
Viruses unknown


  • This topic is locked
14 replies to this topic

#1 Matt3376

  • Members
  • 9 posts

Posted 14 November 2010 - 01:10 PM

Dear all, first-time poster; I have read the rules and hope to get some knowledgeable folks to help.

I am using Windows XP SP3 Professional, and yesterday, whilst watching sport on a maybe not so sensible website, my McAfee virus software went nuts. Plenty of viruses were detected, and the messages via McAfee read that files were deleted but cleaning failed.
Ever since, my laptop has been running terribly, losing virtual memory, and 101 processes were running in Task Manager.
I have tried the following steps. (I am not a beginner, but a regular computer user, and wouldn't suggest I really know what I am doing.)

Ran anti-virus scan, found nothing
Ran Spybot S&D and found the usual stuff
Google suggested I download HijackThis and copy a report into a helpful forum, so I have done that and posted the results below
I have also booted into safe mode and stopped a few processes via msconfig. The 101 processes have now reduced to 75.
The only other thing that may be of some use to clever people is that when in safe mode, clicking Start > All Programs > Startup, the following 'programs' were listed, and they looked as dodgy as the website I found myself on yesterday.
acfon
diusy
ezdak
maup
ywizyx
yxso

Please see the HijackThis report below - it suggested that copying the report into a forum would lead to some useful tips before I check things in a list to be fixed.

Any advice would be very well received - if I have missed any detail, I apologise - this is about all I can think of.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 17:26:28, on 14/11/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17091)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\DTS.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\AtService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\PROGRA~1\LANDesk\LDClient\collector.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Prot_srv.exe
C:\WINDOWS\system32\pstartSr.exe
C:\QUALCOMM\QDLService\QDLService.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\Lumension Security\Sanctuary\Client\scomc.exe
C:\Program Files\LANDesk\LDClient\softmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
C:\WINDOWS\system32\wuauclt.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\McAfee\VirusScan Enterprise\MCUPDATE.EXE
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\McAfee\Common Framework\McScript_InUse.exe
C:\Program Files\WebEx\Productivity Tools\PTIM.exe
C:\Program Files\WebEx\Productivity Tools\ptoneclk.exe
C:\Program Files\WebEx\Productivity Tools\ptSrv.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\GmoteServer\GmoteServer.exe
C:\Documents and Settings\Matthew.Kearsley\Start Menu\Programs\Startup\sishzm32.exe
C:\Program Files\Java\jre6\bin\javaw.exe
C:\PROGRA~1\LANDesk\LDClient\rcgui.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Skype\Toolbars\Shared\SkypeNames2.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://cwa.capita.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.capita.zone:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = www.constructionline.co.uk;*.capitadesktop;*.capita.zone;<local>
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,,c:\program files\microsoft\watermark.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: WebEx Productivity Tools - {90E2BA2E-DD1B-4cde-9134-7A8B86D33CA7} - C:\Program Files\WebEx\Productivity Tools\ptonecli.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: WebEx Productivity Tools - {90E2BA2E-DD1B-4cde-9134-7A8B86D33CA7} - C:\Program Files\WebEx\Productivity Tools\ptonecli.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PTIM.exe] C:\Program Files\WebEx\Productivity Tools\PTIM.exe
O4 - HKCU\..\Run: [PTOneClick] C:\Program Files\WebEx\Productivity Tools\ptoneclk.exe /AutoRunning="2"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [{721AF518-9CF1-82F7-BDBF-E333480F9270}] "C:\WINDOWS\system32\config\systemprofile\Application Data\Oleq\ipeh.exe"
O4 - .DEFAULT User Startup: ezavqu.exe (User 'Default user')
O4 - .DEFAULT User Startup: kaah.exe (User 'Default user')
O4 - .DEFAULT User Startup: kyypsi.exe (User 'Default user')
O4 - .DEFAULT User Startup: pire.exe (User 'Default user')
O4 - .DEFAULT User Startup: pycuu.exe (User 'Default user')
O4 - .DEFAULT User Startup: ufhy.exe (User 'Default user')
O4 - Startup: GmoteServer.lnk = C:\Program Files\GmoteServer\GmoteServer.exe
O4 - Startup: sishzm32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0AFD9937-10D5-436F-9F2B-08BF61754446} (OutlookTools Object) - http://195.89.201.69/Capitacrm/Plugin/OTLTools.cab
O16 - DPF: {3DFD2B52-C6E9-11D4-8226-005004F658FC} (XeWare Control) - http://195.89.201.69/CapitaCRM/Plugin/eWarePluginX.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1260800928253
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://capita.webex.com/client/upgradeserver/client/ptool/T27L10NSP11EP15-6316/ieatgpc.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - https://juniper.net/dana-cached/sc/JuniperSetupClient.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = constline.local
O17 - HKLM\Software\..\Telephony: DomainName = constline.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{42D1249F-CF8E-4039-B129-C59CC280342D}: NameServer = 10.82.27.240
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = constline.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = constline.local
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: ATFUS - C:\WINDOWS\system32\FpWinLogonNp.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Atheros Configuration Service (acs) - Atheros - C:\WINDOWS\system32\acs.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: AD Monitor (ADMonitor) - Unknown owner - C:\WINDOWS\system32\ADMonitor.exe
O23 - Service: AuthenTec Fingerprint Service (ATService) - AuthenTec, Inc. - C:\WINDOWS\system32\AtService.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: LANDesk® Management Agent (CBA8) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\Shared Files\residentagent.exe
O23 - Service: Data Transfer Service (dtsvc) - Unknown owner - C:\WINDOWS\system32\DTS.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel® Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: Fingerprint Server (FingerprintServer) - AuthenTec,Inc - C:\WINDOWS\system32\FpLogonServ.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe (file missing)
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: Intel Local Scheduler Service - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\tmcsvc.exe
O23 - Service: LANDesk Remote Control Service (ISSUSER) - LANDesk Software, Ltd. - C:\PROGRA~1\LANDesk\LDClient\issuser.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel® Active Management Technology Local Management Service (LMS) - Intel Corporation - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Pointsec - Unknown owner - C:\WINDOWS\system32\Prot_srv.exe
O23 - Service: Pointsec Service Start (Pointsec_start) - Unknown owner - C:\WINDOWS\system32\pstartSr.exe
O23 - Service: Power Manager DBC Service - Unknown owner - C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
O23 - Service: Qualcomm Gobi Download Service (QDLService) - QUALCOMM, Inc. - C:\QUALCOMM\QDLService\QDLService.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel® Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless WiFi Service (S24EventMonitor) - Intel® Corporation - C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
O23 - Service: Sanctuary Command and Control (scomc) - Lumension Security - C:\Program Files\Lumension Security\Sanctuary\Client\scomc.exe
O23 - Service: LANDesk® Software Monitoring Service (Softmon) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\softmon.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: Intel® Active Management Technology User Notification Service (UNS) - Intel Corporation - C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)

--
End of file - 15213 bytes
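
The log above carries the indicators a responder reads first: the F2 UserInit value with a second executable appended, bare .exe files in Startup folders instead of .lnk shortcuts, a Run value named with a GUID that launches from systemprofile\Application Data, and orphaned entries whose target is gone. The script below is an added example (not part of the original post, and not HijackThis' own logic) that applies those rules to a HijackThis v2 log; the rules are heuristics chosen for this log, SAMPLE_LOG is an excerpt of the posted log used as offline input, and the bare-IP O16 rule only asks for confirmation, since here the 195.89.201.69 CAB files belong to the poster's corporate CRM plugin.

```python
"""Triage a HijackThis v2 log for the persistence indicators seen in this thread.

Added example: not part of the original post and not HijackThis' own logic. The
rules are heuristics chosen for this log; SAMPLE_LOG is an excerpt of the log above.
"""
import re
from dataclasses import dataclass

# Excerpt of the posted HijackThis log (constructed sample input for this example).
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,,c:\program files\microsoft\watermark.exe
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [{721AF518-9CF1-82F7-BDBF-E333480F9270}] "C:\WINDOWS\system32\config\systemprofile\Application Data\Oleq\ipeh.exe"
O4 - .DEFAULT User Startup: ezavqu.exe (User 'Default user')
O4 - Startup: GmoteServer.lnk = C:\Program Files\GmoteServer\GmoteServer.exe
O4 - Startup: sishzm32.exe
O16 - DPF: {0AFD9937-10D5-436F-9F2B-08BF61754446} (OutlookTools Object) - http://195.89.201.69/Capitacrm/Plugin/OTLTools.cab
O23 - Service: Google Update Service (gupdate) (gupdate) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe (file missing)
"""


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. O4
    reason: str
    line: str


LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
IP_URL_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}/", re.I)
# Directories a legitimate auto-start rarely launches from; droppers favour them.
SUSPECT_DIRS = ("\\application data\\", "\\local settings\\", "\\temp\\", "systemprofile")
# The stock Userinit value is this path followed by a trailing comma (assumed English XP).
STOCK_USERINIT = "c:\\windows\\system32\\userinit.exe"


def userinit_extras(value):
    """Winlogon launches every comma-separated entry; return the ones that are not stock."""
    entries = [e.strip().strip('"').lower() for e in value.split(",")]
    return [e for e in entries if e and e != STOCK_USERINIT]


def check_line(line):
    """Return a Finding for one log line, or None if nothing in it looks wrong."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    low = body.lower()
    if sec == "F2" and "userinit=" in low:
        extras = userinit_extras(body.split("=", 1)[1])
        if extras:
            return Finding(sec, "extra Userinit entry: " + ", ".join(extras), line)
    if "(no file)" in low or "(file missing)" in low:
        return Finding(sec, "orphaned entry, target no longer exists", line)
    if sec == "O4" and "startup:" in low:
        # Startup-folder items are normally .lnk shortcuts; a bare .exe was dropped there.
        parts = body.split("Startup:", 1)[1].split()
        if parts and parts[0].lower().endswith(".exe"):
            return Finding(sec, "bare executable in a Startup folder", line)
    if sec == "O4" and "\\run:" in low:
        path = body.split("]", 1)[1].strip().strip('"').lower()
        if any(d in path for d in SUSPECT_DIRS):
            return Finding(sec, "Run entry launches from a user-writable data directory", line)
    if sec == "O16" and IP_URL_RE.search(body):
        return Finding(sec, "ActiveX download (DPF) from a bare IP address; confirm it is expected", line)
    return None


def triage(text):
    """Run check_line over a whole log and return the findings in log order."""
    return [f for f in (check_line(ln) for ln in text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the excerpt it reports seven lines: the UserInit hijack, the two orphaned entries, the GUID-named Run value under systemprofile, the two bare executables in Startup folders, and the bare-IP DPF item for review. The [MSConfig] Run entry is not flagged: it is what msconfig adds when the user disables startup items, which matches the poster's own safe-mode steps.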

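The F2 line above (and the "Userinit" entry under Reg Loading Points in the ComboFix log further down, where the file "Failed to delete") is the persistence that matters most: Winlogon runs every comma-separated entry of the Userinit value at each logon, so the infection only had to append c:\program files\microsoft\watermark.exe. The script below is an added example, not part of this thread, HijackThis or ComboFix. On Windows it reads the live Winlogon Userinit and Shell values through winreg; on any other platform, or for offline review, it audits value strings copied from a log. The stock paths it assumes match an English Windows XP install; FROM_LOG is constructed from the ComboFix log in this thread.

```python
"""Audit the Winlogon Userinit and Shell values for appended executables.

Added example: not part of the original thread, HijackThis or ComboFix. On Windows
it reads the live registry; elsewhere, or for offline review, it audits value strings
copied from a log. Stock paths assume an English Windows XP install.
"""
import os
import sys

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SYSTEM32 = os.environ.get("SystemRoot", r"C:\WINDOWS") + r"\system32"

# Winlogon runs every comma-separated entry of Userinit at logon, so an attacker only
# has to append a path. The stock value is one entry plus a trailing comma; Shell is
# a bare name resolved from the system directory.
STOCK = {
    "Userinit": [SYSTEM32 + r"\userinit.exe"],
    "Shell": ["Explorer.exe"],
}


def split_entries(value):
    """Split a Winlogon value the way winlogon does: on commas, dropping empty entries."""
    return [e.strip().strip('"') for e in value.split(",") if e.strip()]


def audit_value(name, value):
    """Return (extras, fixed): entries that are not the stock entry for `name`, and the
    value to write back if extras is non-empty."""
    stock = [s.lower() for s in STOCK[name]]
    extras = [e for e in split_entries(os.path.expandvars(value)) if e.lower() not in stock]
    fixed = ",".join(STOCK[name]) + ("," if name == "Userinit" else "")
    return extras, fixed


def audit(values):
    """values: {"Userinit": ..., "Shell": ...}. Returns [(name, extras, fixed), ...] for
    the values that carry unexpected entries."""
    results = []
    for name, value in values.items():
        extras, fixed = audit_value(name, value)
        if extras:
            results.append((name, extras, fixed))
    return results


def read_live_values():
    """Read the live values on Windows. Returns {} on other platforms so the audit can
    still be run against strings copied from a log."""
    if sys.platform != "win32":
        return {}
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        return {name: winreg.QueryValueEx(key, name)[0] for name in STOCK}


# The values as they appear in the ComboFix log in this thread (constructed offline input).
FROM_LOG = {
    "Userinit": r"c:\windows\system32\userinit.exe,,c:\program files\microsoft\watermark.exe",
    "Shell": "Explorer.exe",
}

if __name__ == "__main__":
    for name, extras, fixed in audit(read_live_values() or FROM_LOG):
        print(f"{name}: unexpected entries {extras}")
        print(f"  stock value to restore: {fixed}")
```

The script only reports and computes the stock value; it does not write the registry. When the value is corrected by hand, the userinit.exe entry must stay in place: on Windows XP a Userinit value that no longer launches userinit.exe logs the user off immediately after logon, which is why a helper removes the appended path rather than clearing the value.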

#2 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 14 November 2010 - 01:32 PM

Hello Matt3376 ,


This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. If McAfee gives you any problems, you may have to temporarily uninstall it. For some reason, this is common with McAfee. <_<

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

If you have trouble running it the first time, then rename ComboFix.exe to Matt.exe and try again.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!


Error reading poptart in Drive A: Delete kids y/n?

#3 Matt3376
  • Topic Starter

  • Members
  • 9 posts

Posted 14 November 2010 - 02:37 PM

Tea,

thanks for taking the time to help: please see the ComboFix log below.

---------------------------------------------------------------------------------------------------------------------------------------------

ComboFix 10-11-13.01 - matthew.kearsley 14/11/2010 19:06:13.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1944.1302 [GMT 0:00]
Running from: c:\documents and settings\Matthew.Kearsley\My Documents\Downloads\ComboFix.exe
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Matthew.Kearsley\Application Data\avdrn.dat
c:\documents and settings\Matthew.Kearsley\g2mdlhlpx.exe
c:\documents and settings\Matthew.Kearsley\Start Menu\Programs\Startup\sishzm32.exe
c:\windows\system32\AutoRun.inf
c:\windows\system32\dmlconf.dat
c:\program files\microsoft\watermark.exe . . . . Failed to delete

----- BITS: Possible infected sites -----

hxxp://custodian
.
((((((((((((((((((((((((( Files Created from 2010-10-14 to 2010-11-14 )))))))))))))))))))))))))))))))
.

2010-11-14 17:00 . 2010-11-14 17:00 -------- d-----w- c:\program files\Trend Micro
2010-11-14 16:10 . 2010-11-14 16:10 -------- d-----w- c:\program files\tmp
2010-11-13 15:36 . 2010-11-14 19:01 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-11-13 15:36 . 2010-11-14 18:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-11-13 14:52 . 2010-11-14 11:07 -------- d-----w- c:\program files\temp
2010-10-26 14:12 . 2010-10-26 14:12 -------- d-----w- c:\program files\Hewlett-Packard
2010-10-26 14:12 . 2010-10-26 14:12 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2010-10-26 14:11 . 2010-10-26 14:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2010-10-26 14:11 . 2007-03-28 13:01 117760 ----a-w- c:\windows\system32\hpzll5ha.dll
2010-10-26 14:11 . 2007-03-28 12:57 274944 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpzpp5ha.dll
2010-10-26 14:10 . 2008-04-13 23:15 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2010-10-26 14:10 . 2008-04-13 23:15 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-10-26 14:10 . 2007-03-08 19:20 21568 ----a-w- c:\windows\system32\drivers\HPZius12.sys
2010-10-26 14:10 . 2007-03-08 19:20 16496 ----a-w- c:\windows\system32\drivers\HPZipr12.sys
2010-10-26 14:10 . 2007-03-08 19:20 49920 ----a-w- c:\windows\system32\drivers\HPZid412.sys
2010-10-26 14:10 . 2007-03-31 05:07 267864 ----a-w- c:\windows\system32\hpzids01.dll
2010-10-26 14:10 . 2007-03-18 06:11 675840 ----a-w- c:\windows\system32\hpowiax3.dll
2010-10-26 14:10 . 2007-03-18 06:11 303104 ----a-w- c:\windows\system32\hpovst10.dll
2010-10-26 14:10 . 2007-03-18 06:11 569344 ----a-w- c:\windows\system32\hpotscl3.dll
2010-10-26 14:10 . 2007-03-08 19:20 364544 ----a-w- c:\windows\system32\hppldcoi.dll
2010-10-26 14:10 . 2010-10-26 14:10 -------- d-----w- c:\program files\HP
2010-10-26 14:07 . 2008-04-13 23:17 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2010-10-26 14:07 . 2008-04-13 23:17 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2010-10-22 07:28 . 2010-10-22 07:28 -------- d-----w- c:\windows\system32\wbem\Repository
2010-10-16 14:16 . 2010-10-22 07:28 -------- d-----w- c:\documents and settings\Matthew.Kearsley\Local Settings\Application Data\Google
2010-10-16 14:15 . 2010-10-22 07:28 -------- d-----w- c:\program files\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 12:23 . 2007-04-03 07:44 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2008-04-14 04:41 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2008-04-14 04:41 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-18 06:53 . 2002-08-29 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-09 13:38 . 2008-04-14 04:42 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-09 13:38 . 2008-04-14 04:42 832512 ----a-w- c:\windows\system32\wininet.dll
2010-09-09 13:38 . 2008-04-14 04:41 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-09-09 13:38 . 2008-04-14 04:41 17408 ----a-w- c:\windows\system32\corpol.dll
2010-09-01 11:51 . 2008-04-14 04:39 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2008-04-14 00:00 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-31 12:10 . 2008-04-13 23:07 389120 ----a-w- c:\windows\system32\html.iec
2010-08-27 08:02 . 2008-04-14 04:42 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2008-04-14 04:42 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2008-04-13 23:45 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-12-14 14:01 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2008-04-14 04:41 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2008-04-14 04:42 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-05-24 13:49 . 2010-05-24 13:49 28472 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2010-05-24 13:49 . 2010-05-24 13:49 185224 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2010-05-24 13:50 . 2010-05-24 13:50 46392 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll
2010-05-24 13:50 . 2010-05-24 13:50 99208 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
.

------- Sigcheck -------

[-] 2008-07-11 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"PTIM.exe"="c:\program files\WebEx\Productivity Tools\PTIM.exe" [2010-04-14 271672]
"PTOneClick"="c:\program files\WebEx\Productivity Tools\ptoneclk.exe" [2010-04-14 247096]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-09-02 13351304]

c:\documents and settings\Matthew.Kearsley\Start Menu\Programs\Startup\
GmoteServer.lnk - c:\program files\GmoteServer\GmoteServer.exe [2010-7-31 451584]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
kaah.exe [2010-11-14 106496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\microsoft\watermark.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ATFUS]
2008-10-26 18:41 180224 ----a-w- c:\windows\system32\FpWinlogonNp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 16:37 34344 ----a-w- c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2008-08-08 19:14 28672 ------w- c:\program files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^acfoa.exe]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\acfoa.exe
backup=c:\windows\pss\acfoa.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^diusy.exe]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\diusy.exe
backup=c:\windows\pss\diusy.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^ezdak.exe]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\ezdak.exe
backup=c:\windows\pss\ezdak.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^maup.exe]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\maup.exe
backup=c:\windows\pss\maup.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^ywizyx.exe]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\ywizyx.exe
backup=c:\windows\pss\ywizyx.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^yxso.exe]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\yxso.exe
backup=c:\windows\pss\yxso.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wireless USB Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Wireless USB Manager.lnk
backup=c:\windows\pss\Wireless USB Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FingerPrintSoftware]
c:\program files\Lenovo Fingerprint Software\fpapp.exe \s [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 17:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AMSG]
2007-02-02 03:00 419376 ------w- c:\program files\ThinkVantage\AMSG\Amsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BLOG]
2009-01-15 01:52 287062 ------w- c:\progra~1\ThinkPad\UTILIT~1\BATLOGEX.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 04:42 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-09-01 06:39 1164584 ------w- c:\program files\DivX\DivX Update\DivXUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EZEJMNAP]
2008-10-08 02:38 256576 ------w- c:\progra~1\ThinkPad\UTILIT~1\EZEJMNAP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-10-30 16:38 178712 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-10-30 16:38 150040 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LPMailChecker]
2008-09-01 03:02 124248 ------w- c:\progra~1\THINKV~1\PrdCtr\LPMLCHK.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LPManager]
2008-09-01 03:02 165208 ------w- c:\progra~1\THINKV~1\PrdCtr\LPMGR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]
2009-09-22 15:00 136512 ------w- c:\program files\McAfee\Common Framework\UdaterUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-10-30 16:38 150040 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\picon]
2008-05-29 17:12 367128 ------w- c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pointsec Tray]
2006-12-04 16:49 941424 ------w- c:\program files\Pointsec\Pointsec for PC\P95tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRMGRTR]
2009-01-15 01:52 467356 ------w- c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rtnotify]
2008-07-28 18:43 3671328 ------w- c:\program files\Lumension Security\Sanctuary\Client\RTNotify.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShStatEXE]
2008-05-12 14:30 111952 ----a-w- c:\program files\McAfee\VirusScan Enterprise\shstat.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-15 15:14 149280 ------w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPHOTKEY]
2008-09-30 16:37 68976 ------w- c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TpShocks]
2008-08-01 16:29 181536 ----a-w- c:\windows\system32\TpShocks.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrackPointSrv]
2008-09-29 10:15 93472 ------w- c:\program files\Lenovo\TrackPoint\tp4serv.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"=
"c:\\Program Files\\GmoteServer\\GmoteServer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 prot_2k;prot_2k;c:\windows\system32\drivers\prot_2k.sys [04/12/2006 16:49 238496]
R0 sk;Sanctuary Kernel;c:\windows\system32\drivers\sk.sys [28/07/2008 18:44 743848]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [10/06/2008 16:39 19496]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [12/05/2008 18:04 13480]
R1 NEOFLTR_640_14343;Juniper Networks TDI Filter Driver (NEOFLTR_640_14343);c:\windows\system32\drivers\NEOFLTR_640_14343.sys [15/06/2009 21:10 77096]
R2 ATService;AuthenTec Fingerprint Service;c:\windows\system32\AtService.exe [26/10/2008 18:33 1676536]
R2 CBA8;LANDesk® Management Agent;c:\program files\LANDesk\Shared Files\residentAgent.exe [09/01/2007 10:03 122880]
R2 dtsvc;Data Transfer Service;c:\windows\system32\DTS.exe [26/10/2008 18:38 98304]
R2 Pointsec;Pointsec;c:\windows\system32\Prot_srv.exe [04/12/2006 16:49 146720]
R2 Pointsec_start;Pointsec Service Start;c:\windows\system32\pstartSr.exe [04/12/2006 16:49 109856]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.exe [19/03/2009 11:37 53248]
R2 QDLService;Qualcomm Gobi Download Service;c:\qualcomm\QDLService\QDLService.exe [11/07/2008 12:41 345336]
R2 scomc;Sanctuary Command and Control;c:\program files\Lumension Security\Sanctuary\Client\scomc.exe [28/07/2008 18:43 2045216]
R2 Softmon;LANDesk® Software Monitoring Service;c:\program files\LANDesk\LDClient\SoftMon.exe [05/05/2010 13:05 266240]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [19/03/2009 12:33 2058776]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [19/03/2009 15:15 482176]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [19/03/2009 14:15 239760]
R3 ldblank;Screen Blanking driver for Remote Control;c:\windows\system32\drivers\ldblank.sys [05/05/2010 13:05 11904]
R3 ldmirror;ldmirror;c:\windows\system32\drivers\ldmirror.sys [05/05/2010 13:05 3328]
R3 mirrorflt;Mirror Filter Driver for Uninstall;c:\windows\system32\drivers\mirrorflt.sys [05/05/2010 13:05 3712]
R3 sk-ndis;SK-NDIS;c:\windows\system32\drivers\sk_ndis.sys [28/07/2008 18:44 10024]
R3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [29/09/2008 10:15 23080]
S2 gupdate;Google Update Service (gupdate);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S3 ADMonitor;AD Monitor;c:\windows\system32\ADMonitor.exe [26/10/2008 18:38 106496]
S3 FingerprintServer;Fingerprint Server;c:\windows\system32\FpLogonServ.exe [26/10/2008 18:41 118784]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [14/04/2008 04:42 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08
.
Contents of the 'Scheduled Tasks' folder

2010-08-30 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\PCDR5\pcdr5cuiw32.exe [2009-02-20 20:57]
.
.
------- Supplementary Scan -------
.
uStart Page = https://cwa.capita.co.uk/
uInternet Settings,ProxyServer = proxy.capita.zone:80
uInternet Settings,ProxyOverride = www.constructionline.co.uk;*.capitadesktop;*.capita.zone;<local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm
TCP: {42D1249F-CF8E-4039-B129-C59CC280342D} = 10.82.27.240
DPF: {0AFD9937-10D5-436F-9F2B-08BF61754446} - hxxp://195.89.201.69/Capitacrm/Plugin/OTLTools.cab
DPF: {3DFD2B52-C6E9-11D4-8226-005004F658FC} - hxxp://195.89.201.69/CapitaCRM/Plugin/eWarePluginX.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
FF - ProfilePath - c:\documents and settings\Matthew.Kearsley\Application Data\Mozilla\Firefox\Profiles\6difg1in.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/ig
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - component: c:\program files\WebEx\Productivity Tools\components\OCFF.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\Veetle\VLCBroadcast\npvbp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
.
- - - - ORPHANS REMOVED - - - -

Notify-ACNotify - ACNotify.dll
SafeBoot-scomc
SafeBoot-sk
MSConfigStartUp-ACTray - c:\program files\ThinkPad\ConnectUtilities\ACTray.exe
MSConfigStartUp-ACWLIcon - c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe
MSConfigStartUp-nonep - c:\docume~1\MATTHE~1.KEA\LOCALS~1\Temp\tmp499d3c42\r_KillEXE.exe
MSConfigStartUp-SDClientMonitor - c:\program files\LANDesk\LDClient\webportal\sdclientmonitor.exe
MSConfigStartUp-TPKMAPHELPER - c:\program files\ThinkPad\Utilities\TpKmapAp.exe
MSConfigStartUp-TVT Scheduler Proxy - c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
AddRemove-CNXT_AUDIO_HDA - c:\program files\CONEXANT\CNXT_AUDIO_HDA\UIU32a.exe
AddRemove-CNXT_MODEM_HDA_HSF - c:\program files\CONEXANT\CNXT_MODEM_HDA_HSF\UIU32m.exe
AddRemove-Lexmark_HostCD - c:\program files\Lexmark_HostCD\Install\Uninstall.exe
AddRemove-Lightscreen - c:\program files\Lightscreen\uninstall.exe
AddRemove-Windows Media Format Runtime - c:\program files\Windows Media Player\wmsetsdk.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-14 19:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(536)
c:\windows\system32\sxwmon32.dll
c:\windows\system32\pssogina.dll
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\windows\system32\FpWinLogonNp.dll
c:\program files\Lenovo Fingerprint Software\ATCSSINT.dll
c:\program files\Lenovo Fingerprint Software\SharedResources.dll
c:\program files\Lenovo Fingerprint Software\FPResource.dll
c:\program files\Lenovo\HOTKEY\tphklock.dll

- - - - - - - > 'lsass.exe'(600)
c:\windows\system32\sxwmon32.dll

- - - - - - - > 'explorer.exe'(2596)
c:\windows\system32\WININET.dll
c:\windows\system32\sxwmon32.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\Intel\WiFi\bin\S24EvMon.exe
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\windows\system32\acs.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\LANDesk\LDClient\LocalSch.EXE
c:\windows\system32\CBA\pds.exe
c:\program files\LANDesk\LDClient\tmcsvc.exe
c:\progra~1\LANDesk\LDClient\issuser.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\AMT\LMS.exe
c:\progra~1\LANDesk\LDClient\collector.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\System32\TPHDEXLG.exe
c:\windows\system32\TpKmpSVC.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\lenovo\system update\suservice.exe
c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\progra~1\LANDesk\LDClient\rcgui.exe
c:\program files\WebEx\Productivity Tools\ptSrv.exe
c:\program files\Java\jre6\bin\javaw.exe
.
**************************************************************************
.
Completion time: 2010-11-14 19:34:17 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-14 19:33

Pre-Run: 131,246,415,872 bytes free
Post-Run: 130,406,805,504 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 1C781C2A998858D3ED0D47747D31418A

#4 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 14 November 2010 - 02:51 PM

Hello,

You're welcome. :) How is it running now please?

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

FILE::
c:\program files\microsoft\watermark.exe


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: dragging the CFScript file onto ComboFix.exe]

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#5 Matt3376

  • Topic Starter
  • Members
  • 9 posts

Posted 14 November 2010 - 03:52 PM

Tea,

The log is below; please note, I received a message regarding my virus protection - it said to disable it (I already had for the initial run, but did again) and then it said it was still running, so I do this at my own risk...

Anyhow, I had no problems with running ComboFix after the message. Let me know if you think this really is a problem.

Finally, the laptop seems to be running better after a reboot, but by the time I was running the last scan it had deteriorated a fair bit. I only have 71 processes running now, whereas I had 75 when I first posted. I hope this is useful info.

----------------------------------------------------------------------------------------------------------------------------------------------------

ComboFix 10-11-13.01 - matthew.kearsley 14/11/2010 20:25:47.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1944.254 [GMT 0:00]
Running from: c:\documents and settings\Matthew.Kearsley\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Matthew.Kearsley\Desktop\CFScript.txt
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\MATTHE~1.KEA\LOCALS~1\Temp\jna6079644393922139020.tmp
c:\documents and settings\Matthew.Kearsley\Local Settings\Temp\jna6079644393922139020.tmp
c:\program files\microsoft\watermark.exe
c:\windows\system32\dmlconf.dat

.
((((((((((((((((((((((((( Files Created from 2010-10-14 to 2010-11-14 )))))))))))))))))))))))))))))))
.

2010-11-14 17:00 . 2010-11-14 17:00 -------- d-----w- c:\program files\Trend Micro
2010-11-14 16:10 . 2010-11-14 16:10 -------- d-----w- c:\program files\tmp
2010-11-13 15:36 . 2010-11-14 19:01 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-11-13 15:36 . 2010-11-14 18:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-11-13 14:52 . 2010-11-14 11:07 -------- d-----w- c:\program files\temp
2010-10-26 14:12 . 2010-10-26 14:12 -------- d-----w- c:\program files\Hewlett-Packard
2010-10-26 14:12 . 2010-10-26 14:12 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2010-10-26 14:11 . 2010-10-26 14:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2010-10-26 14:11 . 2007-03-28 13:01 117760 ----a-w- c:\windows\system32\hpzll5ha.dll
2010-10-26 14:11 . 2007-03-28 12:57 274944 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpzpp5ha.dll
2010-10-26 14:10 . 2008-04-13 23:15 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2010-10-26 14:10 . 2008-04-13 23:15 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-10-26 14:10 . 2007-03-08 19:20 21568 ----a-w- c:\windows\system32\drivers\HPZius12.sys
2010-10-26 14:10 . 2007-03-08 19:20 16496 ----a-w- c:\windows\system32\drivers\HPZipr12.sys
2010-10-26 14:10 . 2007-03-08 19:20 49920 ----a-w- c:\windows\system32\drivers\HPZid412.sys
2010-10-26 14:10 . 2007-03-31 05:07 267864 ----a-w- c:\windows\system32\hpzids01.dll
2010-10-26 14:10 . 2007-03-18 06:11 675840 ----a-w- c:\windows\system32\hpowiax3.dll
2010-10-26 14:10 . 2007-03-18 06:11 303104 ----a-w- c:\windows\system32\hpovst10.dll
2010-10-26 14:10 . 2007-03-18 06:11 569344 ----a-w- c:\windows\system32\hpotscl3.dll
2010-10-26 14:10 . 2007-03-08 19:20 364544 ----a-w- c:\windows\system32\hppldcoi.dll
2010-10-26 14:10 . 2010-10-26 14:10 -------- d-----w- c:\program files\HP
2010-10-26 14:07 . 2008-04-13 23:17 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2010-10-26 14:07 . 2008-04-13 23:17 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2010-10-22 07:28 . 2010-10-22 07:28 -------- d-----w- c:\windows\system32\wbem\Repository
2010-10-16 14:16 . 2010-10-22 07:28 -------- d-----w- c:\documents and settings\Matthew.Kearsley\Local Settings\Application Data\Google
2010-10-16 14:15 . 2010-10-22 07:28 -------- d-----w- c:\program files\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 12:23 . 2007-04-03 07:44 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2008-04-14 04:41 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2008-04-14 04:41 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-18 06:53 . 2002-08-29 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-09 13:38 . 2008-04-14 04:42 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-09 13:38 . 2008-04-14 04:42 832512 ----a-w- c:\windows\system32\wininet.dll
2010-09-09 13:38 . 2008-04-14 04:41 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-09-09 13:38 . 2008-04-14 04:41 17408 ----a-w- c:\windows\system32\corpol.dll
2010-09-01 11:51 . 2008-04-14 04:39 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2008-04-14 00:00 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-31 12:10 . 2008-04-13 23:07 389120 ----a-w- c:\windows\system32\html.iec
2010-08-27 08:02 . 2008-04-14 04:42 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2008-04-14 04:42 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2008-04-13 23:45 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-12-14 14:01 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2008-04-14 04:41 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2008-04-14 04:42 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-05-24 13:49 . 2010-05-24 13:49 28472 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2010-05-24 13:49 . 2010-05-24 13:49 185224 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2010-05-24 13:50 . 2010-05-24 13:50 46392 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll
2010-05-24 13:50 . 2010-05-24 13:50 99208 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
.

------- Sigcheck -------

[-] 2008-07-11 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"PTIM.exe"="c:\program files\WebEx\Productivity Tools\PTIM.exe" [2010-04-14 271672]
"PTOneClick"="c:\program files\WebEx\Productivity Tools\ptoneclk.exe" [2010-04-14 247096]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-09-02 13351304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2009-09-22 136512]

c:\documents and settings\Matthew.Kearsley\Start Menu\Programs\Startup\
GmoteServer.lnk - c:\program files\GmoteServer\GmoteServer.exe [2010-7-31 451584]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
kaah.exe [2010-11-14 106496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\microsoft\watermark.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ATFUS]
2008-10-26 18:41 180224 ----a-w- c:\windows\system32\FpWinlogonNp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 16:37 34344 ----a-w- c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2008-08-08 19:14 28672 ------w- c:\program files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^acfoa.exe]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\acfoa.exe
backup=c:\windows\pss\acfoa.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^diusy.exe]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\diusy.exe
backup=c:\windows\pss\diusy.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^ezdak.exe]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\ezdak.exe
backup=c:\windows\pss\ezdak.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^maup.exe]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\maup.exe
backup=c:\windows\pss\maup.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^ywizyx.exe]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\ywizyx.exe
backup=c:\windows\pss\ywizyx.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^yxso.exe]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\yxso.exe
backup=c:\windows\pss\yxso.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wireless USB Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Wireless USB Manager.lnk
backup=c:\windows\pss\Wireless USB Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FingerPrintSoftware]
c:\program files\Lenovo Fingerprint Software\fpapp.exe \s [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 17:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AMSG]
2007-02-02 03:00 419376 ------w- c:\program files\ThinkVantage\AMSG\Amsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BLOG]
2009-01-15 01:52 287062 ------w- c:\progra~1\ThinkPad\UTILIT~1\BATLOGEX.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 04:42 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-09-01 06:39 1164584 ------w- c:\program files\DivX\DivX Update\DivXUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EZEJMNAP]
2008-10-08 02:38 256576 ------w- c:\progra~1\ThinkPad\UTILIT~1\EZEJMNAP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-10-30 16:38 178712 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-10-30 16:38 150040 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LPMailChecker]
2008-09-01 03:02 124248 ------w- c:\progra~1\THINKV~1\PrdCtr\LPMLCHK.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LPManager]
2008-09-01 03:02 165208 ------w- c:\progra~1\THINKV~1\PrdCtr\LPMGR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]
2009-09-22 15:00 136512 ----a-w- c:\program files\McAfee\Common Framework\UdaterUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-10-30 16:38 150040 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\picon]
2008-05-29 17:12 367128 ------w- c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pointsec Tray]
2006-12-04 16:49 941424 ------w- c:\program files\Pointsec\Pointsec for PC\P95tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRMGRTR]
2009-01-15 01:52 467356 ------w- c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rtnotify]
2008-07-28 18:43 3671328 ------w- c:\program files\Lumension Security\Sanctuary\Client\RTNotify.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShStatEXE]
2008-05-12 14:30 111952 ----a-w- c:\program files\McAfee\VirusScan Enterprise\shstat.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-15 15:14 149280 ------w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPHOTKEY]
2008-09-30 16:37 68976 ------w- c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TpShocks]
2008-08-01 16:29 181536 ----a-w- c:\windows\system32\TpShocks.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrackPointSrv]
2008-09-29 10:15 93472 ------w- c:\program files\Lenovo\TrackPoint\tp4serv.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"=
"c:\\Program Files\\GmoteServer\\GmoteServer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 prot_2k;prot_2k;c:\windows\system32\drivers\prot_2k.sys [04/12/2006 16:49 238496]
R0 sk;Sanctuary Kernel;c:\windows\system32\drivers\sk.sys [28/07/2008 18:44 743848]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [10/06/2008 16:39 19496]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [12/05/2008 18:04 13480]
R1 NEOFLTR_640_14343;Juniper Networks TDI Filter Driver (NEOFLTR_640_14343);c:\windows\system32\drivers\NEOFLTR_640_14343.sys [15/06/2009 21:10 77096]
R2 ATService;AuthenTec Fingerprint Service;c:\windows\system32\AtService.exe [26/10/2008 18:33 1676536]
R2 CBA8;LANDesk® Management Agent;c:\program files\LANDesk\Shared Files\residentAgent.exe [09/01/2007 10:03 122880]
R2 dtsvc;Data Transfer Service;c:\windows\system32\DTS.exe [26/10/2008 18:38 98304]
R2 Pointsec;Pointsec;c:\windows\system32\Prot_srv.exe [04/12/2006 16:49 146720]
R2 Pointsec_start;Pointsec Service Start;c:\windows\system32\pstartSr.exe [04/12/2006 16:49 109856]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.exe [19/03/2009 11:37 53248]
R2 QDLService;Qualcomm Gobi Download Service;c:\qualcomm\QDLService\QDLService.exe [11/07/2008 12:41 345336]
R2 scomc;Sanctuary Command and Control;c:\program files\Lumension Security\Sanctuary\Client\scomc.exe [28/07/2008 18:43 2045216]
R2 Softmon;LANDesk® Software Monitoring Service;c:\program files\LANDesk\LDClient\SoftMon.exe [05/05/2010 13:05 266240]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [19/03/2009 12:33 2058776]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [19/03/2009 15:15 482176]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [19/03/2009 14:15 239760]
R3 ldblank;Screen Blanking driver for Remote Control;c:\windows\system32\drivers\ldblank.sys [05/05/2010 13:05 11904]
R3 ldmirror;ldmirror;c:\windows\system32\drivers\ldmirror.sys [05/05/2010 13:05 3328]
R3 mirrorflt;Mirror Filter Driver for Uninstall;c:\windows\system32\drivers\mirrorflt.sys [05/05/2010 13:05 3712]
R3 sk-ndis;SK-NDIS;c:\windows\system32\drivers\sk_ndis.sys [28/07/2008 18:44 10024]
R3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [29/09/2008 10:15 23080]
S2 gupdate;Google Update Service (gupdate);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S3 ADMonitor;AD Monitor;c:\windows\system32\ADMonitor.exe [26/10/2008 18:38 106496]
S3 FingerprintServer;Fingerprint Server;c:\windows\system32\FpLogonServ.exe [26/10/2008 18:41 118784]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [14/04/2008 04:42 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08
.
Contents of the 'Scheduled Tasks' folder

2010-08-30 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\PCDR5\pcdr5cuiw32.exe [2009-02-20 20:57]
.
.
------- Supplementary Scan -------
.
uStart Page = https://cwa.capita.co.uk/
uInternet Settings,ProxyServer = proxy.capita.zone:80
uInternet Settings,ProxyOverride = www.constructionline.co.uk;*.capitadesktop;*.capita.zone;<local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm
TCP: {42D1249F-CF8E-4039-B129-C59CC280342D} = 10.82.27.240
DPF: {0AFD9937-10D5-436F-9F2B-08BF61754446} - hxxp://195.89.201.69/Capitacrm/Plugin/OTLTools.cab
DPF: {3DFD2B52-C6E9-11D4-8226-005004F658FC} - hxxp://195.89.201.69/CapitaCRM/Plugin/eWarePluginX.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
FF - ProfilePath - c:\documents and settings\Matthew.Kearsley\Application Data\Mozilla\Firefox\Profiles\6difg1in.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/ig
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - component: c:\program files\WebEx\Productivity Tools\components\OCFF.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\Veetle\VLCBroadcast\npvbp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-14 20:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(532)
c:\windows\system32\sxwmon32.dll
c:\windows\system32\pssogina.dll
c:\windows\system32\FpWinLogonNp.dll
c:\program files\Lenovo Fingerprint Software\ATCSSINT.dll
c:\program files\Lenovo Fingerprint Software\SharedResources.dll
c:\program files\Lenovo Fingerprint Software\FPResource.dll
c:\program files\Lenovo\HOTKEY\tphklock.dll

- - - - - - - > 'lsass.exe'(600)
c:\windows\system32\sxwmon32.dll

- - - - - - - > 'explorer.exe'(1444)
c:\windows\system32\WININET.dll
c:\windows\system32\sxwmon32.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\Intel\WiFi\bin\S24EvMon.exe
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\windows\system32\acs.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\LANDesk\LDClient\LocalSch.EXE
c:\windows\system32\CBA\pds.exe
c:\program files\LANDesk\LDClient\tmcsvc.exe
c:\progra~1\LANDesk\LDClient\issuser.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\AMT\LMS.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\progra~1\LANDesk\LDClient\collector.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\System32\TPHDEXLG.exe
c:\windows\system32\TpKmpSVC.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\lenovo\system update\suservice.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe
c:\program files\WebEx\Productivity Tools\ptSrv.exe
c:\program files\McAfee\Common Framework\McTray.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\program files\Java\jre6\bin\javaw.exe
c:\progra~1\LANDesk\LDClient\rcgui.exe
.
**************************************************************************
.
Completion time: 2010-11-14 20:46:36 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-14 20:46
ComboFix2.txt 2010-11-14 19:34

Pre-Run: 129,766,588,416 bytes free
Post-Run: 129,705,312,256 bytes free

- - End Of File - - 47351AAEA7E00BAD55E6F282C8E0B2DF

#6 teacup61 - Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 14 November 2010 - 04:11 PM

Hello,

Okay, it looks like there is a dropper, or droppers, regenerating the infection. Please do a Windows search for yxso.exe and tell me if it shows up. And I'd like to have a file analyzed:

Please visit the online Jotti Virus Scanner.
  • Copy and paste the following filepath in the box:

    c:\documents and settings\Administrator\Start Menu\Programs\Startup\ywizyx.exe


  • Click on the submit button.
    The scanner will check the file with various AV companies.
  • Copy and paste the results box into a reply to this thread.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#7 Matt3376 - Topic Starter
  • Members
  • 9 posts

Posted 14 November 2010 - 04:29 PM

Thanks for your help Tea, I have never heard of a dropper or droppers before!!

Interestingly, there was no file ywizyx.exe in the folder you specified - I even checked hidden files. There was only one file, so I scanned that through the link you posted. The file name was gaohpo; the report is below:

[ArcaVir]
2010-11-14 Found nothing
[G DATA]
2010-11-14 Gen:Variant.Kazy.3314
[Avast! antivirus]
2010-11-14 Found nothing
[Ikarus]
2010-11-14 Found nothing
[Grisoft AVG Anti-Virus]
2010-11-14 Found nothing
[Kaspersky Anti-Virus]
2010-11-14 Found nothing
[Avira AntiVir]
2010-11-14 Found nothing
[ESET NOD32]
2010-11-14 Win32/Kryptik.IDW
[Softwin BitDefender]
2010-11-14 Gen:Variant.Kazy.3314
[Panda Antivirus]
2010-11-14 Found nothing
[ClamAV]
2010-11-14 Found nothing
[Quick Heal]
2010-11-12 Found nothing
[CPsecure]
2010-11-14 Found nothing
[Sophos]
2010-11-14 Found nothing
[Dr.Web]
2010-11-14 Found nothing
[VirusBlokAda VBA32]
2010-11-12 Found nothing
[Frisk F-Prot Antivirus]
2010-11-13 Found nothing
[VirusBuster]
2010-11-14 Found nothing
[F-Secure Anti-Virus]
2010-11-14 Gen:Variant.Kazy.3314


Finally, the file I searched for was there:

Location: c:\windows\pss


Thanks again pal

#8 teacup61 - Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 14 November 2010 - 05:03 PM

Hello,

i have never heard of a dropper or droppers before!!

They are the file(s) that bring in their friends to play. <_< Unless they are found and deleted, the infection will regenerate every single time.

Would you do me a favor please and post a new HijackThis log? I want to see if these are "morphing" so I know how to go about killing them.

Thanks,
tea

#9 Matt3376 - Topic Starter
  • Members
  • 9 posts

Posted 14 November 2010 - 05:07 PM

Cheeky little blighters.

Here you are, Tea:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 22:06:16, on 14/11/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17091)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\DTS.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\AtService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\LANDesk\LDClient\collector.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Prot_srv.exe
C:\WINDOWS\system32\pstartSr.exe
C:\QUALCOMM\QDLService\QDLService.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\Lumension Security\Sanctuary\Client\scomc.exe
C:\Program Files\LANDesk\LDClient\softmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\WebEx\Productivity Tools\PTIM.exe
C:\Program Files\WebEx\Productivity Tools\ptoneclk.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\WebEx\Productivity Tools\ptSrv.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Program Files\GmoteServer\GmoteServer.exe
C:\Program Files\Java\jre6\bin\javaw.exe
C:\PROGRA~1\LANDesk\LDClient\rcgui.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Skype\Toolbars\Shared\SkypeNames2.exe
C:\WINDOWS\explorer.exe
C:\Program Files\McAfee\Common Framework\McScript_InUse.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://cwa.capita.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.capita.zone:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = www.constructionline.co.uk;*.capitadesktop;*.capita.zone;<local>
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,,c:\program files\microsoft\watermark.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: WebEx Productivity Tools - {90E2BA2E-DD1B-4cde-9134-7A8B86D33CA7} - C:\Program Files\WebEx\Productivity Tools\ptonecli.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: WebEx Productivity Tools - {90E2BA2E-DD1B-4cde-9134-7A8B86D33CA7} - C:\Program Files\WebEx\Productivity Tools\ptonecli.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PTIM.exe] C:\Program Files\WebEx\Productivity Tools\PTIM.exe
O4 - HKCU\..\Run: [PTOneClick] C:\Program Files\WebEx\Productivity Tools\ptoneclk.exe /AutoRunning="2"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - .DEFAULT User Startup: gouda.exe (User 'Default user')
O4 - .DEFAULT User Startup: kaah.exe (User 'Default user')
O4 - Startup: GmoteServer.lnk = C:\Program Files\GmoteServer\GmoteServer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0AFD9937-10D5-436F-9F2B-08BF61754446} (OutlookTools Object) - http://195.89.201.69/Capitacrm/Plugin/OTLTools.cab
O16 - DPF: {3DFD2B52-C6E9-11D4-8226-005004F658FC} (XeWare Control) - http://195.89.201.69/CapitaCRM/Plugin/eWarePluginX.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1260800928253
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://capita.webex.com/client/upgradeserver/client/ptool/T27L10NSP11EP15-6316/ieatgpc.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - https://juniper.net/dana-cached/sc/JuniperSetupClient.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = constline.local
O17 - HKLM\Software\..\Telephony: DomainName = constline.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{42D1249F-CF8E-4039-B129-C59CC280342D}: NameServer = 10.82.27.240
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = constline.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = constline.local
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: ATFUS - C:\WINDOWS\system32\FpWinLogonNp.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Atheros Configuration Service (acs) - Atheros - C:\WINDOWS\system32\acs.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: AD Monitor (ADMonitor) - Unknown owner - C:\WINDOWS\system32\ADMonitor.exe
O23 - Service: AuthenTec Fingerprint Service (ATService) - AuthenTec, Inc. - C:\WINDOWS\system32\AtService.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: LANDesk® Management Agent (CBA8) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\Shared Files\residentagent.exe
O23 - Service: Data Transfer Service (dtsvc) - Unknown owner - C:\WINDOWS\system32\DTS.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel® Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: Fingerprint Server (FingerprintServer) - AuthenTec,Inc - C:\WINDOWS\system32\FpLogonServ.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe (file missing)
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: Intel Local Scheduler Service - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\tmcsvc.exe
O23 - Service: LANDesk Remote Control Service (ISSUSER) - LANDesk Software, Ltd. - C:\PROGRA~1\LANDesk\LDClient\issuser.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel® Active Management Technology Local Management Service (LMS) - Intel Corporation - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Pointsec - Unknown owner - C:\WINDOWS\system32\Prot_srv.exe
O23 - Service: Pointsec Service Start (Pointsec_start) - Unknown owner - C:\WINDOWS\system32\pstartSr.exe
O23 - Service: Power Manager DBC Service - Unknown owner - C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
O23 - Service: Qualcomm Gobi Download Service (QDLService) - QUALCOMM, Inc. - C:\QUALCOMM\QDLService\QDLService.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel® Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless WiFi Service (S24EventMonitor) - Intel® Corporation - C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
O23 - Service: Sanctuary Command and Control (scomc) - Lumension Security - C:\Program Files\Lumension Security\Sanctuary\Client\scomc.exe
O23 - Service: LANDesk® Software Monitoring Service (Softmon) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\softmon.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: Intel® Active Management Technology User Notification Service (UNS) - Intel Corporation - C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)

--
End of file - 13945 bytes

#10 teacup61 - Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 14 November 2010 - 05:23 PM

Hi,

Yes, they sure are! :lol: It *looks* like we don't have to worry about them changing their names though, so let's go from there:

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

FILE::
c:\documents and settings\Administrator\Start Menu\Programs\Startup\ywizyx.exe
c:\windows\pss\ywizyx.exe
c:\windows\pss\maup.exe
c:\documents and settings\Administrator\Start Menu\Programs\Startup\maup.exe
c:\windows\pss\ezdak.exe
c:\documents and settings\Administrator\Start Menu\Programs\Startup\ezdak.exe
c:\documents and settings\Administrator\Start Menu\Programs\Startup\diusy.exe
c:\windows\pss\diusy.exe
c:\windows\pss\acfoa.exe
c:\documents and settings\Administrator\Start Menu\Programs\Startup\acfoa.exe
c:\program files\microsoft\watermark.exe
FCOPY::
c:\windows\ServicePackFiles\i386\sfcfiles.dll | c:\windows\system32\sfcfiles.dll


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: CFScript.txt being dragged onto ComboFix.exe]

This will start ComboFix again.

After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.

Also let me know how it's running. :)

Thanks,
tea
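Two mechanisms carry this infection across the fixes in the thread: the second program appended to Winlogon's Userinit value (watermark.exe, so it starts at every logon whatever happens in the Startup folder), and the bare executables in the Administrator Startup folder, which msconfig did not delete but only moved into c:\windows\pss while recording the pair under its startupfolder key (which is why yxso.exe still turned up there in post #7). The Python below is an added example written for this page; it is not BleepingComputer's, ComboFix's or either poster's code. It parses the HijackThis and ComboFix formats shown above, with sample lines copied from the logs in posts #9 and #11, flags both indicators, and drafts the FILE:: list of a CFScript in the form teacup61 wrote by hand in post #10. The indicator rules (bare .exe in a Startup folder, anything but system32\userinit.exe in Userinit) are heuristics chosen for the example, and the draft is a starting point for a human to review, not something to feed to ComboFix unread.

```python
"""Log triage for the persistence pattern in this thread (added example, not the page's code).

Pure text processing over lines copied from the posted logs; nothing here touches the
registry or the file system, so it runs anywhere."""
import re
from typing import Dict, List, Sequence, Tuple

# Constructed sample: HijackThis lines taken from the log in post #9.
SAMPLE_HJT = r"""
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,,c:\program files\microsoft\watermark.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - .DEFAULT User Startup: gouda.exe (User 'Default user')
O4 - .DEFAULT User Startup: kaah.exe (User 'Default user')
O4 - Startup: GmoteServer.lnk = C:\Program Files\GmoteServer\GmoteServer.exe
"""

# Constructed sample: msconfig 'startupfolder' blocks as ComboFix prints them (post #11).
SAMPLE_COMBOFIX = r"""
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^acfoa.exe]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\acfoa.exe
backup=c:\windows\pss\acfoa.exeStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^yxso.exe]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\yxso.exe
backup=c:\windows\pss\yxso.exeStartup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup
"""

_USERINIT_RE = re.compile(r'userinit"?\s*=\s*"?(?P<value>[^"\n]+)', re.IGNORECASE)
_STARTUP_RE = re.compile(r"^O4 - (?P<where>[^:]*Startup): (?P<entry>.+)$")
_MSCONFIG_RE = re.compile(r"^\[HKLM\\~\\startupfolder\\[^\]]+\]\s*\n"
                          r"path=(?P<path>[^\n]+)\nbackup=(?P<backup>[^\n]+)", re.MULTILINE)


def userinit_extras(value: str) -> List[str]:
    """Programs in a Userinit value other than the stock system32\\userinit.exe.

    Winlogon runs every comma-separated entry at logon; the stock XP value is only
    'c:\\windows\\system32\\userinit.exe,' so anything else is an added logon hook."""
    extras = []
    for entry in value.split(","):
        entry = entry.strip().strip('"')
        if not entry:
            continue
        folder, _, name = entry.lower().rpartition("\\")
        if name == "userinit.exe" and folder.endswith("system32"):
            continue
        extras.append(entry)
    return extras


def startup_executables(hjt_text: str) -> List[Tuple[str, str]]:
    """(name, folder) for O4 entries that are bare .exe files inside a Startup folder.

    Normal Startup items are .lnk shortcuts (GmoteServer.lnk above); an executable dropped
    straight into the folder is the pattern chased in this thread. Heuristic, not proof."""
    found = []
    for line in hjt_text.splitlines():
        m = _STARTUP_RE.match(line.strip())
        if not m:
            continue
        name = m.group("entry").split(" = ", 1)[0]
        name = re.sub(r"\s*\(User '[^']*'\)\s*$", "", name)
        if name.lower().endswith(".exe"):
            found.append((name, m.group("where")))
    return found


def msconfig_disabled_items(combofix_text: str) -> List[Tuple[str, str]]:
    """(original_path, backup_path) for Startup items disabled through msconfig.

    msconfig does not delete a disabled item; it moves the file into c:\\windows\\pss and
    records the pair, which is why the 'disabled' dropper still turned up there in post #7."""
    return [(m.group("path"), m.group("backup")) for m in _MSCONFIG_RE.finditer(combofix_text)]


def build_cfscript(files: Sequence[str], fcopy: Sequence[Tuple[str, str]] = ()) -> str:
    """Render a ComboFix script in the FILE:: / FCOPY:: form used in post #10."""
    lines = ["FILE::", *files]
    if fcopy:
        lines.append("FCOPY::")
        lines.extend(f"{src} | {dst}" for src, dst in fcopy)
    return "\n".join(lines) + "\n"


def triage(hjt_text: str, combofix_text: str) -> Dict[str, object]:
    """Collect the indicators from both logs and draft the FILE:: list for a CFScript."""
    extras: List[str] = []
    for line in hjt_text.splitlines():
        m = _USERINIT_RE.search(line)
        if m:
            extras.extend(userinit_extras(m.group("value")))
    disabled = [(p, b) for p, b in msconfig_disabled_items(combofix_text)
                if p.lower().endswith(".exe")]
    # List both copies of each dropped file, or msconfig's copy in c:\windows\pss survives.
    targets = [path for pair in disabled for path in pair] + extras
    return {"userinit_extras": extras, "startup_executables": startup_executables(hjt_text),
            "msconfig_disabled_exes": disabled, "cfscript": build_cfscript(targets)}
```

Running `triage(SAMPLE_HJT, SAMPLE_COMBOFIX)` flags watermark.exe from the Userinit line, gouda.exe and kaah.exe as bare executables in the Default user Startup folder, and the acfoa.exe and yxso.exe pairs from the msconfig dump (the Bluetooth shortcut is skipped), and the drafted FILE:: section names both the Startup-folder path and the c:\windows\pss backup of each. Note that the backup names carry msconfig's "Startup" suffix exactly as the registry dump shows them; the script makes no attempt to check that any of these files exist, which is the reviewer's job before the list goes anywhere near ComboFix.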

#11 Matt3376 - Topic Starter
  • Members
  • 9 posts

Posted 14 November 2010 - 06:00 PM

Thanks again Tea, things seem to be progressing with each throw of the dice. The system is running much better, although there appear to be too many processes still running... see what you make of this!?

ComboFix 10-11-14.01 - matthew.kearsley 14/11/2010 22:37:43.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1944.1460 [GMT 0:00]
Running from: c:\documents and settings\Matthew.Kearsley\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Matthew.Kearsley\Desktop\CFScript.txt
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

FILE ::
"c:\documents and settings\Administrator\Start Menu\Programs\Startup\acfoa.exe"
"c:\documents and settings\Administrator\Start Menu\Programs\Startup\diusy.exe"
"c:\documents and settings\Administrator\Start Menu\Programs\Startup\ezdak.exe"
"c:\documents and settings\Administrator\Start Menu\Programs\Startup\maup.exe"
"c:\documents and settings\Administrator\Start Menu\Programs\Startup\ywizyx.exe"
"c:\program files\microsoft\watermark.exe"
"c:\windows\pss\acfoa.exe"
"c:\windows\pss\diusy.exe"
"c:\windows\pss\ezdak.exe"
"c:\windows\pss\maup.exe"
"c:\windows\pss\ywizyx.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Documents\Server\admin.txt
c:\program files\microsoft\watermark.exe
c:\windows\system32\dmlconf.dat
c:\windows\TEMP\winlogon.dat

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\winlogon.exe

Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\explorer.exe

.
((((((((((((((((((((((((( Files Created from 2010-10-14 to 2010-11-14 )))))))))))))))))))))))))))))))
.

2010-11-14 22:05 . 2010-11-14 22:05 466418 ----a-r- c:\documents and settings\Matthew.Kearsley\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-11-14 17:00 . 2010-11-14 17:00 -------- d-----w- c:\program files\Trend Micro
2010-11-14 16:10 . 2010-11-14 21:29 -------- d-----w- c:\program files\tmp
2010-11-13 15:36 . 2010-11-14 19:01 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-11-13 15:36 . 2010-11-14 18:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-11-13 14:52 . 2010-11-14 11:07 -------- d-----w- c:\program files\temp
2010-10-26 14:12 . 2010-10-26 14:12 -------- d-----w- c:\program files\Hewlett-Packard
2010-10-26 14:12 . 2010-10-26 14:12 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2010-10-26 14:11 . 2010-10-26 14:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2010-10-26 14:11 . 2007-03-28 13:01 117760 ----a-w- c:\windows\system32\hpzll5ha.dll
2010-10-26 14:11 . 2007-03-28 12:57 274944 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpzpp5ha.dll
2010-10-26 14:10 . 2008-04-13 23:15 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2010-10-26 14:10 . 2008-04-13 23:15 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-10-26 14:10 . 2007-03-08 19:20 21568 ----a-w- c:\windows\system32\drivers\HPZius12.sys
2010-10-26 14:10 . 2007-03-08 19:20 16496 ----a-w- c:\windows\system32\drivers\HPZipr12.sys
2010-10-26 14:10 . 2007-03-08 19:20 49920 ----a-w- c:\windows\system32\drivers\HPZid412.sys
2010-10-26 14:10 . 2007-03-31 05:07 267864 ----a-w- c:\windows\system32\hpzids01.dll
2010-10-26 14:10 . 2007-03-18 06:11 675840 ----a-w- c:\windows\system32\hpowiax3.dll
2010-10-26 14:10 . 2007-03-18 06:11 303104 ----a-w- c:\windows\system32\hpovst10.dll
2010-10-26 14:10 . 2007-03-18 06:11 569344 ----a-w- c:\windows\system32\hpotscl3.dll
2010-10-26 14:10 . 2007-03-08 19:20 364544 ----a-w- c:\windows\system32\hppldcoi.dll
2010-10-26 14:10 . 2010-10-26 14:10 -------- d-----w- c:\program files\HP
2010-10-26 14:07 . 2008-04-13 23:17 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2010-10-26 14:07 . 2008-04-13 23:17 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2010-10-22 07:28 . 2010-10-22 07:28 -------- d-----w- c:\windows\system32\wbem\Repository
2010-10-16 14:16 . 2010-10-22 07:28 -------- d-----w- c:\documents and settings\Matthew.Kearsley\Local Settings\Application Data\Google
2010-10-16 14:15 . 2010-10-22 07:28 -------- d-----w- c:\program files\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 12:23 . 2007-04-03 07:44 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2008-04-14 04:41 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2008-04-14 04:41 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-18 06:53 . 2002-08-29 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-09 13:38 . 2008-04-14 04:42 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-09 13:38 . 2008-04-14 04:42 832512 ----a-w- c:\windows\system32\wininet.dll
2010-09-09 13:38 . 2008-04-14 04:41 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-09-09 13:38 . 2008-04-14 04:41 17408 ----a-w- c:\windows\system32\corpol.dll
2010-09-01 11:51 . 2008-04-14 04:39 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2008-04-14 00:00 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-31 12:10 . 2008-04-13 23:07 389120 ----a-w- c:\windows\system32\html.iec
2010-08-27 08:02 . 2008-04-14 04:42 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2008-04-14 04:42 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2008-04-13 23:45 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-12-14 14:01 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2008-04-14 04:41 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2008-04-14 04:42 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-05-24 13:49 . 2010-05-24 13:49 28472 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2010-05-24 13:49 . 2010-05-24 13:49 185224 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2010-05-24 13:50 . 2010-05-24 13:50 46392 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll
2010-05-24 13:50 . 2010-05-24 13:50 99208 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
.

------- Sigcheck -------

[-] 2008-07-11 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"PTIM.exe"="c:\program files\WebEx\Productivity Tools\PTIM.exe" [2010-04-14 271672]
"PTOneClick"="c:\program files\WebEx\Productivity Tools\ptoneclk.exe" [2010-04-14 247096]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-09-02 13351304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2009-09-22 136512]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
gaohpo.exe [2010-11-14 106496]

c:\documents and settings\Matthew.Kearsley\Start Menu\Programs\Startup\
GmoteServer.lnk - c:\program files\GmoteServer\GmoteServer.exe [2010-7-31 451584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\microsoft\watermark.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ATFUS]
2008-10-26 18:41 180224 ----a-w- c:\windows\system32\FpWinlogonNp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 16:37 34344 ----a-w- c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2008-08-08 19:14 28672 ------w- c:\program files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^acfoa.exe]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\acfoa.exe
backup=c:\windows\pss\acfoa.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^diusy.exe]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\diusy.exe
backup=c:\windows\pss\diusy.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^ezdak.exe]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\ezdak.exe
backup=c:\windows\pss\ezdak.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^maup.exe]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\maup.exe
backup=c:\windows\pss\maup.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^ywizyx.exe]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\ywizyx.exe
backup=c:\windows\pss\ywizyx.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^yxso.exe]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\yxso.exe
backup=c:\windows\pss\yxso.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wireless USB Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Wireless USB Manager.lnk
backup=c:\windows\pss\Wireless USB Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FingerPrintSoftware]
c:\program files\Lenovo Fingerprint Software\fpapp.exe \s [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 17:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AMSG]
2007-02-02 03:00 419376 ------w- c:\program files\ThinkVantage\AMSG\Amsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BLOG]
2009-01-15 01:52 287062 ------w- c:\progra~1\ThinkPad\UTILIT~1\BATLOGEX.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 04:42 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-09-01 06:39 1164584 ------w- c:\program files\DivX\DivX Update\DivXUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EZEJMNAP]
2008-10-08 02:38 256576 ------w- c:\progra~1\ThinkPad\UTILIT~1\EZEJMNAP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-10-30 16:38 178712 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-10-30 16:38 150040 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LPMailChecker]
2008-09-01 03:02 124248 ------w- c:\progra~1\THINKV~1\PrdCtr\LPMLCHK.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LPManager]
2008-09-01 03:02 165208 ------w- c:\progra~1\THINKV~1\PrdCtr\LPMGR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]
2009-09-22 15:00 136512 ------w- c:\program files\McAfee\Common Framework\UdaterUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-10-30 16:38 150040 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\picon]
2008-05-29 17:12 367128 ------w- c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pointsec Tray]
2006-12-04 16:49 941424 ------w- c:\program files\Pointsec\Pointsec for PC\P95tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRMGRTR]
2009-01-15 01:52 467356 ------w- c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rtnotify]
2008-07-28 18:43 3671328 ------w- c:\program files\Lumension Security\Sanctuary\Client\RTNotify.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShStatEXE]
2008-05-12 14:30 111952 ----a-w- c:\program files\McAfee\VirusScan Enterprise\shstat.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-15 15:14 149280 ------w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPHOTKEY]
2008-09-30 16:37 68976 ------w- c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TpShocks]
2008-08-01 16:29 181536 ----a-w- c:\windows\system32\TpShocks.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrackPointSrv]
2008-09-29 10:15 93472 ------w- c:\program files\Lenovo\TrackPoint\tp4serv.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"=
"c:\\Program Files\\GmoteServer\\GmoteServer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 prot_2k;prot_2k;c:\windows\system32\drivers\prot_2k.sys [04/12/2006 16:49 238496]
R0 sk;Sanctuary Kernel;c:\windows\system32\drivers\sk.sys [28/07/2008 18:44 743848]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [10/06/2008 16:39 19496]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [12/05/2008 18:04 13480]
R1 NEOFLTR_640_14343;Juniper Networks TDI Filter Driver (NEOFLTR_640_14343);c:\windows\system32\drivers\NEOFLTR_640_14343.sys [15/06/2009 21:10 77096]
R2 ATService;AuthenTec Fingerprint Service;c:\windows\system32\AtService.exe [26/10/2008 18:33 1676536]
R2 CBA8;LANDesk® Management Agent;c:\program files\LANDesk\Shared Files\residentAgent.exe [09/01/2007 10:03 122880]
R2 dtsvc;Data Transfer Service;c:\windows\system32\DTS.exe [26/10/2008 18:38 98304]
R2 Pointsec;Pointsec;c:\windows\system32\Prot_srv.exe [04/12/2006 16:49 146720]
R2 Pointsec_start;Pointsec Service Start;c:\windows\system32\pstartSr.exe [04/12/2006 16:49 109856]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.exe [19/03/2009 11:37 53248]
R2 QDLService;Qualcomm Gobi Download Service;c:\qualcomm\QDLService\QDLService.exe [11/07/2008 12:41 345336]
R2 scomc;Sanctuary Command and Control;c:\program files\Lumension Security\Sanctuary\Client\scomc.exe [28/07/2008 18:43 2045216]
R2 Softmon;LANDesk® Software Monitoring Service;c:\program files\LANDesk\LDClient\SoftMon.exe [05/05/2010 13:05 266240]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [19/03/2009 12:33 2058776]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [19/03/2009 15:15 482176]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [19/03/2009 14:15 239760]
R3 ldblank;Screen Blanking driver for Remote Control;c:\windows\system32\drivers\ldblank.sys [05/05/2010 13:05 11904]
R3 ldmirror;ldmirror;c:\windows\system32\drivers\ldmirror.sys [05/05/2010 13:05 3328]
R3 mirrorflt;Mirror Filter Driver for Uninstall;c:\windows\system32\drivers\mirrorflt.sys [05/05/2010 13:05 3712]
R3 sk-ndis;SK-NDIS;c:\windows\system32\drivers\sk_ndis.sys [28/07/2008 18:44 10024]
R3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [29/09/2008 10:15 23080]
S2 gupdate;Google Update Service (gupdate);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S3 ADMonitor;AD Monitor;c:\windows\system32\ADMonitor.exe [26/10/2008 18:38 106496]
S3 FingerprintServer;Fingerprint Server;c:\windows\system32\FpLogonServ.exe [26/10/2008 18:41 118784]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [14/04/2008 04:42 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08
.
Contents of the 'Scheduled Tasks' folder

2010-08-30 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\PCDR5\pcdr5cuiw32.exe [2009-02-20 20:57]
.
.
------- Supplementary Scan -------
.
uStart Page = https://cwa.capita.co.uk/
uInternet Settings,ProxyServer = proxy.capita.zone:80
uInternet Settings,ProxyOverride = www.constructionline.co.uk;*.capitadesktop;*.capita.zone;<local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm
TCP: {42D1249F-CF8E-4039-B129-C59CC280342D} = 10.82.27.240
DPF: {0AFD9937-10D5-436F-9F2B-08BF61754446} - hxxp://195.89.201.69/Capitacrm/Plugin/OTLTools.cab
DPF: {3DFD2B52-C6E9-11D4-8226-005004F658FC} - hxxp://195.89.201.69/CapitaCRM/Plugin/eWarePluginX.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
FF - ProfilePath - c:\documents and settings\Matthew.Kearsley\Application Data\Mozilla\Firefox\Profiles\6difg1in.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/ig
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - component: c:\program files\WebEx\Productivity Tools\components\OCFF.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\Veetle\VLCBroadcast\npvbp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-14 22:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\dmlconf.dat 16 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(536)
c:\windows\system32\sxwmon32.dll
c:\windows\system32\pssogina.dll
c:\windows\system32\FpWinLogonNp.dll
c:\program files\Lenovo Fingerprint Software\ATCSSINT.dll
c:\program files\Lenovo Fingerprint Software\SharedResources.dll
c:\program files\Lenovo Fingerprint Software\FPResource.dll
c:\program files\Lenovo\HOTKEY\tphklock.dll

- - - - - - - > 'lsass.exe'(684)
c:\windows\system32\sxwmon32.dll

- - - - - - - > 'explorer.exe'(4700)
c:\windows\system32\WININET.dll
c:\windows\system32\sxwmon32.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\Intel\WiFi\bin\S24EvMon.exe
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\windows\system32\acs.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\LANDesk\LDClient\LocalSch.EXE
c:\windows\system32\CBA\pds.exe
c:\program files\LANDesk\LDClient\tmcsvc.exe
c:\progra~1\LANDesk\LDClient\issuser.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\AMT\LMS.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\progra~1\LANDesk\LDClient\collector.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\System32\TPHDEXLG.exe
c:\windows\system32\TpKmpSVC.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\lenovo\system update\suservice.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe
c:\program files\McAfee\Common Framework\McTray.exe
c:\progra~1\LANDesk\LDClient\rcgui.exe
c:\program files\WebEx\Productivity Tools\ptSrv.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\program files\Java\jre6\bin\javaw.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2010-11-14 22:57:32 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-14 22:57
ComboFix2.txt 2010-11-14 20:46
ComboFix3.txt 2010-11-14 19:34

Pre-Run: 127,553,990,656 bytes free
Post-Run: 137,914,466,304 bytes free

- - End Of File - - B3F36BC50E5B4F860D5059200FA46CDC

#12 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:17 PM

Posted 14 November 2010 - 06:12 PM

Hello,

Bad news, I'm afraid......everything that's happening points to Ramnit, and it cannot be cured. :(

Win32/Ramnit.A is a file infector with IRCBot functionality which infects .exe, and .HTML/HTM files, and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A. Win32/Ramnit.A!dll is a related file infector often seen with this infection. It too has IRCBot functionality which infects .exe, .dll and .HTML/HTM files and opens a back door that compromises your computer. This component is injected into the default web browser by Worm:Win32/Ramnit.A which is dropped by a Ramnit infected executable file.

-- Note: As with most malware infections, the threat name may be different depending on the anti-virus or anti-malware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware.
With this particular infection the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

Why? The malware injects code in legitimate files similar to the Virut virus and in many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts so the degree of infection can vary.

Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump) infection where it copies Worm:Win32/Ramnit.A with a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These types of sites are infested with a smörgåsbord of malware and a major source of system infection.

In my opinion, Ramnit.A is not effectively disinfectable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
• Reformatting and reinstalling the system

Backdoors and What They Mean to You

This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.

The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).


I'm sorry. :(
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?
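
As an added example (not part of this thread, ComboFix, or any tool it mentions), a small Python check that reads ComboFix-style "Reg Loading Points" text and flags the two persistence signs the helper reacted to in the log above: a Userinit value carrying executables beyond the default userinit.exe, and bare executables dropped into a Start Menu Startup folder. The sample text is constructed from entries quoted in the posted log; the function names are this example's own.

```python
import re

# Constructed sample in ComboFix "Reg Loading Points" style, built from
# entries that appear in the log posted above (one benign Run entry and one
# benign .lnk startup item are included for contrast).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-09-02 13351304]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
gaohpo.exe [2010-11-14 106496]

c:\documents and settings\Matthew.Kearsley\Start Menu\Programs\Startup\
GmoteServer.lnk - c:\program files\GmoteServer\GmoteServer.exe [2010-7-31 451584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\microsoft\watermark.exe"
"""

# On a stock Windows XP install Userinit holds exactly this one entry
# (followed by a trailing comma); anything else appended is worth a look.
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"


def parse_userinit(value):
    """Split a Userinit value into its non-empty comma-separated entries."""
    return [p.strip() for p in value.split(",") if p.strip()]


def check_userinit(log):
    """Return every Userinit entry that is not the default userinit.exe."""
    m = re.search(r'^"Userinit"="([^"]*)"', log, re.M)
    if not m:
        return []
    return [e for e in parse_userinit(m.group(1))
            if e.lower() != DEFAULT_USERINIT]


def check_startup_folders(log):
    """Return (folder, file) pairs for loose executables in Startup folders.

    Shortcut (.lnk) items are the normal case; an executable copied
    straight into a Startup folder is the pattern flagged here.
    """
    findings = []
    current = None
    for line in log.splitlines():
        # A folder header line ends with "...\Start Menu\Programs\Startup\"
        if re.search(r"\\Start Menu\\Programs\\Startup\\$", line, re.I):
            current = line.strip()
            continue
        if not line.strip():
            current = None          # blank line ends the folder listing
            continue
        if current:
            name = line.split()[0]  # file name precedes the [date size] part
            if name.lower().endswith((".exe", ".dll", ".scr", ".com")):
                findings.append((current, name))
    return findings


def suspicious_entries(log):
    """Run both checks and return their findings keyed by check name."""
    return {"userinit_extra": check_userinit(log),
            "loose_startup": check_startup_folders(log)}


if __name__ == "__main__":
    for check, hits in suspicious_entries(SAMPLE_LOG).items():
        print(check, hits)
```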

#13 Matt3376

Matt3376
  • Topic Starter

  • Members
  • 9 posts
  • Local time:06:17 PM

Posted 15 November 2010 - 04:22 AM

Nightmare news Tea, but I have to thank you for the effort you put in....I wish I understood what on earth you were doing, but there won't be enough space on the internet for you to explain it to me...

Thanks all the same

#14 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:17 PM

Posted 15 November 2010 - 11:47 AM

Hello,

Yes, it's the worst thing that happens to me too, believe me. I HATE this part of this, having to tell someone. In your case, the more we chipped away at this, the more that showed up as we went along, the more research I did, and the worse it looked. I am SO sorry. :(

Take care,
tea

#15 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:17 PM

Posted 19 November 2010 - 11:25 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.