinkPad\Utilities\UNNPDR.isu" -c"C:\Program Files\ThinkPad\Utilities\Tpinsnpd.dll"
ThinkPad UltraNav Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
ThinkPad UltraNav Wizard --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{82512BC9-BD5D-4C50-BE4D-B98E7DF78687}\SETUP.EXE" -l0x9 UNINSTALL
ThinkVantage Access Connections --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7EB114D8-207F-45AE-BABD-1669715F2630}\setup.exe" -l0x9 anything
ThinkVantage Active Protection System --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{72806716-7088-41B2-8FA6-717A2A164DAB}\setup.exe" -l0x9 anything
ThinkVantage Away Manager --> Rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\AWAYTASK.INF
ThinkVantage Productivity Center --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CF5737AF-8550-4546-A69B-0EA9EF5A9B55}\setup.exe" -l0x9 -AddRemove
TrackPoint Accessibility Features --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EA664480-3844-11D5-8C25-444553540000}\SETUP.EXE"
Update Agent --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F060A75A-9D6E-46F5-A9E6-7B513F4F44FB}\setup.exe" -l0x9
ZENworks Desktop Management Agent --> MsiExec.exe /I{7878B1D4-B2CB-4EA8-9A0A-7E0575D23B96}


-- Application Event Log -------------------------------------------------------

Event Record #/Type54505 / Error
Event Submitted/Written: 05/05/2008 01:29:53 PM
Event ID/Source: 1085 / Userenv
Event Description:
The Group Policy client-side extension Scripts failed to execute. Please look for any errors reported earlier by that extension.

Event Record #/Type54500 / Error
Event Submitted/Written: 05/05/2008 01:20:52 PM
Event ID/Source: 1085 / Userenv
Event Description:
The Group Policy client-side extension Microsoft Disk Quota failed to execute. Please look for any errors reported earlier by that extension.

Event Record #/Type54490 / Error
Event Submitted/Written: 05/05/2008 00:43:31 PM
Event ID/Source: 1085 / Userenv
Event Description:
The Group Policy client-side extension Scripts failed to execute. Please look for any errors reported earlier by that extension.

Event Record #/Type54487 / Error
Event Submitted/Written: 05/05/2008 00:42:45 PM
Event ID/Source: 1085 / Userenv
Event Description:
The Group Policy client-side extension Scripts failed to execute. Please look for any errors reported earlier by that extension.

Event Record #/Type54485 / Error
Event Submitted/Written: 05/05/2008 00:42:09 PM
Event ID/Source: 1085 / Userenv
Event Description:
The Group Policy client-side extension Scripts failed to execute. Please look for any errors reported earlier by that extension.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type45911 / Error
Event Submitted/Written: 05/05/2008 01:32:06 PM
Event ID/Source: 111 / Removable Storage Service
Event Description:
RSM could not load media in drive Drive 0 of library SanDisk Cruzer Micro USB Device.

Event Record #/Type45891 / Error
Event Submitted/Written: 05/05/2008 01:20:51 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Parallel port driver service failed to start due to the following error:
%%1058

Event Record #/Type45886 / Error
Event Submitted/Written: 05/05/2008 01:08:50 PM
Event ID/Source: 32003 / ipnathlp
Event Description:
The Network Address Translator (NAT) was unable to request an operation
of the kernel-mode translation module.
This may indicate misconfiguration, insufficient resources, or
an internal error.
The data is the error code.

Event Record #/Type45884 / Warning
Event Submitted/Written: 05/05/2008 01:08:46 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 001302997216. The following
error occurred:
%%1223.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type45877 / Warning
Event Submitted/Written: 05/05/2008 01:07:03 PM
Event ID/Source: 27 / e1express
Event Description:
Intel® PRO/1000 PL Network Connection
Link has been disconnected.



-- End of Deckard's System Scanner: finished at 2008-05-05 13:37:06 ------------
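The DSS log above already contains the evidence for every symptom in the first post: DisableTaskMgr=1 in both the HKLM and HKCU policies\system keys (the greyed-out Task Manager), an extra executable appended to Winlogon\Userinit, a full path with no extension appended to the LSA "Authentication Packages" list (a DLL that LSASS will load at boot), and Run values with machine-generated names that point at DLLs created the day of the scan. The following script is an added example, not part of the thread and not a DSS feature: it parses a constructed excerpt written in the DSS "Reg Loading Points" format, modelled on the log above, and reports which entries need action and which only need to be verified against the software installed on the box (Novell's nwv1_0 and ZENworks' ziswin.exe are legitimate here, which is why they are reported as "verify" rather than "alert"). The allow-lists, the name patterns and the severity scheme are the example's own assumptions; this is a triage aid for reading a log, not a removal tool.

```python
"""Triage the 'Reg Loading Points' section of a Deckard's System Scanner (DSS)
log for the policy tampering and persistence seen in the thread above.
Added example: not part of the forum thread and not part of DSS itself."""
import re
from dataclasses import dataclass

# Constructed excerpt in DSS format, modelled on the log posted above.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [09/30/2004 01:41 PM]
"0445431a"="C:\WINDOWS\system32\iqnsrgmc.dll" [05/05/2008 11:27 AM]
"BM07767086"="C:\WINDOWS\system32\mdsnadju.dll" [05/05/2008 11:18 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=0 (0x0)
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"="ziswin.exe"
"Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwv1_0 C:\WINDOWS\system32\rqRLcASM
"Notification Packages"= scecli psqlpwd
'''

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
# Assumed patterns for machine-generated Run value names (0445431a, BM07767086).
RANDOM_NAME_RE = re.compile(r'^(?:[0-9a-f]{8}|BM\d{8})$')
# The only Userinit entry Windows XP installs by default (assumption: no custom shell).
USERINIT_OK = re.compile(r'^(?:c:\\windows|%systemroot%)\\system32\\userinit\.exe$')


@dataclass
class Finding:
    severity: str   # "alert" = act on it, "verify" = confirm against installed software
    key: str
    name: str
    reason: str


def parse(log_text):
    """Yield (key, name, value) triples from DSS-style registry dump lines."""
    key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group('key')
            continue
        m = VALUE_RE.match(line)
        if m and key:
            yield key, m.group('name'), m.group('value').strip()


def _quoted(value):
    """Return the text inside a leading "..." (DSS prints paths quoted, then a date)."""
    m = re.match(r'^"([^"]*)"', value)
    return m.group(1) if m else value


def triage(log_text):
    findings = []
    for key, name, value in parse(log_text):
        k = key.lower()
        if k.endswith(r'\policies\system') and name == 'DisableTaskMgr':
            if value.split(None, 1)[0] == '1':
                hive = key.split('\\', 1)[0]
                findings.append(Finding('alert', key, name,
                    f'Task Manager disabled by policy in {hive}; after cleanup remove it with: '
                    f'reg delete "{key}" /v DisableTaskMgr /f'))
        elif k.endswith(r'\winlogon') and name == 'Userinit':
            # Every entry in this comma-separated list runs at each interactive logon.
            for entry in filter(None, (e.strip() for e in _quoted(value).split(','))):
                if not USERINIT_OK.match(entry.lower()):
                    findings.append(Finding('alert', key, name,
                        f'extra Userinit entry runs at every logon: {entry}'))
        elif k.endswith(r'\winlogon') and name == 'System':
            if _quoted(value):
                findings.append(Finding('verify', key, name,
                    f'Winlogon System value is non-empty ({_quoted(value)}); the default is empty'))
        elif k.endswith(r'\control\lsa') and name == 'Authentication Packages':
            for pkg in value.split():
                if pkg.lower() == 'msv1_0':
                    continue   # the built-in NTLM package
                if '\\' in pkg:
                    # Packages are bare DLL names in system32; a full path with no
                    # extension is the pattern in the log above and loads into LSASS.
                    findings.append(Finding('alert', key, name,
                        f'non-standard authentication package loaded by LSASS: {pkg}'))
                else:
                    findings.append(Finding('verify', key, name,
                        f'third-party authentication package: {pkg}'))
        elif k.endswith(r'\currentversion\run'):
            target = _quoted(value)
            if target.lower().endswith('.dll'):
                findings.append(Finding('alert', key, name,
                    f'Run value points at a DLL rather than an executable: {target}'))
            elif RANDOM_NAME_RE.match(name):
                findings.append(Finding('verify', key, name,
                    f'machine-generated value name for: {target}'))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'[{f.severity:6}] {f.key}\n         {f.name}: {f.reason}')
```

Run it against a real DSS log by passing the file contents to triage() instead of SAMPLE_LOG. The "verify" entries are the important caveat: on a managed Novell/ZENworks laptop like this one, nwv1_0, ziswin.exe and the Novell Winlogon notify DLLs are expected, and deleting them on the strength of a pattern match would break the corporate login rather than remove malware.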


#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:05:47 PM

Posted 10 May 2008 - 09:25 PM

Hello lolwtfinternet,

I am SifuMike and I will be helping you. :thumbsup:

We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.


You need to disable your Symantec/Norton Antivirus before running ComboFix, as it will prevent it from running.

To disable Norton Antivirus:
Please navigate to the system tray on the bottom right hand corner and look for the Norton AntiVirus icon.
  • right-click it -> choose "Disable Auto-Protect."
  • select a duration of 5 hours (this assures no interference with the cleanup of your pc)
  • click "Ok."
  • a popup will warn that protection will now be disabled and the icon will change.
You successfully disabled the Norton Antivirus Guard.




Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.

When following the instructions please install the Windows XP Recovery Console if you are using XP. <== IMPORTANT It is a simple procedure that will only take a few moments of your time.


You DO NOT need to have the Windows CD to install Recovery Console!

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.


We need Recovery Console because malware does a lot of damage and causes an unstable system - and because of that, it may happen that your computer won't be able to boot anymore. With the Recovery Console installed, there are extra options present to repair whatever malware damaged.
Also, even though you're not infected, the presence of the Recovery Console is a useful feature in case a computer won't boot anymore because of several other reasons. Read here what you can do with the Recovery Console.

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
Don't select to run the Recovery Console as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

A caution -
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Disconnect from the Internet.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post the ComboFix log.

Edited by SifuMike, 10 May 2008 - 09:26 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 lolwtfinternet

lolwtfinternet
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:07:47 PM

Posted 14 May 2008 - 11:55 AM

Hello again, sorry for the delay and thank you for your response.
I did everything exactly as the tutorial instructed, everything went smoothly, however for some reason it didn't install the windows restore point (it said it would install automatically by dragging it over combofix icon). Anyway, I'm glad I didn't have to use it.

It seems all of the spyware is gone now, the only thing that is messed up now is the faded out task manager button in ctrl+alt+delete. Do you know how I can get this working again? Here is the Combofix log:

ComboFix 08-05-12.1 - its_admin 2008-05-14 11:24:56.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.529 [GMT -5:00]
Running from: C:\Documents and Settings\its_admin\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\lachh\Application Data\ASKS~1
C:\Documents and Settings\lachh\Application Data\DOBE~1
C:\Documents and Settings\lachh\Application Data\SKS~1
C:\Documents and Settings\lachh\My Documents\CURITY~1
C:\Documents and Settings\lachh\My Documents\DOBE~1
C:\Documents and Settings\lachh\My Documents\DOBE~1\mmc.exe
C:\Documents and Settings\lachh\My Documents\ECURIT~1
C:\Documents and Settings\lachh\My Documents\SMBOLS~1
C:\Program Files\Common Files\{04454~1
C:\Program Files\Common Files\{34454~1
C:\Program Files\Common Files\fnts~1
C:\Program Files\Common Files\smbols~1
C:\Program Files\curity~1
C:\Program Files\ssembl~1
C:\Program Files\sstem3~1
C:\WINDOWS\123messenger.per
C:\WINDOWS\2020search.dll
C:\WINDOWS\2020search2.dll
C:\WINDOWS\apphelp32.dll
C:\WINDOWS\asferror32.dll
C:\WINDOWS\asycfilt32.dll
C:\WINDOWS\athprxy32.dll
C:\WINDOWS\ati2dvaa32.dll
C:\WINDOWS\ati2dvag32.dll
C:\WINDOWS\audiosrv32.dll
C:\WINDOWS\autodisc32.dll
C:\WINDOWS\avifile32.dll
C:\WINDOWS\avisynthex32.dll
C:\WINDOWS\aviwrap32.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\browserad.dll
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\changeurl_30.dll
C:\WINDOWS\default.htm
C:\WINDOWS\didduid.ini
C:\WINDOWS\lfn.exe
C:\WINDOWS\licencia.txt
C:\WINDOWS\mainms.vpi
C:\WINDOWS\megavid.cdt
C:\WINDOWS\msa64chk.dll
C:\WINDOWS\msapasrc.dll
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\muotr.so
C:\WINDOWS\ntnut.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\saiemod.dll
C:\WINDOWS\shdocpe.dll
C:\WINDOWS\shdocpl.dll
C:\WINDOWS\stcloader.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\system32\000080.exe
C:\WINDOWS\system32\chmod.exe
C:\WINDOWS\system32\dc.exe
C:\WINDOWS\system32\dd.exe
C:\WINDOWS\system32\ENnpsBeg.ini
C:\WINDOWS\system32\ENnpsBeg.ini2
C:\WINDOWS\system32\gunzip.exe
C:\WINDOWS\system32\head.exe
C:\WINDOWS\system32\install.exe
C:\WINDOWS\system32\kTBJQXyb.ini
C:\WINDOWS\system32\kTBJQXyb.ini2
C:\WINDOWS\system32\ln.exe
C:\WINDOWS\system32\ofkcfpnb.ini
C:\WINDOWS\system32\OooUtBeg.ini
C:\WINDOWS\system32\OooUtBeg.ini2
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pppatc~1
C:\WINDOWS\system32\pppatc~2
C:\WINDOWS\system32\pr.exe
C:\WINDOWS\system32\setup.ini
C:\WINDOWS\system32\sft.res
C:\WINDOWS\system32\tar.exe
C:\WINDOWS\system32\test.exe
C:\WINDOWS\system32\winfrun32.bin
C:\WINDOWS\system32\wintsu.exe
C:\WINDOWS\system32\ymante~1
C:\WINDOWS\telefonos.txt
C:\WINDOWS\textos.txt
C:\WINDOWS\voiceip.dll
C:\WINDOWS\winsb.dll
C:\WINDOWS\wnsxs~1

----- BITS: Possible infected sites -----

hxxp://80.93.48.89
hxxp://jdl.sun.com
.
((((((((((((((((((((((((( Files Created from 2008-04-14 to 2008-05-14 )))))))))))))))))))))))))))))))
.

2008-05-14 11:12 . 2008-05-14 11:12 98,928 --a------ C:\WINDOWS\system32\ntssumad.dll
2008-05-14 11:07 . 2008-05-14 11:07 90,208 --a------ C:\WINDOWS\system32\syevlhns.dll
2008-05-13 17:02 . 2008-05-13 17:02 <DIR> d-------- C:\Documents and Settings\its_admin\Application Data\HP
2008-05-13 16:24 . 2008-05-13 16:24 90,304 --a------ C:\WINDOWS\system32\gwqvgbdf.dll
2008-05-13 16:23 . 2008-05-13 16:23 314,480 --a------ C:\WINDOWS\system32\geBtUooO.dll
2008-05-12 02:50 . 2008-05-14 11:04 109,816 --a------ C:\WINDOWS\BM07767086.xml
2008-05-11 14:47 . 2008-05-11 14:47 316,464 --a------ C:\WINDOWS\system32\geBspnNE.dll
2008-05-11 11:11 . 2008-05-11 11:11 316,464 --a------ C:\WINDOWS\system32\byXQJBTk.dll
2008-05-11 11:06 . 2008-05-11 11:06 <DIR> d-------- C:\WINDOWS\system32\dFrnx06
2008-05-11 11:06 . 2008-05-11 11:06 <DIR> d-------- C:\temp\tmpvc14
2008-05-11 11:06 . 2008-05-11 11:06 578 --a------ C:\WINDOWS\index.html

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-14 16:31 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-05-11 03:27 --------- d-----w C:\Documents and Settings\lachh\Application Data\AdobeUM
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1A306CEB-F24B-4FD1-8DF6-5A3DF2B4F1CA}]
2008-05-11 14:47 316464 --a------ C:\WINDOWS\system32\geBspnNE.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 10:37 28672 C:\WINDOWS\system32\nwtray.exe]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-29 13:02 94208]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-29 13:02 77824]
"ZENRC Tray Icon"="C:\WINDOWS\system32\zentray.exe" [2004-05-17 12:24 40960]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 14:03 36975]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-29 13:02 114688]
"iPrint Tray"="C:\WINDOWS\system32\iprntctl.exe" [2005-10-24 12:32 40960]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-10 22:05 344064]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 10:11 1388544]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-09-15 14:57 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-09-15 14:57 512000]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-03-22 16:26 180269]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36 256576]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 18:14 53408]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-06-15 02:40 124656]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 19:44 65536]
"masqform.exe"="C:\Program Files\PureEdge\Viewer 6.0\masqform.exe" [2003-12-03 13:43 1052672]
"Novell Application Explorer"="C:\Program Files\Novell\ZENworks\NalView.exe" [2004-06-15 22:03 35840]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-09-24 01:08 49152]

C:\Documents and Settings\lachh\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2007-10-19 21:24:38 225280]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-09-24 01:28:44 282624]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-09-24 02:39:30 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)
"DisableCAD"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{763370C4-268E-4308-A60C-D8DA0342BE32}"= C:\Program Files\Novell\ZENworks\NalShell.dll [2004-06-15 22:03 417792]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebProxy"= {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NetIdentity Notification]
C:\WINDOWS\system32\Novell\XtNotify.dll 2004-10-01 15:32 24576 C:\WINDOWS\system32\novell\xtnotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 nipplpt2;Novell iCapture Lpt Redirector 2;C:\WINDOWS\system32\drivers\nipplpt.sys [2005-10-24 12:27]
R2 BlankScr;HBDevice;C:\WINDOWS\system32\drivers\BlankScr.sys [2004-06-04 22:17]
R2 Remote Management Agent;Novell ZfD Remote Management;C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe [2004-05-20 15:42]
R2 XTAgent;Novell XTier Agent Services;C:\WINDOWS\System32\Novell\XTAgent.exe [2004-10-01 15:32]
R3 Darpan;Darpan;C:\WINDOWS\system32\DRIVERS\Darpan.sys [2004-05-10 13:18]
R3 TcUsb;TC USB Kernel Driver;C:\WINDOWS\system32\Drivers\tcusb.sys [2005-12-08 12:39]
S3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2004-08-03 23:29]
S3 jgameenp;jgameenp;C:\DOCUME~1\lachh\LOCALS~1\Temp\jgameenp.sys []
S3 TPM11;NSC Integrated Trusted Platform Module 1.1;C:\WINDOWS\system32\DRIVERS\nsctpm11.sys [2005-04-21 13:44]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-13 16:38:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-14 11:33:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\xmlparse.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Novell\ZENworks\NALNTSRV.EXE
C:\Program Files\PatchLink\Update Agent\GravitixService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Novell\ZENworks\WM.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\imapi.exe
C:\Program Files\Novell\ZENworks\NalAgent.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
.
**************************************************************************
.
Completion time: 2008-05-14 11:37:41 - machine was rebooted [its_admin]
ComboFix-quarantined-files.txt 2008-05-14 16:36:37

Pre-Run: 62,243,934,208 bytes free
Post-Run: 62,442,262,528 bytes free


#4 lolwtfinternet (Topic Starter)

Posted 14 May 2008 - 12:02 PM

I figured out how to enable the Task Manager in the windows settings. The problem is resolved from my end, thank you guys for your help and guidance.
Honestly though, I love you guys. :thumbsup:

#5 SifuMike (malware expert)

Posted 14 May 2008 - 02:47 PM

Hi lolwtfinternet,

The problem is resolved from my end, thank you guys for your help and guidance.


You are not out of the woods yet! Sorry to give you the bad news, but you are still heavily infected with malware!



ComboFix 08-05-12.1 - its_admin 2008-05-14 11:24:56.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.529 [GMT -5:00]
Running from: C:\Documents and Settings\its_admin\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!



I need you to install Recovery Console before we can proceed. It is our Safety Net.
Follow the directions here
http://www.bleepingcomputer.com/combofix/how-to-use-combofix for installing Recovery Console.

Then post a fresh ComboFix log and we will remove the remaining malware.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#6 lolwtfinternet (Topic Starter)

Posted 14 May 2008 - 04:14 PM

Alright then, I guess I'll stay around a bit longer.
Every time I try to follow the no-CD Recovery tutorial and drag the recovery install file onto the ComboFix icon, it just tries to start ComboFix.
I'll keep looking for that CD in the meantime.

#7 SifuMike (malware expert)

Posted 14 May 2008 - 04:38 PM

I'll keep looking for that CD in the meantime.



You don't need the Windows CD. :thumbsup: Just follow the instructions for "if you don't have the Windows CD" in the tutorial. It only takes a few minutes to install Recovery Console.

Every time I try to follow the no-CD Recovery tutorial and drag the recovery install file onto the ComboFix icon, it just tries to start ComboFix.


That is what it should do. It installs Recovery Console and starts ComboFix. :)

Edited by SifuMike, 14 May 2008 - 04:40 PM.


#8 lolwtfinternet (Topic Starter)

Posted 15 May 2008 - 05:19 PM

ComboFix 08-05-12.1 - lachh 2008-05-15 16:47:41.3 - NTFSx86
Running from: C:\Documents and Settings\lachh\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
.
---- Previous Run -------
.
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\ENnpsBeg.ini
C:\WINDOWS\system32\ENnpsBeg.ini2

.
((((((((((((((((((((((((( Files Created from 2008-04-15 to 2008-05-15 )))))))))))))))))))))))))))))))
.

2008-05-14 16:06 . 2008-05-14 16:06 83,152 --a------ C:\WINDOWS\system32\ookueoxo.dll
2008-05-14 16:06 . 2008-05-15 16:48 474 ---hs---- C:\WINDOWS\system32\oxoeukoo.ini
2008-05-14 16:00 . 2008-05-14 16:00 98,928 --a------ C:\WINDOWS\system32\xjscmshs.dll
2008-05-14 15:55 . 2008-05-14 15:55 90,208 --a------ C:\WINDOWS\system32\qmpynmnx.dll
2008-05-14 11:12 . 2008-05-14 11:12 98,928 --a------ C:\WINDOWS\system32\ntssumad.dll
2008-05-14 11:07 . 2008-05-14 11:07 90,208 --a------ C:\WINDOWS\system32\syevlhns.dll
2008-05-13 17:02 . 2008-05-13 17:02 <DIR> d-------- C:\Documents and Settings\its_admin\Application Data\HP
2008-05-13 16:24 . 2008-05-13 16:24 90,304 --a------ C:\WINDOWS\system32\gwqvgbdf.dll
2008-05-13 16:23 . 2008-05-13 16:23 314,480 --a------ C:\WINDOWS\system32\geBtUooO.dll
2008-05-12 02:50 . 2008-05-14 11:38 109,807 --a------ C:\WINDOWS\BM07767086.xml
2008-05-11 14:47 . 2008-05-11 14:47 316,464 --a------ C:\WINDOWS\system32\geBspnNE.dll
2008-05-11 11:11 . 2008-05-11 11:11 316,464 --a------ C:\WINDOWS\system32\byXQJBTk.dll
2008-05-11 11:06 . 2008-05-11 11:06 <DIR> d-------- C:\WINDOWS\system32\dFrnx06
2008-05-11 11:06 . 2008-05-11 11:06 <DIR> d-------- C:\temp\tmpvc14
2008-05-11 11:06 . 2008-05-11 11:06 578 --a------ C:\WINDOWS\index.html

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-15 21:47 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-05-11 03:27 --------- d-----w C:\Documents and Settings\lachh\Application Data\AdobeUM
2008-03-20 15:57 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
.

((((((((((((((((((((((((((((( snapshot@2008-05-14_11.36.12.37 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-14 16:29:16 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-15 21:44:15 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A77CD61A-1718-4B6E-964D-BF8617E84D9D}]
2008-05-11 14:47 316464 --a------ C:\WINDOWS\system32\geBspnNE.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [ ]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45 313472]
"Xohk"="C:\Program Files\Common Files\F?nts\?ttrib.exe" [ ]
"Mytf"="C:\Program Files\Common Files\s?mbols\?ervices.exe" [ ]
"Tdlixx"="C:\Documents and Settings\lachh\Application Data\?dobe\?hkdsk.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 10:37 28672 C:\WINDOWS\system32\nwtray.exe]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-29 13:02 94208]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-29 13:02 77824]
"ZENRC Tray Icon"="C:\WINDOWS\system32\zentray.exe" [2004-05-17 12:24 40960]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 14:03 36975]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-29 13:02 114688]
"iPrint Tray"="C:\WINDOWS\system32\iprntctl.exe" [2005-10-24 12:32 40960]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-10 22:05 344064]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 10:11 1388544]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-09-15 14:57 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-09-15 14:57 512000]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-03-22 16:26 180269]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36 256576]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 18:14 53408]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-06-15 02:40 124656]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 19:44 65536]
"masqform.exe"="C:\Program Files\PureEdge\Viewer 6.0\masqform.exe" [2003-12-03 13:43 1052672]
"Novell Application Explorer"="C:\Program Files\Novell\ZENworks\NalView.exe" [2004-06-15 22:03 35840]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-09-24 01:08 49152]
"0445431a"="C:\WINDOWS\system32\ookueoxo.dll" [2008-05-14 16:06 83152]
"BM07767086"="C:\WINDOWS\system32\qmpynmnx.dll" [2008-05-14 15:55 90208]

C:\Documents and Settings\lachh\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2007-10-19 21:24:38 225280]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-09-24 01:28:44 282624]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-09-24 02:39:30 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)
"DisableCAD"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{763370C4-268E-4308-A60C-D8DA0342BE32}"= C:\Program Files\Novell\ZENworks\NalShell.dll [2004-06-15 22:03 417792]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebProxy"= {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NetIdentity Notification]
C:\WINDOWS\system32\Novell\XtNotify.dll 2004-10-01 15:32 24576 C:\WINDOWS\system32\novell\xtnotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 nipplpt2;Novell iCapture Lpt Redirector 2;C:\WINDOWS\system32\drivers\nipplpt.sys [2005-10-24 12:27]
R2 BlankScr;HBDevice;C:\WINDOWS\system32\drivers\BlankScr.sys [2004-06-04 22:17]
R2 XTAgent;Novell XTier Agent Services;C:\WINDOWS\System32\Novell\XTAgent.exe [2004-10-01 15:32]
R3 Darpan;Darpan;C:\WINDOWS\system32\DRIVERS\Darpan.sys [2004-05-10 13:18]
R3 TcUsb;TC USB Kernel Driver;C:\WINDOWS\system32\Drivers\tcusb.sys [2005-12-08 12:39]
S3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2004-08-03 23:29]
S3 jgameenp;jgameenp;C:\DOCUME~1\lachh\LOCALS~1\Temp\jgameenp.sys []
S3 TPM11;NSC Integrated Trusted Platform Module 1.1;C:\WINDOWS\system32\DRIVERS\nsctpm11.sys [2005-04-21 13:44]
Start Pending2 Remote Management Agent;Novell ZfD Remote Management;C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe [2004-05-20 15:42]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-13 16:38:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-15 16:50:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\xmlparse.dll
.
Completion time: 2008-05-15 16:51:56
ComboFix-quarantined-files.txt 2008-05-15 21:51:51
ComboFix2.txt 2008-05-14 16:37:42

Pre-Run: 61,385,113,600 bytes free
Post-Run: 61,364,174,848 bytes free

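A defender's triage of the Run-key entries in the log above, added here as an example that is not part of the thread and not ComboFix's own code: it parses the "Reg Loading Points" line format and scores each entry with the heuristics an analyst applies by eye to this log (a "?" standing in for a non-ASCII character inside a system-looking folder or file name, a random 8-letter DLL in system32, a bare hex value name, a file missing at scan time). The sample lines are copied from the log; the weights and threshold are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Run-key lines copied from the second ComboFix log in this thread (constructed sample input).
SAMPLE_LINES = r'''
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [ ]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45 313472]
"Xohk"="C:\Program Files\Common Files\F?nts\?ttrib.exe" [ ]
"Mytf"="C:\Program Files\Common Files\s?mbols\?ervices.exe" [ ]
"Tdlixx"="C:\Documents and Settings\lachh\Application Data\?dobe\?hkdsk.exe" [ ]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-09-15 14:57 512000]
"0445431a"="C:\WINDOWS\system32\ookueoxo.dll" [2008-05-14 16:06 83152]
"BM07767086"="C:\WINDOWS\system32\qmpynmnx.dll" [2008-05-14 15:55 90208]
'''

# ComboFix prints each Run value as  "name"="path" [date time size]  or  "name"="path" [ ]
RUN_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]')
RANDOM_DLL = re.compile(r'^[a-z]{8}\.dll$')   # 8 random lowercase letters, as in the log above
HEX_NAME = re.compile(r'^[0-9a-f]{8}$')       # value name that is just a hex string


@dataclass
class RunEntry:
    name: str
    path: str
    meta: str                      # "date time size" ComboFix recorded; empty when it found no file
    score: int = 0
    reasons: List[str] = field(default_factory=list)


def parse_run_line(line: str) -> Optional[RunEntry]:
    """Return a RunEntry for a ComboFix Run-key line, or None for any other line."""
    m = RUN_LINE.match(line.strip())
    if not m:
        return None
    return RunEntry(m["name"], m["path"], m["meta"].strip())


def score_entry(e: RunEntry) -> RunEntry:
    """Apply the heuristics (weights are assumptions) and record why each fired."""
    folder, _, filename = e.path.rpartition("\\")
    if "?" in e.path:
        e.score += 3
        e.reasons.append("non-ASCII character substituted into a system-looking name (shown as '?')")
    if RANDOM_DLL.match(filename.lower()) and folder.lower().endswith("\\system32"):
        e.score += 2
        e.reasons.append("8-letter random-looking DLL in system32 started from a Run value")
    if HEX_NAME.match(e.name):
        e.score += 1
        e.reasons.append("value name is a bare hex string")
    if not e.meta:
        # Weak on its own: benign entries (the Google ones above) also show [ ] when the file is gone.
        e.score += 1
        e.reasons.append("file not found at scan time ([ ])")
    return e


def triage(log_text: str, threshold: int = 2) -> List[RunEntry]:
    """Return the Run entries whose combined score reaches the threshold, in log order."""
    flagged = []
    for line in log_text.splitlines():
        e = parse_run_line(line)
        if e and score_entry(e).score >= threshold:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE_LINES):
        print(f"{e.name:12} score={e.score}  {e.path}")
        for r in e.reasons:
            print(f"             - {r}")
```

Run against the sample it reports the three "?" entries plus the two random DLLs and leaves the Google, Adobe and Synaptics entries alone; a real log would be passed in whole, since non-matching lines are ignored.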

#9 SifuMike (malware expert)

Posted 15 May 2008 - 05:49 PM

Hi lolwtfinternet,

I can see from the ComboFix log that you ran it three times. :thumbsup: Please tell me why you did that.
Was there some kind of error? If so, what was it?

You should have only run ComboFix once. Running it more than once will not make your computer better. It is not a tool to be run without supervision.

I need to see the log from the first run of ComboFix, so please post it.
You will find it at C:\ComboFix2.txt 2008-05-14 16:37:4

#10 lolwtfinternet (Topic Starter)

Posted 16 May 2008 - 10:48 AM

Yes, there was some sort of error.
I let ComboFix run for about an hour, and then I had to leave, so I let it run overnight. A day later I checked it and it showed no progress, so I figured it was frozen. A day should have been enough time.

As for the second log, it is nowhere to be found.

#11 SifuMike (malware expert)

Posted 16 May 2008 - 01:36 PM

Hi lolwtfinternet,

Yes, there was some sort of error.
I let ComboFix run for about an hour, and then I had to leave, so I let it run overnight. A day later I checked it and it showed no progress, so I figured it was frozen. A day should have been enough time.


It should not have taken more than 30 minutes to run. Did you see what error ComboFix produced?


Please look again, as I need to see it.

The ComboFix log you posted said it made a log file.

Completion time: 2008-05-15 16:51:56
ComboFix-quarantined-files.txt 2008-05-15 21:51:51
ComboFix2.txt 2008-05-14 16:37:42



Download FileFind.zip and unzip to your desktop.
  • Double-click FindFile.exe
  • In the box labeled "Enter the directory to search" enter the Drive: C:\
  • In the box labeled "Enter the File to Search" enter ComboFix2.txt to search for the file(s).
  • Click "Find" to begin the search.
  • When the search is done, it will list the total number of files found.
  • Double-click on "Export"
  • This will create and save a text file named export.txt in the root of your C:\ directory.
  • Locate export.txt and copy/paste its contents in your next post.

Edited by SifuMike, 16 May 2008 - 01:38 PM.


#12 lolwtfinternet (Topic Starter)

Posted 16 May 2008 - 01:56 PM

For some reason Filefind could not find the file, it found a different ComboFix2.txt that was actually the original ComboFix log. I will talk to one of my colleagues to make sure they did not mess with the laptop at all.

Edited by lolwtfinternet, 16 May 2008 - 02:05 PM.


#13 SifuMike (malware expert)

Posted 16 May 2008 - 02:05 PM

Hi lolwtfinternet,

ComboFix 08-05-12.1 - its_admin 2008-05-14 11:24:56.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.529 [GMT -5:00]
Running from: C:\Documents and Settings\its_admin\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.


You need to install Recovery Console. In case something goes drastically wrong, it is our only safety net.

See the "how to run combofix" tutorial for the way to do it, then post a fresh ComboFix log. : )

#14 lolwtfinternet (Topic Starter)

Posted 16 May 2008 - 02:07 PM

Sorry, I edited the last post because I realized that the log I had on there was identical to the first log, which I accidentally posted thinking it was the second.

#15 SifuMike (malware expert)

Posted 16 May 2008 - 02:13 PM

It was not the same log, it was the correct log (from the first run of ComboFix).

Please put it back where it was. Do not edit your previous posts.

Edited by SifuMike, 16 May 2008 - 02:14 PM.
