#1
Registered User
Join Date: Dec 2008
Posts: 11
OS: Microsoft XP SP2
False Security Alerts (pop-ups) for alleged "Sinowal.Trojan"; suspicious links
To whom it may concern,
Today I began receiving pop-ups that appeared to be related to the Windows Firewall under the heading "Security Center Alert" that warned of a piece of suspicious software called "Sinowal.Trojan" on my computer and gave me an option to "Enable Protection". The aforementioned link takes you to a website for Perfect Defender 2009; some sort of rogue anti-spyware lookalike, apparently. At any rate, I can't get these stupid pop-ups to go away (they respawn every 10 minutes or so) nor can I get certain applications to work properly, like Mozilla Firefox and Thunderbird. The only browser I can use is Safari, and it's been crashing a good bit as well. MalwareBytes hasn't been able to fix the problem, and I recently found your website in hopes of figuring this out once and for all. I just want to get rid of this malware.

Here are the requested logs. I received an error when trying to attach "Attach.txt" that reads: "Upload Errors Attach.txt: Attachment in Progress. Can be deleted here."

Thank you very much for your help and for donating your time!

Sincerely,
J. Addison

DDS (Version 1.0) - NTFSx86
Run by jaddison at 22:28:51.51 on Thu 12/04/2008
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1354 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\TpShocks.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\system32\FSRremoS.EXE
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
C:\PROGRA~1\THINKV~2\PrdCtr\LPMLCHK.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
C:\Program Files\Tunebite\tunebite.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\jaddison\Application Data\Google\ggqjh22510678.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\jaddison\Desktop\dds.com
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page =
uInternet Settings,ProxyOverride = *.local
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {5CA3D70E-1895-11CF-8E15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll
BHO: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: {F040E541-A427-4CF7-85D8-75E3E0F476C5} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
TB: {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - c:\program files\canon\easy-webprint\Toolband.dll
uRun: [tunebite.exe] c:\program files\tunebite\tunebite.exe -tray
uRun: [Aim6]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [vidxhp] "c:\documents and settings\jaddison\application data\google\ggqjh22510678.exe"
mRun: [IUWORK] c:\iuwork\LAUNCH.LNK
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [TP4EX] tp4ex.exe
mRun: [<NO NAME>]
mRun: [TpShocks] TpShocks.exe
mRun: [Mouse Suite 98 Daemon] ICO.EXE
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
mRun: [LPManager] c:\progra~1\thinkv~2\prdctr\LPMGR.exe
mRun: [LPMailChecker] c:\progra~1\thinkv~2\prdctr\LPMLCHK.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\jaddison\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\thinkpad\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
mPolicies-system: AllowMultipleTSSessions = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_Print.html
IE: Send to &Bluetooth Device... - c:\program files\thinkpad\bluetooth software\btsendto_ie_ctx.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {0045D4BC-5189-4b67-969C-83BB1906C421} - {0FE81B52-73FA-425F-8F06-3F32451AC73F} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: psfus - c:\windows\system32\psqlpwd.dll
Notify: tpfnf2 - c:\program files\lenovo\hotkey\notifyf2.dll
Notify: tphotkey - c:\program files\lenovo\hotkey\tphklock.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Notification Packages = scecli ACGina psqlpwd

============= SERVICES / DRIVERS ===============

R0 Shockprf;Shockprf;c:\windows\system32\drivers\Apsx86.sys [2008-5-14 114728]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2008-5-14 19496]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.SYS [2008-9-8 11520]
R1 IBMTPCHK;IBMTPCHK;\??\c:\windows\system32\drivers\IBMBLDID.sys [2008-9-8 4224]
R1 SAVRT;SAVRT;\??\c:\program files\symantec antivirus\savrt.sys [2005-8-26 334984]
R1 SAVRTPEL;SAVRTPEL;\??\c:\program files\symantec antivirus\Savrtpel.sys [2005-8-26 53896]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\Tppwrif.sys [2007-6-9 4442]
R2 aawservice;Ad-Aware 2007 Service;"c:\program files\lavasoft\ad-aware 2007\aawservice.exe" [2007-7-6 574808]
R2 ccSetMgr;Symantec Settings Manager;"c:\program files\common files\symantec shared\ccSetMgr.exe" [2005-12-21 177824]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\thinkpad\utilities\PWMDBSVC.EXE [2008-9-8 94208]
R2 PrivateDisk;PrivateDisk;\??\c:\program files\lenovo\safeguard privatedisk\PrivateDiskM.sys [2006-3-13 58368]
R2 SavRoam;SAVRoam;"c:\program files\symantec antivirus\SavRoam.exe" [2006-5-27 169200]
R2 smi2;smi2;\??\c:\program files\smi2\smi2.sys [2006-11-9 3968]
R2 smihlp2;SMI Helper Driver (smihlp2);\??\c:\program files\common files\thinkvantage fingerprint software\drivers\smihlp.sys [2007-8-14 10896]
R2 Symantec AntiVirus;Symantec AntiVirus;"c:\program files\symantec antivirus\Rtvscan.exe" [2006-5-27 1757936]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\ViewpointService.exe" [2007-10-4 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-9-7 99376]
R3 NAVENG;NAVENG;\??\c:\progra~1\common~1\symant~1\virusd~1\20081204.003\naveng.sys [2008-12-4 89104]
R3 NAVEX15;NAVEX15;\??\c:\progra~1\common~1\symant~1\virusd~1\20081204.003\navex15.sys [2008-12-4 876112]
R3 WSIMD;wsimd Service;c:\windows\system32\drivers\wsimd.sys [2007-6-9 57344]
S2 ccEvtMgr;Symantec Event Manager;"c:\program files\common files\symantec shared\ccEvtMgr.exe" [2005-12-21 186016]
S3 ccPwdSvc;Symantec Password Validation;"c:\program files\common files\symantec shared\ccPwdSvc.exe" [2005-12-21 83616]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys [2008-12-4 38496]
S3 pelmouse;Mouse Suite Driver;c:\windows\system32\drivers\pelmouse.sys [2007-8-5 16384]
S3 pelusblf;USB Mouse Low Filter Driver;c:\windows\system32\drivers\pelusblf.sys [2007-8-5 9216]

=============== Created Last 30 ================

2008-12-04 20:19 <DIR> --d----- c:\program files\Enigma Software Group
2008-12-04 16:44 <DIR> --d----- c:\program files\Trend Micro
2008-12-04 16:29 <DIR> --d----- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-12-04 16:29 <DIR> --d----- c:\program files\SDHelper (Spybot - Search & Destroy)
2008-12-04 16:28 <DIR> --d----- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-12-04 15:53 <DIR> --d----- c:\docume~1\jaddison\applic~1\Malwarebytes
2008-12-04 15:53 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-04 15:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

==================== Find3M ====================

============= FINISH: 22:29:06.71 ===============

I got Attach.txt to upload after compressing it to a .zip. Sorry about that!

Thanks again,
J. Addison

Last edited by amateur; 12-04-2008 at 09:09 PM. Reason: two posts merged to retain 0-reply status
#2
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,341
OS: N/A
Re: False Security Alerts (pop-ups) for alleged "Sinowal.Trojan"; suspicious links
Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/comb...o-use-combofix

Post the log from ComboFix when you've accomplished that.
#3
Registered User
Join Date: Dec 2008
Posts: 11
OS: Microsoft XP SP2
Re: False Security Alerts (pop-ups) for alleged "Sinowal.Trojan"; suspicious links
Here you are.
For the record, I'm sure you can tell from these diagnostics that I'm running uTorrent, which you ask in the forum rules that I delete. However, I am a musician and use this application for new music distribution, not the other way around. At any rate, I wanted to make it clear that I don't use it for acquiring files of a dubious nature.

Best,
J. Addison

ComboFix 08-12-05.06 - jaddison 2008-12-06 12:02:17.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1299 [GMT -5:00]
Running from: c:\documents and settings\jaddison\Desktop\ComboFix.exe
 * Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_TDSSSERV.SYS

((((((((((((((((((((((((( Files Created from 2008-11-06 to 2008-12-06 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-06-21 23:38 30,280 ----a-w c:\program files\mozilla firefox\plugins\cgpcfg.dll
2007-06-21 23:38 79,432 ----a-w c:\program files\mozilla firefox\plugins\CgpCore.dll
2007-06-21 23:38 71,240 ----a-w c:\program files\mozilla firefox\plugins\confmgr.dll
2007-06-21 23:38 140,872 ----a-w c:\program files\mozilla firefox\plugins\ctxmui.dll
2007-06-21 23:39 38,472 ----a-w c:\program files\mozilla firefox\plugins\icafile.dll
2007-06-21 23:39 46,664 ----a-w c:\program files\mozilla firefox\plugins\icalogon.dll
2007-06-21 23:39 34,376 ----a-w c:\program files\mozilla firefox\plugins\logging.dll
2007-06-21 23:39 685,640 ----a-w c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2007-06-21 23:40 30,280 ----a-w c:\program files\mozilla firefox\plugins\TcpPServ.dll
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 67,752 2006-12-22 11:29:56 c:\program files\Adobe\Photoshop Elements 5.0\bak\apdproxy.exe
----a-w 925,696 2005-05-20 13:11:06 c:\program files\Analog Devices\Core\bak\smax4pnp.exe
----a-w 716,800 2005-05-06 19 12 c:\program files\Analog Devices\SoundMAX\bak\Smax4.exe
----a-w 90,112 2006-05-10 15:12:06 c:\program files\ATI Technologies\ATI.ACE\bak\CLIStart.exe
----a-w 1,197,648 2006-10-17 01:40:00 c:\program files\Canon\MyPrinter\bak\BJMyPrt.exe
----a-w 2,321,600 2007-08-05 13:21:15 c:\program files\Common Files\Adobe\Updater5\bak\AdobeUpdater.exe
----a-w 2,321,600 2007-03-01 03 56 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe
----a-w 81,920 2005-02-16 20:15:20 c:\program files\Common Files\InstallShield\UpdateService\bak\issch.exe
----a-w 221,184 2004-07-27 20:50:42 c:\program files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe
----a-w 536,576 2006-12-10 23:36:32 c:\program files\Common Files\Lenovo\Scheduler\bak\scheduler_proxy.exe
----a-w 487,424 2008-03-04 15:34:20 c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
----a-w 185,896 2006-09-28 17:16:20 c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\bak\SSBkgdupdate.exe
----a-w 48,800 2005-12-21 16:33:28 c:\program files\Common Files\Symantec Shared\bak\ccApp.exe
----a-w 48,800 2005-12-21 16:33:28 c:\program files\Common Files\Symantec Shared\ccApp.exe
----a-w 271,672 2007-07-31 22:44:42 c:\program files\iTunes\bak\iTunesHelper.exe
----a-w 289,576 2008-10-01 22:57:12 c:\program files\iTunes\iTunesHelper.exe
----a-w 36,975 2005-11-10 17:03:52 c:\program files\Java\jre1.5.0_06\bin\bak\jusched.exe
----a-w 2,341,632 2006-11-09 18:15:16 c:\program files\Lenovo\Client Security Solution\bak\cssauth.exe
----a-w 94,208 2006-10-02 15:19:48 c:\program files\Lenovo\PkgMgr\HOTKEY\bak\TPHKMGR.exe
----a-r 41,472 2006-03-13 20:38:56 c:\program files\Lenovo\SafeGuard PrivateDisk\bak\pdservice.exe
----a-w 31,016 2006-10-27 04:47:42 c:\program files\Microsoft Office\Office12\bak\GrooveMonitor.exe
----a-w 33,648 2007-08-24 11:00:48 c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
----a-w 286,720 2007-06-29 10:24:52 c:\program files\QuickTime\bak\qttask.exe
----a-w 413,696 2008-09-06 19:09:14 c:\program files\QuickTime\QTTask.exe
----a-w 75,304 2006-10-11 16:45:12 c:\program files\ScanSoft\OmniPageSE4.0\bak\OpwareSE4.exe
----a-w 1,592 2007-10-03 21:09:59 c:\program files\Steam\bak\ClientRegistry.blob
----a-w 546,136 2008-08-24 23:05:44 c:\program files\Steam\ClientRegistry.blob
----a-w 1,258,744 2007-08-05 01:20:45 c:\program files\Steam\bak\Steam.exe
----a-w 1,271,032 2008-04-06 19:53:30 c:\program files\Steam\Steam.exe
----a-w 29,826 2007-10-03 21:09:59 c:\program files\Steam\bak\Steamexe__237340__2007_10_3T21_9_59C3109.mdmp
----a-w 85,744 2006-05-27 20 20 c:\program files\Symantec AntiVirus\bak\VPTray.exe
----a-w 85,744 2006-05-27 20 20 c:\program files\Symantec AntiVirus\VPTray.exe
----a-w 512,000 2006-02-14 18:16:28 c:\program files\Synaptics\SynTP\bak\SynTPEnh.exe
----a-w 110,592 2006-02-14 18:17:28 c:\program files\Synaptics\SynTP\bak\SynTPLpr.exe
----a-w 243,248 2006-11-29 06:30:00 c:\program files\ThinkPad\Utilities\bak\EzEjMnAp.Exe
------w 242,976 2008-06-05 06:36:00 c:\program files\ThinkPad\Utilities\EZEJMNAP.EXE
----a-w 856,064 2006-06-03 02:00:18 c:\program files\ThinkPad\Utilities\bak\TpKmapAp.exe
----a-w 120,368 2007-02-02 07:01:00 c:\program files\ThinkVantage\PrdCtr\bak\LPMGR.exe
------w 165,208 2008-06-09 07:00:00 c:\program files\ThinkVantage\PrdCtr\LPMGR.EXE
----a-w 31,232 2006-04-25 23:03:42 c:\program files\ThinkVantage Fingerprint Software\bak\launcher.exe
----a-w 48,904 2007-08-14 19:32:42 c:\program files\ThinkVantage Fingerprint Software\launcher.exe
----a-w 1,014,272 2007-08-15 08:48:34 c:\program files\Tunebite\bak\tunebite.exe
----a-w 1,014,272 2007-08-15 08:48:34 c:\program files\Tunebite\tunebite.exe
----a-w 122,940 2006-02-02 09:20:00 c:\windows\system32\DLA\bak\DLACTRLW.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"tunebite.exe"="c:\program files\Tunebite\tunebite.exe" [2007-08-15 1014272]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"vidxhp"="c:\documents and settings\jaddison\Application Data\Google\ggqjh22510678.exe" [2008-12-04 124416]
"Google Update"="c:\documents and settings\jaddison\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-05 133104]
"Aim6"="" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IUWORK"="c:\iuwork\LAUNCH.LNK" [N/A]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2008-07-29 331776]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2008-07-29 208896]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2008-03-24 68464]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2008-06-05 242976]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2008-07-05 425984]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2008-07-04 143360]
"LPManager"="c:\progra~1\THINKV~2\PrdCtr\LPMGR.exe" [2008-06-09 165208]
"LPMailChecker"="c:\progra~1\THINKV~2\PrdCtr\LPMLCHK.exe" [2008-06-09 124248]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"TP4EX"="tp4ex.exe" [2005-10-17 c:\windows\system32\TP4EX.exe]
"TpShocks"="TpShocks.exe" [2008-06-06 c:\windows\system32\TpShocks.exe]
"Mouse Suite 98 Daemon"="ICO.EXE" [2005-04-13 c:\windows\system32\ico.exe]

c:\documents and settings\jaddison\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2006-08-18 561213]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-09-08 50688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"AllowMultipleTSSessions"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-08-14 14:54 89600 c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 15:37 34344 c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2008-03-17 15:02 34080 c:\program files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli ACGina psqlpwd

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Steam\\SteamApps\\matrix@moscowmail.com\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Spadester\\spades.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Ruckus Player\\Ruckus.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\PharosSystems\\Core\\CTskMstr.exe"=
"c:\\Program Files\\MoRUN.net\\Sticker Lite\\sticker.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2967:UDP"= 2967:UDP:Symantec AntiVirus Managed Client (2967:UDP)
"7001:UDP"= 7001:UDP:AFS CacheManager Callback (7001:UDP)
"2967:TCP"= 2967:TCP:Symantec AntiVirus Managed Client (2967:TCP)
"7001:TCP"= 7001:TCP:AFS CacheManager Callback (7001:TCP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowInboundMaskRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
"AllowOutboundDestinationUnreachable"= 1 (0x1)
"AllowOutboundSourceQuench"= 1 (0x1)
"AllowOutboundParameterProblem"= 1 (0x1)
"AllowOutboundTimeExceeded"= 1 (0x1)
"AllowRedirect"= 1 (0x1)
"AllowOutboundPacketTooBig"= 1 (0x1)
.
Contents of the 'Scheduled Tasks' folder

2008-12-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-12-06 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\jaddison\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-05 20:52]

2008-12-06 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2008-07-29 00:43]
.
**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-06 12:07:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\c:\windows\TEMP\mc21.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDSSserv.sys]
"imagepath"="\systemroot\system32\drivers\TDSSuerhqfhx.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1164)
c:\windows\system32\vrlogon.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\homepass.dll
c:\program files\ThinkVantage Fingerprint Software\bio.dll
c:\program files\ThinkVantage Fingerprint Software\ps2css.dll
c:\program files\ThinkVantage Fingerprint Software\remote.dll
c:\program files\Lenovo\HOTKEY\tphklock.dll
c:\program files\ThinkVantage Fingerprint Software\pscssint.dll
c:\program files\ThinkVantage Fingerprint Software\crypto.dll

- - - - - - - > 'lsass.exe'(1220)
c:\program files\ThinkPad\ConnectUtilities\ACGina.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACON.dll
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgr.dll
c:\program files\ThinkPad\ConnectUtilities\AcCryptHlpr.dll
c:\program files\ThinkPad\ConnectUtilities\ACTurinSupport.dll
c:\program files\ThinkPad\ConnectUtilities\AcSmBiosHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcAdaptersInfo.dll
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\windows\system32\acs.exe
c:\program files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\progra~1\PHAROS~1\Core\CTskMstr.exe
c:\program files\Symantec AntiVirus\SavRoam.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\system32\TPHDEXLG.exe
c:\windows\system32\TpKmpSvc.exe
c:\program files\Lenovo\Client Security Solution\tvttcsd.exe
c:\program files\Lenovo\Rescue and Recovery\rrservice.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\Lenovo\Rescue and Recovery\ADM\IUService.exe
c:\program files\Viewpoint\Common\ViewpointService.exe
c:\program files\ThinkPad\Utilities\PWMDBSVC.exe
c:\program files\Lenovo\System Update\SUService.exe
c:\program files\Common Files\Lenovo\Logger\logmon.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\FSRremoS.EXE
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Lenovo\ZOOM\TpScrex.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
.
**************************************************************************
.
Completion time: 2008-12-06 12:16:18 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-06 17:16:15

Pre-Run: 32,238,750,208 bytes free
Post-Run: 33,454,929,920 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

257 --- E O F --- 2008-11-13 21:05:43

Last edited by sUBs; 12-06-2008 at 10:51 AM.
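The two Run-key values that get stripped in the next reply ("vidxhp", pointing at a machine-named executable under Application Data, and the orphaned "Aim6") are exactly what a helper picks out of the "Reg Loading Points" section by eye. As an added example (not part of this thread, of ComboFix or of DDS), the Python below parses a section in that layout and flags entries that are orphaned, that run from a directory a standard user can write to, or whose file name is letters followed by a long digit run. The sample text is constructed to mirror the log format above; the heuristics and names are this example's own.

```python
"""Triage the Run-key entries of a ComboFix-style "Reg Loading Points" section.

Added example for this thread; not part of ComboFix, DDS or the poster's logs.
SAMPLE_RUN_SECTION is constructed to mirror the layout of the log posted above.
"""
import re
from typing import List, NamedTuple


class RunEntry(NamedTuple):
    key: str       # registry key the value was listed under
    name: str      # value name, e.g. "vidxhp"
    target: str    # path the value points to ("" when the entry is orphaned)
    info: str      # bracketed file date/size, or "N/A"


class Finding(NamedTuple):
    entry: RunEntry
    reasons: List[str]


# Constructed sample in the same layout as the "Reg Loading Points" section.
SAMPLE_RUN_SECTION = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"tunebite.exe"="c:\program files\Tunebite\tunebite.exe" [2007-08-15 1014272]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"vidxhp"="c:\documents and settings\jaddison\Application Data\Google\ggqjh22510678.exe" [2008-12-04 124416]
"Google Update"="c:\documents and settings\jaddison\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-05 133104]
"Aim6"="" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IUWORK"="c:\iuwork\LAUNCH.LNK" [N/A]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"TP4EX"="tp4ex.exe" [2005-10-17 c:\windows\system32\TP4EX.exe]
'''

_KEY_RE = re.compile(r'^\[(?P<key>HK[^\]]*)\]$')
_VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<target>[^"]*)"\s*\[(?P<info>[^\]]*)\]')

# Profile locations a standard XP user can write to; Program Files is not one.
PROFILE_ROOT = "c:\\documents and settings\\"
USER_WRITABLE_DIRS = ("\\application data\\", "\\local settings\\", "\\temp\\")
# Letters followed by a long digit run, the shape of ggqjh22510678.exe above.
RANDOMISH_NAME = re.compile(r'^[a-z]{3,}\d{6,}\.exe$', re.IGNORECASE)


def parse_run_entries(text: str) -> List[RunEntry]:
    """Walk the section line by line, remembering the current [HK...] key."""
    entries: List[RunEntry] = []
    current_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            current_key = key_match.group("key")
            continue
        value_match = _VALUE_RE.match(line)
        if value_match and current_key:
            entries.append(RunEntry(current_key, value_match.group("name"),
                                    value_match.group("target"),
                                    value_match.group("info")))
    return entries


def suspicious_reasons(entry: RunEntry) -> List[str]:
    """Return the heuristics an entry trips; an empty list means it looks routine."""
    if entry.target == "":
        return ["empty target (orphaned entry)"]
    reasons: List[str] = []
    lowered = entry.target.lower()
    if lowered.startswith(PROFILE_ROOT) and any(d in lowered for d in USER_WRITABLE_DIRS):
        reasons.append("runs from a user-writable profile directory")
    filename = lowered.rsplit("\\", 1)[-1]
    if RANDOMISH_NAME.match(filename):
        reasons.append("random-looking filename")
    return reasons


def triage_run_entries(text: str) -> List[Finding]:
    """Parse the section and keep only the entries worth a second look."""
    findings: List[Finding] = []
    for entry in parse_run_entries(text):
        reasons = suspicious_reasons(entry)
        if reasons:
            findings.append(Finding(entry, reasons))
    return findings


if __name__ == "__main__":
    for finding in triage_run_entries(SAMPLE_RUN_SECTION):
        print(f'{finding.entry.name!r} -> {finding.entry.target or "<empty>"}')
        for reason in finding.reasons:
            print(f"    {reason}")
```

The output is a review list, not a verdict: the legitimate Google Update entry trips the profile-directory rule too, because that updater really does run from Local Settings. That false positive is why the file behind a flagged entry still gets checked before anything is deleted, which is what the "Collect::" directive in the next reply does with ggqjh22510678.exe.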
#4
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,341
OS: N/A
Re: False Security Alerts (pop-ups) for alleged "Sinowal.Trojan"; suspicious links
Open NOTEPAD and copy/paste the text in the quotebox below into it:
Code:
http://www.techsupportforum.com/security-center/hijackthis-log-help/320337-false-security-alerts-pop-ups-alleged-sinowal-trojan-suspicious-links.html

AWF::
C:\program files\Adobe\Photoshop Elements 5.0\bak\apdproxy.exe
C:\program files\Analog Devices\Core\bak\smax4pnp.exe
C:\program files\Analog Devices\SoundMAX\bak\Smax4.exe
C:\program files\ATI Technologies\ATI.ACE\bak\CLIStart.exe
C:\program files\Canon\MyPrinter\bak\BJMyPrt.exe
C:\program files\Common Files\InstallShield\UpdateService\bak\issch.exe
C:\program files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe
C:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\bak\SSBkgdupdate.exe
C:\program files\Java\jre1.5.0_06\bin\bak\jusched.exe
C:\program files\Lenovo\Client Security Solution\bak\cssauth.exe
C:\program files\Lenovo\PkgMgr\HOTKEY\bak\TPHKMGR.exe
C:\program files\Lenovo\SafeGuard PrivateDisk\bak\pdservice.exe
C:\program files\ScanSoft\OmniPageSE4.0\bak\OpwareSE4.exe
C:\program files\Synaptics\SynTP\bak\SynTPEnh.exe
C:\program files\Synaptics\SynTP\bak\SynTPLpr.exe
C:\program files\ThinkPad\Utilities\bak\TpKmapAp.exe
C:\windows\system32\DLA\bak\DLACTRLW.EXE

Folder::
C:\program files\Common Files\Adobe\Updater5\bak
C:\program files\Common Files\Lenovo\Scheduler\bak
C:\program files\Common Files\Symantec Shared\bak
C:\program files\iTunes\bak
C:\program files\Microsoft Office\Office12\bak
C:\program files\QuickTime\bak
C:\program files\Symantec AntiVirus\bak
C:\program files\ThinkPad\Utilities\bak
C:\program files\ThinkVantage Fingerprint Software\bak
C:\program files\ThinkVantage\PrdCtr\bak
C:\program files\Tunebite\bak

Collect::
c:\documents and settings\jaddison\Application Data\Google\ggqjh22510678.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vidxhp"=-
"Aim6"=-
[-HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Additionally, ComboFix will generate a zipped file at C:\Qoobox\Quarantine\[4]Submit@Date_Time.zip
Before proceeding to the next step, please submit this file to http://www.bleepingcomputer.com/subm....php?channel=4

---------------

Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

Vista users right click on the Internet Explorer shortcut, and choose Run As Administrator.

**Note** To optimize scanning time and produce a more sensible report for review:

Click Accept, when prompted to download and install the program files and database of malware definitions.

---------------

In your next post, please include fresh logs from:
#5
Registered User
Join Date: Dec 2008
Posts: 11
OS: Microsoft XP SP2
Re: False Security Alerts (pop-ups) for alleged "Sinowal.Trojan"; suspicious links
The computer is no longer receiving these popups, although my clock is now acting a little funny (it's showing military time). Also, my ability to use my browsers has been restored. Thank you very much for your help!
Here are the logs you've requested. First, the Scan Report from Kaspersky:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, December 6, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, December 06, 2008 15:46:32
Records in database: 1440480
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 134099
Threat name: 5
Infected objects: 7
Suspicious objects: 0
Duration of the scan: 01:48:42

File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06840000\4FBC4609.VBN Infected: Backdoor.Win32.TDSS.blh 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B900000.VBN Infected: Trojan.Win32.Agent.arvz 1
C:\Documents and Settings\jaddison\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Documents and Settings\jaddison\Desktop\SmitfraudFix(5).exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Program Files\Mozilla Firefox\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\WINDOWS\crazaa.exe Infected: not-a-virus:Porn-Tool.Win32.Porn2Peer.d 1
C:\WINDOWS\system32\mi2.exe Infected: not-a-virus:AdWare.Win32.Mostofate.j 1

The selected area was scanned.
Next, the second ComboFix log:

Sincerely,
J. Addison
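As an added example (not code from the thread, either poster, or Kaspersky), a Python triage of the Kaspersky Online Scanner report format posted above: it parses the "File name / Threat name / Threats count" lines, checks that their counts add up to the scanner's "Infected objects" total (so a detection lost in copy/paste is noticed), and separates another product's quarantine copies and riskware belonging to a cleanup tool the user ran from files that still need removal. The report excerpt is re-typed from the post as constructed sample input; the cleanup-tool allowlist (SmitfraudFix) is this example's own assumption.

```python
"""Triage of a Kaspersky Online Scanner 7 report of the kind posted above.

Added example, not code from the thread or from Kaspersky.  SAMPLE_REPORT
is re-typed from the post as constructed input; KNOWN_CLEANUP_TOOLS is this
example's own allowlist (an assumption, not something the scanner reports).
"""
import re
from dataclasses import dataclass

# One detection per line: "<path> Infected: <threat name> <count>"
DETECTION_RE = re.compile(
    r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)$")
# Counters printed in the scanner's "Scan statistics" block
SUMMARY_RE = re.compile(
    r"^(Files scanned|Infected objects|Suspicious objects):\s+(\d+)$")

# Cleanup utilities the user knowingly ran; their reboot helpers are routinely
# flagged as RiskTool and are not part of the infection.  Assumption.
KNOWN_CLEANUP_TOOLS = ("SmitfraudFix",)

# Constructed sample: the statistics and detection lines from the post.
SAMPLE_REPORT = r"""
Scan statistics:
Files scanned: 134099
Threat name: 5
Infected objects: 7
Suspicious objects: 0

File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06840000\4FBC4609.VBN Infected: Backdoor.Win32.TDSS.blh 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B900000.VBN Infected: Trojan.Win32.Agent.arvz 1
C:\Documents and Settings\jaddison\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Documents and Settings\jaddison\Desktop\SmitfraudFix(5).exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Program Files\Mozilla Firefox\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\WINDOWS\crazaa.exe Infected: not-a-virus:Porn-Tool.Win32.Porn2Peer.d 1
C:\WINDOWS\system32\mi2.exe Infected: not-a-virus:AdWare.Win32.Mostofate.j 1
The selected area was scanned.
"""


@dataclass
class Detection:
    path: str
    threat: str
    count: int

    @property
    def riskware(self) -> bool:
        # Kaspersky prefixes legal-but-risky software (adware, RiskTool, ...)
        # with "not-a-virus:"; it still needs a decision, just not the same one.
        return self.threat.startswith("not-a-virus:")

    @property
    def quarantine_copy(self) -> bool:
        # A hit inside another product's quarantine store (here Symantec's
        # .VBN files) is an encoded copy of something that product already removed.
        return "\\quarantine\\" in self.path.lower()


def parse_report(text: str) -> list[Detection]:
    """Return the detections listed in a report, in report order."""
    found = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            found.append(Detection(m["path"], m["threat"], int(m["count"])))
    return found


def parse_summary(text: str) -> dict[str, int]:
    """Return the scanner's own counters from the statistics block."""
    stats = {}
    for line in text.splitlines():
        m = SUMMARY_RE.match(line.strip())
        if m:
            stats[m[1]] = int(m[2])
    return stats


def counts_consistent(text: str) -> bool:
    """True when the per-file counts add up to the scanner's total, i.e. no
    detection line went missing when the report was pasted into a post."""
    total = sum(d.count for d in parse_report(text))
    return total == parse_summary(text).get("Infected objects", -1)


def triage(detections: list[Detection]) -> dict[str, list[str]]:
    """Sort detections into what still needs acting on and what does not.

    remove          - files still on disk that are malware or unwanted software
    quarantine_copy - another AV's quarantine entries, handled in that product
    expected_tool   - riskware that belongs to a cleanup tool the user ran
    """
    buckets: dict[str, list[str]] = {"remove": [], "quarantine_copy": [], "expected_tool": []}
    for d in detections:
        if d.quarantine_copy:
            buckets["quarantine_copy"].append(d.path)
        elif d.riskware and any(tool in d.path for tool in KNOWN_CLEANUP_TOOLS):
            buckets["expected_tool"].append(d.path)
        else:
            buckets["remove"].append(d.path)
    return buckets


if __name__ == "__main__":
    assert counts_consistent(SAMPLE_REPORT)
    for bucket, paths in triage(parse_report(SAMPLE_REPORT)).items():
        print(bucket)
        for p in paths:
            print("   ", p)
```

On the sample report the "remove" bucket comes out as exactly the two loose files (crazaa.exe and mi2.exe) that the follow-up script in this thread targets, with the three SmitfraudFix hits set aside.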
#6
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,341
OS: N/A
Re: False Security Alerts (pop-ups) for alleged "Sinowal.Trojan"; suspicious links
The ComboFix log appears erroneous.
Please locate this file - C:\QooBox\CFScript_used_Date@Time.txt - then attach it (not posted) to your next reply.
#8
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,341
OS: N/A
Re: False Security Alerts (pop-ups) for alleged "Sinowal.Trojan"; suspicious links
Looks correct. Strange that it didn't run as planned.
Let's give it another go. This one is slightly different. Open NOTEPAD and copy/paste the text in the quotebox below into it:
Code:
http://www.techsupportforum.com/security-center/hijackthis-log-help/320337-false-security-alerts-pop-ups-alleged-sinowal-trojan-suspicious-links.html

AWF::
C:\program files\Adobe\Photoshop Elements 5.0\bak\apdproxy.exe
C:\program files\Analog Devices\Core\bak\smax4pnp.exe
C:\program files\Analog Devices\SoundMAX\bak\Smax4.exe
C:\program files\ATI Technologies\ATI.ACE\bak\CLIStart.exe
C:\program files\Canon\MyPrinter\bak\BJMyPrt.exe
C:\program files\Common Files\InstallShield\UpdateService\bak\issch.exe
C:\program files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe
C:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\bak\SSBkgdupdate.exe
C:\program files\Java\jre1.5.0_06\bin\bak\jusched.exe
C:\program files\Lenovo\Client Security Solution\bak\cssauth.exe
C:\program files\Lenovo\PkgMgr\HOTKEY\bak\TPHKMGR.exe
C:\program files\Lenovo\SafeGuard PrivateDisk\bak\pdservice.exe
C:\program files\ScanSoft\OmniPageSE4.0\bak\OpwareSE4.exe
C:\program files\Synaptics\SynTP\bak\SynTPEnh.exe
C:\program files\Synaptics\SynTP\bak\SynTPLpr.exe
C:\program files\ThinkPad\Utilities\bak\TpKmapAp.exe
C:\windows\system32\DLA\bak\DLACTRLW.EXE

Folder::
C:\program files\Common Files\Adobe\Updater5\bak
C:\program files\Common Files\Lenovo\Scheduler\bak
C:\program files\Common Files\Symantec Shared\bak
C:\program files\iTunes\bak
C:\program files\Microsoft Office\Office12\bak
C:\program files\QuickTime\bak
C:\program files\Symantec AntiVirus\bak
C:\program files\ThinkPad\Utilities\bak
C:\program files\ThinkVantage Fingerprint Software\bak
C:\program files\ThinkVantage\PrdCtr\bak
C:\program files\Tunebite\bak

Collect::
c:\documents and settings\jaddison\Application Data\Google\ggqjh22510678.exe

FILE::
C:\WINDOWS\crazaa.exe
C:\WINDOWS\system32\mi2.exe
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06840000\4FBC4609.VBN
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B900000.VBN

Referring to the picture above, drag CFScript.txt into ComboFix.exe. When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
Additionally, ComboFix will generate a zipped file at C:\Qoobox\Quarantine\[4]Submit@Date_Time.zip. Please submit this file to http://www.bleepingcomputer.com/subm....php?channel=4
#9
Registered User
Join Date: Dec 2008
Posts: 11
OS: Microsoft XP SP2
Re: False Security Alerts (pop-ups) for alleged "Sinowal.Trojan"; suspicious links
Here you are!
Completion time: 2008-12-07 11:03:11 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-07 16:03:08
ComboFix2.txt 2008-12-06 18:48:51
ComboFix3.txt 2008-12-06 17:16:19
Pre-Run: 33,251,172,352 bytes free
Post-Run: 33,325,950,464 bytes free
242 --- E O F --- 2008-11-13 21:05:43
#10
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,341
OS: N/A
Re: False Security Alerts (pop-ups) for alleged "Sinowal.Trojan"; suspicious links
Something weird is going on. Please post a fresh GMER log.
#11
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,341
OS: N/A
Re: False Security Alerts (pop-ups) for alleged "Sinowal.Trojan"; suspicious links
Due to the lack of feedback, this Topic is closed.
__________________
Question - what have you done for the community today?
#12
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,341
OS: N/A
Re: False Security Alerts (pop-ups) for alleged "Sinowal.Trojan"; suspicious links
Thread re-activated at user's behest
__________________
Question - what have you done for the community today?
#13
Registered User
Join Date: Dec 2008
Posts: 11
OS: Microsoft XP SP2
Re: False Security Alerts (pop-ups) for alleged "Sinowal.Trojan"; suspicious links
OK, here's the situation. The fake "Security Center Alert" popups went away for a while but now they've returned complaining of a different trojan (Win32.NetSky.Q). It's the same sort of nonsense: it tries to link you to a website with rogue antivirus software. I can no longer use Mozilla Firefox, Mozilla Thunderbird, Google Chrome, or Microsoft Internet Explorer. I'm writing via Safari, and even Safari isn't running that smoothly. It seems to crash at times when I'm doing something RAM-intensive. Here's the new GMER log you requested as an attachment.
Thank you so much!
#14
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,341
OS: N/A
Re: False Security Alerts (pop-ups) for alleged "Sinowal.Trojan"; suspicious links
That's what happens when there's a delay in between replies. Malware isn't going to sit quietly waiting for you to come get them. They send out invites to their buddies to come join the party.
We'll need to do this from scratch again. Please delete your existing copy of ComboFix.exe. Download/Run an updated copy & post the log it produces.
__________________
Question - what have you done for the community today?
#15
Registered User
Join Date: Dec 2008
Posts: 11
OS: Microsoft XP SP2
Re: False Security Alerts (pop-ups) for alleged "Sinowal.Trojan"; suspicious links
Here's the ComboFix log. Also, use of applications has been restored, apparently.
ComboFix 08-12-14.05 - jaddison 2008-12-15 13:36:27.4 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1463 [GMT -5:00] Running from: c:\documents and settings\jaddison\Desktop\ComboFix.exe * Created a new restore point . The following files were disabled during the run: c:\progra~1\PHAROS~1\Core\PRNTRACK.DLL ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Service_TDSSserv.sys ((((((((((((((((((((((((( Files Created from 2008-11-15 to 2008-12-15 ))))))))))))))))))))))))))))))) . No new files created in this timespan . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-06-21 23:38 30,280 ----a-w c:\program files\mozilla firefox\plugins\cgpcfg.dll 2007-06-21 23:38 79,432 ----a-w c:\program files\mozilla firefox\plugins\CgpCore.dll 2007-06-21 23:38 71,240 ----a-w c:\program files\mozilla firefox\plugins\confmgr.dll 2007-06-21 23:38 140,872 ----a-w c:\program files\mozilla firefox\plugins\ctxmui.dll 2007-06-21 23:39 38,472 ----a-w c:\program files\mozilla firefox\plugins\icafile.dll 2007-06-21 23:39 46,664 ----a-w c:\program files\mozilla firefox\plugins\icalogon.dll 2007-06-21 23:39 34,376 ----a-w c:\program files\mozilla firefox\plugins\logging.dll 2007-06-21 23:39 685,640 ----a-w c:\program files\mozilla firefox\plugins\sslsdk_b.dll 2007-06-21 23:40 30,280 ----a-w c:\program files\mozilla firefox\plugins\TcpPServ.dll . ((((((((((((((((((((((((((((( snapshot@2008-12-06_12.14.03.36 ))))))))))))))))))))))))))))))))))))))))) . . ((((((((((((((((((((((((((((((((((((((((((((( AWF )))))))))))))))))))))))))))))))))))))))))))))))))))))))))) . 
----a-w 67,752 2006-12-22 11:29:56 c:\program files\Adobe\Photoshop Elements 5.0\bak\apdproxy.exe ----a-w 925,696 2005-05-20 13:11:06 c:\program files\Analog Devices\Core\bak\smax4pnp.exe ----a-w 716,800 2005-05-06 19 12 c:\program files\Analog Devices\SoundMAX\bak\Smax4.exe----a-w 90,112 2006-05-10 15:12:06 c:\program files\ATI Technologies\ATI.ACE\bak\CLIStart.exe ----a-w 1,197,648 2006-10-17 01:40:00 c:\program files\Canon\MyPrinter\bak\BJMyPrt.exe ----a-w 2,321,600 2007-08-05 13:21:15 c:\program files\Common Files\Adobe\Updater5\bak\AdobeUpdater.exe ----a-w 2,356,088 2008-12-08 00:12:24 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe ----a-w 81,920 2005-02-16 20:15:20 c:\program files\Common Files\InstallShield\UpdateService\bak\issch.exe ----a-w 221,184 2004-07-27 20:50:42 c:\program files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe ----a-w 536,576 2006-12-10 23:36:32 c:\program files\Common Files\Lenovo\Scheduler\bak\scheduler_proxy.exe ----a-w 487,424 2008-03-04 15:34:20 c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe ----a-w 185,896 2006-09-28 17:16:20 c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\bak\SSBkgdupdate.exe ----a-w 48,800 2005-12-21 16:33:28 c:\program files\Common Files\Symantec Shared\bak\ccApp.exe ----a-w 48,800 2005-12-21 16:33:28 c:\program files\Common Files\Symantec Shared\ccApp.exe ----a-w 271,672 2007-07-31 22:44:42 c:\program files\iTunes\bak\iTunesHelper.exe ----a-w 289,576 2008-10-01 22:57:12 c:\program files\iTunes\iTunesHelper.exe ----a-w 36,975 2005-11-10 17:03:52 c:\program files\Java\jre1.5.0_06\bin\bak\jusched.exe ----a-w 2,341,632 2006-11-09 18:15:16 c:\program files\Lenovo\Client Security Solution\bak\cssauth.exe ----a-w 94,208 2006-10-02 15:19:48 c:\program files\Lenovo\PkgMgr\HOTKEY\bak\TPHKMGR.exe ----a-r 41,472 2006-03-13 20:38:56 c:\program files\Lenovo\SafeGuard PrivateDisk\bak\pdservice.exe ----a-w 31,016 2006-10-27 04:47:42 c:\program files\Microsoft 
Office\Office12\bak\GrooveMonitor.exe ----a-w 33,648 2007-08-24 11:00:48 c:\program files\Microsoft Office\Office12\GrooveMonitor.exe ----a-w 286,720 2007-06-29 10:24:52 c:\program files\QuickTime\bak\qttask.exe ----a-w 413,696 2008-09-06 19:09:14 c:\program files\QuickTime\QTTask.exe ----a-w 75,304 2006-10-11 16:45:12 c:\program files\ScanSoft\OmniPageSE4.0\bak\OpwareSE4.exe ----a-w 1,592 2007-10-03 21:09:59 c:\program files\Steam\bak\ClientRegistry.blob ----a-w 546,136 2008-08-24 23:05:44 c:\program files\Steam\ClientRegistry.blob ----a-w 1,258,744 2007-08-05 01:20:45 c:\program files\Steam\bak\Steam.exe ----a-w 1,271,032 2008-04-06 19:53:30 c:\program files\Steam\Steam.exe ----a-w 29,826 2007-10-03 21:09:59 c:\program files\Steam\bak\Steamexe__237340__2007_10_3T21_9_59C3109.mdmp ----a-w 85,744 2006-05-27 20 20 c:\program files\Symantec AntiVirus\bak\VPTray.exe----a-w 85,744 2006-05-27 20 20 c:\program files\Symantec AntiVirus\VPTray.exe----a-w 512,000 2006-02-14 18:16:28 c:\program files\Synaptics\SynTP\bak\SynTPEnh.exe ----a-w 110,592 2006-02-14 18:17:28 c:\program files\Synaptics\SynTP\bak\SynTPLpr.exe ----a-w 243,248 2006-11-29 06:30:00 c:\program files\ThinkPad\Utilities\bak\EzEjMnAp.Exe ------w 242,976 2008-06-05 06:36:00 c:\program files\ThinkPad\Utilities\EZEJMNAP.EXE ----a-w 856,064 2006-06-03 02:00:18 c:\program files\ThinkPad\Utilities\bak\TpKmapAp.exe ----a-w 120,368 2007-02-02 07:01:00 c:\program files\ThinkVantage\PrdCtr\bak\LPMGR.exe ------w 165,208 2008-06-09 07:00:00 c:\program files\ThinkVantage\PrdCtr\LPMGR.EXE ----a-w 31,232 2006-04-25 23:03:42 c:\program files\ThinkVantage Fingerprint Software\bak\launcher.exe ----a-w 48,904 2007-08-14 19:32:42 c:\program files\ThinkVantage Fingerprint Software\launcher.exe ----a-w 1,014,272 2007-08-15 08:48:34 c:\program files\Tunebite\bak\tunebite.exe ----a-w 1,014,272 2007-08-15 08:48:34 c:\program files\Tunebite\tunebite.exe ----a-w 122,940 2006-02-02 09:20:00 c:\windows\system32\DLA\bak\DLACTRLW.EXE . 
((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "tunebite.exe"="c:\program files\Tunebite\tunebite.exe" [2007-08-15 1014272] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360] "Google Update"="c:\documents and settings\jaddison\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-05 133104] "windpipe"="c:\documents and settings\jaddison\Application Data\Google\fhexj6825097.exe" [N/A] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IUWORK"="c:\iuwork\LAUNCH.LNK" [N/A] "PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2008-07-29 331776] "BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2008-07-29 208896] "TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792] "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648] "TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2008-03-24 68464] "EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2008-06-05 242976] "ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2008-07-05 425984] "ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2008-07-04 143360] "LPManager"="c:\progra~1\THINKV~2\PrdCtr\LPMGR.exe" [2008-06-09 165208] "LPMailChecker"="c:\progra~1\THINKV~2\PrdCtr\LPMLCHK.exe" [2008-06-09 124248] "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576] "TP4EX"="tp4ex.exe" [2005-10-17 c:\windows\system32\TP4EX.exe] 
"TpShocks"="TpShocks.exe" [2008-06-06 c:\windows\system32\TpShocks.exe] "Mouse Suite 98 Daemon"="ICO.EXE" [2005-04-13 c:\windows\system32\ico.exe] c:\documents and settings\jaddison\Start Menu\Programs\Startup\ OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2006-08-18 561213] Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-09-08 50688] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "AllowMultipleTSSessions"= 1 (0x1) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus] 2007-08-14 14:54 89600 c:\windows\system32\psqlpwd.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2] 2006-09-06 15:37 34344 c:\program files\Lenovo\HOTKEY\notifyf2.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey] 2008-03-17 15:02 34080 c:\program files\Lenovo\HOTKEY\tphklock.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Notification Packages REG_MULTI_SZ scecli ACGina psqlpwd [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"= "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"= "c:\\Program Files\\Steam\\SteamApps\\matrix@moscowmail.com\\counter-strike source\\hl2.exe"= "c:\\Program Files\\AIM6\\aim6.exe"= "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "c:\\Documents and Settings\\All Users\\Application Data\\Spadester\\spades.exe"= "c:\\Program Files\\uTorrent\\uTorrent.exe"= "c:\\Program Files\\Ruckus 
Player\\Ruckus.exe"= "c:\\Program Files\\Steam\\Steam.exe"= "c:\\Program Files\\PharosSystems\\Core\\CTskMstr.exe"= "c:\\Program Files\\MoRUN.net\\Sticker Lite\\sticker.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "2967:UDP"= 2967:UDP:Symantec AntiVirus Managed Client (2967:UDP) "7001:UDP"= 7001:UDP:AFS CacheManager Callback (7001:UDP) "2967:TCP"= 2967:TCP:Symantec AntiVirus Managed Client (2967:TCP) "7001:TCP"= 7001:TCP:AFS CacheManager Callback (7001:TCP) . Contents of the 'Scheduled Tasks' folder 2008-12-12 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34] 2008-12-15 c:\windows\Tasks\GoogleUpdateTaskUser.job - c:\documents and settings\jaddison\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-05 20:52] 2008-12-15 c:\windows\Tasks\PMTask.job - c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2008-07-29 00:43] . . ------- Supplementary Scan ------- . uStart Page = uInternet Settings,ProxyOverride = *.local IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000 IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-12-15 14:39:07 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... 
scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mchInjDrv] "ImagePath"="\??\c:\windows\TEMP\mc21.tmp" . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(1132) c:\windows\system32\vrlogon.dll c:\windows\system32\Ati2evxx.dll c:\windows\system32\psqlpwd.dll c:\program files\ThinkVantage Fingerprint Software\homefus2.dll c:\program files\ThinkVantage Fingerprint Software\infra.dll c:\program files\ThinkVantage Fingerprint Software\homepass.dll c:\program files\ThinkVantage Fingerprint Software\bio.dll c:\program files\ThinkVantage Fingerprint Software\ps2css.dll c:\program files\ThinkVantage Fingerprint Software\remote.dll c:\program files\Lenovo\HOTKEY\tphklock.dll c:\program files\ThinkVantage Fingerprint Software\pscssint.dll c:\program files\ThinkVantage Fingerprint Software\crypto.dll - - - - - - - > 'lsass.exe'(1188) c:\program files\ThinkPad\ConnectUtilities\ACGina.dll c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll c:\program files\ThinkPad\ConnectUtilities\ACON.dll c:\program files\ThinkPad\ConnectUtilities\AcPrfMgr.dll c:\program files\ThinkPad\ConnectUtilities\AcCryptHlpr.dll c:\program files\ThinkPad\ConnectUtilities\ACTurinSupport.dll c:\program files\ThinkPad\ConnectUtilities\AcSmBiosHelper.dll c:\program files\ThinkPad\ConnectUtilities\AcAdaptersInfo.dll c:\windows\system32\psqlpwd.dll c:\program files\ThinkVantage Fingerprint Software\homefus2.dll c:\program files\ThinkVantage Fingerprint Software\infra.dll . ------------------------ Other Running Processes ------------------------ . 
c:\windows\system32\ibmpmsvc.exe c:\windows\system32\ati2evxx.exe c:\windows\system32\ati2evxx.exe c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe c:\program files\Common Files\Symantec Shared\ccSetMgr.exe c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe c:\windows\system32\acs.exe c:\program files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe c:\program files\Bonjour\mDNSResponder.exe c:\program files\Symantec AntiVirus\DefWatch.exe c:\progra~1\PHAROS~1\Core\CTskMstr.exe c:\program files\Symantec AntiVirus\SavRoam.exe c:\program files\Symantec AntiVirus\Rtvscan.exe c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe c:\windows\system32\TPHDEXLG.exe c:\windows\system32\TpKmpSvc.exe c:\program files\Lenovo\Client Security Solution\tvttcsd.exe c:\program files\Lenovo\Rescue and Recovery\rrservice.exe c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe c:\program files\Lenovo\Rescue and Recovery\ADM\IUService.exe c:\program files\Viewpoint\Common\ViewpointService.exe c:\program files\ThinkPad\Utilities\PWMDBSVC.exe c:\program files\Lenovo\System Update\SUService.exe c:\program files\Common Files\Lenovo\Logger\logmon.exe c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe c:\windows\system32\rundll32.exe c:\windows\system32\FSRremoS.EXE c:\program files\Lenovo\HOTKEY\TPONSCR.exe c:\program files\Lenovo\ZOOM\TpScrex.exe c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe c:\program files\iPod\bin\iPodService.exe c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe . ************************************************************************** . 
Completion time: 2008-12-15 14:47:26 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-15 19:47:22
ComboFix2.txt 2008-12-07 16:03:13
ComboFix3.txt 2008-12-06 18:48:51
ComboFix4.txt 2008-12-06 17:16:19
Pre-Run: 32,610,398,720 bytes free
Post-Run: 32,618,114,048 bytes free
256 --- E O F --- 2008-12-12 21:57:59
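The log above is what the helper reads before writing a CFScript: the "Reg Loading Points" Run entries, where an entry whose binary ComboFix could not stat (shown as [N/A]) or that runs from a user profile directory is the kind of thing that ends up in the REGISTRY:: section. The following is an added triage helper written for this thread, not ComboFix's own code or anything the forum posted; the flagging rules are our heuristics, and the sample lines are copied from the Run-key section of the ComboFix log in this post.

```python
"""Triage of ComboFix 'Reg Loading Points' Run entries (added example).

A Run-key line in a ComboFix log has one of two shapes:
    "name"="path" [YYYY-MM-DD size]     file found, with date and byte size
    "name"="path" [N/A]                  ComboFix could not stat the file
"""
import re
from typing import Dict, List, Optional

# Sample lines copied from the log above; the selection is ours.
SAMPLE_RUN_ENTRIES = r'''
"tunebite.exe"="c:\program files\Tunebite\tunebite.exe" [2007-08-15 1014272]
"Google Update"="c:\documents and settings\jaddison\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-05 133104]
"windpipe"="c:\documents and settings\jaddison\Application Data\Google\fhexj6825097.exe" [N/A]
"IUWORK"="c:\iuwork\LAUNCH.LNK" [N/A]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
'''

RUN_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s+\[(?P<meta>[^\]]*)\]\s*$')
META = re.compile(r'^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)$')

# Heuristic (our assumption): on XP a Run entry living under a user's
# Application Data or Local Settings tree deserves a second look.
PROFILE_MARKERS = ('\\application data\\', '\\local settings\\')

# Heuristic (our assumption): a few lowercase letters followed by a long run
# of digits, like the fhexj6825097.exe entry above, is a generated name.
RANDOM_NAME = re.compile(r'\\[a-z]{4,6}\d{6,}\.exe$')


def parse_run_entries(text: str) -> List[Dict[str, Optional[object]]]:
    """Parse Run-key lines; non-matching lines (section headers etc.) are skipped."""
    entries = []
    for line in text.splitlines():
        m = RUN_LINE.match(line.strip())
        if not m:
            continue
        mm = META.match(m.group('meta'))
        entries.append({
            'name': m.group('name'),
            'path': m.group('path'),
            'date': mm.group('date') if mm else None,
            'size': int(mm.group('size')) if mm else None,  # None when ComboFix printed [N/A]
        })
    return entries


def triage(entries) -> Dict[str, List[str]]:
    """Map each entry name to the list of reasons it looks suspicious (empty if none)."""
    findings: Dict[str, List[str]] = {}
    for e in entries:
        reasons = []
        if e['size'] is None:
            reasons.append('no file metadata (ComboFix reported N/A)')
        low = str(e['path']).lower()
        if any(marker in low for marker in PROFILE_MARKERS):
            reasons.append('executes from a user profile directory')
        if RANDOM_NAME.search(low):
            reasons.append('random-looking filename')
        findings[str(e['name'])] = reasons
    return findings


def suspicious_names(findings: Dict[str, List[str]]) -> List[str]:
    """Sorted names that collected at least one reason."""
    return sorted(name for name, reasons in findings.items() if reasons)


if __name__ == '__main__':
    result = triage(parse_run_entries(SAMPLE_RUN_ENTRIES))
    for name in suspicious_names(result):
        print(name, '->', '; '.join(result[name]))
```

Run on the sample, "windpipe" collects all three reasons and "IUWORK" the N/A reason alone, which matches what the CFScript in the next post removes; "Google Update" is flagged only for its location, a reminder that the profile-path rule is a prompt for a closer look, not a verdict.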
#16
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,341
OS: N/A
Re: False Security Alerts (pop-ups) for alleged "Sinowal.Trojan"; suspicious links
Something about this machine still doesn't appear kosher to me. Stay with me till I give you the green light.
Open NOTEPAD and copy/paste the text in the quotebox below into it: Code:
http://www.techsupportforum.com/security-center/hijackthis-log-help/320337-false-security-alerts-pop-ups-alleged-sinowal-trojan-suspicious-links.html#post1859487
Suspect::
c:\progra~1\PHAROS~1\Core\PRNTRACK.DLL
AWF::
C:\program files\Adobe\Photoshop Elements 5.0\bak\apdproxy.exe
C:\program files\Analog Devices\Core\bak\smax4pnp.exe
C:\program files\Analog Devices\SoundMAX\bak\Smax4.exe
C:\program files\ATI Technologies\ATI.ACE\bak\CLIStart.exe
C:\program files\Canon\MyPrinter\bak\BJMyPrt.exe
C:\program files\Common Files\InstallShield\UpdateService\bak\issch.exe
C:\program files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe
C:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\bak\SSBkgdupdate.exe
C:\program files\Java\jre1.5.0_06\bin\bak\jusched.exe
C:\program files\Lenovo\Client Security Solution\bak\cssauth.exe
C:\program files\Lenovo\PkgMgr\HOTKEY\bak\TPHKMGR.exe
C:\program files\Lenovo\SafeGuard PrivateDisk\bak\pdservice.exe
C:\program files\ScanSoft\OmniPageSE4.0\bak\OpwareSE4.exe
C:\program files\Synaptics\SynTP\bak\SynTPEnh.exe
C:\program files\Synaptics\SynTP\bak\SynTPLpr.exe
C:\program files\ThinkPad\Utilities\bak\TpKmapAp.exe
C:\windows\system32\DLA\bak\DLACTRLW.EXE
FOLDER::
C:\program files\ThinkPad\Utilities\bak
C:\program files\Common Files\Adobe\Updater5\bak
C:\program files\Common Files\Lenovo\Scheduler\bak
C:\program files\ThinkVantage Fingerprint Software\bak
C:\program files\ThinkVantage\PrdCtr\bak
C:\program files\Tunebite\bak
C:\program files\Microsoft Office\Office12\bak
C:\program files\QuickTime\bak
C:\program files\Steam\bak
C:\program files\Symantec AntiVirus\bak
C:\program files\Common Files\Symantec Shared\bak
C:\program files\iTunes\bak
REGISTRY::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"windpipe"=-
![]()
Referring to the picture above, drag CFScript.txt into ComboFix.exe
When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
Additionally, ComboFix will generate a zipped file at C:\Qoobox\Quarantine\[4]Submit@Date_Time.zip
Before proceeding to the next step, please submit this file to http://www.bleepingcomputer.com/subm....php?channel=4
__________________
Question - what have you done for the community today?
#17
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,341
OS: N/A
Re: False Security Alerts (pop-ups) for alleged "Sinowal.Trojan"; suspicious links
In addition to the above, I shall also require the following:
1) a fresh GMER log
2) Delete your existing copy of DDS. Download a fresh copy from here >http://www.techsupportforum.com/sect...Bs/dds/dds.exe
Don't run DDS just yet. Instead, open NOTEPAD.exe and copy/paste the text in the quotebox below into it: Code:
Start DDS.exe /Ihatewhitelists
It should look like this:
Double click on Run.bat & allow it to run
When done, DDS will open two (2) logs:
__________________
Question - what have you done for the community today?
#18
Registered User
Join Date: Dec 2008
Posts: 11
OS: Microsoft XP SP2
Re: False Security Alerts (pop-ups) for alleged "Sinowal.Trojan"; suspicious links
For the record, the "PHAROS" thing that the ComboFix is suspicious of is actually a perfectly legitimate application for printing on campus printers. It allows me to print to the school print servers from my laptop without having to use a computer lab computer.
Here's the ComboFix log (the other requested files are attached): ComboFix 08-12-14.05 - jaddison 2008-12-15 21:47:57.5 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1282 [GMT -5:00] Running from: c:\documents and settings\jaddison\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\jaddison\Desktop\CFScript.txt * Created a new restore point . The following files were disabled during the run: c:\progra~1\PHAROS~1\Core\PRNTRACK.DLL ((((((((((((((((((((((((( Files Created from 2008-11-16 to 2008-12-16 ))))))))))))))))))))))))))))))) . No new files created in this timespan . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-06-21 23:38 30,280 ----a-w c:\program files\mozilla firefox\plugins\cgpcfg.dll 2007-06-21 23:38 79,432 ----a-w c:\program files\mozilla firefox\plugins\CgpCore.dll 2007-06-21 23:38 71,240 ----a-w c:\program files\mozilla firefox\plugins\confmgr.dll 2007-06-21 23:38 140,872 ----a-w c:\program files\mozilla firefox\plugins\ctxmui.dll 2007-06-21 23:39 38,472 ----a-w c:\program files\mozilla firefox\plugins\icafile.dll 2007-06-21 23:39 46,664 ----a-w c:\program files\mozilla firefox\plugins\icalogon.dll 2007-06-21 23:39 34,376 ----a-w c:\program files\mozilla firefox\plugins\logging.dll 2007-06-21 23:39 685,640 ----a-w c:\program files\mozilla firefox\plugins\sslsdk_b.dll 2007-06-21 23:40 30,280 ----a-w c:\program files\mozilla firefox\plugins\TcpPServ.dll . ((((((((((((((((((((((((((((( snapshot@2008-12-06_12.14.03.36 ))))))))))))))))))))))))))))))))))))))))) . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "tunebite.exe"="c:\program files\Tunebite\tunebite.exe" [2007-08-15 1014272] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360] "Google Update"="c:\documents and settings\jaddison\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-05 133104] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2008-07-29 331776] "BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2008-07-29 208896] "TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792] "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648] "TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2008-03-24 68464] "EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2008-06-05 242976] "ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2008-07-05 425984] "ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2008-07-04 143360] "LPManager"="c:\progra~1\THINKV~2\PrdCtr\LPMGR.exe" [2008-06-09 165208] "LPMailChecker"="c:\progra~1\THINKV~2\PrdCtr\LPMLCHK.exe" [2008-06-09 124248] "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576] "TP4EX"="tp4ex.exe" [2005-10-17 c:\windows\system32\TP4EX.exe] "TpShocks"="TpShocks.exe" [2008-06-06 c:\windows\system32\TpShocks.exe] "Mouse Suite 98 Daemon"="ICO.EXE" [2005-04-13 c:\windows\system32\ico.exe] c:\documents and settings\jaddison\Start Menu\Programs\Startup\ OneNote 2007 Screen Clipper and Launcher.lnk - 
c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2006-08-18 561213]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-09-08 50688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"AllowMultipleTSSessions"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-08-14 14:54 89600 c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 15:37 34344 c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2008-03-17 15:02 34080 c:\program files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli ACGina psqlpwd

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Steam\\SteamApps\\matrix@moscowmail.com\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Spadester\\spades.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Ruckus Player\\Ruckus.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\PharosSystems\\Core\\CTskMstr.exe"=
"c:\\Program Files\\MoRUN.net\\Sticker Lite\\sticker.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2967:UDP"= 2967:UDP:Symantec AntiVirus Managed Client (2967:UDP)
"7001:UDP"= 7001:UDP:AFS CacheManager Callback (7001:UDP)
"2967:TCP"= 2967:TCP:Symantec AntiVirus Managed Client (2967:TCP)
"7001:TCP"= 7001:TCP:AFS CacheManager Callback (7001:TCP)

.
Contents of the 'Scheduled Tasks' folder

2008-12-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-12-16 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\jaddison\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-05 20:52]

2008-12-16 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2008-07-29 00:43]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-IUWORK - c:\iuwork\LAUNCH.LNK

.
------- Supplementary Scan -------
.
uStart Page =
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-15 21:54:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\c:\windows\TEMP\mc21.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1132)
c:\windows\system32\vrlogon.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\homepass.dll
c:\program files\ThinkVantage Fingerprint Software\bio.dll
c:\program files\ThinkVantage Fingerprint Software\ps2css.dll
c:\program files\ThinkVantage Fingerprint Software\remote.dll
c:\program files\Lenovo\HOTKEY\tphklock.dll
c:\program files\ThinkVantage Fingerprint Software\pscssint.dll
c:\program files\ThinkVantage Fingerprint Software\crypto.dll

- - - - - - - > 'lsass.exe'(1188)
c:\program files\ThinkPad\ConnectUtilities\ACGina.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACON.dll
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgr.dll
c:\program files\ThinkPad\ConnectUtilities\AcCryptHlpr.dll
c:\program files\ThinkPad\ConnectUtilities\ACTurinSupport.dll
c:\program files\ThinkPad\ConnectUtilities\AcSmBiosHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcAdaptersInfo.dll
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\windows\system32\acs.exe
c:\program files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\progra~1\PHAROS~1\Core\CTskMstr.exe
c:\program files\Symantec AntiVirus\SavRoam.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\system32\TPHDEXLG.exe
c:\windows\system32\TpKmpSvc.exe
c:\program files\Lenovo\Client Security Solution\tvttcsd.exe
c:\program files\Lenovo\Rescue and Recovery\rrservice.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\Lenovo\Rescue and Recovery\ADM\IUService.exe
c:\program files\Viewpoint\Common\ViewpointService.exe
c:\program files\Common Files\Lenovo\Logger\logmon.exe
c:\program files\ThinkPad\Utilities\PWMDBSVC.exe
c:\program files\Lenovo\System Update\SUService.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\FSRremoS.EXE
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\ZOOM\TpScrex.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
.
**************************************************************************
.
Completion time: 2008-12-15 22:02:38 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-16 03:02:31
ComboFix2.txt 2008-12-15 19:47:27
ComboFix3.txt 2008-12-07 16:03:13
ComboFix4.txt 2008-12-06 18:48:51
ComboFix5.txt 2008-12-16 02:46:49

Pre-Run: 32,570,634,240 bytes free
Post-Run: 32,548,646,400 bytes free

205 --- E O F --- 2008-12-12 21:57:59
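The registry section of a ComboFix log above is where most of the persistence review happens: Winlogon Notify DLLs, the LSA Notification Packages list, Security Center monitoring overrides, service ImagePath values and the Windows Firewall exception list. As an added example, not part of the original post and not ComboFix's own code, the Python below parses that section from a constructed sample written in the same format and returns the entries a responder would check by hand: anything loaded from a user-writable directory (TEMP, Documents and Settings, Application Data), an LSA notification package other than the Windows default scecli, and a product whose Security Center monitoring has been disabled. The sample names badhook, pwfilter, tmpdrv, hook.dll and updater.exe are invented; the rules are heuristics, and a hit means "verify", not "malicious". Run against the real log above, the LSA rule would also surface ACGina and psqlpwd for confirmation, which is the intended behaviour: the DLL listing attributes ACGina to ThinkPad ConnectUtilities, and the check only says which entries to look at.

```python
"""Heuristic triage of the registry section of a ComboFix-style log.

Walks the bracketed [HKEY...] blocks and returns the entries a responder
should verify by hand. Every rule is a heuristic: a hit means "look at
this", not "this is malware".
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the shape ComboFix uses. The names badhook, pwfilter,
# tmpdrv, hook.dll and updater.exe are made up for this example.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-08-14 14:54 89600 c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\badhook]
2008-12-01 03:12 40960 c:\documents and settings\user\Application Data\xyz\hook.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli pwfilter

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\tmpdrv]
"ImagePath"="\??\c:\windows\TEMP\abc12.tmp"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\user\\Application Data\\xyz\\updater.exe"=
"""

# Directory fragments any interactive user can write to. Persistence that
# points here is worth a look regardless of the file name.
USER_WRITABLE = ("\\documents and settings\\", "\\application data\\",
                 "\\local settings\\", "\\temp\\", "\\users\\")

# Windows ships only scecli here; anything else is a third-party password
# filter / notification DLL, and those see clear-text passwords on change.
DEFAULT_LSA_PACKAGES = {"scecli"}

KEY_RE = re.compile(r"^\[(.+)\]$")
# "<date> <time> <size> <path>" lines under winlogon\notify\<name>
NOTIFY_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+\d+\s+(.+)$")
# "<name>"=<data> lines, including the bare "<path>"= form of firewall lists
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


@dataclass
class Finding:
    key: str
    item: str
    reason: str


def normalise(path: str) -> str:
    """Lower-case, drop the NT '\\??\\' prefix and collapse REG_SZ-escaped backslashes."""
    p = path.strip().strip('"').replace("\\\\", "\\")
    if p.startswith("\\??\\"):
        p = p[4:]
    return p.lower()


def in_user_writable_dir(path: str) -> bool:
    norm = normalise(path)
    return any(marker in norm for marker in USER_WRITABLE)


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key_match = KEY_RE.match(line)
        if key_match:
            key = key_match.group(1)  # every following line belongs to this key
            continue
        k = key.lower()
        value = VALUE_RE.match(line)

        if "\\winlogon\\notify\\" in k:
            m = NOTIFY_RE.match(line)
            if m and in_user_writable_dir(m.group(1)):
                findings.append(Finding(key, m.group(1),
                                        "Winlogon Notify DLL in a user-writable directory"))
        elif k.endswith("\\control\\lsa") and line.startswith("Notification Packages"):
            for pkg in line.split("REG_MULTI_SZ", 1)[1].split():
                if pkg.lower() not in DEFAULT_LSA_PACKAGES:
                    findings.append(Finding(key, pkg,
                                            "non-default LSA Notification Package; confirm the vendor"))
        elif "\\security center\\monitoring\\" in k and value:
            name, data = value.groups()
            if name == "DisableMonitoring" and data.startswith("dword:") and int(data[6:], 16):
                findings.append(Finding(key, key.rsplit("\\", 1)[-1],
                                        "Security Center monitoring disabled for this product"))
        elif k.endswith("\\authorizedapplications\\list") and value:
            if in_user_writable_dir(value.group(1)):
                findings.append(Finding(key, normalise(value.group(1)),
                                        "firewall exception for a program in a user-writable directory"))
        elif "\\services\\" in k and value:
            name, data = value.groups()
            if name == "ImagePath" and in_user_writable_dir(data):
                findings.append(Finding(key, normalise(data),
                                        "service/driver image in a temp or user-writable directory"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    [{f.key}]\n    {f.item}")
```

The firewall branch is tested before the generic services branch on purpose: the firewall policy key also lives under `\services\`, so the order keeps exception entries from being misread as ImagePath values. Paste a real log's registry section into `triage()` in place of the sample to get the same review list for it.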
#19

Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,341
OS: N/A
Re: False Security Alerts (pop-ups) for alleged "Sinowal.Trojan"; suspicious links
For once, your logs are looking clean. How is the machine now?
__________________
Question - what have you done for the community today?