
system32\%tp% Issue


  • This topic is locked
12 replies to this topic

#1 Trents

Trents

  • Members
  • 10 posts
  • OFFLINE
  • Local time:03:03 PM

Posted 27 January 2009 - 08:49 AM

Hi there,

I've been forwarded here after posting in the wrong forum. That thread can be found HERE.

Mod. edit: Did not post in the wrong forum. Was referred here from Am I Infected as the infection was too difficult to handle in that forum. ~ OB

I've got a folder in C:\WINDOWS\System32 called %tp%

The contents seem to be a duplicate of the My Docs folder. I tried deleting it but by the next login it had recreated itself.

Is there any easy way to delete this file for good? It's taking up a big chunk of disk space.

I have attached the required file and here is the DDS log:

DDS (Ver_09-01-19.01) - NTFSx86
Run by uk001375 at 12:20:16.49 on 27/01/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1015.343 [GMT 0:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)
FW: Symantec Client Firewall *enabled*

============== Running Processes ===============

C:\Program Files\lotus\notes\nslsvice.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SafeBoot\SbClientManager.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
c:\Program Files\iPass\iPassConnect Global_Client\iPassPeriodicUpdateService.exe
c:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\LANDesk\LDClient\collector.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\LANDesk\LDClient\softmon.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Citrix\PNAgent\ssonsvr.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\srccode\UPRUService\UPRUService.exe
c:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\Program Files\iPass\iPassConnect Global_Client\iPassPeriodicUpdateApp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\SafeBoot Tray Manager\SbTrayManager.exe
C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adjust Screen Saver Settings\AdjustScreenSaverSettings.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Info Tool.exe
C:\Program Files\3M\PSNotes2\Psn.exe
C:\Program Files\Citrix\PNAgent\pnagent.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\PROGRA~1\3M\PSNotes2\PSNGive.exe
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Lotus\Notes\NLNOTES.EXE
C:\Program Files\Lotus\Notes\ntaskldr.EXE
C:\WINDOWS\system32\igfxsrvc.exe
E:\Programs\HijackThis\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://3msource.mmm.com/wps/myportal/
uWindow Title = Microsoft Internet Explorer provided by 3M/IE 6.0
uInternet Settings,ProxyOverride =
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_10\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [PTHOSTTR] c:\program files\hpq\hp protecttools security manager\PTHOSTTR.EXE /Start
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [WatchDog] c:\program files\intervideo\dvd check\DVDCheck.exe
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\symant~2\VPTray.exe
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: []
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.5.0_10\bin\jusched.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [WinMessengerRemSysTray] "wscript.exe" /NOLOGO /B "c:\windows\WinMessengerRemSysTray.vbs" REMOVE
mRun: [SafeBootTrayManager] "c:\program files\safeboot tray manager\SbTrayManager.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SDClientMonitor] "c:\program files\landesk\ldclient\webportal\sdclientmonitor.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adjust~1.lnk - c:\program files\adjust screen saver settings\AdjustScreenSaverSettings.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-100000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dvdche~1.lnk - c:\program files\intervideo\dvd check\DVDCheck.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Info Tool.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nmregfix.lnk - c:\NMRegfix.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\post-i~1.lnk - c:\program files\3m\psnotes2\Psn.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\progra~1.lnk - c:\program files\citrix\pnagent\pnagent.exe
uPolicies-explorer: NoWindowsUpdate = 0 (0x0)
uPolicies-system: SetVisualStyle =
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\srccode\wins\o2k3\files\pfiles\msoffice\office11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a}
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_10\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {0C528348-18DC-4ECE-819B-624E226028DA} - hxxp://wsso.mmm.com/Frontier_program_launcher.CAB
DPF: {0F53CD12-B88F-43E0-99E7-1E2DE701C462} - hxxp://wsso.mmm.com/clientCheck.CAB
DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - hxxp://euspcitrixweb2.mmm.com/Citrix/ICAWEB/en/ica32/PNSetup.exe
DPF: {6E1BAAF6-ECB9-4505-86C1-5D04467B02CC} - hxxp://euqlikview.euro.mmm.com/QvPlugin/QvPluginSetup.exe
DPF: {74DC8438-E36A-40A0-B750-4E2257FA2E41} - hxxp://euqlikview3.euro.mmm.com/QvPlugin/QvPluginSetup.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_01-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} - hxxp://uk-mail-04.mmm.com/dwa7W.cab
Handler: qvp - {4BA78E3D-CA25-4BFF-B8F0-8A3359E4B520} - c:\progra~1\qlikview\qvprot~1\Qvp.dll
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
LSA: Notification Packages = SbNp scecli

============= SERVICES / DRIVERS ===============

R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [2007-10-1 101615]
R0 SBAlg;SBAlg;c:\windows\system32\drivers\SbAlg.sys [2007-7-16 44720]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [2007-10-1 11640]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\RsvLock.sys [2007-10-1 5840]
R1 SAVRT;SAVRT;c:\program files\symantec client security\symantec antivirus\savrt.sys [2005-12-20 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec client security\symantec antivirus\Savrtpel.sys [2005-12-20 54968]
R1 SbFlop;SbFlop;c:\windows\system32\drivers\SbFlop.sys [2007-10-1 34000]
R1 SbPrcCtl;SbPrcCtl;c:\windows\system32\drivers\SbPrcCtl.sys [2007-10-1 14960]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2006-11-9 26137]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-9-3 99376]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2006-8-28 88192]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2005-10-21 36352]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090126.004\naveng.sys [2009-1-26 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090126.004\navex15.sys [2009-1-26 876112]
R4 CBA8;LANDesk® Management Agent;c:\program files\landesk\shared files\residentAgent.exe [2007-1-9 122880]
R4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-12-21 186016]
R4 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\ccProxy.exe [2005-12-21 239264]
R4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-12-21 177824]
R4 SafeBootClientManager;SafeBoot Client Manager;c:\program files\safeboot\SbClientManager.exe [2007-10-1 356352]
R4 Softmon;LANDesk® Software Monitoring Service;c:\program files\landesk\ldclient\SoftMon.exe [2007-10-10 266240]
R4 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec client security\symantec antivirus\Rtvscan.exe [2006-5-27 1764592]
R4 UPRU;Universal Patch Reporting Utility;c:\srccode\upruservice\UPRUService.exe [2008-8-5 564711]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-12-21 83616]
S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2006-11-9 155152]
S3 SavRoam;SAVRoam;c:\program files\symantec client security\symantec antivirus\SavRoam.exe [2006-5-27 169200]

=============== Created Last 30 ================

2009-01-26 17:27 --d----- C:\cleanupstats
2009-01-20 11:30 --d----- c:\docume~1\uk001375\applic~1\Malwarebytes
2009-01-20 11:30 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-20 11:30 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-20 11:30 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-20 11:30 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-14 12:13 --d----- c:\program files\Spybot - Search & Destroy
2009-01-14 12:13 --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-01-13 12:38 --d----- c:\documents and settings\uk001375\HODObjs
2009-01-13 12:38 --d----- c:\documents and settings\uk001375\HODData
2009-01-13 12:36 --d----- c:\documents and settings\uk001375\HODCCV10
2009-01-13 08:26 4,764 a------- c:\windows\system32\CcmFramework.ini
2009-01-13 08:26 621 a------- c:\windows\system32\CcmFramework.h
2009-01-13 08:23 --d----- c:\windows\ms
2009-01-13 08:21 --d----- c:\program files\Windows Imaging
2009-01-13 08:21 -cd-h--- c:\windows\$UninstallRDC$
2009-01-09 08:54 --d----- c:\windows\system32\%tp%

==================== Find3M ====================

2009-01-26 17:13 25,992 a------- c:\windows\system32\pgdfgsvc.exe
2008-12-19 09:23 135,162 a------- c:\windows\hpwins10.dat
2007-09-10 16:16 7,805 a------- c:\program files\INSTALL.LOG
2001-08-14 01:10 131,072 a------- c:\program files\Uninstal.EXE

============= FINISH: 12:20:56.39 ===============

Thanks in advance.

Edited by Orange Blossom, 27 January 2009 - 08:43 PM.
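One way to triage DDS/ComboFix logs like the one above for a folder that comes back at every logon, as an added example that is not part of this thread or of either tool: it parses the "Created Last 30", Run-key and Group Policy "Script" line formats seen on this page and flags created paths whose last component is a literal %name% token (an environment variable that was never expanded, which a script referencing an undefined variable would produce, is one benign cause worth ruling out), Run entries that start a script host, and policy startup/logon scripts. The sample lines are constructed from the formats on this page, and the regexes are my own assumptions about those formats.

```python
"""Triage helper for DDS / ComboFix style logs (added example, not from the thread).

Three things worth pulling out of such a log when a folder reappears at
every logon:
  1. created files/dirs whose last path component is a literal %name% token,
     i.e. an environment variable that was never expanded;
  2. autorun (Run key) entries that launch a script host;
  3. Group Policy startup/logon scripts recorded as "Script"= entries.
"""
import ntpath
import re

# Constructed sample in the line formats used by the logs in this thread.
SAMPLE_LOG = r"""
=============== Created Last 30 ================

2009-01-20 11:30 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-13 08:23 --d----- c:\windows\ms
2009-01-09 08:54 --d----- c:\windows\system32\%tp%
2009-02-06 10:29 . 2009-02-06 10:29 <DIR> d-------- C:\tmpIB

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"WinMessengerRemSysTray"="wscript.exe" [2004-08-04 c:\windows\system32\wscript.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=\\euro.mmm.com\SysVol\euro.mmm.com\scripts\SysMgmt\UPRU\SysMgmt.vbs
"""

# DDS "Created Last 30":  date time [size] attrs path   (format assumed from the log above)
DDS_CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2} (?:[\d,]+ )?[-a-z]+ (?P<path>.+)$",
    re.IGNORECASE)
# ComboFix "Files Created":  date time . date time [<DIR>] [size] attrs path
CF_CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?:<DIR> )?(?:[\d,]+ )?[-a-z]+ (?P<path>.+)$", re.IGNORECASE)
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")           # [HKEY_...] section header
RUN_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<value>[^"]*)"')
SCRIPT_RE = re.compile(r'^"Script"=(?P<path>.+)$')
UNEXPANDED_RE = re.compile(r"^%[^%\\/]+%$")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def is_unexpanded_token(path):
    """True when the final path component is literally %name%.  An undefined
    environment variable is left as-is by cmd.exe at an interactive prompt and
    by ExpandEnvironmentStrings, so a script that references one can create a
    directory with exactly this kind of name."""
    return UNEXPANDED_RE.match(ntpath.basename(path.strip())) is not None


def triage(text):
    """Single pass over the log, tracking the current registry key so that
    Run entries can be told apart from other REGEDIT4 sections."""
    findings = {"unexpanded": [], "script_hosts": [], "policy_scripts": []}
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = DDS_CREATED_RE.match(line) or CF_CREATED_RE.match(line)
        if m:
            path = m.group("path").strip()
            if is_unexpanded_token(path):
                findings["unexpanded"].append((m.group("date"), path))
            continue
        m = SCRIPT_RE.match(line)
        if m:
            findings["policy_scripts"].append((current_key, m.group("path").strip()))
            continue
        m = RUN_RE.match(line)
        if m and current_key and current_key.lower().endswith("\\run"):
            exe = ntpath.basename(m.group("value").strip()).lower()
            if exe in SCRIPT_HOSTS:
                findings["script_hosts"].append(
                    (current_key, m.group("name"), m.group("value")))
    return findings


def format_report(findings):
    """Human-readable summary, one line per finding."""
    lines = []
    for date, path in findings["unexpanded"]:
        lines.append(f"UNEXPANDED-VAR {date} {path}")
    for key, name, value in findings["script_hosts"]:
        lines.append(f"SCRIPT-HOST-AUTORUN [{key}] {name} -> {value}")
    for key, path in findings["policy_scripts"]:
        lines.append(f"POLICY-SCRIPT [{key}] {path}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(triage(SAMPLE_LOG)))
```

Feeding the full DDS and ComboFix logs from this thread through `triage` surfaces the `%tp%` directory, the `wscript.exe` Run entry and the four domain logon/startup scripts as the places to look first for whatever recreates the folder at logon.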


#2 Trents

Trents
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:03:03 PM

Posted 30 January 2009 - 04:04 AM

Didn't see the no bumping rule, please delete this

Edited by Trents, 30 January 2009 - 04:07 AM.


#3 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:08:03 AM

Posted 08 February 2009 - 03:04 PM

Hello, Trents
Welcome to BleepingComputer.com

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)
Please give me some time to look over your computer's log(s).
Please take note of the following:
  • In the meantime, please refrain from making any changes to your computer.
  • Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Finally, please reply using the reply button in the lower left hand corner of your screen.
We Need to Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

If this tool helped you, please consider a donation to its author.

How to run ComboFix:
  • Please download ComboFix from one of the following mirrors, and save it to your desktop.
  • Disable any running Anti-Virus or Anti-Malware programs. This includes Firewalls, Anti-Virus, Spyware Scanners, etc. Any or all of them may interfere with the running of ComboFix.
  • Double click ComboFix on your desktop.
  • Read and accept (Press Yes) to the disclaimer.
  • For Windows XP Systems: Install the Recovery Console:
    • If you are using Windows XP and do not already have the Recovery Console installed, please ensure your internet connection is active (if possible), and press Yes. If for some reason your internet is not working, please press No. If you are not using Windows XP, you will not be prompted.
    • When prompted to accept the EULA, press OK.
    • Accept Microsoft's EULA (Press Yes).
    • When you are told that the RC is installed correctly, please press YES to continue scanning for malware.
  • ComboFix will run. Simply wait for it to finish.
  • When it finishes, ComboFix will produce a log. Please post that log in your next reply here.
NOTE: If ComboFix will not run, please rename it to GlobRemover.exe and try again!

In your next reply, please include the following:
  • ComboFix.txt

BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#4 Trents

Trents
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:03:03 PM

Posted 11 February 2009 - 07:25 AM

Hi Bill,

Thanks for your assistance with this. Please find the log as requested below:



ComboFix 09-02-10.03 - uk001375 2009-02-11 12:09:19.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.460 [GMT 0:00]
Running from: e:\temp\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
FW: Symantec Client Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\program files\INSTALL.LOG
c:\windows\IE4 Error Log.txt

----- BITS: Possible infected sites -----

hxxp://UKATHR05.euro.mmm.com:80
.
((((((((((((((((((((((((( Files Created from 2009-01-11 to 2009-02-11 )))))))))))))))))))))))))))))))
.

2009-02-06 10:29 . 2009-02-06 10:29 <DIR> d-------- C:\tmpIB
2009-02-05 17:24 . 2009-02-05 17:24 <DIR> d-------- C:\cleanupstats
2009-01-20 11:30 . 2009-01-20 11:30 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-20 11:30 . 2009-01-20 11:30 <DIR> d-------- c:\documents and settings\uk001375\Application Data\Malwarebytes
2009-01-20 11:30 . 2009-01-20 11:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-20 11:30 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-20 11:30 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-14 12:13 . 2009-01-20 11:31 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-14 12:13 . 2009-01-20 11:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-13 12:38 . 2009-01-13 12:38 <DIR> d-------- c:\documents and settings\uk001375\HODObjs
2009-01-13 12:38 . 2009-01-13 12:38 <DIR> d-------- c:\documents and settings\uk001375\HODData
2009-01-13 12:36 . 2009-01-13 12:36 <DIR> d-------- c:\documents and settings\uk001375\HODCCV10
2009-01-13 08:26 . 2009-01-13 08:26 4,764 --a------ c:\windows\system32\CcmFramework.ini
2009-01-13 08:26 . 2009-01-13 08:26 621 --a------ c:\windows\system32\CcmFramework.h
2009-01-13 08:23 . 2009-01-13 08:23 <DIR> d-------- c:\windows\ms
2009-01-13 08:21 . 2009-01-13 08:21 <DIR> d--h-c--- c:\windows\$UninstallRDC$
2009-01-13 08:21 . 2009-01-13 08:21 <DIR> d-------- c:\program files\Windows Imaging

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-11 12:16 --------- d-----w c:\documents and settings\All Users\Application Data\vulScan
2009-02-11 12:03 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-16 10:06 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2001-08-14 01:10 131,072 ----a-w c:\program files\Uninstal.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-06-26 1207080]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-06-06 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-06-06 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-06-06 118784]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"PTHOSTTR"="c:\program files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2006-02-14 122880]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-31 761946]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-02 131072]
"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2006-03-31 184320]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2006-02-22 40960]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-08-31 122940]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-12-21 48800]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~2\VPTray.exe" [2006-05-27 85744]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 49263]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 49152]
"SafeBootTrayManager"="c:\program files\SafeBoot Tray Manager\SbTrayManager.exe" [2007-06-12 69632]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-14 385024]
"SDClientMonitor"="c:\program files\LANDesk\LDClient\webportal\sdclientmonitor.exe" [2006-11-01 258048]
"AGRSMMSG"="AGRSMMSG.exe" [2005-12-12 c:\windows\AGRSMMSG.exe]
"WinMessengerRemSysTray"="wscript.exe" [2004-08-04 c:\windows\system32\wscript.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\LocalService\Start Menu\Programs\Startup\
NMRegfix.lnk - C:\NMRegfix.exe [2006-11-09 163034]

c:\documents and settings\NetworkService\Start Menu\Programs\Startup\
NMRegfix.lnk - C:\NMRegfix.exe [2006-11-09 163034]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adjust Screen Saver Settings Utility.lnk - c:\program files\Adjust Screen Saver Settings\AdjustScreenSaverSettings.exe [2004-11-10 106496]
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2007-09-11 25214]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-02-27 581693]
DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2006-08-28 184320]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 210520]
Info Tool.exe [2006-09-19 130560]
NMRegfix.lnk - C:\NMRegfix.exe [2006-11-09 163034]
Post-it© Software Notes.lnk - c:\program files\3M\PSNotes2\Psn.exe [2005-10-12 1228800]
Program Neighborhood Agent.lnk - c:\program files\Citrix\PNAgent\pnagent.exe [2007-09-11 213264]

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ SbNp scecli

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=\\euro.mmm.com\SysVol\euro.mmm.com\scripts\SysMgmt\UPRU\SysMgmt.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\0]
"Script"=\\euro.mmm.com\netlogon\SCCM\install.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1614895754-527237240-1177238915-113624\Scripts\Logon\0\0]
"Script"=\\euro.mmm.com\SYSVOL\euro.mmm.com\scripts\IETrustedZones\EURO-IE-GPO.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1614895754-527237240-1177238915-113624\Scripts\Logon\1\0]
"Script"=\\euro.mmm.com\SysVol\euro.mmm.com\scripts\kb958644\kb958644langcheck.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\3M\\PSNotes2\\PSNGive.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Nortel Networks\\Extranet.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9495:TCP"= 9495:TCP:TivoliEndpoint
"9495:UDP"= 9495:UDP:TivoliEndpoint
"9496:TCP"= 9496:TCP:TivoliEndpointAux
"9496:UDP"= 9496:UDP:TivoliEndpointAux
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [2007-10-01 101615]
R0 SBAlg;SBAlg;c:\windows\system32\drivers\SbAlg.sys [2007-07-16 44720]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [2007-10-01 11640]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\RsvLock.sys [2007-10-01 5840]
R1 SbFlop;SbFlop;c:\windows\system32\drivers\SbFlop.sys [2007-10-01 34000]
R1 SbPrcCtl;SbPrcCtl;c:\windows\system32\drivers\SbPrcCtl.sys [2007-10-01 14960]
R2 CBA8;LANDesk® Management Agent;c:\program files\LANDesk\Shared Files\residentAgent.exe [2007-01-09 122880]
R2 SafeBootClientManager;SafeBoot Client Manager;c:\program files\SafeBoot\SbClientManager.exe [2007-10-01 356352]
R2 Softmon;LANDesk® Software Monitoring Service;c:\program files\LANDesk\LDClient\SoftMon.exe [2007-10-10 266240]
R2 UPRU;Universal Patch Reporting Utility;c:\srccode\UPRUService\UPRUService.exe [2008-08-05 564711]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2006-11-09 26137]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-03 99376]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2006-08-28 88192]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2005-10-21 36352]
S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2006-11-09 155152]
S3 SavRoam;SAVRoam;c:\program files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe [2006-05-27 169200]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5}]
rundll32.exe advpack.dll,LaunchINFSectionEx c:\windows\INF\wmactedp.inf,PerUserStub,,4
.
Contents of the 'Scheduled Tasks' folder

2009-02-10 c:\windows\Tasks\Daily Backup.job
- c:\windows\system32\ntbackup.exe [2004-08-04 12:00]

2009-02-10 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2005-03-31 17:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://3msource.mmm.com/wps/myportal/
uInternet Settings,ProxyOverride = <local>
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\srccode\wins\O2K3\FILES\PFILES\MSOFFICE\OFFICE11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Trusted Zone: mmm.com\cm-place
Trusted Zone: mmm.com\dspa
Trusted Zone: mmm.com\eubraqvsprod1.euro
Trusted Zone: mmm.com\eubraqvsprod2.euro
Trusted Zone: mmm.com\eubraqvsprod3.euro
Trusted Zone: mmm.com\eubraqvsprod4.euro
Trusted Zone: mmm.com\eubraqvstest1.euro
Trusted Zone: mmm.com\eubraqvstest2.euro
Trusted Zone: mmm.com\euqlikview.euro
Trusted Zone: mmm.com\euqlikview2.euro
Trusted Zone: mmm.com\euqlikview3.euro
Trusted Zone: mmm.com\euqlikview4.euro
Trusted Zone: mmm.com\euqlikviewqa.euro
Trusted Zone: mmm.com\euqlikviewqa2.euro
Trusted Zone: mmm.com\qvcfr
Trusted Zone: mmm.com\qvcnwi
Trusted Zone: mmm.com\qvcoposa
Trusted Zone: mmm.com\qvemma
Trusted Zone: mmm.com\qvgps
Trusted Zone: mmm.com\qvsara
Trusted Zone: mmm.com\qvscpa
Trusted Zone: mmm.com\qvwdsr
Trusted Zone: mmm.com\usqlikview1
Trusted Zone: mmm.com\usstpqvsdev1
Trusted Zone: mmm.com\usstpqvsprod1
Trusted Zone: mmm.com\usstpqvsprod2
Trusted Zone: mmm.com\usstpqvsprod3
Trusted Zone: mmm.com\usstpqvsprod4
Trusted Zone: mmm.com\usstpqvsprod5
Trusted Zone: mmm.com\usstpqvsprod6
Trusted Zone: mmm.com\usstpqvsprod7
Trusted Zone: mmm.com\usstpqvsprod9
Trusted Zone: mmm.com\www8.3m.com
Handler: qvp - {4BA78E3D-CA25-4BFF-B8F0-8A3359E4B520} - c:\progra~1\QlikView\QVPROT~1\Qvp.dll
DPF: {0C528348-18DC-4ECE-819B-624E226028DA} - hxxp://wsso.mmm.com/Frontier_program_launcher.CAB
DPF: {0F53CD12-B88F-43E0-99E7-1E2DE701C462} - hxxp://wsso.mmm.com/clientCheck.CAB
DPF: {6E1BAAF6-ECB9-4505-86C1-5D04467B02CC} - hxxp://euqlikview.euro.mmm.com/QvPlugin/QvPluginSetup.exe
DPF: {74DC8438-E36A-40A0-B750-4E2257FA2E41} - hxxp://euqlikview3.euro.mmm.com/QvPlugin/QvPluginSetup.exe
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-11 12:18:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ???x<??????(?@???????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1612)
c:\windows\system32\SbNp.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lotus\Notes\nslsvice.exe
c:\program files\Lotus\Notes\nsl.exe
c:\program files\Common Files\Symantec Shared\ccProxy.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\windows\system32\scardsvr.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\LANDesk\LDClient\LocalSch.EXE
c:\windows\system32\cba\pds.exe
c:\program files\LANDesk\LDClient\tmcsvc.exe
c:\program files\iPass\iPassConnect Global_Client\iPassPeriodicUpdateService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\progra~1\LANDesk\LDClient\collector.exe
c:\program files\Citrix\PNAgent\ssonsvr.exe
c:\program files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\CCM\CcmExec.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\sessmgr.exe
c:\program files\iPass\iPassConnect Global_Client\iPassPeriodicUpdateApp.exe
c:\windows\system32\msiexec.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\Adobe\Acrobat 7.0\Acrobat\Acrobat_sl.exe
c:\documents and settings\All Users\Start Menu\Programs\Startup\Info Tool.exe
c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
c:\progra~1\3M\PSNotes2\PSNGive.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\windows\system32\irftp.exe
.
**************************************************************************
.
Completion time: 2009-02-11 12:22:42 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-11 12:22:36

Pre-Run: 39,018,196,992 bytes free
Post-Run: 39,351,898,112 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect


#5 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:08:03 AM

Posted 11 February 2009 - 05:57 PM

Hello, Trents
No!!! Not the ScotchGuard! Nooooooo! :thumbup2:

We need to re-run ComboFix with some additional directives.
  • Please disable any running anti-virus programs.

    If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:
    folder::
    C:\tmpIB
    C:\cleanupstats
    file::
    c:\program files\Uninstal.EXE
    registry::
    [HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
    "NoAutoUpdate"=-
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • Posted Image
    Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Please copy and paste that report here.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

We need to execute a Batch File
  • Go to Start -> Run, and type "notepad" into the box.
  • Press ok.
  • Copy and paste the following code into notepad:
    del C:\system32\^%tp^% > log.txt
    dir C:\system32\^%* >> log.txt
    nircmd wait 100
    start notepad log.txt
    nircmd wait 100
    del log.txt
    del fix.bat
  • Go to File -> Save
  • To the right of "Save as Type:" in the bottom of the window, change the ComboBox to "All Files"
  • Enter fix.bat into the "File name:" box just above the "Save as Type" box.
  • Double click fix.bat on your desktop.
In your next reply, please include the following:
  • ComboFix.txt

BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#6 Trents

Trents
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:03 PM

Posted 12 February 2009 - 07:35 AM

Hi Bill,

Below is the latest log file. The fix.bat part of your request didn't seem to complete. Looks like you wanted to delete the rogue folder. If that was the case I think you got the file path wrong. Should be C:\windows\system32\^%tp^% rather than C:\system32\^%tp^%. Perhaps you could confirm?




ComboFix 09-02-10.03 - uk001375 2009-02-12 12:00:04.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.436 [GMT 0:00]
Running from: e:\temp\ComboFix.exe
Command switches used :: e:\temp\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)
FW: Symantec Client Firewall *disabled*
* Created a new restore point

FILE ::
c:\program files\Uninstal.EXE
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\cleanupstats
c:\cleanupstats\GBIHUB7300MDK.txt
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\program files\Uninstal.EXE
C:\tmpIB
c:\tmpib\ASD Basic Training English 20081125.pdf

----- BITS: Possible infected sites -----

hxxp://UKATHR05.euro.mmm.com:80
.
((((((((((((((((((((((((( Files Created from 2009-01-12 to 2009-02-12 )))))))))))))))))))))))))))))))
.

2009-02-12 11:57 . 2009-02-12 11:57 <DIR> d-------- C:\32788R22FWJFW
2009-01-20 11:30 . 2009-01-20 11:30 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-20 11:30 . 2009-01-20 11:30 <DIR> d-------- c:\documents and settings\uk001375\Application Data\Malwarebytes
2009-01-20 11:30 . 2009-01-20 11:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-20 11:30 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-20 11:30 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-14 12:13 . 2009-01-20 11:31 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-14 12:13 . 2009-01-20 11:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-13 12:38 . 2009-01-13 12:38 <DIR> d-------- c:\documents and settings\uk001375\HODObjs
2009-01-13 12:38 . 2009-01-13 12:38 <DIR> d-------- c:\documents and settings\uk001375\HODData
2009-01-13 12:36 . 2009-01-13 12:36 <DIR> d-------- c:\documents and settings\uk001375\HODCCV10
2009-01-13 08:26 . 2009-01-13 08:26 4,764 --a------ c:\windows\system32\CcmFramework.ini
2009-01-13 08:26 . 2009-01-13 08:26 621 --a------ c:\windows\system32\CcmFramework.h
2009-01-13 08:23 . 2009-01-13 08:23 <DIR> d-------- c:\windows\ms
2009-01-13 08:21 . 2009-01-13 08:21 <DIR> d--h-c--- c:\windows\$UninstallRDC$
2009-01-13 08:21 . 2009-01-13 08:21 <DIR> d-------- c:\program files\Windows Imaging

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-12 08:11 --------- d-----w c:\documents and settings\All Users\Application Data\vulScan
2009-02-11 12:03 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-05 17:12 25,992 ----a-w c:\windows\system32\pgdfgsvc.exe
2009-01-16 10:06 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
.

((((((((((((((((((((((((((((( SnapShot@2009-02-11_12.21.25.86 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-02-11 11:58:14 70,478 ----a-w c:\windows\system32\%tp%\Application Data\Microsoft\ActiveSync\Profiles\WM_uk001375\repl.dat
+ 2009-02-11 16:29:31 70,478 ----a-w c:\windows\system32\%tp%\Application Data\Microsoft\ActiveSync\Profiles\WM_uk001375\repl.dat
- 2009-02-11 11:26:35 3,181 ---ha-w c:\windows\system32\%tp%\Application Data\Microsoft\Office\Recent\index.dat
+ 2009-02-11 16:28:58 3,069 ---ha-w c:\windows\system32\%tp%\Application Data\Microsoft\Office\Recent\index.dat
- 2009-02-11 12:09:37 180,224 ----a-w c:\windows\system32\%tp%\Cookies\index.dat
+ 2009-02-11 16:28:34 180,224 ----a-w c:\windows\system32\%tp%\Cookies\index.dat
- 2009-02-11 12:12:46 5,505,024 ---ha-w c:\windows\system32\%tp%\NTUSER.DAT
+ 2009-02-11 16:29:41 5,505,024 ---ha-w c:\windows\system32\%tp%\NTUSER.DAT
- 2007-02-06 15:29:26 24,576 ----a-w c:\windows\system32\HPBMIAPI.DLL
+ 2007-02-06 16:29:26 24,576 ----a-w c:\windows\system32\HPBMIAPI.DLL
- 2006-06-06 13:20:20 241,721 ----a-w c:\windows\system32\HPBMINI.DLL
+ 2006-06-06 14:20:20 241,721 ----a-w c:\windows\system32\HPBMINI.DLL
- 2007-02-06 15:29:10 25,600 ----a-w c:\windows\system32\HPBOID.DLL
+ 2007-02-06 16:29:10 25,600 ----a-w c:\windows\system32\HPBOID.DLL
- 2007-02-06 15:29:20 7,680 ----a-w c:\windows\system32\HPBOIDPS.DLL
+ 2007-02-06 16:29:20 7,680 ----a-w c:\windows\system32\HPBOIDPS.DLL
- 2007-02-06 15:29:22 39,424 ----a-w c:\windows\system32\HPBPRO.DLL
+ 2007-02-06 16:29:22 39,424 ----a-w c:\windows\system32\HPBPRO.DLL
- 2007-02-06 15:29:24 7,680 ----a-w c:\windows\system32\HPBPROPS.DLL
+ 2007-02-06 16:29:24 7,680 ----a-w c:\windows\system32\HPBPROPS.DLL
- 2006-09-01 13:29:24 30,208 ----a-w c:\windows\system32\hpzipt12.dll
+ 2006-09-01 14:29:24 30,208 ----a-w c:\windows\system32\hpzipt12.dll
- 2006-09-01 14:18:02 20,480 ----a-w c:\windows\system32\hpzisn12.dll
+ 2006-09-01 15:18:02 20,480 ----a-w c:\windows\system32\hpzisn12.dll
- 2007-02-06 15:29:26 24,576 ----a-w c:\windows\system32\spool\drivers\w32x86\3\HPBMIAPI.DLL
+ 2007-02-06 16:29:26 24,576 ----a-w c:\windows\system32\spool\drivers\w32x86\3\HPBMIAPI.DLL
- 2006-06-06 13:20:20 241,721 ----a-w c:\windows\system32\spool\drivers\w32x86\3\HPBMINI.DLL
+ 2006-06-06 14:20:20 241,721 ----a-w c:\windows\system32\spool\drivers\w32x86\3\HPBMINI.DLL
- 2007-02-06 15:29:10 25,600 ----a-w c:\windows\system32\spool\drivers\w32x86\3\HPBOID.DLL
+ 2007-02-06 16:29:10 25,600 ----a-w c:\windows\system32\spool\drivers\w32x86\3\HPBOID.DLL
- 2007-02-06 15:29:20 7,680 ----a-w c:\windows\system32\spool\drivers\w32x86\3\HPBOIDPS.DLL
+ 2007-02-06 16:29:20 7,680 ----a-w c:\windows\system32\spool\drivers\w32x86\3\HPBOIDPS.DLL
- 2007-02-06 15:29:22 39,424 ----a-w c:\windows\system32\spool\drivers\w32x86\3\HPBPRO.DLL
+ 2007-02-06 16:29:22 39,424 ----a-w c:\windows\system32\spool\drivers\w32x86\3\HPBPRO.DLL
- 2007-02-06 15:29:24 7,680 ----a-w c:\windows\system32\spool\drivers\w32x86\3\HPBPROPS.DLL
+ 2007-02-06 16:29:24 7,680 ----a-w c:\windows\system32\spool\drivers\w32x86\3\HPBPROPS.DLL
- 2004-10-16 04:31:22 61,440 ----a-w c:\windows\system32\spool\drivers\w32x86\3\HPNRA.EXE
+ 2004-10-16 05:31:22 61,440 ----a-w c:\windows\system32\spool\drivers\w32x86\3\HPNRA.EXE
- 2007-03-02 14:46:42 977,920 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpz3c5in.dll
+ 2007-03-02 15:46:42 977,920 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpz3c5in.dll
- 2007-03-02 17:24:14 455,680 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpzev5in.DLL
+ 2007-03-02 18:24:14 455,680 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpzev5in.DLL
- 2006-08-31 18:19:58 49,152 ----a-w c:\windows\system32\spool\drivers\w32x86\3\HPZIDR12.DLL
+ 2006-08-31 19:19:58 49,152 ----a-w c:\windows\system32\spool\drivers\w32x86\3\HPZIDR12.DLL
- 2006-05-11 17:15:42 43,520 ----a-w c:\windows\system32\spool\drivers\w32x86\3\HPZINW12.DLL
+ 2006-05-11 18:15:42 43,520 ----a-w c:\windows\system32\spool\drivers\w32x86\3\HPZINW12.DLL
- 2006-05-11 17:15:50 52,736 ----a-w c:\windows\system32\spool\drivers\w32x86\3\HPZIPM12.DLL
+ 2006-05-11 18:15:50 52,736 ----a-w c:\windows\system32\spool\drivers\w32x86\3\HPZIPM12.DLL
- 2006-08-31 18:34:04 33,792 ----a-w c:\windows\system32\spool\drivers\w32x86\3\HPZIPR12.DLL
+ 2006-08-31 19:34:04 33,792 ----a-w c:\windows\system32\spool\drivers\w32x86\3\HPZIPR12.DLL
- 2006-09-01 13:29:24 30,208 ----a-w c:\windows\system32\spool\drivers\w32x86\3\HPZIPT12.DLL
+ 2006-09-01 14:29:24 30,208 ----a-w c:\windows\system32\spool\drivers\w32x86\3\HPZIPT12.DLL
- 2006-09-01 14:18:02 20,480 ----a-w c:\windows\system32\spool\drivers\w32x86\3\HPZISN12.DLL
+ 2006-09-01 15:18:02 20,480 ----a-w c:\windows\system32\spool\drivers\w32x86\3\HPZISN12.DLL
- 2007-03-02 17:26:42 1,561,088 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpzls5in.DLL
+ 2007-03-02 18:26:42 1,561,088 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpzls5in.DLL
- 2007-03-02 17:24:24 200,192 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpzpe5in.DLL
+ 2007-03-02 18:24:24 200,192 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpzpe5in.DLL
- 2007-03-02 17:30:14 139,264 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpzpi5in.DLL
+ 2007-03-02 18:30:14 139,264 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpzpi5in.DLL
- 2007-03-02 16:32:54 670,208 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpzss5in.DLL
+ 2007-03-02 17:32:54 670,208 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpzss5in.DLL
- 2007-03-02 14:44:34 5,594,624 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpzst5in.DLL
+ 2007-03-02 15:44:34 5,594,624 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpzst5in.DLL
- 2007-03-02 17:24:04 3,323,904 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpzui5in.DLL
+ 2007-03-02 18:24:04 3,323,904 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpzui5in.DLL
- 2007-03-02 14:46:26 3,459,072 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpzur5in.dll
+ 2007-03-02 15:46:26 3,459,072 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpzur5in.dll
+ 2007-03-02 17:30:14 139,264 ----a-w c:\windows\system32\spool\drivers\w32x86\3\Old\1\hpzpi5in.DLL
+ 2007-03-08 21:33:52 372,736 ----a-w c:\windows\system32\spool\drivers\w32x86\3\Old\1\UNIDRV.DLL
+ 2007-03-08 21:33:54 740,864 ----a-w c:\windows\system32\spool\drivers\w32x86\3\Old\1\UNIDRVUI.DLL
- 2007-03-08 21:33:52 372,736 ----a-w c:\windows\system32\spool\drivers\w32x86\3\UNIDRV.DLL
+ 2007-03-09 10:03:52 372,736 ----a-w c:\windows\system32\spool\drivers\w32x86\3\UNIDRV.DLL
- 2007-03-08 21:33:54 740,864 ----a-w c:\windows\system32\spool\drivers\w32x86\3\UNIDRVUI.DLL
+ 2007-03-09 10:03:54 740,864 ----a-w c:\windows\system32\spool\drivers\w32x86\3\UNIDRVUI.DLL
- 2007-03-08 21:33:58 761,344 ----a-w c:\windows\system32\spool\drivers\w32x86\3\UNIRES.DLL
+ 2007-03-09 10:03:58 761,344 ----a-w c:\windows\system32\spool\drivers\w32x86\3\UNIRES.DLL
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-06-26 1207080]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-06-06 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-06-06 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-06-06 118784]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"PTHOSTTR"="c:\program files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2006-02-14 122880]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-31 761946]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-02 131072]
"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2006-03-31 184320]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2006-02-22 40960]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-08-31 122940]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-12-21 48800]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~2\VPTray.exe" [2006-05-27 85744]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 49263]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 49152]
"SafeBootTrayManager"="c:\program files\SafeBoot Tray Manager\SbTrayManager.exe" [2007-06-12 69632]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-14 385024]
"SDClientMonitor"="c:\program files\LANDesk\LDClient\webportal\sdclientmonitor.exe" [2006-11-01 258048]
"AGRSMMSG"="AGRSMMSG.exe" [2005-12-12 c:\windows\AGRSMMSG.exe]
"WinMessengerRemSysTray"="wscript.exe" [2004-08-04 c:\windows\system32\wscript.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\LocalService\Start Menu\Programs\Startup\
NMRegfix.lnk - C:\NMRegfix.exe [2006-11-09 163034]

c:\documents and settings\NetworkService\Start Menu\Programs\Startup\
NMRegfix.lnk - C:\NMRegfix.exe [2006-11-09 163034]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adjust Screen Saver Settings Utility.lnk - c:\program files\Adjust Screen Saver Settings\AdjustScreenSaverSettings.exe [2004-11-10 106496]
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2007-09-11 25214]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-02-27 581693]
DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2006-08-28 184320]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 210520]
Info Tool.exe [2006-09-19 130560]
NMRegfix.lnk - C:\NMRegfix.exe [2006-11-09 163034]
Post-it© Software Notes.lnk - c:\program files\3M\PSNotes2\Psn.exe [2005-10-12 1228800]
Program Neighborhood Agent.lnk - c:\program files\Citrix\PNAgent\pnagent.exe [2007-09-11 213264]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=\\euro.mmm.com\SysVol\euro.mmm.com\scripts\SysMgmt\UPRU\SysMgmt.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\0]
"Script"=\\euro.mmm.com\netlogon\SCCM\install.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1614895754-527237240-1177238915-113624\Scripts\Logon\0\0]
"Script"=\\euro.mmm.com\SYSVOL\euro.mmm.com\scripts\IETrustedZones\EURO-IE-GPO.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1614895754-527237240-1177238915-113624\Scripts\Logon\1\0]
"Script"=\\euro.mmm.com\SysVol\euro.mmm.com\scripts\kb958644\kb958644langcheck.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\3M\\PSNotes2\\PSNGive.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Nortel Networks\\Extranet.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9495:TCP"= 9495:TCP:TivoliEndpoint
"9495:UDP"= 9495:UDP:TivoliEndpoint
"9496:TCP"= 9496:TCP:TivoliEndpointAux
"9496:UDP"= 9496:UDP:TivoliEndpointAux
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [2007-10-01 101615]
R0 SBAlg;SBAlg;c:\windows\system32\drivers\SbAlg.sys [2007-07-16 44720]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [2007-10-01 11640]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\RsvLock.sys [2007-10-01 5840]
R1 SbFlop;SbFlop;c:\windows\system32\drivers\SbFlop.sys [2007-10-01 34000]
R1 SbPrcCtl;SbPrcCtl;c:\windows\system32\drivers\SbPrcCtl.sys [2007-10-01 14960]
R2 CBA8;LANDesk® Management Agent;c:\program files\LANDesk\Shared Files\residentAgent.exe [2007-01-09 122880]
R2 SafeBootClientManager;SafeBoot Client Manager;c:\program files\SafeBoot\SbClientManager.exe [2007-10-01 356352]
R2 Softmon;LANDesk® Software Monitoring Service;c:\program files\LANDesk\LDClient\SoftMon.exe [2007-10-10 266240]
R2 UPRU;Universal Patch Reporting Utility;c:\srccode\UPRUService\UPRUService.exe [2008-08-05 564711]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2006-11-09 26137]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-03 99376]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2006-08-28 88192]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2005-10-21 36352]
S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2006-11-09 155152]
S3 SavRoam;SAVRoam;c:\program files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe [2006-05-27 169200]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5}]
rundll32.exe advpack.dll,LaunchINFSectionEx c:\windows\INF\wmactedp.inf,PerUserStub,,4
.
Contents of the 'Scheduled Tasks' folder

2009-02-11 c:\windows\Tasks\Daily Backup.job
- c:\windows\system32\ntbackup.exe [2004-08-04 12:00]

2009-02-12 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2005-03-31 17:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://3msource.mmm.com/wps/myportal/
uInternet Settings,ProxyOverride = <local>
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\srccode\wins\O2K3\FILES\PFILES\MSOFFICE\OFFICE11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Trusted Zone: mmm.com\cm-place
Trusted Zone: mmm.com\dspa
Trusted Zone: mmm.com\eubraqvsprod1.euro
Trusted Zone: mmm.com\eubraqvsprod2.euro
Trusted Zone: mmm.com\eubraqvsprod3.euro
Trusted Zone: mmm.com\eubraqvsprod4.euro
Trusted Zone: mmm.com\eubraqvstest1.euro
Trusted Zone: mmm.com\eubraqvstest2.euro
Trusted Zone: mmm.com\euqlikview.euro
Trusted Zone: mmm.com\euqlikview2.euro
Trusted Zone: mmm.com\euqlikview3.euro
Trusted Zone: mmm.com\euqlikview4.euro
Trusted Zone: mmm.com\euqlikviewqa.euro
Trusted Zone: mmm.com\euqlikviewqa2.euro
Trusted Zone: mmm.com\qvcfr
Trusted Zone: mmm.com\qvcnwi
Trusted Zone: mmm.com\qvcoposa
Trusted Zone: mmm.com\qvemma
Trusted Zone: mmm.com\qvgps
Trusted Zone: mmm.com\qvsara
Trusted Zone: mmm.com\qvscpa
Trusted Zone: mmm.com\qvwdsr
Trusted Zone: mmm.com\usqlikview1
Trusted Zone: mmm.com\usstpqvsdev1
Trusted Zone: mmm.com\usstpqvsprod1
Trusted Zone: mmm.com\usstpqvsprod2
Trusted Zone: mmm.com\usstpqvsprod3
Trusted Zone: mmm.com\usstpqvsprod4
Trusted Zone: mmm.com\usstpqvsprod5
Trusted Zone: mmm.com\usstpqvsprod6
Trusted Zone: mmm.com\usstpqvsprod7
Trusted Zone: mmm.com\usstpqvsprod9
Trusted Zone: mmm.com\www8.3m.com
Handler: qvp - {4BA78E3D-CA25-4BFF-B8F0-8A3359E4B520} - c:\progra~1\QlikView\QVPROT~1\Qvp.dll
DPF: {0C528348-18DC-4ECE-819B-624E226028DA} - hxxp://wsso.mmm.com/Frontier_program_launcher.CAB
DPF: {0F53CD12-B88F-43E0-99E7-1E2DE701C462} - hxxp://wsso.mmm.com/clientCheck.CAB
DPF: {6E1BAAF6-ECB9-4505-86C1-5D04467B02CC} - hxxp://euqlikview.euro.mmm.com/QvPlugin/QvPluginSetup.exe
DPF: {74DC8438-E36A-40A0-B750-4E2257FA2E41} - hxxp://euqlikview3.euro.mmm.com/QvPlugin/QvPluginSetup.exe
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-12 12:03:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ???x<??????(?@???????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1784)
c:\windows\system32\igfxdev.dll

- - - - - - - > 'lsass.exe'(1840)
c:\windows\system32\SbNp.dll
.
Completion time: 2009-02-12 12:05:48
ComboFix-quarantined-files.txt 2009-02-12 12:05:43
ComboFix2.txt 2009-02-11 12:22:44

Pre-Run: 39,285,465,088 bytes free
Post-Run: 39,284,588,544 bytes free


#7 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:08:03 AM

Posted 12 February 2009 - 08:14 PM

Below is the latest log file. The fix.bat part of your request didn't seem to complete. Looks like you wanted to delete the rogue folder. If that was the case I think you got the file path wrong. Should be C:\windows\system32\^%tp^% rather than C:\system32\^%tp^%. Perhaps you could confirm?

:thumbup2: Yeah.. those should be C:\Windows\System32 :).

Sorry about that. Change the batch file above to:

del C:\windows\system32\^%tp^% > log.txt
dir C:\windows\system32\^%* >> log.txt
nircmd wait 100
start notepad log.txt
nircmd wait 100
del log.txt
del fix.bat

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#8 Trents

Trents
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:03 PM

Posted 13 February 2009 - 09:20 AM

Hi Billy,

Tried running that .bat file but it just froze at the cmd screen, screenshot attached.

When I looked in the log.txt file that had been created it just contained C:\windows\system32\*, Are you sure (Y/N)?

I've been stung in the past by messing where I shouldn't so ran the fix.bat on another laptop I use for testing and pressed Y and Enter at the frozen cmd screen. Bad move. It proceeded to delete all unused .dll files out of the system32 folder. Not a drama there, was about to reimage that one anyway.

I'm not sure if this is because that fix.bat file will only work on the laptop with the rogue folder but I'd rather get your guidance first. I was assuming this file would run without any user interaction.

Cheers

Attached Files



#9 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:08:03 AM

Posted 13 February 2009 - 05:48 PM

It's difficult to get the command interpreter to understand % correctly -- % is a special character in batch files. ^ is supposed to "escape" that character, and tell cmd.exe to treat it as a literal % character. However, it appears the escape didn't work on your machine. It attempted to expand %TP%, which did not exist on your system.

On the machine where it hung, go ahead and modify the batch to this, and try again:

del C:\windows\system32\%%tp%% > log.txt
dir C:\windows\system32\%%* >> log.txt
nircmd wait 100
start notepad log.txt
nircmd wait 100
del log.txt
del fix.bat

Billy3
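As an added example, not code from this thread: the safe way to remove a folder whose name contains a literal % is to skip cmd.exe entirely, so neither percent expansion nor caret escaping comes into play. The Python below takes only the System32 location and the %tp% name from the thread; the directory layout and file names are constructed stand-ins built inside a temporary directory, and the name checks are this example's own guard against the failure mode seen in the thread (the path collapsing to the parent folder, after which del wipes every file in it).

```python
import os
import shutil
import tempfile
from pathlib import Path


def remove_literal_dir(parent: Path, name: str) -> bool:
    """Delete parent/name only if it is a real directory of exactly that name.

    No shell is involved, so '%' and '^' are ordinary characters here.
    Returns True if a directory was removed, False if nothing matched.
    """
    # Refuse names that would resolve to the parent itself or escape it.
    if name in ("", ".", "..") or os.sep in name or (os.altsep and os.altsep in name):
        return False
    target = parent / name
    if target.is_symlink() or not target.is_dir():
        return False
    # Belt and braces: the resolved target must sit directly under parent.
    if target.resolve().parent != parent.resolve():
        return False
    shutil.rmtree(target)
    return True


def demo() -> dict:
    """Constructed stand-in for C:\\WINDOWS\\System32 inside a temp dir."""
    root = Path(tempfile.mkdtemp())
    system32 = root / "WINDOWS" / "System32"
    rogue = system32 / "%tp%"  # the self-recreating folder from the thread
    (rogue / "My Documents").mkdir(parents=True)
    (rogue / "My Documents" / "notes.txt").write_text("copied user data")
    (system32 / "kernel32.dll").write_text("pretend system file, constructed")
    result = {
        "removed_rogue": remove_literal_dir(system32, "%tp%"),
        "rogue_gone": not rogue.exists(),
        "dll_kept": (system32 / "kernel32.dll").exists(),
        # an empty name is what the caret version effectively produced
        "refused_parent": remove_literal_dir(system32, ""),
        # a name without the percent signs matches nothing and is refused
        "refused_missing": remove_literal_dir(system32, "tp"),
    }
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(demo())
```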

#10 Billy O'Neal (Visual C++ STL Maintainer, Malware Response Team, 12,304 posts, Redmond, Washington)

Posted 16 February 2009 - 05:26 PM

Hello, Trents
Are you still here?

BillyIII

#11 Billy O'Neal (Visual C++ STL Maintainer, Malware Response Team, 12,304 posts, Redmond, Washington)

Posted 17 February 2009 - 05:46 PM

Hello, Trents
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please send me or another moderator a PM.

Everyone else please begin a new topic.

BillyIII

#12 Billy O'Neal (Visual C++ STL Maintainer, Malware Response Team, 12,304 posts, Redmond, Washington)

Posted 18 February 2009 - 08:13 PM

User returned; Topic reopened :thumbup2:

Welcome back! Please post your logs below...
Billy3

#13 Billy O'Neal (Visual C++ STL Maintainer, Malware Response Team, 12,304 posts, Redmond, Washington)

Posted 22 February 2009 - 09:20 PM

Hello, Trents
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please send me or another moderator a PM.

Everyone else please begin a new topic.

BillyIII
