View Full Version : Virtumonde Strikes again
freedumfyter
2008-10-21, 20:41
Need help removing Virtumonde. Have run Spybot in safe mode; it hasn't worked.
Here is the hjt log. Please help or respond as to why you can't help.
Thanks in advance.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:37:00 PM, on 10/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\iPass\iPassConnect\iPCAgent.exe
C:\Program Files\iWin Games\iWinGamesInstaller.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
C:\WINDOWS\system32\SKDAEMON.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Zone Labs\Integrity Client\iclient.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\AWE Tools\AWE Tools.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Documents and Settings\All Users\Application Data\iWin Games\DesktopAlerts\DesktopAlerts.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://mapproxy.bsci.bossci.com/array.dll?Get.Routing.Script
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SPYBOTD] C:\WINDOWS\system32\Dis_Spybot_Wizard.EXE
O4 - HKLM\..\Run: [Hot Key Kbd Daemon] SKDAEMON.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\Integrity Client\iclient.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ProductView8_0---UserRegSet] C:\WINDOWS\Productview\ProductView8_0---UserRegSet.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [SpybotDeletingA6198] command /c del "C:\WINDOWS\system32\jxwahppy.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1044] cmd /c del "C:\WINDOWS\system32\jxwahppy.dll_old"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB1470] command /c del "C:\WINDOWS\system32\jxwahppy.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1611] cmd /c del "C:\WINDOWS\system32\jxwahppy.dll_old"
O4 - Startup: iWin Desktop Alerts.lnk = C:\Documents and Settings\All Users\Application Data\iWin Games\DesktopAlerts\DesktopAlerts.exe
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader\reader_sl.exe
O4 - Global Startup: BSCI AWE Tools.lnk = C:\Program Files\AWE Tools\AWE Tools.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Intranet - {403F21A0-8173-11D3-A4DD-00104B65E7ED} - http://inside.bsci.com (file missing) (HKCU)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bsci.bossci.com
O17 - HKLM\Software\..\Telephony: DomainName = bsci.bossci.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bsci.bossci.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = bsci.bossci.com
O20 - AppInit_DLLs: cytlxh.dll rcimol.dll tjjrjy.dll jgpvek.dll
O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPCAgent.exe
O23 - Service: iWinGamesInstaller - iWin Inc. - C:\Program Files\iWin Games\iWinGamesInstaller.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 10072 bytes
__RiP_ChAiN_
2008-10-22, 12:01
Hello freedumfyter,
While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
Open Spybot Search & Destroy.
In the Mode menu click "Advanced mode" if not already selected.
Choose "Yes" at the Warning prompt.
Expand the "Tools" menu.
Click "Resident".
Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
In the File menu click "Exit" to exit Spybot Search & Destroy.
Download ComboFix from one of these locations:
Link 1 (http://subs.geekstogo.com/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/whatnext.png
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
freedumfyter
2008-11-02, 17:31
Here is the ComboFix log; let me know if I need to do anything else. And thanks!
ComboFix 08-11-01.06 - ChamberS 2008-11-02 9:21:12.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.191 [GMT -6:00]
Running from: C:\Documents and Settings\chambers\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\bold.log
C:\WINDOWS\system32\lSrC5QQ2.exe.a_a
C:\WINDOWS\system32\nUtE2SS8.dll
C:\WINDOWS\system32\rcuefXF5.exe.a_a
.
((((((((((((((((((((((((( Files Created from 2008-10-02 to 2008-11-02 )))))))))))))))))))))))))))))))
.
2008-11-01 19:00 . 2008-11-01 19:00 <DIR> d--hs---- C:\Documents and Settings\NetworkService\PrivacIE
2008-11-01 09:56 . 2008-11-02 08:54 41,474 --a------ C:\WINDOWS\system32\lSrC5QQ2.exe
2008-11-01 09:56 . 2008-11-02 01:15 40,450 --a------ C:\WINDOWS\system32\lSrC5QQ2.exe_
2008-11-01 09:42 . 2008-11-01 09:41 31,744 --a------ C:\WINDOWS\system32\rcuefXF5.exe
2008-10-30 19:28 . 2008-10-30 19:28 7,704 --a------ C:\WINDOWS\system32\mst120.dll
2008-10-22 17:57 . 2008-10-22 19:09 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-10-21 17:59 . 2008-10-22 17:57 <DIR> d-------- C:\Program Files\Windows Defender
2008-10-20 22:30 . 2008-10-20 22:30 95 --a------ C:\WINDOWS\wininit.ini
2008-10-20 19:46 . 2008-10-20 19:46 <DIR> d-------- C:\WINDOWS\Sun
2008-10-19 12:04 . 2008-10-19 12:04 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-18 16:23 . 2006-10-04 08:06 1,197,294 -----c--- C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-10-18 16:22 . 2008-10-18 16:22 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-10-18 16:17 . 2008-10-18 16:17 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-10-18 16:17 . 2008-10-18 16:20 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-10-17 14:00 . 2008-10-17 14:00 <DIR> d-------- C:\Documents and Settings\chambers\Application Data\Leadertech
2008-10-17 13:58 . 2008-10-17 13:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HotSync
2008-10-17 13:57 . 2008-10-23 21:23 <DIR> d-------- C:\Program Files\palmOne
2008-10-17 13:56 . 2008-10-17 13:56 <DIR> d-------- C:\Documents and Settings\chambers\Application Data\HotSync
2008-10-09 20:59 . 2008-10-09 20:59 <DIR> d-------- C:\Documents and Settings\chambers\Application Data\PlayFirst
2008-10-09 20:59 . 2008-10-14 18:52 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-09 20:59 . 2008-10-09 20:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-10-09 20:58 . 2008-10-18 22:43 <DIR> d-------- C:\Program Files\iWin.com
2008-10-09 20:57 . 2008-10-09 20:57 <DIR> d-------- C:\Documents and Settings\chambers\Application Data\iWinArcade
2008-10-09 20:57 . 2008-10-09 20:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\iWin Games
2008-10-04 13:31 . 2008-10-04 13:31 0 --a------ C:\WINDOWS\nsreg.dat
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-02 15:15 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-11-02 15:00 2,634,240 ----a-w C:\WINDOWS\Internet Logs\xDBF.tmp
2008-11-02 15:00 1,065,472 ----a-w C:\WINDOWS\Internet Logs\xDB10.tmp
2008-11-01 19:05 --------- d-----w C:\Documents and Settings\chambers\Application Data\Move Networks
2008-10-30 15:08 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-10-30 15:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-29 02:08 5,690,331 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-10-22 22:11 2,216,448 ----a-w C:\WINDOWS\Internet Logs\xDBE.tmp
2008-10-17 01:51 2,636,800 ----a-w C:\WINDOWS\Internet Logs\xDBC.tmp
2008-10-17 01:51 1,001,472 ----a-w C:\WINDOWS\Internet Logs\xDBD.tmp
2008-10-14 23:27 999,424 ----a-w C:\WINDOWS\Internet Logs\xDBB.tmp
2008-09-27 22:03 --------- d-----w C:\Documents and Settings\chambers\Application Data\Apple Computer
2008-09-27 21:54 --------- d-----w C:\Program Files\QuickTime
2008-09-27 21:53 --------- d-----w C:\Program Files\Common Files\Apple
2008-09-27 21:52 --------- d-----w C:\Program Files\Apple Software Update
2008-09-27 21:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-09-27 21:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-09-24 02:20 186,368 ----a-w C:\Documents and Settings\All Users\rNg6.exe
2008-09-23 15:57 275,968 ----a-w C:\WINDOWS\Internet Logs\xDBA.tmp
2008-09-23 02:06 591,872 ----a-w C:\WINDOWS\Internet Logs\xDB9.tmp
2008-09-21 17:41 404,480 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp
2008-09-20 04:50 353,792 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2008-08-22 08:08 878,592 ----a-w C:\WINDOWS\system32\wininet.dll
2008-08-22 08:08 43,008 ----a-w C:\WINDOWS\system32\licmgr10.dll
2008-08-22 08:07 18,944 ----a-w C:\WINDOWS\system32\corpol.dll
2008-08-22 08:06 72,704 ----a-w C:\WINDOWS\system32\admparse.dll
2008-08-22 08:06 71,680 ----a-w C:\WINDOWS\system32\iesetup.dll
2008-08-22 08:06 434,176 ----a-w C:\WINDOWS\system32\vbscript.dll
2008-08-22 08:05 48,640 ----a-w C:\WINDOWS\system32\PrivacIE.dll
2008-08-22 08:05 48,128 ----a-w C:\WINDOWS\system32\mshtmler.dll
2008-08-22 08:05 35,840 ----a-w C:\WINDOWS\system32\imgutil.dll
2008-08-22 08:04 45,568 ----a-w C:\WINDOWS\system32\mshta.exe
2008-08-22 07:57 156,160 ----a-w C:\WINDOWS\system32\msls31.dll
2008-08-05 22:55 265,720 ----a-w C:\WINDOWS\system32\msdbg2.dll
2008-08-04 18:56 763,392 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2005-08-18 08:39 120,154 ----a-w C:\WINDOWS\system32\config\systemprofile\LOGVIRUS2.EXE
2005-08-18 08:39 120,154 ----a-w C:\Documents and Settings\nathem\LOGVIRUS2.EXE
2005-08-18 08:39 120,154 ----a-w C:\Documents and Settings\Default User\LOGVIRUS2.EXE
2005-08-18 08:39 120,154 ----a-w C:\Documents and Settings\chambers\LOGVIRUS2.EXE
2003-08-20 22:34 120,313 ----a-w C:\Documents and Settings\SMSCCMBootAcct&\LOGVIRUS1.EXE
2003-08-20 17:34 120,313 ----a-w C:\WINDOWS\system32\config\systemprofile\LOGVIRUS1.EXE
2003-08-20 17:34 120,313 ----a-w C:\Documents and Settings\nathem\LOGVIRUS1.EXE
2003-08-20 17:34 120,313 ----a-w C:\Documents and Settings\Default User\LOGVIRUS1.EXE
2003-08-20 17:34 120,313 ----a-w C:\Documents and Settings\chambers\LOGVIRUS1.EXE
2002-11-11 13:19 34,304 ----a-w C:\Documents and Settings\SMSCCMBootAcct&\Shutdown.exe
2002-11-11 08:19 34,304 ----a-w C:\WINDOWS\system32\config\systemprofile\Shutdown.exe
2002-11-11 08:19 34,304 ----a-w C:\Documents and Settings\nathem\Shutdown.exe
2002-11-11 08:19 34,304 ----a-w C:\Documents and Settings\Default User\Shutdown.exe
2002-11-11 08:19 34,304 ----a-w C:\Documents and Settings\chambers\Shutdown.exe
.
((((((((((((((((((((((((((((( snapshot@2008-10-22_20.16.09.29 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-10-21 01:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\ERDNT.EXE
+ 2005-10-21 02:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\ERDNT.EXE
- 2000-08-31 13:00:00 28,672 ----a-w C:\WINDOWS\NIRCMD.exe
+ 2000-08-31 14:00:00 28,672 ----a-w C:\WINDOWS\NIRCMD.exe
- 2000-08-31 13:00:00 161,792 ----a-w C:\WINDOWS\SWREG.exe
+ 2000-08-31 14:00:00 161,792 ----a-w C:\WINDOWS\SWREG.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-11-19 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-11-19 512000]
"TPHOTKEY"="C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 66176]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2003-10-23 897024]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-18 110592]
"SPYBOTD"="C:\WINDOWS\system32\Dis_Spybot_Wizard.EXE" [2004-12-02 110791]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-14 98304]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-14 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-14 118784]
"PWRMGRTR"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2007-04-13 196608]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2007-04-13 208896]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-25 344064]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-05-17 8433664]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-05-17 81920]
"ProductView8_0---UserRegSet"="C:\WINDOWS\Productview\ProductView8_0---UserRegSet.EXE" [2006-06-30 120823]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-09-06 413696]
"TP4EX"="tp4ex.exe" [2002-09-03 C:\WINDOWS\system32\TP4EX.exe]
"TpShocks"="TpShocks.exe" [2005-11-07 C:\WINDOWS\system32\TpShocks.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 C:\WINDOWS\AGRSMMSG.exe]
"Hot Key Kbd Daemon"="SKDAEMON.EXE" [2004-03-05 C:\WINDOWS\system32\SKDAEMON.EXE]
C:\Documents and Settings\chambers\Start Menu\Programs\Startup\
palmOne Registration.lnk - C:\Program Files\palmOne\register.exe [2005-09-19 2367488]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader\reader_sl.exe [2005-09-23 29696]
BSCI AWE Tools.lnk - C:\Program Files\AWE Tools\AWE Tools.exe [2006-09-28 13312]
HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\palmOne\Hotsync.exe [2004-06-09 471040]
VPN Client.lnk - C:\WINDOWS\Installer\{3E5562ED-69AB-4CEC-91E2-64E18EC5ACC6}\Icon3E5562ED7.ico [2006-09-28 6144]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 15:37 34344 C:\Program Files\Lenovo\HOTKEY\notifyf2.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2006-12-14 10:06 28672 C:\Program Files\Lenovo\HOTKEY\tphklock.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2724113797-4241170016-2566783980-8360\Scripts\Logon\0\0]
"Script"=EnableHTTP11onIE.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2724113797-4241170016-2566783980-8360\Scripts\Logon\1\0]
"Script"=EnableHTTP11onIE.bat
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R0 Shockprf;Shockprf;C:\WINDOWS\system32\drivers\Shockprf.sys [2005-11-30 85760]
R1 ShockMgr;ShockMgr;C:\WINDOWS\system32\drivers\ShockMgr.sys [2005-06-20 4736]
R1 TPPWRIF;TPPWRIF;C:\WINDOWS\system32\drivers\Tppwrif.sys [2007-04-13 4442]
R2 CcmExec;SMS Agent Host;C:\WINDOWS\system32\CCM\CcmExec.exe [2006-02-09 578784]
R2 iPCAgent;iPCAgent;C:\Program Files\iPass\iPassConnect\iPCAgent.exe [2004-10-19 90112]
R2 MDC80211;iPass Protocol (IEEE 802.1x) v2.3.1.9;C:\WINDOWS\system32\DRIVERS\mdc80211.sys [2006-09-27 15793]
S3 LenovoRd;LenovoRd;C:\WINDOWS\system32\Drivers\LenovoRd.sys [2007-02-26 81920]
S3 prepdrvr;SMS Process Event Driver;C:\WINDOWS\system32\CCM\prepdrv.sys [2006-02-09 20704]
S3 vsinstdv;vsinstdv;C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\{61B245E9-100A-46E9-8760-31EBEC18F586}\vsinstdv.sys [ ]
.
Contents of the 'Scheduled Tasks' folder
2008-11-01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2008-11-02 C:\WINDOWS\Tasks\At1.job
- C:\WINDOWS\system32\rcuefXF5.exe [2008-11-01 09:41]
2008-11-02 C:\WINDOWS\Tasks\At10.job
- C:\WINDOWS\system32\rcuefXF5.exe [2008-11-01 09:41]
2008-11-01 C:\WINDOWS\Tasks\At11.job
- C:\WINDOWS\system32\rcuefXF5.exe [2008-11-01 09:41]
2008-11-01 C:\WINDOWS\Tasks\At12.job
- C:\WINDOWS\system32\rcuefXF5.exe [2008-11-01 09:41]
2008-11-01 C:\WINDOWS\Tasks\At13.job
- C:\WINDOWS\system32\rcuefXF5.exe [2008-11-01 09:41]
2008-11-01 C:\WINDOWS\Tasks\At14.job
- C:\WINDOWS\system32\rcuefXF5.exe [2008-11-01 09:41]
2008-11-01 C:\WINDOWS\Tasks\At15.job
- C:\WINDOWS\system32\rcuefXF5.exe [2008-11-01 09:41]
2008-11-01 C:\WINDOWS\Tasks\At16.job
- C:\WINDOWS\system32\rcuefXF5.exe [2008-11-01 09:41]
2008-11-01 C:\WINDOWS\Tasks\At17.job
- C:\WINDOWS\system32\rcuefXF5.exe [2008-11-01 09:41]
2008-11-01 C:\WINDOWS\Tasks\At18.job
- C:\WINDOWS\system32\rcuefXF5.exe [2008-11-01 09:41]
2008-11-01 C:\WINDOWS\Tasks\At19.job
- C:\WINDOWS\system32\rcuefXF5.exe [2008-11-01 09:41]
2008-11-02 C:\WINDOWS\Tasks\At2.job
- C:\WINDOWS\system32\rcuefXF5.exe [2008-11-01 09:41]
2008-11-02 C:\WINDOWS\Tasks\At20.job
- C:\WINDOWS\system32\rcuefXF5.exe [2008-11-01 09:41]
2008-11-02 C:\WINDOWS\Tasks\At21.job
- C:\WINDOWS\system32\rcuefXF5.exe [2008-11-01 09:41]
2008-11-02 C:\WINDOWS\Tasks\At22.job
- C:\WINDOWS\system32\rcuefXF5.exe [2008-11-01 09:41]
2008-11-02 C:\WINDOWS\Tasks\At23.job
- C:\WINDOWS\system32\rcuefXF5.exe [2008-11-01 09:41]
2008-11-02 C:\WINDOWS\Tasks\At24.job
- C:\WINDOWS\system32\rcuefXF5.exe [2008-11-01 09:41]
2008-11-02 C:\WINDOWS\Tasks\At25.job
- C:\WINDOWS\system32\lSrC5QQ2.exe [2008-11-02 08:54]
2008-11-02 C:\WINDOWS\Tasks\At26.job
- C:\WINDOWS\system32\lSrC5QQ2.exe [2008-11-02 08:54]
2008-11-02 C:\WINDOWS\Tasks\At27.job
- C:\WINDOWS\system32\lSrC5QQ2.exe [2008-11-02 08:54]
2008-11-01 C:\WINDOWS\Tasks\At28.job
- C:\WINDOWS\system32\lSrC5QQ2.exe [2008-11-02 08:54]
2008-11-01 C:\WINDOWS\Tasks\At29.job
- C:\WINDOWS\system32\lSrC5QQ2.exe [2008-11-02 08:54]
2008-11-02 C:\WINDOWS\Tasks\At3.job
- C:\WINDOWS\system32\rcuefXF5.exe [2008-11-01 09:41]
2008-11-01 C:\WINDOWS\Tasks\At30.job
- C:\WINDOWS\system32\lSrC5QQ2.exe [2008-11-02 08:54]
2008-11-01 C:\WINDOWS\Tasks\At31.job
- C:\WINDOWS\system32\lSrC5QQ2.exe [2008-11-02 08:54]
2008-11-01 C:\WINDOWS\Tasks\At32.job
- C:\WINDOWS\system32\lSrC5QQ2.exe [2008-11-02 08:54]
2008-11-01 C:\WINDOWS\Tasks\At33.job
- C:\WINDOWS\system32\lSrC5QQ2.exe [2008-11-02 08:54]
2008-11-02 C:\WINDOWS\Tasks\At34.job
- C:\WINDOWS\system32\lSrC5QQ2.exe [2008-11-02 08:54]
2008-11-01 C:\WINDOWS\Tasks\At35.job
- C:\WINDOWS\system32\lSrC5QQ2.exe [2008-11-02 08:54]
2008-11-01 C:\WINDOWS\Tasks\At36.job
- C:\WINDOWS\system32\lSrC5QQ2.exe [2008-11-02 08:54]
2008-11-01 C:\WINDOWS\Tasks\At37.job
- C:\WINDOWS\system32\lSrC5QQ2.exe [2008-11-02 08:54]
2008-11-01 C:\WINDOWS\Tasks\At38.job
- C:\WINDOWS\system32\lSrC5QQ2.exe [2008-11-02 08:54]
2008-11-01 C:\WINDOWS\Tasks\At39.job
- C:\WINDOWS\system32\lSrC5QQ2.exe [2008-11-02 08:54]
2008-11-01 C:\WINDOWS\Tasks\At4.job
- C:\WINDOWS\system32\rcuefXF5.exe [2008-11-01 09:41]
2008-11-01 C:\WINDOWS\Tasks\At40.job
- C:\WINDOWS\system32\lSrC5QQ2.exe [2008-11-02 08:54]
2008-11-01 C:\WINDOWS\Tasks\At41.job
- C:\WINDOWS\system32\lSrC5QQ2.exe [2008-11-02 08:54]
2008-11-01 C:\WINDOWS\Tasks\At42.job
- C:\WINDOWS\system32\lSrC5QQ2.exe [2008-11-02 08:54]
2008-11-01 C:\WINDOWS\Tasks\At43.job
- C:\WINDOWS\system32\lSrC5QQ2.exe [2008-11-02 08:54]
2008-11-02 C:\WINDOWS\Tasks\At44.job
- C:\WINDOWS\system32\lSrC5QQ2.exe [2008-11-02 08:54]
2008-11-02 C:\WINDOWS\Tasks\At45.job
- C:\WINDOWS\system32\lSrC5QQ2.exe [2008-11-02 08:54]
2008-11-02 C:\WINDOWS\Tasks\At46.job
- C:\WINDOWS\system32\lSrC5QQ2.exe [2008-11-02 08:54]
2008-11-02 C:\WINDOWS\Tasks\At47.job
- C:\WINDOWS\system32\lSrC5QQ2.exe [2008-11-02 08:54]
2008-11-02 C:\WINDOWS\Tasks\At48.job
- C:\WINDOWS\system32\lSrC5QQ2.exe [2008-11-02 08:54]
2008-11-01 C:\WINDOWS\Tasks\At5.job
- C:\WINDOWS\system32\rcuefXF5.exe [2008-11-01 09:41]
2008-11-01 C:\WINDOWS\Tasks\At6.job
- C:\WINDOWS\system32\rcuefXF5.exe [2008-11-01 09:41]
2008-11-01 C:\WINDOWS\Tasks\At7.job
- C:\WINDOWS\system32\rcuefXF5.exe [2008-11-01 09:41]
2008-11-01 C:\WINDOWS\Tasks\At8.job
- C:\WINDOWS\system32\rcuefXF5.exe [2008-11-01 09:41]
2008-11-01 C:\WINDOWS\Tasks\At9.job
- C:\WINDOWS\system32\rcuefXF5.exe [2008-11-01 09:41]
2008-11-02 C:\WINDOWS\Tasks\PMTask.job
- C:\PROGRA~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2007-04-13 00:15]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\chambers\Application Data\Mozilla\Firefox\Profiles\j4a11rqi.default\
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-02 09:24:42
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\csgina.dll
-> C:\Program Files\Lenovo\HOTKEY\tphklock.dll
.
Completion time: 2008-11-02 9:26:47
ComboFix-quarantined-files.txt 2008-11-02 15:26:43
ComboFix2.txt 2008-10-23 01:16:52
Pre-Run: 25,455,992,832 bytes free
Post-Run: 25,526,607,872 bytes free
294
__RiP_ChAiN_
2008-11-02, 18:57
Hello freedumfyter,
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\Documents and Settings\All Users\rNg6.exe
C:\WINDOWS\system32\lSrC5QQ2.exe
C:\WINDOWS\system32\lSrC5QQ2.exe_
C:\WINDOWS\system32\rcuefXF5.exe
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At25.job
C:\WINDOWS\Tasks\At26.job
C:\WINDOWS\Tasks\At27.job
C:\WINDOWS\Tasks\At28.job
C:\WINDOWS\Tasks\At29.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At30.job
C:\WINDOWS\Tasks\At31.job
C:\WINDOWS\Tasks\At32.job
C:\WINDOWS\Tasks\At33.job
C:\WINDOWS\Tasks\At34.job
C:\WINDOWS\Tasks\At35.job
C:\WINDOWS\Tasks\At36.job
C:\WINDOWS\Tasks\At37.job
C:\WINDOWS\Tasks\At38.job
C:\WINDOWS\Tasks\At39.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At40.job
C:\WINDOWS\Tasks\At41.job
C:\WINDOWS\Tasks\At42.job
C:\WINDOWS\Tasks\At43.job
C:\WINDOWS\Tasks\At44.job
C:\WINDOWS\Tasks\At45.job
C:\WINDOWS\Tasks\At46.job
C:\WINDOWS\Tasks\At47.job
C:\WINDOWS\Tasks\At48.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
Save this as CFScript.txt, in the same location as ComboFix.exe
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
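The step the helper did by hand above, turning the At*.job entries in the ComboFix "Scheduled Tasks" section into a CFScript File:: block, as an added Python example that is not part of this thread or of ComboFix itself; the log excerpt, the random-name heuristic and all function names are constructed assumptions for illustration.

```python
"""Triage the 'Scheduled Tasks' section of a ComboFix log.

Added example, not from the thread. It flags At*.job tasks (the kind the
at.exe scheduler creates) whose target is a random-looking executable under
system32, and emits the matching File:: block for a CFScript, mirroring the
list the helper posted above. The heuristic is a first pass only; a human
still reviews each hit before it goes into a script.
"""
import re

# Constructed sample in the shape of the ComboFix log above: one vendor task,
# two At*.job tasks pointing at random-named executables, one OEM task.
SAMPLE_LOG = """\
Contents of the 'Scheduled Tasks' folder
2008-11-01 C:\\WINDOWS\\Tasks\\AppleSoftwareUpdate.job
- C:\\Program Files\\Apple Software Update\\SoftwareUpdate.exe [2008-07-30 11:34]
2008-11-02 C:\\WINDOWS\\Tasks\\At1.job
- C:\\WINDOWS\\system32\\rcuefXF5.exe [2008-11-01 09:41]
2008-11-02 C:\\WINDOWS\\Tasks\\At25.job
- C:\\WINDOWS\\system32\\lSrC5QQ2.exe [2008-11-02 08:54]
2008-11-02 C:\\WINDOWS\\Tasks\\PMTask.job
- C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\PWMIDTSK.EXE [2007-04-13 00:15]
.
"""

SECTION_HEADER = "Contents of the 'Scheduled Tasks' folder"
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+(?P<job>.+\.job)\s*$")
TARGET_RE = re.compile(r"^-\s+(?P<target>.+?)\s+\[")
AT_JOB_RE = re.compile(r"\\At\d+\.job$", re.IGNORECASE)


def parse_tasks(log_text):
    """Return (job_path, target_path) pairs from the Scheduled Tasks section."""
    tasks = []
    in_section = False
    pending_job = None
    for line in log_text.splitlines():
        if line.startswith(SECTION_HEADER):
            in_section = True
            continue
        if not in_section:
            continue
        if line.strip() == ".":  # ComboFix closes each section with a lone dot
            break
        m = TASK_RE.match(line)
        if m:
            pending_job = m.group("job")
            continue
        m = TARGET_RE.match(line)
        if m and pending_job:
            tasks.append((pending_job, m.group("target")))
            pending_job = None
    return tasks


def looks_random(path):
    """Heuristic: a file stem mixing digits, upper and lower case (e.g. rcuefXF5)."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    has_digit = any(c.isdigit() for c in stem)
    has_lower = any(c.islower() for c in stem)
    has_upper = any(c.isupper() for c in stem)
    return len(stem) >= 6 and has_digit and has_lower and has_upper


def is_suspicious(job, target):
    """At*.job tasks that launch a random-named executable from system32."""
    in_system32 = "\\system32\\" in target.lower()
    return bool(AT_JOB_RE.search(job)) and in_system32 and looks_random(target)


def suspicious_tasks(log_text):
    """Filter parsed tasks down to the ones worth listing in a CFScript."""
    return [(job, target) for job, target in parse_tasks(log_text)
            if is_suspicious(job, target)]


def build_cfscript(log_text):
    """Emit a File:: block: the executables first, then the .job files."""
    targets, jobs = [], []
    for job, target in suspicious_tasks(log_text):
        if target not in targets:  # many At*.job tasks share one target
            targets.append(target)
        jobs.append(job)
    return "File::\n" + "\n".join(targets + jobs) + "\n"


if __name__ == "__main__":
    print(build_cfscript(SAMPLE_LOG))
```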
freedumfyter
2008-11-03, 17:01
Here is the second log.
ComboFix 08-11-01.06 - ChamberS 2008-11-03 8:53:22.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.159 [GMT -6:00]
Running from: C:\Documents and Settings\chambers\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\chambers\Desktop\CFScript.txt
* Created a new restore point
FILE ::
C:\Documents and Settings\All Users\rNg6.exe
C:\WINDOWS\system32\lSrC5QQ2.exe
C:\WINDOWS\system32\lSrC5QQ2.exe_
C:\WINDOWS\system32\rcuefXF5.exe
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At25.job
C:\WINDOWS\Tasks\At26.job
C:\WINDOWS\Tasks\At27.job
C:\WINDOWS\Tasks\At28.job
C:\WINDOWS\Tasks\At29.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At30.job
C:\WINDOWS\Tasks\At31.job
C:\WINDOWS\Tasks\At32.job
C:\WINDOWS\Tasks\At33.job
C:\WINDOWS\Tasks\At34.job
C:\WINDOWS\Tasks\At35.job
C:\WINDOWS\Tasks\At36.job
C:\WINDOWS\Tasks\At37.job
C:\WINDOWS\Tasks\At38.job
C:\WINDOWS\Tasks\At39.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At40.job
C:\WINDOWS\Tasks\At41.job
C:\WINDOWS\Tasks\At42.job
C:\WINDOWS\Tasks\At43.job
C:\WINDOWS\Tasks\At44.job
C:\WINDOWS\Tasks\At45.job
C:\WINDOWS\Tasks\At46.job
C:\WINDOWS\Tasks\At47.job
C:\WINDOWS\Tasks\At48.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\bold.log
C:\Documents and Settings\All Users\rNg6.exe
C:\WINDOWS\system32\lSrC5QQ2.exe
C:\WINDOWS\system32\lSrC5QQ2.exe.a_a
C:\WINDOWS\system32\lSrC5QQ2.exe_
C:\WINDOWS\system32\nUtE2SS8.dll
C:\WINDOWS\system32\rcuefXF5.exe
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At25.job
C:\WINDOWS\Tasks\At26.job
C:\WINDOWS\Tasks\At27.job
C:\WINDOWS\Tasks\At28.job
C:\WINDOWS\Tasks\At29.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At30.job
C:\WINDOWS\Tasks\At31.job
C:\WINDOWS\Tasks\At32.job
C:\WINDOWS\Tasks\At33.job
C:\WINDOWS\Tasks\At34.job
C:\WINDOWS\Tasks\At35.job
C:\WINDOWS\Tasks\At36.job
C:\WINDOWS\Tasks\At37.job
C:\WINDOWS\Tasks\At38.job
C:\WINDOWS\Tasks\At39.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At40.job
C:\WINDOWS\Tasks\At41.job
C:\WINDOWS\Tasks\At42.job
C:\WINDOWS\Tasks\At43.job
C:\WINDOWS\Tasks\At44.job
C:\WINDOWS\Tasks\At45.job
C:\WINDOWS\Tasks\At46.job
C:\WINDOWS\Tasks\At47.job
C:\WINDOWS\Tasks\At48.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
.
---- Previous Run -------
.
C:\bold.log
.
((((((((((((((((((((((((( Files Created from 2008-10-03 to 2008-11-03 )))))))))))))))))))))))))))))))
.
2008-11-01 19:00 . 2008-11-01 19:00 <DIR> d--hs---- C:\Documents and Settings\NetworkService\PrivacIE
2008-10-30 19:28 . 2008-10-30 19:28 7,704 --a------ C:\WINDOWS\system32\mst120.dll
2008-10-22 17:57 . 2008-10-22 19:09 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-10-21 17:59 . 2008-10-22 17:57 <DIR> d-------- C:\Program Files\Windows Defender
2008-10-20 22:30 . 2008-10-20 22:30 95 --a------ C:\WINDOWS\wininit.ini
2008-10-20 19:46 . 2008-10-20 19:46 <DIR> d-------- C:\WINDOWS\Sun
2008-10-19 12:04 . 2008-10-19 12:04 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-18 16:23 . 2006-10-04 08:06 1,197,294 -----c--- C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-10-18 16:22 . 2008-10-18 16:22 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-10-18 16:17 . 2008-10-18 16:17 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-10-18 16:17 . 2008-10-18 16:20 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-10-17 14:00 . 2008-10-17 14:00 <DIR> d-------- C:\Documents and Settings\chambers\Application Data\Leadertech
2008-10-17 13:58 . 2008-10-17 13:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HotSync
2008-10-17 13:57 . 2008-10-23 21:23 <DIR> d-------- C:\Program Files\palmOne
2008-10-17 13:56 . 2008-10-17 13:56 <DIR> d-------- C:\Documents and Settings\chambers\Application Data\HotSync
2008-10-09 20:59 . 2008-10-09 20:59 <DIR> d-------- C:\Documents and Settings\chambers\Application Data\PlayFirst
2008-10-09 20:59 . 2008-10-14 18:52 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-09 20:59 . 2008-10-09 20:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-10-09 20:58 . 2008-10-18 22:43 <DIR> d-------- C:\Program Files\iWin.com
2008-10-09 20:57 . 2008-10-09 20:57 <DIR> d-------- C:\Documents and Settings\chambers\Application Data\iWinArcade
2008-10-09 20:57 . 2008-10-09 20:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\iWin Games
2008-10-04 13:31 . 2008-10-04 13:31 0 --a------ C:\WINDOWS\nsreg.dat
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-02 15:15 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-11-02 15:00 2,634,240 ----a-w C:\WINDOWS\Internet Logs\xDBF.tmp
2008-11-02 15:00 1,065,472 ----a-w C:\WINDOWS\Internet Logs\xDB10.tmp
2008-11-01 19:05 --------- d-----w C:\Documents and Settings\chambers\Application Data\Move Networks
2008-10-30 15:08 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-10-30 15:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-29 02:08 5,690,331 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-10-22 22:11 2,216,448 ----a-w C:\WINDOWS\Internet Logs\xDBE.tmp
2008-10-17 01:51 2,636,800 ----a-w C:\WINDOWS\Internet Logs\xDBC.tmp
2008-10-17 01:51 1,001,472 ----a-w C:\WINDOWS\Internet Logs\xDBD.tmp
2008-10-14 23:27 999,424 ----a-w C:\WINDOWS\Internet Logs\xDBB.tmp
2008-09-27 22:03 --------- d-----w C:\Documents and Settings\chambers\Application Data\Apple Computer
2008-09-27 21:54 --------- d-----w C:\Program Files\QuickTime
2008-09-27 21:53 --------- d-----w C:\Program Files\Common Files\Apple
2008-09-27 21:52 --------- d-----w C:\Program Files\Apple Software Update
2008-09-27 21:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-09-27 21:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-09-23 15:57 275,968 ----a-w C:\WINDOWS\Internet Logs\xDBA.tmp
2008-09-23 02:06 591,872 ----a-w C:\WINDOWS\Internet Logs\xDB9.tmp
2008-09-21 17:41 404,480 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp
2008-09-20 04:50 353,792 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2008-08-22 08:08 878,592 ----a-w C:\WINDOWS\system32\wininet.dll
2008-08-22 08:08 43,008 ----a-w C:\WINDOWS\system32\licmgr10.dll
2008-08-22 08:07 18,944 ----a-w C:\WINDOWS\system32\corpol.dll
2008-08-22 08:06 72,704 ----a-w C:\WINDOWS\system32\admparse.dll
2008-08-22 08:06 71,680 ----a-w C:\WINDOWS\system32\iesetup.dll
2008-08-22 08:06 434,176 ----a-w C:\WINDOWS\system32\vbscript.dll
2008-08-22 08:05 48,640 ----a-w C:\WINDOWS\system32\PrivacIE.dll
2008-08-22 08:05 48,128 ----a-w C:\WINDOWS\system32\mshtmler.dll
2008-08-22 08:05 35,840 ----a-w C:\WINDOWS\system32\imgutil.dll
2008-08-22 08:04 45,568 ----a-w C:\WINDOWS\system32\mshta.exe
2008-08-22 07:57 156,160 ----a-w C:\WINDOWS\system32\msls31.dll
2008-08-05 22:55 265,720 ----a-w C:\WINDOWS\system32\msdbg2.dll
2008-08-04 18:56 763,392 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2005-08-18 08:39 120,154 ----a-w C:\WINDOWS\system32\config\systemprofile\LOGVIRUS2.EXE
2005-08-18 08:39 120,154 ----a-w C:\Documents and Settings\nathem\LOGVIRUS2.EXE
2005-08-18 08:39 120,154 ----a-w C:\Documents and Settings\Default User\LOGVIRUS2.EXE
2005-08-18 08:39 120,154 ----a-w C:\Documents and Settings\chambers\LOGVIRUS2.EXE
2003-08-20 22:34 120,313 ----a-w C:\Documents and Settings\SMSCCMBootAcct&\LOGVIRUS1.EXE
2003-08-20 17:34 120,313 ----a-w C:\WINDOWS\system32\config\systemprofile\LOGVIRUS1.EXE
2003-08-20 17:34 120,313 ----a-w C:\Documents and Settings\nathem\LOGVIRUS1.EXE
2003-08-20 17:34 120,313 ----a-w C:\Documents and Settings\Default User\LOGVIRUS1.EXE
2003-08-20 17:34 120,313 ----a-w C:\Documents and Settings\chambers\LOGVIRUS1.EXE
2002-11-11 13:19 34,304 ----a-w C:\Documents and Settings\SMSCCMBootAcct&\Shutdown.exe
2002-11-11 08:19 34,304 ----a-w C:\WINDOWS\system32\config\systemprofile\Shutdown.exe
2002-11-11 08:19 34,304 ----a-w C:\Documents and Settings\nathem\Shutdown.exe
2002-11-11 08:19 34,304 ----a-w C:\Documents and Settings\Default User\Shutdown.exe
2002-11-11 08:19 34,304 ----a-w C:\Documents and Settings\chambers\Shutdown.exe
.
((((((((((((((((((((((((((((( snapshot@2008-10-22_20.16.09.29 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-10-21 01:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\ERDNT.EXE
+ 2005-10-21 02:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\ERDNT.EXE
- 2000-08-31 13:00:00 28,672 ----a-w C:\WINDOWS\NIRCMD.exe
+ 2000-08-31 14:00:00 28,672 ----a-w C:\WINDOWS\NIRCMD.exe
- 2000-08-31 13:00:00 161,792 ----a-w C:\WINDOWS\SWREG.exe
+ 2000-08-31 14:00:00 161,792 ----a-w C:\WINDOWS\SWREG.exe
- 2008-06-09 16:21:24 55,790 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-11-02 15:32:40 55,790 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-06-09 16:21:24 387,808 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-11-02 15:32:40 387,808 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-11-19 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-11-19 512000]
"TPHOTKEY"="C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 66176]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2003-10-23 897024]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-18 110592]
"SPYBOTD"="C:\WINDOWS\system32\Dis_Spybot_Wizard.EXE" [2004-12-02 110791]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-14 98304]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-14 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-14 118784]
"PWRMGRTR"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2007-04-13 196608]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2007-04-13 208896]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-25 344064]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-05-17 8433664]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-05-17 81920]
"ProductView8_0---UserRegSet"="C:\WINDOWS\Productview\ProductView8_0---UserRegSet.EXE" [2006-06-30 120823]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-09-06 413696]
"TP4EX"="tp4ex.exe" [2002-09-03 C:\WINDOWS\system32\TP4EX.exe]
"TpShocks"="TpShocks.exe" [2005-11-07 C:\WINDOWS\system32\TpShocks.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 C:\WINDOWS\AGRSMMSG.exe]
"Hot Key Kbd Daemon"="SKDAEMON.EXE" [2004-03-05 C:\WINDOWS\system32\SKDAEMON.EXE]
C:\Documents and Settings\chambers\Start Menu\Programs\Startup\
palmOne Registration.lnk - C:\Program Files\palmOne\register.exe [2005-09-19 2367488]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader\reader_sl.exe [2005-09-23 29696]
BSCI AWE Tools.lnk - C:\Program Files\AWE Tools\AWE Tools.exe [2006-09-28 13312]
HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\palmOne\Hotsync.exe [2004-06-09 471040]
VPN Client.lnk - C:\WINDOWS\Installer\{3E5562ED-69AB-4CEC-91E2-64E18EC5ACC6}\Icon3E5562ED7.ico [2006-09-28 6144]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 15:37 34344 C:\Program Files\Lenovo\HOTKEY\notifyf2.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2006-12-14 10:06 28672 C:\Program Files\Lenovo\HOTKEY\tphklock.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2724113797-4241170016-2566783980-8360\Scripts\Logon\0\0]
"Script"=EnableHTTP11onIE.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2724113797-4241170016-2566783980-8360\Scripts\Logon\1\0]
"Script"=EnableHTTP11onIE.bat
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R0 Shockprf;Shockprf;C:\WINDOWS\system32\drivers\Shockprf.sys [2005-11-30 85760]
R1 ShockMgr;ShockMgr;C:\WINDOWS\system32\drivers\ShockMgr.sys [2005-06-20 4736]
R1 TPPWRIF;TPPWRIF;C:\WINDOWS\system32\drivers\Tppwrif.sys [2007-04-13 4442]
R2 CcmExec;SMS Agent Host;C:\WINDOWS\system32\CCM\CcmExec.exe [2006-02-09 578784]
R2 iPCAgent;iPCAgent;C:\Program Files\iPass\iPassConnect\iPCAgent.exe [2004-10-19 90112]
R2 MDC80211;iPass Protocol (IEEE 802.1x) v2.3.1.9;C:\WINDOWS\system32\DRIVERS\mdc80211.sys [2006-09-27 15793]
S3 LenovoRd;LenovoRd;C:\WINDOWS\system32\Drivers\LenovoRd.sys [2007-02-26 81920]
S3 prepdrvr;SMS Process Event Driver;C:\WINDOWS\system32\CCM\prepdrv.sys [2006-02-09 20704]
S3 vsinstdv;vsinstdv;C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\{61B245E9-100A-46E9-8760-31EBEC18F586}\vsinstdv.sys [ ]
.
Contents of the 'Scheduled Tasks' folder
2008-11-01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2008-11-03 C:\WINDOWS\Tasks\PMTask.job
- C:\PROGRA~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2007-04-13 00:15]
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-03 08:57:16
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\csgina.dll
-> C:\Program Files\Lenovo\HOTKEY\tphklock.dll
-> C:\Program Files\Lenovo\HOTKEY\notifyf2.dll
-> C:\WINDOWS\system32\tsd32.dll
.
Completion time: 2008-11-03 8:59:13
ComboFix-quarantined-files.txt 2008-11-03 14:59:08
ComboFix2.txt 2008-11-02 15:26:49
ComboFix3.txt 2008-10-23 01:16:52
Pre-Run: 24,476,286,976 bytes free
Post-Run: 24,558,534,656 bytes free
__RiP_ChAiN_
2008-11-07, 22:34
Hello freedumfyter,
Please go to VirSCAN.org FREE on-line scan service (http://virscan.org/)
Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
C:\Documents and Settings\nathem\LOGVIRUS2.EXE
Click on the Upload button
Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
Paste the contents of the Clipboard in your next reply.
1. Close any open browsers.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\WINDOWS\system32\PrivacIE.dll
Folder::
C:\Documents and Settings\NetworkService\PrivacIE
Save this as CFScript.txt, in the same location as ComboFix.exe
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
freedumfyter
2008-11-08, 07:07
VirSCAN.org Scanned Report :
Scanned time : 2008/11/07 22:46:22 (CST)
Scanner results: All Scanners reported not find malware!
File Name : LOGVIRUS2.EXE
File Size : 120154 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 138afdba7049de9e86bfa48c781fdbfe
SHA1 : 35ccdfb37317f6a580e09716f73f6b7764a9984b
Online report : http://virscan.org/report/56ead590ccd9bc309233750d310b5cd3.html
Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.0.0.23 2008.11.03 2008-11-03 1.69 -
AhnLab V3 2008.11.08.00 2008.11.08 2008-11-08 1.12 -
AntiVir 7.9.0.29 7.1.0.55 2008-11-07 1.52 -
Antiy 2.0.18 20081106.1560299 2008-11-06 0.12 -
Arcavir 1.0.5 200811061144 2008-11-06 1.34 -
Authentium 5.1.1 200811070922 2008-11-07 1.06 -
AVAST! 3.0.1 081107-0 2008-11-07 0.01 -
AVG 7.5.52.442 270.9.0/1774 2008-11-07 1.73 -
BitDefender 7.60825.2082914 7.21743 2008-11-08 3.40 -
CA (VET) 9.0.0.143 31.6.6199 2008-11-07 3.83 -
ClamAV 0.94 8591 2008-11-08 0.03 -
Comodo 2.11 2.0.0.700 2008-11-07 0.43 -
CP Secure 1.1.0.715 2008.11.08 2008-11-08 6.44 -
Dr.Web 4.44.0.9170 2008.11.08 2008-11-08 3.49 -
ewido 4.0.0.2 2008.11.07 2008-11-07 3.03 -
F-Prot 4.4.4.56 20081107 2008-11-07 1.06 -
F-Secure 5.51.6100 2008.11.08.01 2008-11-08 0.14 -
Fortinet 2.81-3.117 9.696 2008-11-07 0.20 -
GData 19.1416/19.95 20081108 2008-11-08 2.72 -
ViRobot 20081107 2008.11.07 2008-11-07 0.40 -
Ikarus T3.1.01.45 2008.11.08.71815 2008-11-08 3.64 -
JiangMin 11.0.706 2008.11.07 2008-11-07 1.31 -
Kaspersky 5.5.10 2008.11.08 2008-11-08 0.12 -
KingSoft 2008.9.8.18 2008.11.7.20 2008-11-07 0.68 -
McAfee 5.3.00 5427 2008-11-07 2.40 -
Microsoft 1.4104 2008.11.07 2008-11-07 4.55 -
mks_vir 2.01 2008.11.08 2008-11-08 2.69 -
Norman 5.93.01 5.93.00 2008-11-07 5.28 -
Panda 9.05.01 2008.11.07 2008-11-07 2.32 -
Trend Micro 8.700-1004 5.644.14 2008-11-07 0.03 -
Quick Heal 9.50 2008.11.07 2008-11-07 1.88 -
Rising 20.0 21.02.50.00 2008-11-08 0.90 -
Sophos 2.80.0 4.35 2008-11-08 1.90 -
Sunbelt 3.1.1785.2 4374 2008-11-04 0.71 -
Symantec 1.3.0.24 20081107.008 2008-11-07 0.05 -
nProtect 2008-11-07.00 2383957 2008-11-07 4.42 -
The Hacker 6.3.1.1 v00145 2008-11-07 0.47 -
VBA32 3.12.8.9 20081107.1704 2008-11-07 1.40 -
VirusBuster 4.5.11.10 10.91.1/671326 2008-11-07 0.90 -
Combo Fix
ComboFix 08-11-01.06 - ChamberS 2008-11-07 22:57:40.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.201 [GMT -6:00]
Running from: C:\Documents and Settings\chambers\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\chambers\Desktop\CFScript.txt
* Created a new restore point
FILE ::
C:\WINDOWS\system32\PrivacIE.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\NetworkService\PrivacIE
C:\Documents and Settings\NetworkService\PrivacIE\index.dat
C:\WINDOWS\system32\PrivacIE.dll
.
((((((((((((((((((((((((( Files Created from 2008-10-08 to 2008-11-08 )))))))))))))))))))))))))))))))
.
2008-11-05 20:44 . 2008-11-05 20:45 330 --a------ C:\END
2008-10-30 19:28 . 2008-10-30 19:28 7,704 --a------ C:\WINDOWS\system32\mst120.dll
2008-10-22 17:57 . 2008-10-22 19:09 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-10-21 17:59 . 2008-10-22 17:57 <DIR> d-------- C:\Program Files\Windows Defender
2008-10-20 22:30 . 2008-10-20 22:30 95 --a------ C:\WINDOWS\wininit.ini
2008-10-20 19:46 . 2008-10-20 19:46 <DIR> d-------- C:\WINDOWS\Sun
2008-10-19 12:04 . 2008-10-19 12:04 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-18 16:23 . 2006-10-04 08:06 1,197,294 -----c--- C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-10-18 16:22 . 2008-10-18 16:22 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-10-18 16:17 . 2008-10-18 16:17 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-10-18 16:17 . 2008-10-18 16:20 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-10-17 14:00 . 2008-10-17 14:00 <DIR> d-------- C:\Documents and Settings\chambers\Application Data\Leadertech
2008-10-17 13:58 . 2008-10-17 13:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HotSync
2008-10-17 13:57 . 2008-10-23 21:23 <DIR> d-------- C:\Program Files\palmOne
2008-10-17 13:56 . 2008-10-17 13:56 <DIR> d-------- C:\Documents and Settings\chambers\Application Data\HotSync
2008-10-09 20:59 . 2008-10-09 20:59 <DIR> d-------- C:\Documents and Settings\chambers\Application Data\PlayFirst
2008-10-09 20:59 . 2008-10-14 18:52 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-09 20:59 . 2008-10-09 20:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-10-09 20:58 . 2008-10-18 22:43 <DIR> d-------- C:\Program Files\iWin.com
2008-10-09 20:57 . 2008-10-09 20:57 <DIR> d-------- C:\Documents and Settings\chambers\Application Data\iWinArcade
2008-10-09 20:57 . 2008-10-09 20:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\iWin Games
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-05 01:55 --------- d-----w C:\Documents and Settings\chambers\Application Data\Move Networks
2008-11-02 15:15 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-11-02 15:00 2,634,240 ----a-w C:\WINDOWS\Internet Logs\xDBF.tmp
2008-11-02 15:00 1,065,472 ----a-w C:\WINDOWS\Internet Logs\xDB10.tmp
2008-10-30 15:08 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-10-30 15:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-29 02:08 5,690,331 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-10-22 22:11 2,216,448 ----a-w C:\WINDOWS\Internet Logs\xDBE.tmp
2008-10-17 01:51 2,636,800 ----a-w C:\WINDOWS\Internet Logs\xDBC.tmp
2008-10-17 01:51 1,001,472 ----a-w C:\WINDOWS\Internet Logs\xDBD.tmp
2008-10-14 23:27 999,424 ----a-w C:\WINDOWS\Internet Logs\xDBB.tmp
2008-09-27 22:03 --------- d-----w C:\Documents and Settings\chambers\Application Data\Apple Computer
2008-09-27 21:54 --------- d-----w C:\Program Files\QuickTime
2008-09-27 21:53 --------- d-----w C:\Program Files\Common Files\Apple
2008-09-27 21:52 --------- d-----w C:\Program Files\Apple Software Update
2008-09-27 21:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-09-27 21:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-09-23 15:57 275,968 ----a-w C:\WINDOWS\Internet Logs\xDBA.tmp
2008-09-23 02:06 591,872 ----a-w C:\WINDOWS\Internet Logs\xDB9.tmp
2008-09-21 17:41 404,480 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp
2008-09-20 04:50 353,792 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2008-08-22 08:08 878,592 ----a-w C:\WINDOWS\system32\wininet.dll
2008-08-22 08:08 43,008 ----a-w C:\WINDOWS\system32\licmgr10.dll
2008-08-22 08:07 18,944 ----a-w C:\WINDOWS\system32\corpol.dll
2008-08-22 08:06 72,704 ----a-w C:\WINDOWS\system32\admparse.dll
2008-08-22 08:06 71,680 ----a-w C:\WINDOWS\system32\iesetup.dll
2008-08-22 08:06 434,176 ----a-w C:\WINDOWS\system32\vbscript.dll
2008-08-22 08:05 48,128 ----a-w C:\WINDOWS\system32\mshtmler.dll
2008-08-22 08:05 35,840 ----a-w C:\WINDOWS\system32\imgutil.dll
2008-08-22 08:04 45,568 ----a-w C:\WINDOWS\system32\mshta.exe
2008-08-22 07:57 156,160 ----a-w C:\WINDOWS\system32\msls31.dll
2005-08-18 08:39 120,154 ----a-w C:\WINDOWS\system32\config\systemprofile\LOGVIRUS2.EXE
2005-08-18 08:39 120,154 ----a-w C:\Documents and Settings\nathem\LOGVIRUS2.EXE
2005-08-18 08:39 120,154 ----a-w C:\Documents and Settings\Default User\LOGVIRUS2.EXE
2005-08-18 08:39 120,154 ----a-w C:\Documents and Settings\chambers\LOGVIRUS2.EXE
2003-08-20 22:34 120,313 ----a-w C:\Documents and Settings\SMSCCMBootAcct&\LOGVIRUS1.EXE
2003-08-20 17:34 120,313 ----a-w C:\WINDOWS\system32\config\systemprofile\LOGVIRUS1.EXE
2003-08-20 17:34 120,313 ----a-w C:\Documents and Settings\nathem\LOGVIRUS1.EXE
2003-08-20 17:34 120,313 ----a-w C:\Documents and Settings\Default User\LOGVIRUS1.EXE
2003-08-20 17:34 120,313 ----a-w C:\Documents and Settings\chambers\LOGVIRUS1.EXE
2002-11-11 13:19 34,304 ----a-w C:\Documents and Settings\SMSCCMBootAcct&\Shutdown.exe
2002-11-11 08:19 34,304 ----a-w C:\WINDOWS\system32\config\systemprofile\Shutdown.exe
2002-11-11 08:19 34,304 ----a-w C:\Documents and Settings\nathem\Shutdown.exe
2002-11-11 08:19 34,304 ----a-w C:\Documents and Settings\Default User\Shutdown.exe
2002-11-11 08:19 34,304 ----a-w C:\Documents and Settings\chambers\Shutdown.exe
.
((((((((((((((((((((((((((((( snapshot@2008-10-22_20.16.09.29 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-10-21 01:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\ERDNT.EXE
+ 2005-10-21 02:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\ERDNT.EXE
- 2000-08-31 13:00:00 28,672 ----a-w C:\WINDOWS\NIRCMD.exe
+ 2000-08-31 14:00:00 28,672 ----a-w C:\WINDOWS\NIRCMD.exe
- 2000-08-31 13:00:00 161,792 ----a-w C:\WINDOWS\SWREG.exe
+ 2000-08-31 14:00:00 161,792 ----a-w C:\WINDOWS\SWREG.exe
- 2008-06-09 16:21:24 55,790 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-11-02 15:32:40 55,790 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-06-09 16:21:24 387,808 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-11-02 15:32:40 387,808 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 15360]
"AbacastDistributedOnDemand:11"="C:\Documents and Settings\chambers\Local Settings\Application Data\AbacastDistributedOnDemand\Node\11\AbacastDistributedOnDemand.exe" [2008-09-29 54776]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-11-19 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-11-19 512000]
"TPHOTKEY"="C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 66176]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2003-10-23 897024]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-18 110592]
"SPYBOTD"="C:\WINDOWS\system32\Dis_Spybot_Wizard.EXE" [2004-12-02 110791]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-14 98304]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-14 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-14 118784]
"PWRMGRTR"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2007-04-13 196608]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2007-04-13 208896]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-25 344064]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-05-17 8433664]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-05-17 81920]
"ProductView8_0---UserRegSet"="C:\WINDOWS\Productview\ProductView8_0---UserRegSet.EXE" [2006-06-30 120823]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-09-06 413696]
"TP4EX"="tp4ex.exe" [2002-09-03 C:\WINDOWS\system32\TP4EX.exe]
"TpShocks"="TpShocks.exe" [2005-11-07 C:\WINDOWS\system32\TpShocks.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 C:\WINDOWS\AGRSMMSG.exe]
"Hot Key Kbd Daemon"="SKDAEMON.EXE" [2004-03-05 C:\WINDOWS\system32\SKDAEMON.EXE]
C:\Documents and Settings\chambers\Start Menu\Programs\Startup\
palmOne Registration.lnk - C:\Program Files\palmOne\register.exe [2005-09-19 2367488]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader\reader_sl.exe [2005-09-23 29696]
BSCI AWE Tools.lnk - C:\Program Files\AWE Tools\AWE Tools.exe [2006-09-28 13312]
HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\palmOne\Hotsync.exe [2004-06-09 471040]
VPN Client.lnk - C:\WINDOWS\Installer\{3E5562ED-69AB-4CEC-91E2-64E18EC5ACC6}\Icon3E5562ED7.ico [2006-09-28 6144]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 15:37 34344 C:\Program Files\Lenovo\HOTKEY\notifyf2.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2006-12-14 10:06 28672 C:\Program Files\Lenovo\HOTKEY\tphklock.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2724113797-4241170016-2566783980-8360\Scripts\Logon\0\0]
"Script"=EnableHTTP11onIE.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2724113797-4241170016-2566783980-8360\Scripts\Logon\1\0]
"Script"=EnableHTTP11onIE.bat
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R0 Shockprf;Shockprf;C:\WINDOWS\system32\drivers\Shockprf.sys [2005-11-30 85760]
R1 ShockMgr;ShockMgr;C:\WINDOWS\system32\drivers\ShockMgr.sys [2005-06-20 4736]
R1 TPPWRIF;TPPWRIF;C:\WINDOWS\system32\drivers\Tppwrif.sys [2007-04-13 4442]
R2 CcmExec;SMS Agent Host;C:\WINDOWS\system32\CCM\CcmExec.exe [2006-02-09 578784]
R2 iPCAgent;iPCAgent;C:\Program Files\iPass\iPassConnect\iPCAgent.exe [2004-10-19 90112]
R2 MDC80211;iPass Protocol (IEEE 802.1x) v2.3.1.9;C:\WINDOWS\system32\DRIVERS\mdc80211.sys [2006-09-27 15793]
S3 LenovoRd;LenovoRd;C:\WINDOWS\system32\Drivers\LenovoRd.sys [2007-02-26 81920]
S3 prepdrvr;SMS Process Event Driver;C:\WINDOWS\system32\CCM\prepdrv.sys [2006-02-09 20704]
S3 vsinstdv;vsinstdv;C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\{61B245E9-100A-46E9-8760-31EBEC18F586}\vsinstdv.sys [ ]
.
Contents of the 'Scheduled Tasks' folder
2008-11-01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2008-11-08 C:\WINDOWS\Tasks\PMTask.job
- C:\PROGRA~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2007-04-13 00:15]
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-07 23:00:37
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\csgina.dll
-> C:\Program Files\Lenovo\HOTKEY\tphklock.dll
-> C:\Program Files\Lenovo\HOTKEY\notifyf2.dll
.
Completion time: 2008-11-07 23:02:34
ComboFix-quarantined-files.txt 2008-11-08 05:02:30
ComboFix2.txt 2008-11-03 14:59:15
ComboFix3.txt 2008-11-02 15:26:49
ComboFix4.txt 2008-10-23 01:16:52
Pre-Run: 25,057,701,888 bytes free
Post-Run: 25,092,317,184 bytes free
195
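The firewall-policy block near the top of this ComboFix log is the part a responder would want to triage: the Windows Firewall standard profile is off with its notifications suppressed, 3389/TCP (the Remote Desktop port) is open in GloballyOpenPorts, and Security Center monitoring is overridden for ZoneLabsFirewall. The script below is an added example, not part of the original post and not ComboFix's own code; it parses exactly those registry lines (copied from the log above) and lists the settings to review. The function names and the "review"/"info" labels are this example's own choices. Note the caveat built into it: a third-party firewall such as the ZoneLabs product named in the dump legitimately disables the Windows Firewall profile and registers itself with Security Center, so these are items to confirm against the installed software, not verdicts of infection.

```python
"""Triage the firewall-policy section of a ComboFix log.

Added example for this thread; not part of the original post and not
ComboFix's own code. parse_value, parse_registry_dump and
triage_firewall_policy are names chosen for this example. LOG is
copied from the registry lines in the ComboFix log above.
"""
import re
from typing import Dict, List, Optional, Tuple, Union

# Copied from the ComboFix log posted above (raw string: backslashes are literal).
LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]*)"\s*=\s*(.*)$')
Value = Union[int, str, None]


def parse_value(raw: str) -> Value:
    """Normalise the value forms ComboFix prints: 'dword:00000001' -> 1,
    '0 (0x0)' -> 0, '' -> None, anything else -> the raw string."""
    raw = raw.strip()
    if not raw:
        return None
    if raw.lower().startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    m = re.match(r"^(\d+)\s*\(0x[0-9a-fA-F]+\)$", raw)
    if m:
        return int(m.group(1))
    return raw


def parse_registry_dump(text: str) -> Dict[str, Dict[str, Value]]:
    """Return {key path: {value name: value}} for a .reg-style dump."""
    keys: Dict[str, Dict[str, Value]] = {}
    current: Optional[Dict[str, Value]] = None
    for line in text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            current = keys.setdefault(km.group(1), {})
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            current[vm.group(1)] = parse_value(vm.group(2))
    return keys


def triage_firewall_policy(text: str) -> List[Tuple[str, str]]:
    """Flag firewall and Security Center settings worth a second look.

    'review' items are not verdicts: a third-party firewall such as the
    ZoneLabs product named in the dump legitimately turns the Windows
    Firewall profile off and registers itself with Security Center.
    """
    findings: List[Tuple[str, str]] = []
    for path, values in parse_registry_dump(text).items():
        lp = path.lower()
        if lp.endswith("\\firewallpolicy\\standardprofile"):
            if values.get("EnableFirewall") == 0:
                findings.append(("review", "Windows Firewall standard profile is disabled (EnableFirewall=0)"))
            if values.get("DisableNotifications") == 1:
                findings.append(("review", "Windows Firewall notifications are suppressed (DisableNotifications=1)"))
        elif lp.endswith("\\globallyopenports\\list"):
            for name in values:  # value names look like "3389:TCP"
                port, _, proto = name.partition(":")
                findings.append(("review", f"port {port}/{proto} is open on all interfaces in the standard profile"))
        elif lp.endswith("\\authorizedapplications\\list"):
            for name in values:
                findings.append(("info", f"authorized application: {name}"))
        elif "\\security center\\monitoring\\" in lp:
            if values.get("DisableMonitoring") == 1:
                product = path.rsplit("\\", 1)[-1]
                findings.append(("review", f"Security Center monitoring disabled for {product}"))
    return findings


if __name__ == "__main__":
    for severity, message in triage_firewall_policy(LOG):
        print(f"[{severity}] {message}")
```

Run it as-is to get the five findings for this log; to triage a different ComboFix report, paste its firewall-policy and Security Center lines into LOG, or read the whole log file into the function, since keys that do not match any rule are simply skipped.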
__RiP_ChAiN_
2008-11-12, 07:24
Hello freedumfyter,
Please download Malwarebytes' Anti-Malware from Here (http://www.besttechie.net/tools/mbam-setup.exe) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)
Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
This topic has been archived due to inactivity.
As it has been five days or more since your last post, and your helper posted a response to which you did not reply, this topic has been archived and will not be reopened. If you still require help, please start a new topic and include a fresh HijackThis log and a link to this thread.
Applies only to the original poster, anyone else with similar problems please start a new topic.