Backdoor.TDSS.565, Google redirect


  • This topic is locked
5 replies to this topic

#1 golfnwrx

golfnwrx

  • Members
  • 5 posts
  • OFFLINE
  • Local time:09:23 PM

Posted 29 April 2011 - 10:26 AM

Hi,

I visited a website and now I've got a TDSS rootkit variant. Malwarebytes cannot see it, Symantec Corporate cannot see it, Doctor Web can remove it from memory but it reinfects itself in a few minutes.

GMER:
GMER 1.0.15.15572 - http://www.gmer.net
Rootkit scan 2011-04-29 07:37:05
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\iaStor0 HITACHI_ rev.PC3Z
Running: gmer.exe; Driver: C:\DOCUME~1\WJORAL~1\LOCALS~1\Temp\kxtdypow.sys


---- System - GMER 1.0.15 ----

SSDT 8896BA78 ZwAlertResumeThread
SSDT 8896BB38 ZwAlertThread
SSDT \SystemRoot\system32\drivers\dwprot.sys ZwAllocateVirtualMemory [0xAFFD8088]
SSDT 889B6B28 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xB524C3C0]
SSDT 889E5B28 ZwCreateMutant
SSDT \SystemRoot\system32\drivers\dwprot.sys ZwCreateThread [0xAFFD91E0]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xB524C640]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xB524CBA0]
SSDT \SystemRoot\system32\drivers\dwprot.sys ZwFreeVirtualMemory [0xAFFD8306]
SSDT 8899AA78 ZwImpersonateAnonymousToken
SSDT 8899AB38 ZwImpersonateThread
SSDT 88964A90 ZwMapViewOfSection
SSDT 889E1BC0 ZwOpenEvent
SSDT 88A03C00 ZwOpenProcessToken
SSDT \SystemRoot\system32\drivers\dwprot.sys ZwOpenSection [0xAFFD7ED2]
SSDT 8896FAE0 ZwOpenThreadToken
SSDT \SystemRoot\system32\drivers\dwprot.sys ZwQueueApcThread [0xAFFD92E2]
SSDT 88A09E08 ZwResumeThread
SSDT \SystemRoot\system32\drivers\dwprot.sys ZwSetContextThread [0xAFFD932E]
SSDT 8896FBB0 ZwSetInformationProcess
SSDT 8896EAE8 ZwSetInformationThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xB524CDF0]
SSDT 889E1B00 ZwSuspendProcess
SSDT 8898AAC0 ZwSuspendThread
SSDT \SystemRoot\system32\drivers\dwprot.sys ZwSystemDebugControl [0xAFFD7E00]
SSDT 889C6E08 ZwTerminateProcess
SSDT 8898AB80 ZwTerminateThread
SSDT 8897FB38 ZwUnmapViewOfSection
SSDT \SystemRoot\system32\drivers\dwprot.sys ZwWriteVirtualMemory [0xAFFD8416]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2FD8 80504874 12 Bytes [00, 1B, 9E, 88, C0, AA, 98, ...] {ADD [EBX], BL; SAHF ; MOV AL, AL; STOSB ; CWDE ; MOV [EAX], AL; JLE 0x8; SCASD }
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB72AB380, 0x3E6115, 0xE8000020]
? system32\drivers\dwprot.sys The system cannot find the path specified. !
? C:\DOCUME~1\WJORAL~1\LOCALS~1\Temp\ucINF8Ma.sys The system cannot find the file specified. !
? C:\DOCUME~1\WJORAL~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1912] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 006E000A
.text C:\WINDOWS\System32\svchost.exe[1912] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 006F000A
.text C:\WINDOWS\System32\svchost.exe[1912] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 006D000C
.text C:\WINDOWS\System32\svchost.exe[1912] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 01E5000A
.text C:\WINDOWS\System32\svchost.exe[1912] USER32.dll!WindowFromPoint 7E429766 5 Bytes JMP 01E6000A
.text C:\WINDOWS\System32\svchost.exe[1912] USER32.dll!GetForegroundWindow 7E429823 5 Bytes JMP 01E7000A
.text C:\WINDOWS\System32\svchost.exe[1912] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 00E9000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2404] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0119000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2404] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 011A000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2404] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00E5000C
.text C:\Program Files\Internet Explorer\iexplore.exe[2404] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154BD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2404] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9B01 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2404] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD125 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2404] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2404] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254664 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2404] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5117 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2404] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E5049 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2404] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E50B4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2404] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4F1A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2404] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4F7C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2404] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E517A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2404] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4FDE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2404] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDBB8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2404] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E547F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\WINDOWS\Explorer.EXE[3144] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C2000A
.text C:\WINDOWS\Explorer.EXE[3144] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C3000A
.text C:\WINDOWS\Explorer.EXE[3144] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B8000C
.text C:\WINDOWS\system32\SearchIndexer.exe[3880] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4056] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 013F000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4056] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 01CD000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4056] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 013D000C
.text C:\Program Files\Internet Explorer\iexplore.exe[4056] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154BD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4056] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4056] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5117 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4056] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E5049 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4056] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E50B4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4056] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4F1A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4056] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4F7C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4056] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E517A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4056] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4FDE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[4564] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 016B000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[4564] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0171000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[4564] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 016A000C
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[5032] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 10402024 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[5668] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 86C95C20
Device \FileSystem\Ntfs \Ntfs 8690C0D8
Device \FileSystem\Ntfs \Ntfs 88691860
Device \FileSystem\Ntfs \Ntfs 86623128
Device \FileSystem\Ntfs \Ntfs 8670D480
Device \FileSystem\Ntfs \Ntfs 865B4350

AttachedDevice \FileSystem\Ntfs \Ntfs dwprot.sys
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip dwprot.sys
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp dwprot.sys

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\RM6C8951\mevio_com[1].txt 0 bytes

---- EOF - GMER 1.0.15 ----


DDS:

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by wjoralemon at 6:53:27.39 on Fri 04/29/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1972.421 [GMT -7:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\PROGRA~1\Lenovo\HOTKEY\tpnumlk.exe
C:\Program Files\Symantec\Backup Exec\DLO\DLOChangeLogSvcu.exe
C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LENOVO\HOTKEY\MICMUTE.exe
C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\PROGRA~1\Lenovo\HOTKEY\tpnumlkd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\PROGRA~1\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Lenovo\VIRTSCRL\virtscrl.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\download\Firefox Downloads\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://intranet/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
uRun: [Gadwin PrintScreen 3.5] c:\program files\gadwin systems\printscreen\PrintScreen.exe /nosplash
uRun: [OfficeSyncProcess] "c:\program files\microsoft office\office14\MSOSYNC.EXE"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [TPFNF7] c:\progra~1\lenovo\npdirect\TPFNF7SP.exe /r
mRun: [TpShocks] TpShocks.exe
mRun: [LenovoAutoScrollUtility] c:\program files\lenovo\virtscrl\virtscrl.exe
mRun: [IMSS] "c:\program files\intel\intel® management engine components\imss\PIconStartup.exe"
mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\symant~1.lnk - c:\program files\symantec\backup exec\dlo\DLOClientu.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\thinkpad\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {2DAD3559-2923-4935-AD49-B673D2539944} - hxxp://www-307.ibm.com/pc/support/acpir.cab
DPF: {51BB7DFD-A6F5-4FAC-B8C9-E71CF84D082C} - hxxp://itdb01-sfo/Altiris/NS/NSCap/Bin/Win32/x86/AltirisNSConsole.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1281610782484
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1285791732140
DPF: {74233DB3-F72F-44EA-94DC-258A624037E6} - hxxp://itdb01-sfo/aspnet_client/Altiris_AppWeaver/6_0_sp3/lib/VSFlex8.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
Notify: psfus - c:\program files\thinkvantage fingerprint software\psqlpwd.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Notification Packages = scecli c:\program files\thinkvantage fingerprint software\psqlpwd.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\wjoral~1\applic~1\mozilla\firefox\profiles\vjp4mnyn.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, true
.
============= SERVICES / DRIVERS ===============
.
R0 DozeHDD;DozeHDD;c:\windows\system32\drivers\DOZEHDD.SYS [2010-8-11 24304]
R0 stmtpm;STM TPM Service;c:\windows\system32\drivers\stm_tpm.sys [2010-8-18 21504]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2009-10-9 20520]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [2010-8-11 13480]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2011-1-8 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2011-1-8 108392]
R2 DLOChangeJournalSvc;Symantec Backup Exec Desktop Agent Change Journal Reader;c:\program files\symantec\backup exec\dlo\DLOChangeLogSvcu.exe [2010-1-26 472440]
R2 DozeSvc;Lenovo Doze Mode Service;c:\program files\thinkpad\utilities\DOZESVC.EXE [2010-8-11 132456]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [2011-2-10 10448]
R2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\lenovo\hotkey\micmute.exe [2010-8-11 45496]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-6-25 35088]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\thinkpad\utilities\PWMDBSVC.exe [2008-11-11 53248]
R2 rimspci;rimspci;c:\windows\system32\drivers\rimspe86.sys [2010-8-11 45056]
R2 smihlp;SMI Helper Driver (smihlp);c:\program files\thinkvantage fingerprint software\smihlp.sys [2009-3-13 12560]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2011-1-7 1839776]
R2 TPHKSVC;On Screen Display;c:\program files\lenovo\hotkey\TPHKSVC.exe [2008-3-27 63928]
R2 UNS;Intel® Management & Security Application User Notification Service;c:\program files\intel\intel® management engine components\uns\UNS.exe [2010-9-29 2320920]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [2010-9-23 167080]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-2-9 102448]
R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2010-8-18 132480]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110428.002\NAVENG.SYS [2011-4-28 86136]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110428.002\NAVEX15.SYS [2011-4-28 1393144]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2010-8-18 91496]
R4 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2008-11-12 38224]
RUnknown DwProt;DwProt; [x]
S3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\atswpwdf.sys --> c:\windows\system32\drivers\ATSwpWDF.sys [?]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2011-1-7 23888]
S3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2008-11-4 243856]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-4 14336]
.
=============== Created Last 30 ================
.
2011-04-29 13:28:13 388096 ----a-r- c:\docume~1\wjoral~1\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-04-29 13:28:13 -------- d-----w- c:\program files\Trend Micro
2011-04-28 22:23:33 -------- d-----w- c:\documents and settings\wjoralemon\DoctorWeb
2011-04-28 21:48:41 -------- d-----w- C:\ComboFix
2011-04-28 16:59:17 -------- d-----w- c:\program files\Combined Community Codec Pack
2011-04-27 16:35:34 -------- d-----w- c:\docume~1\wjoral~1\applic~1\Malwarebytes
2011-04-27 14:04:43 -------- d-sha-r- C:\cmdcons
2011-04-27 13:53:40 89088 ----a-w- c:\windows\MBR.exe
2011-04-27 13:53:39 98816 ----a-w- c:\windows\sed.exe
2011-04-27 13:53:39 256512 ----a-w- c:\windows\PEV.exe
2011-04-27 13:53:39 161792 ----a-w- c:\windows\SWREG.exe
2011-04-20 03:02:11 -------- d-----w- c:\windows\startm~1
2011-04-20 03:02:08 -------- d--h--w- c:\windows\PIF
2011-04-20 03:02:05 -------- d-----w- C:\Chemist6
2011-04-14 03:50:09 45568 -c----w- c:\windows\system32\dllcache\dnsrslvr.dll
.
==================== Find3M ====================
.
2011-04-28 15:25:36 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-05 21:39:40 323624 ----a-w- c:\windows\system32\wiaaut.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-09 02:03:56 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
.
============= FINISH: 6:56:23.56 ===============
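The three GMER sections worth reading in the log above are System (SSDT hooks), User code sections (inline hooks in running processes) and Disk sectors. The way a responder reads them: an SSDT entry that GMER can only print as a bare address (8896BA78 and friends) is kernel memory it could not attribute to any loaded driver; a driver path without a "(Description/Vendor)" suffix, like dwprot.sys here, is a file GMER could not read or identify (compare the "cannot find the path specified" line); and a user-mode JMP whose target carries no module name (006E000A, 00C2000A, ...) points into anonymous memory, i.e. injected code rather than a legitimately loaded DLL. The Disk sectors lines are the actual verdict. The script below, an added example that is not part of the original post and not GMER's own code, applies exactly those rules to a constructed subset of the log format; the severity labels are this script's convention, not GMER's, and the sample text is embedded so it runs offline.

```python
# Added example: triage a GMER 1.0.15 log by section. Not from the original post;
# SAMPLE_LOG is a constructed subset in GMER's output format and the severity
# labels are this script's own convention.
import re
from collections import Counter
from dataclasses import dataclass

SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT 8896BA78 ZwAlertResumeThread
SSDT \SystemRoot\system32\drivers\dwprot.sys ZwAllocateVirtualMemory [0xAFFD8088]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xB524C3C0]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1912] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 006E000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2404] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154BD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior
"""

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER")
BARE_ADDR_RE = re.compile(r"^[0-9A-Fa-f]{8}$")
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<target>.+?)"                        # bare address or driver path
    r"(?:\s+\((?P<vendor>[^)]*)\))?"                  # optional "(Description/Vendor)"
    r"\s+(?P<syscall>Zw\w+)"
    r"(?:\s+\[0x(?P<handler>[0-9A-Fa-f]+)\])?\s*$")
USER_HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^\s!]+)!(?P<function>\S+)\s+"
    r"(?P<address>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+Bytes\s+"
    r"(?P<kind>JMP|CALL)\s+(?P<dest>[0-9A-Fa-f]+)"
    r"(?:\s+(?P<dest_module>.+?)\s+\((?P<vendor>[^)]*)\))?\s*$")
DISK_RE = re.compile(r"^Disk\s+(?P<device>\S+)\s+(?P<detail>.+)$")


@dataclass
class Finding:
    section: str
    severity: str   # critical > suspicious > investigate > info
    subject: str
    note: str


def classify_ssdt(m):
    target, vendor, syscall = m.group("target"), m.group("vendor"), m.group("syscall")
    if BARE_ADDR_RE.match(target):
        # Only an address: kernel memory GMER could not map to any loaded driver.
        return Finding("System", "investigate", syscall,
                       f"hooked at {target}, unattributed kernel memory")
    if not vendor:
        # A path with no "(Description/Vendor)": GMER could not read or identify the file.
        return Finding("System", "investigate", syscall,
                       f"hooked by {target}, no file description available")
    return Finding("System", "info", syscall, f"hooked by {target} ({vendor})")


def classify_user_hook(m):
    where = f"{m.group('process')}[{m.group('pid')}] {m.group('module')}!{m.group('function')}"
    if not m.group("dest_module"):
        # Inline JMP to an address inside no loaded image: injected code.
        return Finding("User code sections", "suspicious", where,
                       f"{m.group('size')}-byte {m.group('kind')} to {m.group('dest')} "
                       "outside any loaded module")
    return Finding("User code sections", "info", where,
                   f"{m.group('kind')} into {m.group('dest_module')} ({m.group('vendor')})")


def classify_disk(m):
    detail = m.group("detail")
    severity = "critical" if "rootkit" in detail.lower() else "info"
    return Finding("Disk sectors", severity, m.group("device"), detail)


PARSERS = {
    "System": (SSDT_RE, classify_ssdt),
    "User code sections": (USER_HOOK_RE, classify_user_hook),
    "Disk sectors": (DISK_RE, classify_disk),
}


def triage(log_text):
    """One Finding per recognised entry, keyed on the GMER section it appeared in."""
    findings, section = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group("name")
            continue
        if section in PARSERS:
            pattern, classify = PARSERS[section]
            m = pattern.match(line)
            if m:
                findings.append(classify(m))
    return findings


def summarize(findings):
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:<11}] {f.section}: {f.subject}: {f.note}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run against the full GMER log from this post it will mark every bare-address SSDT entry and every dwprot.sys entry as "investigate" (on this machine they are almost certainly Symantec and Dr.Web hooks, but the log alone cannot prove that), the ntdll.dll JMPs in svchost.exe, iexplore.exe, Explorer.EXE and firefox.exe as "suspicious", and both Disk sectors lines as "critical". The "investigate" class exists precisely because an AV product's hooks and a rootkit's hooks look identical in this section; only the owner of the memory settles it.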
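The "TDL4@MBR code has been found" line is the finding the rest of the thread hangs on. TDL4 overwrites the bootstrap code in sector 0 (the MBR), so it runs before the kernel and before any AV driver loads, and it keeps its components in otherwise unpartitioned sectors at the end of the disk; that is why on-disk scanners report nothing and an in-memory clean-up does not survive a reboot. Verifying the claim means reading sector 0 raw and checking it, not trusting the file system view. The script below is an added example, not part of the original post and not GMER's or ComboFix's own code: it parses a 512-byte MBR, compares the 440-byte bootstrap code against a known-good hash, sanity-checks the partition table and measures the unpartitioned tail. The sample sectors, the baseline hash and the 2048-sector tail threshold are constructed for the example; on a real system sector 0 comes from \\.\PhysicalDrive0 (Windows, administrator rights) or /dev/sda from a clean boot disc, which is the only read you should trust while the rootkit is active.

```python
# Added example: MBR (sector 0) checks. Not from the original post; the sample
# sectors, baseline hash and tail threshold below are constructed.
import hashlib
import struct

SECTOR_SIZE = 512
BOOTCODE_LEN = 440           # bytes 0-439: bootstrap code; 440-443: disk signature
PT_OFFSET, PT_ENTRY = 446, 16  # four 16-byte partition entries, then 55 AA at 510
TAIL_SECTORS_THRESHOLD = 2048  # > 1 MiB of unpartitioned space after the last partition (assumed)


def build_mbr(bootcode, partitions, disk_sig=0x12345678):
    """Assemble a 512-byte MBR from bootstrap code and (status, type, lba_start, count) tuples."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(bootcode)] = bootcode
    struct.pack_into("<I", sector, BOOTCODE_LEN, disk_sig)
    for i, (status, ptype, start, count) in enumerate(partitions):
        struct.pack_into("<B3sB3sII", sector, PT_OFFSET + i * PT_ENTRY,
                         status, b"\0\0\0", ptype, b"\0\0\0", start, count)
    struct.pack_into("<H", sector, 510, 0xAA55)   # stored on disk as 55 AA
    return bytes(sector)


def parse_mbr(sector):
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    parts = []
    for i in range(4):
        status, _, ptype, _, start, count = struct.unpack_from(
            "<B3sB3sII", sector, PT_OFFSET + i * PT_ENTRY)
        if ptype:   # type 0 marks an empty slot
            parts.append({"status": status, "type": ptype, "start": start, "count": count})
    return {
        "bootcode_sha256": hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, BOOTCODE_LEN)[0],
        "boot_signature": struct.unpack_from("<H", sector, 510)[0],
        "partitions": parts,
    }


def check_mbr(sector, baseline_sha256, disk_sectors):
    """Return human-readable issues; an empty list means nothing stood out."""
    info = parse_mbr(sector)
    issues = []
    if info["boot_signature"] != 0xAA55:
        issues.append("missing 55 AA boot signature")
    if info["bootcode_sha256"] != baseline_sha256:
        issues.append("bootstrap code differs from the known-good baseline")
    active = [p for p in info["partitions"] if p["status"] == 0x80]
    if len(active) != 1:
        issues.append(f"{len(active)} active partitions (expected exactly 1)")
    for p in info["partitions"]:
        if p["status"] not in (0x00, 0x80):
            issues.append(f"invalid status byte 0x{p['status']:02x}")
        if p["start"] + p["count"] > disk_sectors:
            issues.append("partition extends past end of disk")
    used_end = max((p["start"] + p["count"] for p in info["partitions"]), default=0)
    tail = disk_sectors - used_end
    if tail > TAIL_SECTORS_THRESHOLD:
        # Heuristic only: many disks have slack here. It tells you where to dump and
        # compare, since TDL4-family bootkits keep their hidden file system in this area.
        issues.append(f"{tail} unpartitioned sectors after the last partition, dump and inspect")
    return issues


# Constructed samples: a "clean" sector and one whose first bytes were replaced.
CLEAN_BOOTCODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (BOOTCODE_LEN - 7)
PARTITIONS = [(0x80, 0x07, 63, 2_000_000)]       # one active NTFS partition starting at LBA 63
CLEAN_MBR = build_mbr(CLEAN_BOOTCODE, PARTITIONS)
BASELINE = parse_mbr(CLEAN_MBR)["bootcode_sha256"]  # in practice: hash taken from a known-good disk
INFECTED_MBR = build_mbr(b"\xeb\x20" + CLEAN_BOOTCODE[2:], PARTITIONS)

if __name__ == "__main__":
    # On a live system: sector = open(r"\\.\PhysicalDrive0", "rb").read(512)
    print("clean   :", check_mbr(CLEAN_MBR, BASELINE, 63 + 2_000_000 + 1024))
    print("infected:", check_mbr(INFECTED_MBR, BASELINE, 63 + 2_000_000 + 8192))
```

The bootstrap-code hash is the decisive check: a stock Windows XP MBR loader is identical across installs of the same version, so a mismatch against a hash taken from a known-clean machine is a direct indicator, while the partition-table and tail checks only narrow down where to look next. Whatever the script says, do not rely on a tool running under the infected kernel to read sector 0, since a bootkit that hooks disk I/O can hand back the original sector; read it from a boot disc.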


#2 golfnwrx

golfnwrx
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:09:23 PM

Posted 29 April 2011 - 10:49 AM

Here are the logs - had trouble uploading before.

Attached Files



#3 golfnwrx

golfnwrx
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:09:23 PM

Posted 29 April 2011 - 11:38 AM

After reading very similar posts, here is my ComboFix log.

ComboFix 11-04-28.01 - wjoralemon 04/29/2011 9:15.4.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1972.415 [GMT -7:00]
Running from: c:\download\Firefox Downloads\ComboFix.exe
AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *Enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
.
((((((((((((((((((((((((( Files Created from 2011-03-28 to 2011-04-29 )))))))))))))))))))))))))))))))
.
.
2011-04-29 15:59 . 2011-04-29 15:59 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-04-29 15:59 . 2011-04-29 15:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2011-04-29 13:28 . 2011-04-29 13:28 388096 ----a-r- c:\documents and settings\wjoralemon\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-04-29 13:28 . 2011-04-29 13:28 -------- d-----w- c:\program files\Trend Micro
2011-04-28 22:23 . 2011-04-28 22:23 -------- d-----w- c:\documents and settings\wjoralemon\DoctorWeb
2011-04-28 16:59 . 2011-04-28 16:59 -------- d-----w- c:\program files\Combined Community Codec Pack
2011-04-27 17:31 . 2011-04-27 17:31 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-04-27 16:35 . 2011-04-27 16:35 -------- d-----w- c:\documents and settings\wjoralemon\Application Data\Malwarebytes
2011-04-27 07:26 . 2011-04-27 07:29 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-04-20 03:02 . 2011-04-20 03:02 -------- d-----w- c:\windows\startm~1
2011-04-20 03:02 . 2011-04-20 03:02 -------- d--h--w- c:\windows\PIF
2011-04-20 03:02 . 2011-04-20 03:02 -------- d-----w- C:\Chemist6
2011-04-14 03:50 . 2009-04-20 17:17 45568 -c----w- c:\windows\system32\dllcache\dnsrslvr.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-28 15:25 . 2011-02-09 21:31 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-04-28 15:25 . 2011-02-09 21:31 125488 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-04-24 02:34 . 2011-02-10 18:12 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2011-03-07 05:33 . 2008-11-11 22:10 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-05 21:39 . 2011-03-05 21:39 323624 ----a-w- c:\windows\system32\wiaaut.dll
2011-03-04 06:37 . 2004-08-04 12:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-04 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2004-08-04 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 13:18 . 2004-08-04 12:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2004-08-04 12:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2010-08-12 11:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2004-08-04 12:00 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-10 18:12 . 2011-02-10 18:12 53248 ----a-r- c:\documents and settings\wjoralemon\Application Data\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
2011-02-09 13:53 . 2004-08-04 12:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-04 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-09 02:03 . 2004-08-04 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-08 13:33 . 2004-08-04 12:00 978944 ----a-w- c:\windows\system32\mfc42.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-04-27_14.15.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-04-29 06:07 . 2011-04-29 06:07 16384 c:\windows\temp\Perflib_Perfdata_490.dat
+ 2005-10-18 22:52 . 2011-04-29 06:11 80628 c:\windows\system32\perfc009.dat
- 2005-10-18 22:52 . 2011-04-27 13:50 80628 c:\windows\system32\perfc009.dat
+ 2008-11-12 22:44 . 2010-12-21 01:09 38224 c:\windows\system32\drivers\mbamswissarmy.sys
- 2008-11-12 22:44 . 2010-04-29 22:39 38224 c:\windows\system32\drivers\mbamswissarmy.sys
- 2008-11-12 22:44 . 2010-04-29 22:39 20952 c:\windows\system32\drivers\mbam.sys
+ 2008-11-12 22:44 . 2010-12-21 01:08 20952 c:\windows\system32\drivers\mbam.sys
+ 2011-04-29 13:11 . 2011-04-29 16:02 13082 c:\windows\SoftwareDistribution\EventCache\{DEFC5AE2-3EDA-43E9-A997-920A5D04A7B6}.bin
+ 2011-02-09 19:38 . 2011-04-27 16:44 34144 c:\windows\Installer\{90140000-0012-0000-0000-0000000FF1CE}\oisicon.exe
- 2011-02-09 19:38 . 2011-04-15 16:57 34144 c:\windows\Installer\{90140000-0012-0000-0000-0000000FF1CE}\oisicon.exe
+ 2011-02-09 19:38 . 2011-04-27 16:44 42848 c:\windows\Installer\{90140000-0012-0000-0000-0000000FF1CE}\msouc.exe
- 2011-02-09 19:38 . 2011-04-15 16:57 42848 c:\windows\Installer\{90140000-0012-0000-0000-0000000FF1CE}\msouc.exe
- 2011-02-09 19:38 . 2011-04-15 16:57 19296 c:\windows\Installer\{90140000-0012-0000-0000-0000000FF1CE}\cagicon.exe
+ 2011-02-09 19:38 . 2011-04-27 16:44 19296 c:\windows\Installer\{90140000-0012-0000-0000-0000000FF1CE}\cagicon.exe
- 2011-02-09 21:29 . 2011-02-09 21:29 21446 c:\windows\Installer\{84B70C16-7032-41EE-965C-3C8D9D566CBB}\ARPPRODUCTICON.exe
+ 2011-04-28 15:25 . 2011-04-28 15:25 21446 c:\windows\Installer\{84B70C16-7032-41EE-965C-3C8D9D566CBB}\ARPPRODUCTICON.exe
- 2005-10-18 22:52 . 2011-04-27 13:50 467120 c:\windows\system32\perfh009.dat
+ 2005-10-18 22:52 . 2011-04-29 06:11 467120 c:\windows\system32\perfh009.dat
+ 2010-08-20 22:05 . 2011-04-29 13:11 272466 c:\windows\system32\nvModes.dat
- 2010-08-20 22:05 . 2011-04-27 12:58 272466 c:\windows\system32\nvModes.dat
+ 2011-02-09 19:38 . 2011-04-27 16:44 415584 c:\windows\Installer\{90140000-0012-0000-0000-0000000FF1CE}\pubs.exe
- 2011-02-09 19:38 . 2011-04-15 16:57 415584 c:\windows\Installer\{90140000-0012-0000-0000-0000000FF1CE}\pubs.exe
- 2011-02-09 19:38 . 2011-04-15 16:57 303456 c:\windows\Installer\{90140000-0012-0000-0000-0000000FF1CE}\outicon.exe
+ 2011-02-09 19:38 . 2011-04-27 16:44 303456 c:\windows\Installer\{90140000-0012-0000-0000-0000000FF1CE}\outicon.exe
+ 2011-02-09 19:38 . 2011-04-27 16:44 571232 c:\windows\Installer\{90140000-0012-0000-0000-0000000FF1CE}\misc.exe
- 2011-02-09 19:38 . 2011-04-15 16:57 571232 c:\windows\Installer\{90140000-0012-0000-0000-0000000FF1CE}\misc.exe
- 2011-02-09 19:38 . 2011-04-15 16:57 326496 c:\windows\Installer\{90140000-0012-0000-0000-0000000FF1CE}\joticon.exe
+ 2011-02-09 19:38 . 2011-04-27 16:44 326496 c:\windows\Installer\{90140000-0012-0000-0000-0000000FF1CE}\joticon.exe
+ 2011-04-29 13:28 . 2011-04-29 13:28 1094656 c:\windows\Installer\194f39d.msi
+ 2011-02-09 19:38 . 2011-04-27 16:44 1479520 c:\windows\Installer\{90140000-0012-0000-0000-0000000FF1CE}\xlicons.exe
- 2011-02-09 19:38 . 2011-04-15 16:57 1479520 c:\windows\Installer\{90140000-0012-0000-0000-0000000FF1CE}\xlicons.exe
+ 2011-02-09 19:38 . 2011-04-27 16:44 1858400 c:\windows\Installer\{90140000-0012-0000-0000-0000000FF1CE}\wordicon.exe
- 2011-02-09 19:38 . 2011-04-15 16:57 1858400 c:\windows\Installer\{90140000-0012-0000-0000-0000000FF1CE}\wordicon.exe
+ 2011-02-09 19:38 . 2011-04-27 16:44 3792736 c:\windows\Installer\{90140000-0012-0000-0000-0000000FF1CE}\pptico.exe
- 2011-02-09 19:38 . 2011-04-15 16:57 3792736 c:\windows\Installer\{90140000-0012-0000-0000-0000000FF1CE}\pptico.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadwin PrintScreen 3.5"="c:\program files\Gadwin Systems\PrintScreen\PrintScreen.exe" [2006-07-08 1101824]
"OfficeSyncProcess"="c:\program files\Microsoft Office\Office14\MSOSYNC.EXE" [2010-03-16 718208]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2010-07-28 69560]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2010-08-25 517480]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2010-08-25 208896]
"TPFNF7"="c:\progra~1\Lenovo\NPDIRECT\TPFNF7SP.exe" [2010-04-21 62312]
"TpShocks"="TpShocks.exe" [2009-12-11 337256]
"LenovoAutoScrollUtility"="c:\program files\Lenovo\VIRTSCRL\virtscrl.exe" [2010-04-01 43960]
"IMSS"="c:\program files\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe" [2010-03-25 111640]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-10-28 1352272]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-01-22 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-03-19 13803520]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2011-01-08 115560]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Symantec Backup Exec Desktop Agent.lnk - c:\program files\Symantec\Backup Exec\DLO\DLOClientu.exe [2010-1-26 7181688]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2010-10-28 10:13 64592 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2009-12-01 20:41 100104 ----a-w- c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1004336348-1957994488-725345543-1899\Scripts\Logon\0\0]
"Script"=Altirislogon.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1004336348-1957994488-725345543-1899\Scripts\Logon\1\0]
"Script"=login.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1004336348-1957994488-725345543-1899\Scripts\Logon\2\0]
"Script"=dex.ini.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1004336348-1957994488-725345543-1899\Scripts\Logon\3\0]
"Script"=DynamicsGPODBCReg.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1004336348-1957994488-725345543-1899\Scripts\Logon\4\0]
"Script"=DLOinstall.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1004336348-1957994488-725345543-1899\Scripts\Logon\4\1]
"Script"=DLODB.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1004336348-1957994488-725345543-8678\Scripts\Logon\0\0]
"Script"=Altirislogon.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1004336348-1957994488-725345543-8678\Scripts\Logon\1\0]
"Script"=login.bat
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
backup=c:\windows\pss\VPN Client.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2010-03-19 16:48 86016 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2010-08-12 11:44 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TVT Scheduler Proxy]
2008-03-04 17:34 487424 ----a-w- c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AeXNSClient"=2 (0x2)
"SmcService"=2 (0x2)
"Symantec AntiVirus"=2 (0x2)
"Smcinst"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R0 DozeHDD;DozeHDD;c:\windows\system32\drivers\DOZEHDD.SYS [8/11/2010 2:21 PM 24304]
R0 stmtpm;STM TPM Service;c:\windows\system32\drivers\stm_tpm.sys [8/18/2010 11:58 AM 21504]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [10/9/2009 12:10 PM 20520]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [8/11/2010 2:19 PM 13480]
R2 DLOChangeJournalSvc;Symantec Backup Exec Desktop Agent Change Journal Reader;c:\program files\Symantec\Backup Exec\DLO\DLOChangeLogSvcu.exe [1/26/2010 12:27 PM 472440]
R2 DozeSvc;Lenovo Doze Mode Service;c:\program files\ThinkPad\Utilities\DOZESVC.EXE [8/11/2010 2:21 PM 132456]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [2/10/2011 11:12 AM 10448]
R2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\Lenovo\HOTKEY\micmute.exe [8/11/2010 2:19 PM 45496]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [6/25/2010 10:07 AM 35088]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.exe [11/11/2008 4:15 PM 53248]
R2 rimspci;rimspci;c:\windows\system32\drivers\rimspe86.sys [8/11/2010 2:16 PM 45056]
R2 smihlp;SMI Helper Driver (smihlp);c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [3/13/2009 1:47 PM 12560]
R2 TPHKSVC;On Screen Display;c:\program files\Lenovo\HOTKEY\TPHKSVC.exe [3/27/2008 11:45 AM 63928]
R2 UNS;Intel® Management & Security Application User Notification Service;c:\program files\Intel\Intel® Management Engine Components\UNS\UNS.exe [9/29/2010 1:40 PM 2320920]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [9/23/2010 10:50 AM 167080]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/9/2011 2:33 PM 102448]
R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [8/18/2010 11:57 AM 132480]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [8/18/2010 1:59 PM 91496]
S3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\Drivers\ATSwpWDF.sys --> c:\windows\system32\Drivers\ATSwpWDF.sys [?]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [1/7/2011 11:58 PM 23888]
S3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [11/4/2008 1:27 PM 243856]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 10:37 PM 4640000]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/4/2004 5:00 AM 14336]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - KXTDYPOW
*Deregistered* - Dwsh00005E4E
*Deregistered* - kxtdypow
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-29 c:\windows\Tasks\Check DLO Updates.job
- c:\program files\Symantec\LiveUpdate\LUALL.EXE [2010-08-11 00:05]
.
2011-04-29 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2008-11-11 08:28]
.
2011-04-29 c:\windows\Tasks\User_Feed_Synchronization-{ADF2079C-EC64-452A-85FD-FC2870044899}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://intranet/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm
DPF: {51BB7DFD-A6F5-4FAC-B8C9-E71CF84D082C} - hxxp://itdb01-sfo/Altiris/NS/NSCap/Bin/Win32/x86/AltirisNSConsole.cab
DPF: {74233DB3-F72F-44EA-94DC-258A624037E6} - hxxp://itdb01-sfo/aspnet_client/Altiris_AppWeaver/6_0_sp3/lib/VSFlex8.CAB
FF - ProfilePath - c:\documents and settings\wjoralemon\Application Data\Mozilla\Firefox\Profiles\vjp4mnyn.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-29 09:25
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1432)
c:\windows\system32\AMInit.dll
c:\windows\system32\WININET.dll
c:\windows\system32\vrlogon.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.5592_x-ww_179798c8\MSVCR80.dll
c:\windows\system32\CSGina.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infql2.dll
c:\program files\ThinkVantage Fingerprint Software\homepass.dll
c:\program files\ThinkVantage Fingerprint Software\bio.dll
c:\program files\ThinkVantage Fingerprint Software\qlbase.dll
c:\program files\ThinkVantage Fingerprint Software\ps2css.dll
.
- - - - - - - > 'lsass.exe'(1496)
c:\windows\system32\AMInit.dll
c:\windows\system32\WININET.dll
c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.5592_x-ww_179798c8\MSVCR80.dll
c:\program files\ThinkVantage Fingerprint Software\infql2.dll
.
- - - - - - - > 'explorer.exe'(4764)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-04-29 09:28:15
ComboFix-quarantined-files.txt 2011-04-29 16:28
ComboFix2.txt 2011-04-28 22:01
ComboFix3.txt 2011-04-27 14:18
.
Pre-Run: 283,638,431,744 bytes free
Post-Run: 284,201,025,536 bytes free
.
- - End Of File - - CA1195A0ACD19F00DA46582E870CAE34

#4 golfnwrx
  • Topic Starter
  • Members
  • 5 posts

Posted 29 April 2011 - 11:43 AM

One more note: after searching on the web, I found that several people thought Hitman fixed their issues, so I ran it. The process that was doing my redirecting did stop, but I know that on reboot, if not sooner, it will start again. Doctor Web does the same thing; it's only temporary.

I have noted in the last post on Bleeping Computer regarding TDL4@MBR the advice to run the Kaspersky tool, TDSSKiller. I have tried to download this on different computers, and it seems to be corrupted and will not extract.

I used this link: http://support.kaspersky.com/viruses/solutions?qid=208280684

Edited by golfnwrx, 29 April 2011 - 12:04 PM.


#5 golfnwrx
  • Topic Starter
  • Members
  • 5 posts

Posted 01 May 2011 - 10:33 AM

I have not lost to a virus before. I had never had to contact Bleeping Computer before, but I have used some of their past trials to aid me in removing viruses.

This time I have lost. This thing is reading the file descriptors instead of the filenames for blocking, and now it has neutralised Kaspersky, Symantec Corporate, Dr. Web and most of the scanning tools that run through Windows. It has disabled the Recovery Console and is running a series of background processes that I can't see.

I cannot wait the 8 days or so that Panda has been posting. I cannot think of anything else to do other than wait till the bootable CDs can read/replace corrupted files, or just reload.

I will re-image my drive; this one is just too tough for me, and the Bleeping staff is overburdened with the same virus.

Please feel free to close this thread.

Thanks.

#6 Orange Blossom
    OBleepin Investigator
  • Moderator
  • 36,911 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 01 May 2011 - 03:27 PM

Hello,

Thank you for letting us know. I'm sorry we couldn't get to you sooner. Sometimes a reformat and reinstall is the quickest solution.

Since this issue seems to be resolved, this thread will now be closed.

In case you experience any problems with the computer, please start a new topic.

Happy computing,

Orange Blossom :cherry:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript



