12-15-2008, 01:24 PM   #15
jaddison
Registered User
 
Join Date: Dec 2008
Posts: 11
OS: Microsoft XP SP2


Re: False Security Alerts (pop-ups) for alleged "Sinowal.Trojan"; suspicious links

Here's the ComboFix log. Also, use of applications has been restored, apparently.

ComboFix 08-12-14.05 - jaddison 2008-12-15 13:36:27.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1463 [GMT -5:00]
Running from: c:\documents and settings\jaddison\Desktop\ComboFix.exe
* Created a new restore point
.
The following files were disabled during the run:
c:\progra~1\PHAROS~1\Core\PRNTRACK.DLL


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2008-11-15 to 2008-12-15 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-06-21 23:38 30,280 ----a-w c:\program files\mozilla firefox\plugins\cgpcfg.dll
2007-06-21 23:38 79,432 ----a-w c:\program files\mozilla firefox\plugins\CgpCore.dll
2007-06-21 23:38 71,240 ----a-w c:\program files\mozilla firefox\plugins\confmgr.dll
2007-06-21 23:38 140,872 ----a-w c:\program files\mozilla firefox\plugins\ctxmui.dll
2007-06-21 23:39 38,472 ----a-w c:\program files\mozilla firefox\plugins\icafile.dll
2007-06-21 23:39 46,664 ----a-w c:\program files\mozilla firefox\plugins\icalogon.dll
2007-06-21 23:39 34,376 ----a-w c:\program files\mozilla firefox\plugins\logging.dll
2007-06-21 23:39 685,640 ----a-w c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2007-06-21 23:40 30,280 ----a-w c:\program files\mozilla firefox\plugins\TcpPServ.dll
.

((((((((((((((((((((((((((((( snapshot@2008-12-06_12.14.03.36 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 67,752 2006-12-22 11:29:56 c:\program files\Adobe\Photoshop Elements 5.0\bak\apdproxy.exe

----a-w 925,696 2005-05-20 13:11:06 c:\program files\Analog Devices\Core\bak\smax4pnp.exe

----a-w 716,800 2005-05-06 1912 c:\program files\Analog Devices\SoundMAX\bak\Smax4.exe

----a-w 90,112 2006-05-10 15:12:06 c:\program files\ATI Technologies\ATI.ACE\bak\CLIStart.exe

----a-w 1,197,648 2006-10-17 01:40:00 c:\program files\Canon\MyPrinter\bak\BJMyPrt.exe

----a-w 2,321,600 2007-08-05 13:21:15 c:\program files\Common Files\Adobe\Updater5\bak\AdobeUpdater.exe
----a-w 2,356,088 2008-12-08 00:12:24 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

----a-w 81,920 2005-02-16 20:15:20 c:\program files\Common Files\InstallShield\UpdateService\bak\issch.exe

----a-w 221,184 2004-07-27 20:50:42 c:\program files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe

----a-w 536,576 2006-12-10 23:36:32 c:\program files\Common Files\Lenovo\Scheduler\bak\scheduler_proxy.exe
----a-w 487,424 2008-03-04 15:34:20 c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe

----a-w 185,896 2006-09-28 17:16:20 c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\bak\SSBkgdupdate.exe

----a-w 48,800 2005-12-21 16:33:28 c:\program files\Common Files\Symantec Shared\bak\ccApp.exe
----a-w 48,800 2005-12-21 16:33:28 c:\program files\Common Files\Symantec Shared\ccApp.exe

----a-w 271,672 2007-07-31 22:44:42 c:\program files\iTunes\bak\iTunesHelper.exe
----a-w 289,576 2008-10-01 22:57:12 c:\program files\iTunes\iTunesHelper.exe

----a-w 36,975 2005-11-10 17:03:52 c:\program files\Java\jre1.5.0_06\bin\bak\jusched.exe

----a-w 2,341,632 2006-11-09 18:15:16 c:\program files\Lenovo\Client Security Solution\bak\cssauth.exe

----a-w 94,208 2006-10-02 15:19:48 c:\program files\Lenovo\PkgMgr\HOTKEY\bak\TPHKMGR.exe

----a-r 41,472 2006-03-13 20:38:56 c:\program files\Lenovo\SafeGuard PrivateDisk\bak\pdservice.exe

----a-w 31,016 2006-10-27 04:47:42 c:\program files\Microsoft Office\Office12\bak\GrooveMonitor.exe
----a-w 33,648 2007-08-24 11:00:48 c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

----a-w 286,720 2007-06-29 10:24:52 c:\program files\QuickTime\bak\qttask.exe
----a-w 413,696 2008-09-06 19:09:14 c:\program files\QuickTime\QTTask.exe

----a-w 75,304 2006-10-11 16:45:12 c:\program files\ScanSoft\OmniPageSE4.0\bak\OpwareSE4.exe

----a-w 1,592 2007-10-03 21:09:59 c:\program files\Steam\bak\ClientRegistry.blob
----a-w 546,136 2008-08-24 23:05:44 c:\program files\Steam\ClientRegistry.blob

----a-w 1,258,744 2007-08-05 01:20:45 c:\program files\Steam\bak\Steam.exe
----a-w 1,271,032 2008-04-06 19:53:30 c:\program files\Steam\Steam.exe

----a-w 29,826 2007-10-03 21:09:59 c:\program files\Steam\bak\Steamexe__237340__2007_10_3T21_9_59C3109.mdmp

----a-w 85,744 2006-05-27 2020 c:\program files\Symantec AntiVirus\bak\VPTray.exe
----a-w 85,744 2006-05-27 2020 c:\program files\Symantec AntiVirus\VPTray.exe

----a-w 512,000 2006-02-14 18:16:28 c:\program files\Synaptics\SynTP\bak\SynTPEnh.exe

----a-w 110,592 2006-02-14 18:17:28 c:\program files\Synaptics\SynTP\bak\SynTPLpr.exe

----a-w 243,248 2006-11-29 06:30:00 c:\program files\ThinkPad\Utilities\bak\EzEjMnAp.Exe
------w 242,976 2008-06-05 06:36:00 c:\program files\ThinkPad\Utilities\EZEJMNAP.EXE

----a-w 856,064 2006-06-03 02:00:18 c:\program files\ThinkPad\Utilities\bak\TpKmapAp.exe

----a-w 120,368 2007-02-02 07:01:00 c:\program files\ThinkVantage\PrdCtr\bak\LPMGR.exe
------w 165,208 2008-06-09 07:00:00 c:\program files\ThinkVantage\PrdCtr\LPMGR.EXE

----a-w 31,232 2006-04-25 23:03:42 c:\program files\ThinkVantage Fingerprint Software\bak\launcher.exe
----a-w 48,904 2007-08-14 19:32:42 c:\program files\ThinkVantage Fingerprint Software\launcher.exe

----a-w 1,014,272 2007-08-15 08:48:34 c:\program files\Tunebite\bak\tunebite.exe
----a-w 1,014,272 2007-08-15 08:48:34 c:\program files\Tunebite\tunebite.exe

----a-w 122,940 2006-02-02 09:20:00 c:\windows\system32\DLA\bak\DLACTRLW.EXE

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"tunebite.exe"="c:\program files\Tunebite\tunebite.exe" [2007-08-15 1014272]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Google Update"="c:\documents and settings\jaddison\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-05 133104]
"windpipe"="c:\documents and settings\jaddison\Application Data\Google\fhexj6825097.exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IUWORK"="c:\iuwork\LAUNCH.LNK" [N/A]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2008-07-29 331776]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2008-07-29 208896]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2008-03-24 68464]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2008-06-05 242976]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2008-07-05 425984]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2008-07-04 143360]
"LPManager"="c:\progra~1\THINKV~2\PrdCtr\LPMGR.exe" [2008-06-09 165208]
"LPMailChecker"="c:\progra~1\THINKV~2\PrdCtr\LPMLCHK.exe" [2008-06-09 124248]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"TP4EX"="tp4ex.exe" [2005-10-17 c:\windows\system32\TP4EX.exe]
"TpShocks"="TpShocks.exe" [2008-06-06 c:\windows\system32\TpShocks.exe]
"Mouse Suite 98 Daemon"="ICO.EXE" [2005-04-13 c:\windows\system32\ico.exe]

c:\documents and settings\jaddison\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2006-08-18 561213]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-09-08 50688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"AllowMultipleTSSessions"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-08-14 14:54 89600 c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 15:37 34344 c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2008-03-17 15:02 34080 c:\program files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli ACGina psqlpwd

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Steam\\SteamApps\\matrix@moscowmail.com\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Spadester\\spades.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Ruckus Player\\Ruckus.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\PharosSystems\\Core\\CTskMstr.exe"=
"c:\\Program Files\\MoRUN.net\\Sticker Lite\\sticker.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2967:UDP"= 2967:UDP:Symantec AntiVirus Managed Client (2967:UDP)
"7001:UDP"= 7001:UDP:AFS CacheManager Callback (7001:UDP)
"2967:TCP"= 2967:TCP:Symantec AntiVirus Managed Client (2967:TCP)
"7001:TCP"= 7001:TCP:AFS CacheManager Callback (7001:TCP)

.
Contents of the 'Scheduled Tasks' folder

2008-12-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-12-15 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\jaddison\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-05 20:52]

2008-12-15 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2008-07-29 00:43]
.
.
------- Supplementary Scan -------
.
uStart Page =
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-15 14:39:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\c:\windows\TEMP\mc21.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1132)
c:\windows\system32\vrlogon.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\homepass.dll
c:\program files\ThinkVantage Fingerprint Software\bio.dll
c:\program files\ThinkVantage Fingerprint Software\ps2css.dll
c:\program files\ThinkVantage Fingerprint Software\remote.dll
c:\program files\Lenovo\HOTKEY\tphklock.dll
c:\program files\ThinkVantage Fingerprint Software\pscssint.dll
c:\program files\ThinkVantage Fingerprint Software\crypto.dll

- - - - - - - > 'lsass.exe'(1188)
c:\program files\ThinkPad\ConnectUtilities\ACGina.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACON.dll
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgr.dll
c:\program files\ThinkPad\ConnectUtilities\AcCryptHlpr.dll
c:\program files\ThinkPad\ConnectUtilities\ACTurinSupport.dll
c:\program files\ThinkPad\ConnectUtilities\AcSmBiosHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcAdaptersInfo.dll
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\windows\system32\acs.exe
c:\program files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\progra~1\PHAROS~1\Core\CTskMstr.exe
c:\program files\Symantec AntiVirus\SavRoam.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\system32\TPHDEXLG.exe
c:\windows\system32\TpKmpSvc.exe
c:\program files\Lenovo\Client Security Solution\tvttcsd.exe
c:\program files\Lenovo\Rescue and Recovery\rrservice.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\Lenovo\Rescue and Recovery\ADM\IUService.exe
c:\program files\Viewpoint\Common\ViewpointService.exe
c:\program files\ThinkPad\Utilities\PWMDBSVC.exe
c:\program files\Lenovo\System Update\SUService.exe
c:\program files\Common Files\Lenovo\Logger\logmon.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\FSRremoS.EXE
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\ZOOM\TpScrex.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
.
**************************************************************************
.
Completion time: 2008-12-15 14:47:26 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-15 19:47:22
ComboFix2.txt 2008-12-07 16:03:13
ComboFix3.txt 2008-12-06 18:48:51
ComboFix4.txt 2008-12-06 17:16:19

Pre-Run: 32,610,398,720 bytes free
Post-Run: 32,618,114,048 bytes free

256 --- E O F --- 2008-12-12 21:57:59