
Links in search redirect


  • This topic is locked
6 replies to this topic

#1 JeepJeep

JeepJeep

  • Members
  • 3 posts
  • OFFLINE
  • Local time:02:01 AM

Posted 21 January 2009 - 08:07 AM

I can do a search in Yahoo/Google, but when I click on a link in the search, I get redirected.
It starts out as oofindo.com... then to some random page.

I'm pretty sure it came from Facebook, as I got suckered into clicking a link in an email from an actual friend.

Thanks for the help!


Edited by JeepJeep, 21 January 2009 - 08:10 AM.




#2 JeepJeep

JeepJeep
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:02:01 AM

Posted 21 January 2009 - 08:51 AM

oops... I misread the instructions and thought it said NOT to paste this:


DDS (Ver_09-01-18.01) - NTFSx86
Run by SharpM at 7:03:21.71 on Wed 01/21/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1060 [GMT -6:00]

FW: Trend Micro OfficeScan Enterprise Client Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\System32\svchost.exe -k eapsvcs
svchost.exe
C:\WINDOWS\System32\svchost.exe -k dot3svc
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\webserv\webserv.exe
C:\Program Files\Network ICE\BlackIce\blackd.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\tintinyproxyy\tinyproxy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\OfficeScan NT\pccntmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Novell\ZENworks\NALDESK.EXE
C:\Program Files\Novell\iFolder\trayapp.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\OfficeScan NT\ntrtscan.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\StkSrv2K_.exe
C:\OfficeScan NT\tmlisten.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe
C:\Program Files\Novell\ZENworks\Asset Management\bin\CClient.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\OfficeScan NT\OfcPfwSvc.exe
C:\WINDOWS\TEMP\NG797.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\SharpM\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = https://external.lifefitness.com/OA_HTML/AppsLocalLogin.jsp
uWindow Title = Windows Internet Explorer provided by Yahoo!
mDefault_Page_URL = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
mWinlogon: System=ziswin.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Browser Helper Object: {afd4ad01-58c1-47db-a404-fbe00a6c5486} - c:\program files\common\helper.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [EPSON Stylus CX7400 Series] c:\windows\system32\spool\drivers\w32x86\3\e_faticda.exe /fu "c:\windows\temp\E_SD3.tmp" /EF "HKCU"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [S3TRAY2] S3Tray2.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [TPHOTKEY] c:\progra~1\thinkpad\pkgmgr\hotkey\TPHKMGR.exe
mRun: [TP4EX] tp4ex.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [UC_Start] c:\program files\ibm\updater\\ucstartup.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [QCWLICON] c:\program files\thinkpad\connectutilities\QCWLICON.EXE
mRun: [BMMLREF] c:\program files\thinkpad\utilities\BMMLREF.EXE
mRun: [BMMMONWND] rundll32.exe c:\progra~1\thinkpad\utilit~1\BatInfEx.dll,BMMAutonomicMonitor
mRun: [NWTRAY] NWTRAY.EXE
mRun: [ZENRC Tray Icon] c:\windows\system32\zentray.exe
mRun: [OfficeScanNT Monitor] "c:\officescan nt\pccntmon.exe" -HideWindow
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\applic~1.lnk - c:\program files\novell\zenworks\NALDESK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\novell~1.lnk - c:\program files\novell\ifolder\trayapp.exe
mPolicies-system: CompatibleRUPSecurity = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {3C3171BC-1025-43d1-8D1D-61CF4B38A28F} - c:\novell\messen~1\NMCL32.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {C1994287-422F-47aa-8E5E-6323E210A125} - {4B5F7606-8666-4D5A-9780-DB92A9D8812B} - c:\program files\novell\zenworks\AxNalServer.dll
TCP: {BC1450C4-4C3D-4604-839E-C28D06CBE78D} = 66.174.95.44 69.78.96.14
Handler: ms-its50 - {F8606A00-F5CF-11D1-B6BB-0000F80149F6} - c:\program files\common files\microsoft shared\information retrieval\itss50.dll
Handler: nim - {3D206AE2-3039-413B-B748-3ACC562EC22A} - c:\novell\messenger\nmcg32.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: PCANotify - PCANotify.dll
Notify: QConGina - QConGina.dll
Notify: tphotkey - tphklock.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {b4870b70-f390-11d2-9fb9-f4ed725ea20d} - c:\program files\novell\zenworks\NalExpEx.dll
LSA: Authentication Packages = msv1_0 nwv1_0

============= SERVICES / DRIVERS ===============

R?4 Remote Management Agent;Novell ZfD Remote Management;c:\program files\novell\zenworks\remotemanagement\rmagent\ZenRem32.exe [2003-5-22 135168]
R0 NifFltr;NifFltr;c:\windows\system32\drivers\niffltr.sys [2008-4-4 25300]
R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [2005-8-19 59520]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2005-8-19 11520]
R1 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2003-10-23 16984]
R1 awlegacy;awlegacy;c:\windows\system32\drivers\AWLEGACY.sys [2003-11-17 11165]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.SYS [2005-8-19 2432]
R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [2005-8-19 4608]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [2005-8-19 16384]
R3 Darpan;Darpan;c:\windows\system32\drivers\Darpan.sys [2003-3-18 2773]
R3 PTDCWWAN;PANTECH PC Card WWAN Controller device driver;c:\windows\system32\drivers\PTDCWWAN.sys [2007-9-12 58240]
R4 anftdird;anftdird;c:\windows\system32\anftdird.sys [2009-1-12 8448]
R4 Application Layer Gateway Service (ALG) ;Application Layer Gateway Service (ALG) ;c:\program files\webserv\webserv.exe [2009-1-12 8960]
R4 black;black;c:\windows\system32\drivers\blackdrv.sys [2005-9-7 227285]
R4 BlackICE;BlackICE;c:\program files\network ice\blackice\blackd.exe [2005-9-7 847872]
R4 BlankScr;HBDevice;c:\windows\system32\drivers\blankscr.sys [2003-3-18 4768]
R4 DHCP Client (Dhcp) ;DHCP Client (Dhcp) ;c:\program files\tintinyproxyy\tinyproxy.exe [2008-12-25 8960]
R4 Kblock;Kblock;c:\windows\system32\drivers\kblock.sys [2003-3-18 4043]
R4 Mouslock;Mouslock;c:\windows\system32\drivers\mouslock.sys [2003-3-18 4080]
R4 OfcPfwSvc;OfficeScanNT Personal Firewall;c:\officescan nt\OfcPfwSvc.exe [2005-3-15 229456]
R4 Prometheus Wake-On-LAN Status Agent;Novell ZfD Wake on LAN Status Agent;c:\program files\novell\zenworks\remotemanagement\rmagent\WolSerNT.exe [2003-3-18 49152]
R4 QCONSVC (QCONSVC);QCONSVC (QCONSVC);c:\program files\smss\smss.exe [2009-1-12 121600]
R4 SlingAgentService;SlingAgent Service;c:\program files\sling media\slingagent\SlingAgentService.exe [2008-12-10 88576]
R4 StkSSrv;USB2.0 TVBOX Service;c:\windows\system32\StkSrv2K_.exe [2008-9-25 24576]
R4 TmFilter;Trend Micro Filter;c:\officescan nt\tmxpflt.sys [2005-2-18 183808]
R4 TmPreFilter;Trend Micro PreFilter;c:\officescan nt\tmpreflt.sys [2005-2-18 25088]
R4 TSCensus Collection Client;ZENworks Asset Management - Collection Client;c:\program files\novell\zenworks\asset management\bin\CClientSvc.exe [2006-11-1 49152]
R4 Windows Audio (AudioSrv);Windows Audio (AudioSrv);c:\program files\common files\system\smss.exe [2009-1-16 7424]
R4 WNTHW;WNTHW;c:\windows\system32\drivers\WNTHW.SYS [2008-4-4 9176]
S3 awhost32;pcAnywhere Host Service;c:\program files\symantec\pcanywhere\awhost32.exe [2005-5-20 106496]
S3 nscmnt;Novell Local Security Context Manager;c:\windows\system32\drivers\novell\nscmnt.sys [2002-7-12 17984]
S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [2005-8-19 12288]
S3 RapFile;RapFile;c:\windows\system32\drivers\RapFile.sys [2005-9-7 36676]
S3 RapNet;RapNet;c:\windows\system32\drivers\RapNet.sys [2005-9-7 24344]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [2008-7-31 167808]
S3 StkMini;USB2.0 TVBox;c:\windows\system32\drivers\StkMini.sys [2008-9-25 750303]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2003-8-28 189792]
S3 xauthnt;Novell XTier Authentication Service;c:\windows\system32\drivers\novell\xauthnt.sys [2002-6-17 7728]
S4 Event Log (Eventlog);Event Log (Eventlog);c:\program files\common files\smss\smss.exe [2009-1-15 122112]

=============== Created Last 30 ================

2009-01-20 17:38 <DIR> --d----- c:\program files\Trend Micro
2009-01-16 11:00 990 ----h--- c:\windows\f49f4d98.dat
2009-01-15 10:32 <DIR> --d----- c:\program files\common files\smss
2009-01-14 11:03 1 ----h--- c:\windows\nlmark2.dat
2009-01-13 10:52 1 a------- c:\windows\z45ft7575f44.dat
2009-01-13 10:51 1 ----h--- c:\windows\tgmark2.dat
2009-01-12 14:05 <DIR> --d----- c:\program files\smss
2009-01-12 14:05 29,184 ---shr-- c:\windows\system32\anfapi.dll
2009-01-12 14:05 8,448 ---shr-- c:\windows\system32\anftdird.sys
2009-01-12 14:04 1 a------- c:\windows\t55ft7575f44.dat
2009-01-12 14:04 <DIR> --d----- c:\program files\webserv
2008-12-25 09:06 <DIR> --d----- c:\program files\tintinyproxyy

==================== Find3M ====================

2004-08-04 01:56 73,728 a--sh--- c:\windows\registeredpackages\{dd90d410-1823-43eb-9a16-a2331bf08799}$backup$\system\wmplayer.exe
2008-08-20 13:07 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082020080821\index.dat

============= FINISH: 7:04:04.95 ===============

#3 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:08:01 AM

Posted 21 January 2009 - 09:01 AM

Hi,

This looks like a log from a company-owned computer, or a computer used for work, so in that case there are a few things that need attention first before we proceed with this.

* You must inform your Supervisor immediately.

This because of:
  • Most company machines are connected into a network at some time or other, and your infection may compromise the security of that network.
  • If sensitive material is compromised by an infection, your company could be held liable.
* Your Company must give permission for us to give you assistance.

This because of:
  • We are not here to replace your company's IT Department. If there's an IT Department, then they are responsible for dealing with this.
  • There may be sensitive material on your computer that your company would not want revealed in an open forum.
Also, since this is a computer used at work, the first thing I always advise is to back up important files you don't want to lose, since malware makes a system unstable and it may happen that it suddenly won't boot anymore because of the damage already present.

It looks like you clicked the link via facebook more than once...

Anyway, you're dealing with a new variant of Tinyproxy here.

Do next please...

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#4 JeepJeep

JeepJeep
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:02:01 AM

Posted 21 January 2009 - 09:36 AM

This is my work laptop, but it's not on the network.
My work is on the road, so I do not have an actual office.
I will call my IT later on when they are available.

I thought about just doing a system restore.



ComboFix 09-01-20.05 - SharpM 2009-01-21 8:19:54.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1065 [GMT -6:00]
Running from: c:\documents and settings\SharpM\Desktop\Mikeys\ComboFix.exe
FW: Trend Micro OfficeScan Enterprise Client Firewall *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\program files\Common\helper.dll
c:\program files\Common\helper.sig
c:\program files\tintinyproxyy\tinyproxy.exe
c:\program files\TinyProxy
c:\windows\f49f4daa.dat
c:\windows\fmark2.dat

----- BITS: Possible infected sites -----

hxxp://lffpwus
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_APPLICATION_LAYER_GATEWAY_SERVICE_(ALG)_
-------\Legacy_DHCP_CLIENT_(DHCP)_
-------\Service_Application Layer Gateway Service (ALG)
-------\Service_DHCP Client (Dhcp)


((((((((((((((((((((((((( Files Created from 2008-12-21 to 2009-01-21 )))))))))))))))))))))))))))))))
.

2009-01-20 17:38 . 2009-01-20 17:38 <DIR> d-------- c:\program files\Trend Micro
2009-01-16 11:21 . 2009-01-17 17:37 <DIR> d-------- c:\program files\Windows Live Safety Center
2009-01-16 11:00 . 2009-01-16 11:05 990 ---h----- c:\windows\f49f4d98.dat
2009-01-15 10:32 . 2009-01-15 10:32 <DIR> d-------- c:\program files\Common Files\smss
2009-01-14 11:03 . 2009-01-14 11:03 1 ---h----- c:\windows\nlmark2.dat
2009-01-13 11:35 . 2009-01-13 11:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2009-01-13 10:52 . 2009-01-13 10:52 1 --a------ c:\windows\z45ft7575f44.dat
2009-01-13 10:51 . 2009-01-13 10:51 1 ---h----- c:\windows\tgmark2.dat
2009-01-12 14:05 . 2009-01-12 14:05 <DIR> d-------- c:\program files\smss
2009-01-12 14:05 . 2009-01-12 14:05 29,184 -r-hs---- c:\windows\system32\anfapi.dll
2009-01-12 14:05 . 2009-01-12 14:05 8,448 -r-hs---- c:\windows\system32\anftdird.sys
2009-01-12 14:04 . 2009-01-21 08:18 <DIR> d-------- c:\program files\webserv
2009-01-12 14:04 . 2009-01-12 14:04 1 --a------ c:\windows\t55ft7575f44.dat
2008-12-29 06:49 . 2008-12-29 06:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg7
2008-12-25 09:06 . 2009-01-21 08:21 <DIR> d-------- c:\program files\tintinyproxyy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-21 14:20 --------- d-----w c:\program files\Common
2008-12-12 19:17 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-12 18:47 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-03 12:56 --------- d-----w c:\documents and settings\SharpM\Application Data\webex
2004-08-04 07:56 73,728 --sha-w c:\windows\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmplayer.exe
2008-08-20 19:07 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082020080821\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus CX7400 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATICDA.EXE" [2007-02-15 179200]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-06-16 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-06-16 512000]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2004-02-04 897024]
"TPHOTKEY"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2005-03-03 94208]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2003-12-25 208896]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"UC_Start"="c:\program files\IBM\Updater\\ucstartup.exe" [2004-07-14 36864]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-09-02 127035]
"QCWLICON"="c:\program files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2005-03-18 86016]
"BMMLREF"="c:\program files\ThinkPad\Utilities\BMMLREF.EXE" [2004-07-29 20480]
"BMMMONWND"="c:\progra~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2004-07-29 395776]
"ZENRC Tray Icon"="c:\windows\system32\zentray.exe" [2003-03-18 40960]
"OfficeScanNT Monitor"="c:\officescan nt\pccntmon.exe" [2005-03-15 335872]
"S3TRAY2"="S3Tray2.exe" [2001-10-12 c:\windows\system32\S3Tray2.exe]
"TP4EX"="tp4ex.exe" [2002-09-04 c:\windows\system32\TP4EX.exe]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 c:\windows\system32\nwtray.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Application Explorer.lnk - c:\program files\Novell\ZENworks\NALDESK.EXE [2003-05-30 1015808]
Novell iFolder.lnk - c:\program files\Novell\iFolder\trayapp.exe [2008-04-04 266317]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{B4870B70-F390-11d2-9FB9-F4ED725EA20D}"= "c:\program files\Novell\ZENworks\NalExpEx.dll" [2003-05-05 131072]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2005-05-20 10:51 8704 c:\windows\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
2005-03-18 04:07 262144 c:\windows\system32\QConGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2004-08-12 21:11 24576 c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TpShocks]
--a------ 2004-03-26 19:16 102400 c:\windows\system32\TpShocks.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\IBM\\Updater\\jre\\bin\\java.exe"=
"c:\\Program Files\\IBM\\Updater\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\IBM\\Updater\\ucsmb.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Sling Media\\SlingPlayer\\SlingPlayer.exe"=
"c:\\Program Files\\webserv\\webserv.exe"=
"c:\\Program Files\\smss\\smss.exe"=
"c:\\Program Files\\Common Files\\smss\\smss.exe"=
"c:\\Program Files\\Common Files\\System\\smss.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7461:TCP"= 7461:TCP:ZENWorks Inventory TCP
"7461:UDP"= 7461:UDP:ZENWorks Inventory UDP

R?4 Remote Management Agent;Novell ZfD Remote Management;c:\program files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe [2003-05-22 135168]
R0 NifFltr;NifFltr;c:\windows\system32\drivers\niffltr.sys [2008-04-04 25300]
R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [2005-08-19 59520]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2005-08-19 11520]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.SYS [2005-08-19 2432]
R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [2005-08-19 4608]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [2005-08-19 16384]
R3 Darpan;Darpan;c:\windows\system32\drivers\Darpan.sys [2003-03-18 2773]
R3 PTDCWWAN;PANTECH PC Card WWAN Controller device driver;c:\windows\system32\drivers\PTDCWWAN.sys [2007-09-12 58240]
R4 anftdird;anftdird;c:\windows\system32\anftdird.sys [2009-01-12 8448]
R4 BlackICE;BlackICE;c:\program files\Network ICE\BlackIce\blackd.exe [2005-09-07 847872]
R4 BlankScr;HBDevice;c:\windows\system32\drivers\blankscr.sys [2003-03-18 4768]
R4 Kblock;Kblock;c:\windows\system32\drivers\kblock.sys [2003-03-18 4043]
R4 Mouslock;Mouslock;c:\windows\system32\drivers\mouslock.sys [2003-03-18 4080]
R4 Prometheus Wake-On-LAN Status Agent;Novell ZfD Wake on LAN Status Agent;c:\program files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe [2003-03-18 49152]
R4 QCONSVC (QCONSVC);QCONSVC (QCONSVC);c:\program files\smss\smss.exe [2009-01-12 121600]
R4 SlingAgentService;SlingAgent Service;c:\program files\Sling Media\SlingAgent\SlingAgentService.exe [2008-12-10 88576]
R4 StkSSrv;USB2.0 TVBOX Service;c:\windows\system32\StkSrv2K_.exe [2008-09-25 24576]
R4 TmFilter;Trend Micro Filter;c:\officescan nt\tmxpflt.sys [2005-02-18 183808]
R4 TmPreFilter;Trend Micro PreFilter;c:\officescan nt\tmpreflt.sys [2005-02-18 25088]
R4 TSCensus Collection Client;ZENworks Asset Management - Collection Client;c:\program files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe [2006-11-01 49152]
R4 Windows Audio (AudioSrv);Windows Audio (AudioSrv);c:\program files\Common Files\System\smss.exe [2009-01-16 7424]
R4 WNTHW;WNTHW;c:\windows\system32\drivers\WNTHW.SYS [2008-04-04 9176]
S3 nscmnt;Novell Local Security Context Manager;c:\windows\system32\drivers\Novell\nscmnt.sys [2002-07-12 17984]
S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [2005-08-19 12288]
S3 RapFile;RapFile;c:\windows\system32\drivers\RapFile.sys [2005-09-07 36676]
S3 RapNet;RapNet;c:\windows\system32\drivers\RapNet.sys [2005-09-07 24344]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [2008-07-31 167808]
S3 StkMini;USB2.0 TVBox;c:\windows\system32\drivers\StkMini.sys [2008-09-25 750303]
S3 xauthnt;Novell XTier Authentication Service;c:\windows\system32\drivers\Novell\xauthnt.sys [2002-06-17 7728]
S4 black;black;c:\windows\system32\drivers\blackdrv.sys [2005-09-07 227285]
S4 Event Log (Eventlog);Event Log (Eventlog);c:\program files\Common Files\smss\smss.exe [2009-01-15 122112]
.
Contents of the 'Scheduled Tasks' folder

2005-08-19 c:\windows\Tasks\BMMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2004-07-29 02:37]
.
.
------- Supplementary Scan -------
.
uStart Page = https://external.lifefitness.com/OA_HTML/AppsLocalLogin.jsp
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyServer = http=127.0.0.1:7070
uInternet Settings,ProxyOverride = *.local;<local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: {BC1450C4-4C3D-4604-839E-C28D06CBE78D} = 66.174.95.44 69.78.96.14
Handler: ms-its50 - {F8606A00-F5CF-11D1-B6BB-0000F80149F6} - c:\program files\Common Files\Microsoft Shared\Information Retrieval\itss50.dll
DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18}
DPF: {ed54a7b0-6c1c-11d5-b63d-00c04faedb18}
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-21 08:24:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1252)
c:\windows\system32\NETWIN32.DLL
c:\program files\Novell\ZENworks\ZENPOL32.DLL
c:\program files\Novell\ZENworks\ZenLite.dll
c:\windows\system32\xmlparse.dll
c:\program files\Novell\ZENworks\ZENNW32.DLL
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\tphklock.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Novell\ZENworks\NALNTSRV.EXE
c:\officescan nt\NTRtScan.exe
c:\windows\system32\QCONSVC.EXE
c:\program files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
c:\program files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
c:\windows\system32\snmp.exe
c:\windows\system32\rundll32.exe
c:\officescan nt\TmListen.exe
c:\windows\system32\TpKmpSvc.exe
c:\program files\Novell\ZENworks\Asset Management\bin\cclient.exe
c:\program files\Novell\ZENworks\WM.EXE
c:\windows\system32\CCM\CcmExec.exe
c:\officescan nt\OfcPfwSvc.exe
c:\windows\Temp\AFA20E.EXE
c:\program files\Novell\ZENworks\WMRUNDLL.EXE
c:\windows\system32\msiexec.exe
c:\officescan nt\PccNTUpd.exe
.
**************************************************************************
.
Completion time: 2009-01-21 8:26:55 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-21 14:26:52

Pre-Run: 18,185,420,800 bytes free
Post-Run: 18,201,108,480 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect

228 --- E O F --- 2008-10-24 23:00:46

Edited by JeepJeep, 21 January 2009 - 09:40 AM.


#5 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:08:01 AM

Posted 21 January 2009 - 10:05 AM

Hi,

"This is my work laptop, but it's not on the network."

Ouch! Even though it's not on the network, your data may be compromised and passwords may be known. You're not only dealing with Koobface (a worm that was installed via Facebook), but I also see you are dealing with a backdoor and some other random malware.
So you really have to notify the IT department about this and all passwords should be changed afterwards!!

I also hope that you already have a backup of the files you don't want to lose, because, as I said in my previous post, malware makes a system unstable and it isn't the first time that a computer won't boot anymore, especially during removal.

Anyway..

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quote box below into Notepad:

File::
c:\windows\t55ft7575f44.dat
c:\windows\nlmark2.dat
c:\windows\z45ft7575f44.dat
c:\windows\tgmark2.dat
c:\windows\f49f4d98.dat
Collect::[8]
c:\program files\Common Files\System\smss.exe
c:\Program Files\webserv\webserv.exe
c:\windows\system32\anfapi.dll
c:\windows\system32\anftdird.sys
Folder::
c:\program files\Common Files\smss
c:\program files\Common
c:\program files\tintinyproxyy
c:\program files\smss
Driver::
"Event Log (Eventlog)"
"Windows Audio (AudioSrv)"
anftdird
DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:7070
uInternet Settings,ProxyOverride = *.local;<local>
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\webserv\\webserv.exe"=-
"c:\\Program Files\\smss\\smss.exe"=-
"c:\\Program Files\\Common Files\\smss\\smss.exe"=-
"c:\\Program Files\\Common Files\\System\\smss.exe"=-


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScript being dragged onto ComboFix.exe]

This will start ComboFix again.
Then, please visit this site:
http://www.bleepingcomputer.com/submit-malware.php?channel=8
Where it says: "Browse to the file you want to submit", use the Browse button to navigate to the following file: C:\Qoobox\Quarantine\[8]-Submit_date_time.zip (date_time will be replaced with the date and time when this file was created)
Then click the "Send File" button below in order to upload it.

After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Extra note...
In case you lost internet access after performing the above instructions:

In IE: Tools Menu -> Internet Options -> Connections Tab -> LAN Settings -> uncheck "use a proxy server", or reconfigure the proxy server again in case you had set it previously.
In Firefox: Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection.
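The tells miekiemoes relied on in the two logs above (posts #3 and #5) can be encoded as a small triage pass over DDS/ComboFix-style lines: built-in Windows service names such as "DHCP Client (Dhcp)" and "Windows Audio (AudioSrv)" registered against binaries under Program Files, a core system binary name (smss.exe) living outside system32, a per-user browser proxy pointed at 127.0.0.1 (the tinyproxy redirect), and Security Center notifications switched off. The script below is an added example, not BleepingComputer's code nor part of DDS or ComboFix; the sets of service names and system-only binaries are my own assumptions, and the sample log is constructed to resemble the thread's output rather than copied from any live machine.

```python
import re

# Core Windows binaries that legitimately run only from %SystemRoot%\system32
# (assumed list for this example).
SYSTEM_ONLY_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe",
                        "services.exe", "lsass.exe", "svchost.exe"}

# Display names of built-in Windows services that the thread's malware
# registered under while pointing them at its own binaries (assumed list).
BUILTIN_SERVICE_NAMES = {"dhcp client", "windows audio", "event log",
                         "application layer gateway service"}

# DDS service line: "R4 Name;Display Name;c:\path\file.exe [date size]"
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\??\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[[^\]]*\]\s*$")
# DDS per-user proxy line: "uInternet Settings,ProxyServer = http=127.0.0.1:7070"
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(?P<value>\S+)")
# Security Center notification switches in a REGEDIT4-style dump.
NOTIFY_RE = re.compile(
    r'^"(?P<key>AntiVirusDisableNotify|UpdatesDisableNotify|'
    r'FirewallDisableNotify)"\s*=\s*dword:0*1\s*$')


def is_system_dir(path: str) -> bool:
    """True when the binary lives under the Windows system directory."""
    p = path.lower().replace("/", "\\")
    return "\\windows\\system32\\" in p or "\\windows\\syswow64\\" in p


def check_service(line: str) -> list[str]:
    """Flag impersonated service names and misplaced system binaries."""
    m = SERVICE_RE.match(line)
    if not m:
        return []
    display = m["display"].strip()
    path = m["path"].strip()
    base = path.lower().rsplit("\\", 1)[-1]
    # Drop the "(Dhcp)" short-name suffix before comparing display names.
    core = re.sub(r"\s*\([^)]*\)\s*$", "", display.lower())
    findings = []
    if core in BUILTIN_SERVICE_NAMES and not is_system_dir(path):
        findings.append(f"service '{display}' impersonates a Windows "
                        f"service but runs {path}")
    if base in SYSTEM_ONLY_BINARIES and not is_system_dir(path):
        findings.append(f"system binary name {base} outside system32: {path}")
    return findings


def check_proxy(line: str) -> list[str]:
    """Flag a per-user proxy that points back at the machine itself."""
    m = PROXY_RE.match(line)
    if not m:
        return []
    findings = []
    for entry in m["value"].split(";"):      # "http=host:port" or "host:port"
        host = entry.split("=", 1)[-1].split(":")[0].lower()
        if host == "localhost" or host.startswith("127."):
            findings.append(f"browser proxy routed through a local process: {entry}")
    return findings


def check_notify(line: str) -> list[str]:
    """Flag Security Center alerts that have been silenced."""
    m = NOTIFY_RE.match(line)
    return [f"Security Center notification disabled: {m['key']}"] if m else []


def triage(lines) -> list[str]:
    """Run every check over the log lines and return all findings in order."""
    findings = []
    for line in lines:
        for check in (check_service, check_proxy, check_notify):
            findings.extend(check(line.rstrip()))
    return findings


# Constructed sample modelled on the thread's DDS/ComboFix output; not a
# copy of any real system's log.
SAMPLE_LOG = r"""
R4 DHCP Client (Dhcp) ;DHCP Client (Dhcp) ;c:\program files\tintinyproxyy\tinyproxy.exe [2008-12-25 8960]
R4 Windows Audio (AudioSrv);Windows Audio (AudioSrv);c:\program files\common files\system\smss.exe [2009-01-16 7424]
R4 OfcPfwSvc;OfficeScanNT Personal Firewall;c:\officescan nt\OfcPfwSvc.exe [2005-3-15 229456]
R0 NifFltr;NifFltr;c:\windows\system32\drivers\niffltr.sys [2008-4-4 25300]
uInternet Settings,ProxyServer = http=127.0.0.1:7070
uInternet Settings,ProxyOverride = *.local;<local>
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000000
""".strip().splitlines()

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("!!", finding)
```

Run against the constructed sample it reports five findings: the two impersonated services, smss.exe under Common Files, the loopback proxy, and the silenced antivirus notification, while the legitimate OfficeScan and NifFltr entries pass. The display-name check deliberately ignores the service's internal name, because the malware here copied both fields from the real service; only the binary path gives it away.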

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:08:01 AM

Posted 26 January 2009 - 06:44 AM

Hi,

Still with us?

#7 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:08:01 AM

Posted 30 January 2009 - 05:11 AM

Due to the lack of feedback, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



