
Unclassified, unknown origin; referred here


  • This topic is locked
22 replies to this topic

#1 jerryc


Posted 26 February 2009 - 08:37 PM

Here's my original post:
http://www.bleepingcomputer.com/forums/ind...id=1152510&

Brief synopsis: helping a friend's cousin. Old machine, XP SP1 with no antivirus. I cleaned as much off as I could and have updated to SP3. It runs much better, but still slowly and oddly, and there are some registry values that Trend and Kaspersky and SuperAntiSpyware and Dr.Web and SDFix and some others have all pointed to, copied below, that will not delete. I don't know if this is relevant, but they use AOL and have a lot of AOL proggies and 'stuff'. I know AOL used to take over a machine pretty much.

I just ran DDS; here is the log:


DDS (Ver_09-02-01.01) - NTFSx86
Run by Administrator at 15:32:17.97 on Thu 02/26/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.255.41 [GMT -5:00]

AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated)
FW: Trend Micro Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe
C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
C:\WINDOWS\TEMP\ZZD370.EXE
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\tp4serv.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\regedit.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Administrator\Desktop\Security\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [TrackPointSrv] tp4serv.exe
mRun: [BMMGAG] RunDll32 c:\progra~1\thinkpad\utilit~1\pwrmonit.dll,StartPwrMonitor
mRun: [QCWLICON] c:\program files\thinkpad\connectutilities\QCWLICON.EXE
mRun: [TPHOTKEY] c:\progra~1\thinkpad\pkgmgr\hotkey\TPHKMGR.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: connwsp.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {00134F72-5284-44F7-95A8-52A619F70751} - hxxps://10.30.100.95/officescan/console/html/ClientInstall/WinNTChk.cab
DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} - hxxps://10.30.100.95/officescan/console/html/ClientInstall/setup.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} - hxxps://10.30.100.95/officescan/console/html/ClientInstall/RemoveCtrl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1233340915899
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl.sun.com/webapps/download/AutoDL?BundleId=26688
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 nwprovau

============= SERVICES / DRIVERS ===============

R1 DSMBATT;DSMBATT;c:\windows\system32\drivers\DSMBATT.SYS [2002-9-6 9888]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.SYS [2002-9-6 2295]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [2002-9-6 12288]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\tmxpflt.sys [2008-11-26 205328]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\tmpreflt.sys [2008-11-26 36368]
R3 NetWlan5;802.11b Wireless LAN Adapter Driver;c:\windows\system32\drivers\NetWlan5.sys [2003-9-30 137820]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2007-4-20 307984]
R3 TmPfw;OfficeScan NT Firewall;c:\program files\trend micro\officescan client\TmPfw.exe [2007-4-5 943696]
R3 TmProxy;OfficeScan NT Proxy Service;c:\program files\trend micro\officescan client\TmProxy.exe [2007-4-27 575064]
R3 Tp4Track;IBM PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [1980-1-1 14175]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]

=============== Created Last 30 ================

2009-02-24 20:26 578,560 a------- c:\windows\system32\dllcache\user32.dll
2009-02-24 20:24 <DIR> --d----- c:\windows\ERUNT
2009-02-24 20:17 <DIR> --d----- C:\SDFix
2009-02-20 14:22 <DIR> --d----- c:\documents and settings\administrator\DoctorWeb
2009-02-05 15:31 1 a------- C:\s1jo.97r
2009-02-03 18:09 <DIR> --d----- c:\docume~1\admini~1\applic~1\IBM
2009-02-03 12:49 14,179 a------- c:\windows\cfgall.ini
2009-02-03 12:40 <DIR> --d----- c:\program files\Trend Micro
2009-02-03 12:40 21 a------- C:\tmuninst.ini
2009-02-02 15:23 138,384 a------- c:\windows\system32\drivers\tmcomm.sys
2009-02-02 13:38 <DIR> --d----- c:\documents and settings\administrator\.housecall6.6
2009-02-02 12:15 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-02-02 12:15 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-02 12:15 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-02 12:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-02 12:15 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-02 12:14 2,737,808 a------- c:\program files\mbam-setup.exe
2009-01-31 20:35 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-31 20:35 73,728 a------- c:\windows\system32\javacpl.cpl
2009-01-31 15:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-01-31 15:47 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-01-31 15:47 <DIR> --d----- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com
2009-01-31 15:46 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-01-31 15:46 5,966,368 a------- c:\program files\SUPERAntiSpyware.exe
2009-01-31 11:27 272,128 -------- c:\windows\system32\dllcache\bthport.sys
2009-01-31 11:27 666,112 -------- c:\windows\system32\dllcache\wininet.dll
2009-01-31 11:27 619,520 -------- c:\windows\system32\dllcache\urlmon.dll
2009-01-31 11:27 1,499,136 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-01-31 11:26 1,846,400 -------- c:\windows\system32\dllcache\win32k.sys
2009-01-31 11:26 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-01-31 11:26 2,189,184 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-01-31 11:26 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-01-31 11:26 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-01-31 11:26 3,067,904 -------- c:\windows\system32\dllcache\mshtml.dll
2009-01-31 11:26 203,136 -------- c:\windows\system32\dllcache\rmcast.sys
2009-01-31 11:26 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2009-01-31 11:26 333,952 -------- c:\windows\system32\dllcache\srv.sys
2009-01-31 11:25 331,776 -------- c:\windows\system32\dllcache\msadce.dll
2009-01-31 11:25 691,712 -------- c:\windows\system32\dllcache\inetcomm.dll
2009-01-31 11:25 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2009-01-31 11:25 1,106,944 -------- c:\windows\system32\dllcache\msxml3.dll
2009-01-30 15:47 <DIR> --d----- c:\windows\system32\scripting
2009-01-30 15:47 <DIR> --d----- c:\windows\l2schemas
2009-01-30 15:47 <DIR> --d----- c:\windows\system32\en
2009-01-30 15:27 <DIR> --d----- c:\windows\network diagnostic
2009-01-30 15:05 208,896 -------- c:\windows\system32\dllcache\unregmp2.exe
2009-01-30 15:04 364,544 -------- c:\windows\system32\dllcache\npdsplay.dll
2009-01-30 15:03 290,816 -------- c:\windows\system32\dllcache\l3codeca.acm
2009-01-30 15:02 294,912 -------- c:\windows\system32\dllcache\dlimport.exe
2009-01-30 13:47 26,488 a------- c:\windows\system32\spupdsvc.exe
2009-01-30 13:47 <DIR> --d----- c:\windows\system32\PreInstall
2009-01-30 13:47 <DIR> --d-h--- c:\windows\$hf_mig$
2009-01-30 13:45 <DIR> --d----- c:\windows\system32\bits
2009-01-30 13:44 354,304 a------- c:\windows\system32\winhttp.dll
2009-01-30 13:44 18,944 a------- c:\windows\system32\qmgrprxy.dll
2009-01-30 13:44 438,784 -------- c:\windows\system32\xpob2res.dll
2009-01-30 13:44 8,192 -------- c:\windows\system32\bitsprx2.dll
2009-01-30 13:44 7,168 -------- c:\windows\system32\bitsprx3.dll
2009-01-30 13:42 31,768 a------- c:\windows\system32\wucltui.dll.mui
2009-01-30 13:42 18,456 a------- c:\windows\system32\wuaueng.dll.mui
2009-01-30 13:42 213,528 a------- c:\windows\system32\wuaucpl.cpl
2009-01-30 13:42 23,576 a------- c:\windows\system32\wuaucpl.cpl.mui
2009-01-30 13:42 23,576 a------- c:\windows\system32\wuapi.dll.mui
2009-01-30 13:41 <DIR> --ds---- c:\documents and settings\administrator\UserData
2009-01-30 13:06 <DIR> --d----- c:\windows\peernet
2009-01-30 13:06 <DIR> --d----- c:\windows\provisioning
2009-01-30 12:26 11,264 -------- c:\windows\system32\spnpinst.exe
2009-01-30 12:26 7,208 -------- c:\windows\system32\secupd.sig
2009-01-30 12:26 4,569 -------- c:\windows\system32\secupd.dat
2009-01-30 01:34 <DIR> --d----- c:\windows\pss
2009-01-30 01:32 <DIR> --d----- c:\docume~1\admini~1\applic~1\AOL

==================== Find3M ====================

2009-01-30 15:59 87,295 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat

============= FINISH: 15:33:16.45 ===============

Malwarebytes found this:

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{54645654-2225-4455-44a1-9f4543d34546} (Trojan.Clicker) -> Delete on reboot.

SuperAntiSpyware found this:

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{54645654-2225-4455-44A1-9F4543D34546}
HKCR\CLSID\{54645654-2225-4455-44A1-9F4543D34546}
HKCR\CLSID\{54645654-2225-4455-44A1-9F4543D34546}\InProcServer32


#2 PropagandaPanda

  • Malware Response Team

Posted 10 March 2009 - 04:19 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Download and Run DDS
If you already have a copy of DDS, there is no need to download a new one.

DDS is a tool that gives us a general overview of the condition of your machine.

Download DDS by sUBs from any of the links below:
DDS.com, DDS.scr, DDS.pif

Double click its icon to run it. If you are using Windows Vista, right click it and select "Run as Administrator".
When the scan is finished, two logs will open.
Post DDS.txt directly into your reply. Attach Attach.txt.

F-Secure Online Scan
Please run F-Secure Online Scanner.
This scan is for Internet Explorer only.
  • It is suggested that you disable security programs and close any other windows during the scan. While your security is disabled, please refrain from surfing on other sites. Refer to this page if you are unsure how.
  • Go to F-Secure Online Scanner
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy the entire report in your next reply.
  • Be sure to re-enable any security programs.

Please post back with:
-the DDS logs
-the F-Secure scan log

Please give me an update on the symptoms. Also tell me of any changes you have made to this computer.

With Regards,
The Panda

#3 jerryc


Posted 12 March 2009 - 11:18 PM

Hi and thanks for assistance. I will be back at this tomorrow with scans.
Thanks again.
Jerry

#4 PropagandaPanda


Posted 13 March 2009 - 07:02 AM

No problem.

The Panda

#5 jerryc


Posted 13 March 2009 - 08:52 PM

This is the DDS report; the attachment is with 7-Zip. I will have to post the F-Secure scan tomorrow or Monday.
You had said to comment on all changes to the comp; did you mean since I started working on it, or since I posted this thread? If the latter, no changes. If the former, many changes: going from SP1 to SP3, removing all temp files I could find, adding Trend OfficeScan, many scans with various online and downloaded antimalware tools.
Thanks



DDS (Ver_09-02-01.01) - NTFSx86
Run by Administrator at 16:42:12.69 on Fri 03/13/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.255.48 [GMT -4:00]

AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated)
FW: Trend Micro Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe
C:\WINDOWS\TEMP\IB5B6D.EXE
C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\tp4serv.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Administrator\Desktop\Security\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil9f.exe
mRun: [TrackPointSrv] tp4serv.exe
mRun: [BMMGAG] RunDll32 c:\progra~1\thinkpad\utilit~1\pwrmonit.dll,StartPwrMonitor
mRun: [QCWLICON] c:\program files\thinkpad\connectutilities\QCWLICON.EXE
mRun: [TPHOTKEY] c:\progra~1\thinkpad\pkgmgr\hotkey\TPHKMGR.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: connwsp.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {00134F72-5284-44F7-95A8-52A619F70751} - hxxps://10.30.100.95/officescan/console/html/ClientInstall/WinNTChk.cab
DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} - hxxps://10.30.100.95/officescan/console/html/ClientInstall/setup.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} - hxxps://10.30.100.95/officescan/console/html/ClientInstall/RemoveCtrl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1233340915899
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl.sun.com/webapps/download/AutoDL?BundleId=26688
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 nwprovau

============= SERVICES / DRIVERS ===============

R1 DSMBATT;DSMBATT;c:\windows\system32\drivers\DSMBATT.SYS [2002-9-6 9888]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.SYS [2002-9-6 2295]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [2002-9-6 12288]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\tmxpflt.sys [2008-11-26 205328]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\tmpreflt.sys [2008-11-26 36368]
R3 NetWlan5;802.11b Wireless LAN Adapter Driver;c:\windows\system32\drivers\NetWlan5.sys [2003-9-30 137820]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2007-4-20 307984]
R3 TmPfw;OfficeScan NT Firewall;c:\program files\trend micro\officescan client\TmPfw.exe [2007-4-5 943696]
R3 TmProxy;OfficeScan NT Proxy Service;c:\program files\trend micro\officescan client\TmProxy.exe [2007-4-27 575064]
R3 Tp4Track;IBM PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [1980-1-1 14175]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]

=============== Created Last 30 ================

2009-02-24 21:26 578,560 a------- c:\windows\system32\dllcache\user32.dll
2009-02-24 21:24 <DIR> --d----- c:\windows\ERUNT
2009-02-24 21:17 <DIR> --d----- C:\SDFix
2009-02-20 15:22 <DIR> --d----- c:\documents and settings\administrator\DoctorWeb

==================== Find3M ====================

2009-02-02 13:14 2,737,808 a------- c:\program files\mbam-setup.exe
2009-01-31 21:34 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-31 16:46 5,966,368 a------- c:\program files\SUPERAntiSpyware.exe
2009-01-30 16:59 87,295 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-01-14 17:11 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 17:11 15,504 a------- c:\windows\system32\drivers\mbam.sys

============= FINISH: 16:43:16.20 ===============




#6 PropagandaPanda


Posted 14 March 2009 - 08:51 AM

Hello.

The registry keys that were flagged look to me like leftovers of an infection because the files were not found.

Are they still being picked up in the scans now?

With Regards,
The Panda

#7 jerryc


Posted 14 March 2009 - 04:39 PM

I came back to the comp today, having downloaded and started F-Secure last night (when I left, it was running and had looked at about 150 files; no malware), and pulled the ethernet cable out. Today all I got was an error message about IE, no evidence of F-Secure at all. Maybe even after downloading it still has to be connected? Others don't; you can run most scans I know of without an internet connection after they are downloaded.
I did get a message about Microsoft security updates, the ones from last Tuesday I believe, so I did install those, and it then needed to reboot. That reboot took about 4-5 minutes. Oh, I did turn off almost everything in msconfig/startup a few weeks ago when I started all this. So it seems to still be affected by something. I have not run any other scans since what I have already mentioned, so I am not sure about the keys being leftovers.
I am restarting F-Secure and leaving the cable plugged in. If I get a report I will post it later.

I take it from the image you use that you're a mountain biker; that looks like an IRC Mythos, I think. I used to run bike shops and rode one of the early Tom Ritcheys, in 1982.
Thanks

#8 jerryc


Posted 14 March 2009 - 04:54 PM

OK, dumb; yes, it has to be connected to scan.
Running now.

#9 jerryc


Posted 14 March 2009 - 07:05 PM

F-Secure scan is done; it says 1 virus and 4 spyware. I then clicked 'automatic repair' and it immediately said 9 viruses and 0 spyware. ??? It is now sitting there...
Ah; it says it's done, cleaned 5 malware. I am writing this on another comp; I will post the log when it comes up, which is going very slowly.

#10 jerryc


Posted 14 March 2009 - 07:17 PM

Comp is running very slowly; it took over 2 minutes to bring up Notepad.

F-Secure report:

Result: 5 malware found
TrackingCookie.2o7 (spyware)
System
TrackingCookie.Atdmt (spyware)
System
TrackingCookie.Doubleclick (spyware)
System
TrackingCookie.Questionmarket (spyware)
System
Trojan.HTML.Starter.a (virus)
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\DOCTORWEB\QUARANTINE\777.HTM (Renamed & Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 24717
System: 3017
Not scanned: 7
Actions:
Disinfected: 0
Renamed: 1
Deleted: 0
None: 4
Submitted: 1
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure USS: 3.0.0
F-Secure Hydra: 3.6.8511, 2009-03-14
F-Secure AVP: 7.0.171, 2009-03-14
F-Secure Pegasus: 1.20.0, 1969-11-31
F-Secure Blacklight: 0.0.0
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use Advanced heuristics

#11 PropagandaPanda


Posted 14 March 2009 - 07:22 PM

Hello.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.

  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER.zip to your desktop from any of the links below:
LINK1, LINK2
  • Right click on GMER.zip and select "Extract All".
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click GMER.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.
In your next reply include:
-the ComboFix log
-the GMER scan log

With Regards,
The Panda

#12 jerryc


Posted 14 March 2009 - 07:40 PM

Unfortunately there is no entry on the 'how to disable' page for Trend. I cannot unload, disable, or remove it, as it wants a password that no one here has, and which Trend says they don't have either.
Hmm. I may have to wait till Monday to talk to them again.
Thanks

#13 PropagandaPanda


Posted 15 March 2009 - 09:16 AM

Hello.

In that case, go ahead with ComboFix. It usually isn't an issue.

With Regards,
The Panda

#14 jerryc

jerryc
  • Topic Starter

  • Members
  • 91 posts
  • OFFLINE
  • Local time:08:11 AM

Posted 15 March 2009 - 04:53 PM

ComboFix log; it was very hard to do: many reboots to get it to download, then a corrupted download, then messages like "incorrect OS", very slow running, but it finally worked and the comp runs much faster.
Other log to follow I hope.


ComboFix 09-03-14.02 - Administrator 2009-03-15 15:20:55.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.255.50 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\Security\ComboFix.exe
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated)
FW: Trend Micro Personal Firewall *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\IE4 Error Log.txt

.
((((((((((((((((((((((((( Files Created from 2009-02-15 to 2009-03-15 )))))))))))))))))))))))))))))))
.

2009-03-15 15:09 . 2009-03-15 15:10 <DIR> d-------- C:\32788R22FWJFW
2009-03-15 14:51 . 2009-03-15 14:53 <DIR> d-------- C:\32788R22FWJFW.0.tmp
2009-03-13 19:49 . 2009-03-13 19:49 <DIR> d-------- C:\fsaua.data
2009-03-13 19:26 . 2009-03-13 19:26 <DIR> d-------- c:\program files\7-Zip
2009-03-13 19:26 . 2009-03-13 19:26 939,956 --a------ c:\program files\7z465.exe
2009-02-24 21:26 . 2009-02-24 21:26 578,560 --a------ c:\windows\system32\dllcache\user32.dll
2009-02-24 21:24 . 2009-02-24 21:25 <DIR> d-------- c:\windows\ERUNT
2009-02-24 21:17 . 2008-11-06 03:03 <DIR> d-------- C:\SDFix
2009-02-20 15:22 . 2009-02-20 15:29 <DIR> d-------- c:\documents and settings\Administrator\DoctorWeb

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-26 00:40 --------- d-----w c:\program files\Common Files\Real
2009-02-24 00:43 --------- d-----w c:\program files\Google
2009-02-23 22:32 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-09 11:13 1,846,784 ------w c:\windows\system32\dllcache\win32k.sys
2009-02-03 23:09 --------- d-----w c:\documents and settings\Administrator\Application Data\IBM
2009-02-03 17:40 --------- d-----w c:\program files\Trend Micro
2009-02-03 17:40 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-02 17:15 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-02 17:15 --------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-02-02 17:14 2,737,808 ----a-w c:\program files\mbam-setup.exe
2009-02-01 01:34 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-02-01 01:34 --------- d-----w c:\program files\Java
2009-01-31 20:47 --------- d-----w c:\program files\SUPERAntiSpyware
2009-01-31 20:47 --------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-31 20:47 --------- d-----w c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-01-31 20:46 5,966,368 ----a-w c:\program files\SUPERAntiSpyware.exe
2009-01-31 20:46 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-30 06:32 --------- d-----w c:\documents and settings\Administrator\Application Data\AOL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-23 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BMMGAG"="c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2002-03-26 61440]
"QCWLICON"="c:\program files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2002-07-15 49152]
"TPHOTKEY"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2002-05-30 69632]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-31 136600]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-06-07 702072]
"TrackPointSrv"="tp4serv.exe" [2002-03-20 c:\windows\system32\tp4serv.exe]

c:\documents and settings\lilyE\Start Menu\Programs\Startup\
MSWin--339694643.exe [2008-06-08 836]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 12:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
--a------ 2005-04-11 10:36 83544 c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
--a------ 2004-04-07 12:07 496752 c:\program files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2005-08-02 15:33 159832 c:\program files\Common Files\AOL\1124865704\ee\AOLHostManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 20:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
--a------ 2004-05-07 16:54 99480 c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2004-06-08 11:29 98304 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tgcmd]
--a--c--- 2001-11-07 06:50 1519616 c:\program files\Support.com\bin\tgcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPTRAY]
--a------ 2002-03-26 04:24 48128 c:\progra~1\ThinkPad\UTILIT~1\TP98TRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2002-02-23 10:37 87037 c:\windows\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
--a------ 2002-06-12 16:03 28672 c:\windows\system32\Ati2mdxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TP4EX]
--a------ 2002-02-22 04:04 40960 c:\windows\system32\TP4EX.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 DSMBATT;DSMBATT;c:\windows\system32\drivers\DSMBATT.SYS [2002-09-06 9888]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.SYS [2002-09-06 2295]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [2002-09-06 12288]
R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\tmxpflt.sys [2008-11-26 205328]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [2008-11-26 36368]
R3 NetWlan5;802.11b Wireless LAN Adapter Driver;c:\windows\system32\drivers\NetWlan5.sys [2003-09-30 137820]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2007-04-20 307984]
R3 Tp4Track;IBM PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [1980-01-01 14175]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]

--- Other Services/Drivers In Memory ---

*Deregistered* - ALG
*Deregistered* - AOL ACS
*Deregistered* - Ati HotKey Poller
*Deregistered* - AudioSrv
*Deregistered* - BITS
*Deregistered* - Browser
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - dmserver
*Deregistered* - Dnscache
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - helpsvc
*Deregistered* - IBMPMSVC
*Deregistered* - Irmon
*Deregistered* - JavaQuickStarterService
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LexBceS
*Deregistered* - LmHosts
*Deregistered* - MDM
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - ntrtscan
*Deregistered* - NWCWorkstation
*Deregistered* - PolicyAgent
*Deregistered* - ProtectedStorage
*Deregistered* - QCONSVC
*Deregistered* - RasMan
*Deregistered* - RemoteRegistry
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - srservice
*Deregistered* - SSDPSRV
*Deregistered* - stisvc
*Deregistered* - TapiSrv
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - tmlisten
*Deregistered* - TmPfw
*Deregistered* - TmProxy
*Deregistered* - TrkWks
*Deregistered* - W32Time
*Deregistered* - WANMiniportService
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC
.
Contents of the 'Scheduled Tasks' folder

2009-03-15 c:\windows\Tasks\BMMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\Bmmtask.exe [2002-03-26 04:24]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-American Airlines DealFinder - c:\program files\American Airlines DealFinder\American_Airlines_DealFinder.exe
MSConfigStartUp-RealTray - c:\program files\Real\RealPlayer\RealPlay.exe


.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
LSP: connwsp.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-15 15:29:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{54645654-2225-4455-44A1-9F4543D34546}\InProcServer32]
@DACL=(02 0000)
@=expand:"c:\\WINDOWS\\System32\\vbsys2.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1180)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(1236)
c:\windows\system32\connwsp.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\system32\rundll32.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Trend Micro\OfficeScan Client\NTRtScan.exe
c:\windows\system32\QCONSVC.EXE
c:\windows\wanmpsvc.exe
c:\program files\Trend Micro\OfficeScan Client\TmListen.exe
c:\program files\Trend Micro\OfficeScan Client\TmPfw.exe
c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe
c:\windows\Temp\NE9842.EXE
c:\program files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
c:\program files\Java\jre6\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2009-03-15 15:43:23 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-15 19:42:25

Pre-Run: 9,313,542,144 bytes free
Post-Run: 9,431,085,056 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

245 --- E O F --- 2009-03-14 19:11:42

#15 jerryc

jerryc
  • Topic Starter

  • Members
  • 91 posts
  • OFFLINE
  • Local time:08:11 AM

Posted 15 March 2009 - 06:15 PM

GMER log; the same registry entry that all the scans have pointed to is still there.

GMER 1.0.15.14939 - http://www.gmer.net
Rootkit scan 2009-03-15 17:10:39
Windows 5.1.2600 Service Pack 3


---- Kernel code sections - GMER 1.0.15 ----

? Combo-Fix.sys The system cannot find the file specified. !
? C:\ComboFix\catchme.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs TmPreFlt.sys (Pre-Filter For XP/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Incorporated.)
AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Incorporated.)
AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Incorporated.)
AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Incorporated.)

Device \FileSystem\Fastfat \Fat F0E7ED20

AttachedDevice \FileSystem\Fastfat \Fat TmPreFlt.sys (Pre-Filter For XP/Trend Micro Inc.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{54645654-2225-4455-44A1-9F4543D34546}\InProcServer32@ C:\WINDOWS\System32\vbsys2.dll

---- EOF - GMER 1.0.15 ----