06-27-2009, 09:02 AM   #7
Everest63
Registered User
Join Date: Feb 2005
Posts: 82
OS: XP Pro


Re: Laptop virus Free?

ComboFix 09-06-26.02 - blandry 06/27/2009 10:51.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2006.1469 [GMT -4:00]
Running from: c:\documents and settings\blandry\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\blandry\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\17363594
c:\documents and settings\All Users\Application Data\17363594\17363594.glu
c:\documents and settings\All Users\Application Data\17363594\pc17363594cnf
c:\documents and settings\All Users\Application Data\17363594\pc17363594ins
c:\documents and settings\All Users\Application Data\97373586
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://cksnamsvr01
.
--------------- FCopy ---------------

c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\proquota.exe --> c:\windows\system32\proquota.exe
.
((((((((((((((((((((((((( Files Created from 2009-05-27 to 2009-06-27 )))))))))))))))))))))))))))))))
.

2009-06-27 14:51 . 2009-06-27 14:51 -------- d-----w- c:\windows\LastGood
2009-06-27 14:51 . 2004-08-04 11:00 50176 ----a-w- c:\windows\system32\proquota.exe
2009-06-27 14:51 . 2004-08-04 11:00 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-06-27 03:25 . 2009-06-27 03:26 -------- d-----w- c:\windows\system32\dllcache\cache
2009-06-26 20:31 . 2009-06-26 20:59 -------- d-----w- c:\program files\Symantec
2009-06-25 18:30 . 2009-06-25 18:30 -------- d-sh--w- c:\windows\System Volume Information

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-27 00:00 . 2008-01-25 00:47 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-26 21:00 . 2008-01-25 00:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-06-26 20:29 . 2008-01-29 18:25 -------- d-----w- c:\program files\Trend Micro
2009-06-26 17:58 . 2009-01-13 20:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-26 17:57 . 2009-01-23 19:38 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-17 15:27 . 2009-01-13 20:15 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 15:27 . 2009-01-13 20:15 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-01 20:26 . 2008-09-15 12:46 -------- d-----w- c:\documents and settings\blandry\Application Data\Skype
2009-05-01 19:05 . 2008-09-15 12:52 -------- d-----w- c:\documents and settings\blandry\Application Data\skypePM
2009-03-31 17:42 . 2008-01-25 00:58 86368 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( SnapShot@2009-06-27_03.24.24 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-27 12:35 . 2009-06-27 12:35 16384 c:\windows\temp\Perflib_Perfdata_408.dat
+ 2009-06-27 03:26 . 2008-10-16 19:09 51224 c:\windows\system32\dllcache\cache\wuauclt.exe
+ 2009-06-27 03:25 . 2004-08-04 11:00 82944 c:\windows\system32\dllcache\cache\ws2_32.dll
+ 2009-06-27 03:26 . 2004-08-04 11:00 24576 c:\windows\system32\dllcache\cache\userinit.exe
+ 2009-06-27 03:25 . 2004-08-04 11:00 14336 c:\windows\system32\dllcache\cache\svchost.exe
+ 2009-06-27 03:26 . 2005-06-10 23:53 57856 c:\windows\system32\dllcache\cache\spoolsv.exe
+ 2009-06-27 03:26 . 2004-08-04 11:00 17408 c:\windows\system32\dllcache\cache\powrprof.dll
+ 2009-06-27 03:26 . 2004-08-04 11:00 13312 c:\windows\system32\dllcache\cache\lsass.exe
+ 2009-06-27 03:26 . 2004-08-04 05:58 24576 c:\windows\system32\dllcache\cache\kbdclass.sys
+ 2009-06-27 03:25 . 2004-08-04 11:00 29056 c:\windows\system32\dllcache\cache\Ip6Fw.sys
+ 2009-06-27 03:26 . 2004-08-04 11:00 15360 c:\windows\system32\dllcache\cache\ctfmon.exe
+ 2009-06-27 14:51 . 2008-04-14 00:12 50176 c:\windows\LastGood\system32\proquota.exe
+ 2009-06-27 03:25 . 2005-04-01 18:19 502784 c:\windows\system32\dllcache\cache\winlogon.exe
+ 2009-06-27 03:25 . 2008-10-16 20:38 826368 c:\windows\system32\dllcache\cache\wininet.dll
+ 2009-06-27 03:25 . 2007-03-08 15:48 578048 c:\windows\system32\dllcache\cache\user32.dll
+ 2009-06-27 03:26 . 2004-08-04 11:00 295424 c:\windows\system32\dllcache\cache\termsrv.dll
+ 2009-06-27 03:25 . 2008-06-20 10:44 360960 c:\windows\system32\dllcache\cache\tcpip.sys
+ 2009-06-27 03:26 . 2004-08-04 11:00 108032 c:\windows\system32\dllcache\cache\services.exe
+ 2009-06-27 03:25 . 2006-05-02 10:55 182656 c:\windows\system32\dllcache\cache\ndis.sys
+ 2009-06-27 03:26 . 2007-04-16 15:52 984576 c:\windows\system32\dllcache\cache\kernel32.dll
+ 2009-06-27 03:26 . 2004-08-04 11:00 110080 c:\windows\system32\dllcache\cache\imm32.dll
+ 2009-06-27 03:26 . 2004-08-04 11:00 167936 c:\windows\system32\dllcache\cache\appmgmts.dll
+ 2009-06-27 03:26 . 2004-08-04 11:00 1580544 c:\windows\system32\dllcache\cache\sfcfiles.dll
+ 2009-06-27 03:25 . 2008-08-14 09:55 2142720 c:\windows\system32\dllcache\cache\ntoskrnl.exe
+ 2009-06-27 03:25 . 2008-08-14 09:18 2020864 c:\windows\system32\dllcache\cache\ntkrnlpa.exe
+ 2009-06-27 03:25 . 2007-06-13 10:23 1033216 c:\windows\system32\dllcache\cache\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-02 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TabletWizard"="c:\windows\help\SplshWrp.exe" [2004-08-04 16384]
"TabletTip"="c:\program files\Common Files\microsoft shared\ink\tabtip.exe" [2006-06-02 271872]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2007-09-05 200704]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2007-09-05 208896]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2007-04-09 58416]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 66176]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-03-28 243248]
"IBMTBCTL"="c:\program files\ThinkPad\Tablet Shortcut\IBMTBCTL.EXE" [2007-06-22 782336]
"TSMResident"="c:\program files\ThinkPad\Tablet Shortcut\TSMRESIDENT.EXE" [2007-06-22 45056]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-04-09 1015808]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-07 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-07 162328]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-07 137752]
"Snippet"="c:\program files\Microsoft Experience Pack\Snipping Tool\SnippingTool.exe" [2005-02-25 68296]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2007-02-08 536576]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-11-07 91688]
"LPManager"="c:\progra~1\THINKV~2\PrdCtr\LPMGR.exe" [2007-04-26 120368]
"AMSG"="c:\program files\ThinkVantage\AMSG\Amsg.exe" [2007-02-01 419376]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-05-19 196696]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2007-07-05 413696]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-07-05 126976]
"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2007-08-04 2630968]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-14 385024]
"AT&T Communication Manager"="c:\program files\AT&T\Communication Manager\ATTCM.exe" [2007-04-06 22528]
"TrackPointSrv"="tp4serv.exe" - c:\windows\system32\tp4serv.exe [2007-04-26 91184]
"TpShocks"="TpShocks.exe" - c:\windows\system32\TpShocks.exe [2007-09-28 181544]

c:\documents and settings\blandry\Start Menu\Programs\Startup\
DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2006-6-22 462848]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-1-24 50688]
SafeConnect.lnk - c:\program files\SafeConnect\scClient.exe [2007-4-9 206368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]
2004-08-04 11:00 47104 ----a-w- c:\program files\Common Files\Microsoft Shared\Ink\LoginKey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-03-15 06:17 89600 ----a-w- c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 07:37 34344 ----a-w- c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2006-12-14 02:06 28672 ----a-w- c:\program files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2007-07-05 22:52 32768 ----a-w- c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]
2002-08-29 10:41 11776 ----a-w- c:\windows\system32\tabbtnwl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]
2006-10-05 12:45 31744 ----a-w- c:\windows\system32\tpgwlnot.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd ACGina

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 Shockprf;Shockprf;c:\windows\system32\drivers\ApsX86.sys [9/28/2007 8:29 PM 103472]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [9/28/2007 8:28 PM 19504]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [1/24/2008 8:22 PM 4442]
R1 TSMSMI;Lenovo System Interface Driver;c:\windows\system32\drivers\tsmsmi32.sys [1/24/2008 8:23 PM 6656]
R2 ASRSVC;ASR Service;c:\program files\ThinkPad\Tablet Shortcut\ASR\ASRSVC.exe [1/24/2008 8:23 PM 73728]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 5:45 AM 13088]
R2 SCManager;SafeConnect Manager;c:\program files\SafeConnect\scManager.sys servicestart --> c:\program files\SafeConnect\scManager.sys servicestart [?]
R2 smihlp;SMI Helper Driver (smihlp);c:\program files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [3/15/2007 2:10 AM 11152]
R2 TabletSVC;TABLET Service;c:\program files\ThinkPad\Tablet Shortcut\TSMService.exe [1/24/2008 8:23 PM 53248]
R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [2/8/2007 5:11 PM 569344]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\Tvti2c.sys [6/26/2009 9:56 AM 30336]
R3 WacomPen;Wacom Serial Pen HID Driver;c:\windows\system32\drivers\wacompen.sys [6/26/2009 9:56 AM 13568]
S3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [6/26/2009 9:56 AM 22832]
.
Contents of the 'Scheduled Tasks' folder

2008-03-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 18:57]

2009-06-27 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 16:20]

2009-06-27 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2008-01-25 16:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
LSP: bmnet.dll
DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} - hxxps://ussv042/officescan/console/html/AtxEnc.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-27 10:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1348)
c:\windows\system32\vrlogon.dll
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\homepass.dll
c:\program files\ThinkVantage Fingerprint Software\bio.dll
c:\program files\ThinkVantage Fingerprint Software\ps2css.dll
c:\program files\ThinkVantage Fingerprint Software\remote.dll
c:\program files\Lenovo\HOTKEY\tphklock.dll
c:\program files\ThinkVantage Fingerprint Software\pscssint.dll
c:\program files\ThinkVantage Fingerprint Software\crypto.dll
c:\windows\system32\igfxdev.dll
c:\program files\Lenovo\HOTKEY\notifyf2.dll

- - - - - - - > 'lsass.exe'(1408)
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkPad\ConnectUtilities\ACGina.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACON.dll
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgr.dll
c:\program files\ThinkPad\ConnectUtilities\AcCryptHlpr.dll
c:\program files\ThinkPad\ConnectUtilities\ACTurinSupport.dll
c:\program files\ThinkPad\ConnectUtilities\AcSmBiosHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcAdaptersInfo.dll
c:\windows\system32\bmnet.dll
.
Completion time: 2009-06-27 10:55
ComboFix-quarantined-files.txt 2009-06-27 14:55
ComboFix2.txt 2009-06-27 12:40
ComboFix3.txt 2009-06-27 03:27

Pre-Run: 50,467,467,264 bytes free
Post-Run: 50,452,488,192 bytes free

226 --- E O F --- 2008-08-14 13:19


I cannot open the System Volume Information folder, ACCESS DENIED
c:\windows\System Volume Information