Welcome to Tech Support Forum home to more then 136,000 problems solved. Issues have included: Spyware, Malware, Virus Issues, Windows, Microsoft, Linux, Networking, Security, Hardware, and Gaming Getting your problem solved is as easy as:
1. Registering for a free account
2. Asking your question
3. Receiving an answer

Registered members:
* Get free support
* Communicate privately with other members (PM).
* Removal of this message
* See fewer ads.
* And much more..

 


Want to know how to post a question? click here Having problems with spyware and pop-ups? First Steps
Go Back   Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Reload this Page Cleaning up an infection
User Name
Password
Site Map Register Donate Rules Blogs Mark Forums Read


Resolved HJT Threads Resolved spyware and popup issues.

 
Page 1 of 2 1 2
 
LinkBack Thread Tools
Old 04-12-2009, 08:48 PM   #1 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 21
OS: windowsxp2


Cleaning up an infection
Previous thread here: SpywareRemover2009 Infection

GMER now runs, but blue screens halfway through the scan. This is true for the original GMER as well as for the special one in the linked thread. I ran malwarebytes and cleared up several infections, but the system is still slow. Attach attached.

DDS (Ver_09-03-16.01) - NTFSx86
Run by CHAN_KRIS at 22:47:19.40 on Sun 04/12/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_01
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2014.1327 [GMT -4:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
c:\program files\lenovo\system update\suservice.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\CHAN_KRIS\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.meebo.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
BHO: ViewerHelper Class: {78104a01-8e71-4f30-9a36-3793799615b4} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
TB: Net Snippets: {67970b26-f57d-4455-8262-81c3ae3b8b5e} - c:\progra~1\netsni~1\NetSnip.dll
EB: Net Snippets: {f9c00ef7-b192-4609-b2b8-d705ace341ff} - c:\progra~1\netsni~1\NetSnip.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [<NO NAME>]
mRun: [TpShocks] TpShocks.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [LPManager] c:\progra~1\thinkv~1\prdctr\LPMGR.exe
mRun: [TPFNF7] c:\program files\lenovo\npdirect\TPFNF7SP.exe /r
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 5.0\apdproxy.exe"
mRun: [DiskeeperSystray] "c:\program files\diskeeper corporation\diskeeper\DkIcon.exe"
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
dRun: [Communicator] "c:\program files\microsoft office communicator\Communicator.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\post-i~1.lnk - c:\program files\3m\psnlite\PsnLite.exe
uPolicies-explorer: DisallowRun = 1 (0x1)
uPolicies-disallowrun: 1 = b95702b.exe
uPolicies-disallowrun: 2 = bla.exe
uPolicies-disallowrun: 3 = complaint.scr
uPolicies-disallowrun: 4 = complaint.zip
uPolicies-disallowrun: 5 = fbtre6.exe
uPolicies-disallowrun: 6 = flash_update.exe
uPolicies-disallowrun: 7 = Ipssvc.exe
uPolicies-disallowrun: 8 = kjzna1562565.exe
uPolicies-disallowrun: 9 = klnxv19819115.exe
uPolicies-disallowrun: 10 = mstre6.exe
uPolicies-disallowrun: 11 = TrendAV.exe
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
mPolicies-system: disablecad = 1 (0x1)
mPolicies-system: LogonType = 0 (0x0)
IE: Add to Net Snippets - c:\progra~1\netsni~1\res\Clipper.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {685ec120-f786-4498-a8f0-794d47916161} - {C733FB84-6DB3-4363-8AA7-678F9B5E828E} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
IE: {7130DF06-BBC1-4e16-83D4-1F875E65B695} - {F9C00EF7-B192-4609-B2B8-D705ACE341FF} - c:\progra~1\netsni~1\NetSnip.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - {78104A01-8E71-4F30-9A36-3793799615B4} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
Trusted Zone: bentley.edu\stheno.gold.ad
DPF: {15B782AF-55D8-11D1-B477-006097098764} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/authorware/awswaxd.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194497433109
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1194497423765
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B70D738E-B839-413B-9555-D108643E05B9} - hxxp://deploy.bentley.edu/controls/BentleyUpdate07.CAB
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
Filter: application/msword - {DFF82902-0B96-3B98-6F62-D655E146A23A} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
Filter: application/vnd.ms-excel - {DFF82902-0B96-3B98-6F62-D655E146A23A} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
Filter: application/vnd.ms-powerpoint - {DFF82902-0B96-3B98-6F62-D655E146A23A} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
Filter: application/x-microsoft-rpmsg-message - {DFF82902-0B96-3B98-6F62-D655E146A23A} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
Handler: rmh - {23C585BB-48FF-4865-8934-185F0A7EB84C} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
Handler: x-excid - {9D6CC632-1337-4a33-9214-2DA092E776F4} - c:\windows\downloaded program files\mimectl.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: tpfnf2 - c:\program files\lenovo\hotkey\notifyf2.dll
Notify: tphotkey - c:\program files\lenovo\hotkey\tphklock.dll
AppInit_DLLs: ,
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R0 Shockprf;Shockprf;c:\windows\system32\drivers\ApsX86.sys [2007-3-2 100656]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2007-3-2 19760]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [2007-6-20 4442]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2007-5-29 169576]
R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2007-6-6 116928]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2007-5-29 192104]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-3-27 101936]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20081219.005\naveng.sys [2008-12-20 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20081219.005\navex15.sys [2008-12-20 876112]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-3-26 33176]
S3 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2007-6-6 1821376]

=============== Created Last 30 ================

2009-04-08 12:10 <DIR> --d----- c:\docume~1\chan_k~1\applic~1\Malwarebytes
2009-04-08 12:10 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-08 12:10 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-07 05:42 <DIR> --d----- c:\docume~1\chan_k~1\applic~1\Messenger
2009-04-07 03:57 <DIR> --d----- c:\docume~1\chan_k~1\applic~1\Twain
2009-03-19 20:35 <DIR> --d----- c:\program files\Pidgin
2009-03-15 00:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\espionServerData

==================== Find3M ====================

0000-00-00 00:00 23,552 a--sh--- c:\windows\system32\mizotufu.exe

============= FINISH: 22:48:12.30 ===============
Attached Files
File Type: zip Attach.zip (2.1 KB, 3 views)
abckrist is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Important Information
Join the #1 Tech Support Forum Today - It's Totally Free!

TechSupportForum.com is a leading support website for your computer needs. We offer free, friendly and personalized computer support. Why pay to have your computer fixed when you can do it for free.

Join TechSupportforum.com Today - Click Here

Old 04-13-2009, 06:30 AM   #2 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,641
OS: XP SP3


Re: Cleaning up an infection
Hello abckrist.

We'll try one more rootkit scan: The Avenger
Download The Avenger by Swandog46 from here
  • Unzip/extract it to a folder on your desktop.
  • Right-click on avenger.exe & choose Run as Administrator to run The Avenger
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Click the Execute button.
  • You will be asked No script has been entered. Do you want to execute a rootkit scan only?
  • Click Yes
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?
  • Click Yes
  • Your PC will now be rebooted.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log in your next reply.
------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
chemist is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 04-14-2009, 12:26 AM   #3 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 21
OS: windowsxp2


Re: Cleaning up an infection
I was unable to run it as an administrator, but the user on this computer has administrator privileges.

-=-=-=-=-=-=-

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Completed script processing.

*******************

Finished! Terminate.
abckrist is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 04-14-2009, 05:50 AM   #4 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,641
OS: XP SP3


Re: Cleaning up an infection
Hello again, abckrist.

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

Please visit this webpage for download links, and instructions for running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

Get help here

Please post the C:\ComboFix.txt in your next reply for further review.

------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
chemist is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 04-18-2009, 12:05 PM   #5 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 21
OS: windowsxp2


Re: Cleaning up an infection
Log attached; the computer user wanted to hold off on running comboxfix until today, I apologize for the delay. A new symptom appeared before running: Google results would redirect to random video sites. I'm not sure if this is still the case. Combofix also took several attempts to run successfully, possibly because I was unable to completely terminate Symantec AntiVirus.

ComboFix 09-04-19.01 - CHAN_KRIS 04/18/2009 13:54.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2014.1398 [GMT -4:00]
Running from: c:\documents and settings\CHAN_KRIS\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)
.

((((((((((((((((((((((((( Files Created from 2009-03-19 to 2009-04-19 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-07 08:2009-04-07 08:03 03:50 . c:\program files\mozilla firefox\components\dfff.dll
1601-01-01 00:12 . 1601-01-01 00:12 57344 --sha-w c:\windows\system32\duwiwuse.dll.tmp
1601-01-01 00:12 . 1601-01-01 00:12 23552 --sha-w c:\windows\system32\mizotufu.exe
1601-01-01 00:12 . 1601-01-01 00:12 57344 --sha-w c:\windows\system32\tamowevu.dll.tmp
1601-01-01 00:12 . 1601-01-01 00:12 57344 --sha-w c:\windows\system32\yewiluyo.dll.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-10 8495104]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2007-09-21 200704]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2007-09-21 208896]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 512000]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-04-09 1015808]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-04-27 243248]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 66176]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2007-01-09 868352]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2007-03-23 120368]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2007-04-10 58416]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-05-29 52840]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-06-06 125632]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-12-22 67752]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-05-18 196696]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-02-02 122940]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-10 81920]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-12-10 1626112]
"TpShocks"="TpShocks.exe" - c:\windows\system32\TpShocks.exe [2007-03-29 181808]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2007-04-10 3900776]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-4-11 50688]
Post-itr Software Notes Lite.lnk - c:\program files\3M\PSNLite\PsnLite.exe [2004-10-15 2080768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 1 (0x1)
"LogonType"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
"1"= b95702b.exe
"2"= bla.exe
"3"= complaint.scr
"4"= complaint.zip
"5"= fbtre6.exe
"6"= flash_update.exe
"7"= Ipssvc.exe
"8"= kjzna1562565.exe
"9"= klnxv19819115.exe
"10"= mstre6.exe
"11"= TrendAV.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 20:37 34344 ----a-w c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2006-12-14 15:06 28672 ----a-w c:\program files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= ,

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=\\stheno.gold.ad.bentley.edu\installers$\STUDENT_INVENTORY\elevated_launch.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\0]
"Script"=\\blue.ad.bentley.edu\SysVol\blue.ad.bentley.edu\scripts\SMS3.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\2\0]
"Script"=\\blue.ad.bentley.edu\SysVol\blue.ad.bentley.edu\scripts\maplab_copy.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\3\0]
"Script"=script.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1229846427-2226813820-890958922-28342\Scripts\Logon\0\0]
"Script"=\\blue.ad.bentley.edu\sysvol\blue.ad.bentley.edu\scripts\loginscript2.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
"c:\\Program Files\\PharosSystems\\Core\\CTskMstr.exe"=

R2 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2007-06-06 116928]
R3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2009-03-03 33176]
S0 Shockprf;Shockprf;c:\windows\System32\DRIVERS\Apsx86.sys [2007-03-02 100656]
S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM86.sys [2007-03-02 19760]
S1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\Tppwrif.sys [2007-09-21 4442]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-03-16 101936]

.
Contents of the 'Scheduled Tasks' folder

2009-04-18 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 22:20]

2009-04-18 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2007-06-20 06:19]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.meebo.com/
IE: Add to Net Snippets - c:\progra~1\NETSNI~1\Res\Clipper.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: **{7130DF06-BBC1-4e16-83D4-1F875E65B695} - {F9C00EF7-B192-4609-B2B8-D705ACE341FF} - c:\progra~1\NETSNI~1\NetSnip.dll
Trusted Zone: bentley.edu\stheno.gold.ad
DPF: {B70D738E-B839-413B-9555-D108643E05B9} - hxxp://deploy.bentley.edu/controls/BentleyUpdate07.CAB
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-18 14:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\c:\windows\TEMP\mc21.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(944)
c:\program files\Lenovo\HOTKEY\tphklock.dll
c:\windows\system32\netprovcredman.dll

- - - - - - - > 'explorer.exe'(3764)
c:\progra~1\PHAROS~1\Core\PRNTRACK.DLL
c:\windows\system32\nview.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\browselc.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
c:\windows\System32\DLA\DLASHX_W.DLL
c:\windows\system32\DLAAPI_W.DLL
c:\windows\System32\DLA\DLACResW.dll
c:\windows\system32\netprovcredman.dll
.
Completion time: 2009-04-18 14:04
ComboFix-quarantined-files.txt 2009-04-18 18:04

Pre-Run: 66,371,305,472 bytes free
Post-Run: 66,995,490,816 bytes free

154 --- E O F --- 2009-03-27 00:23
Attached Files
File Type: txt log.txt (8.9 KB, 1 views)
Last edited by chemist; 04-18-2009 at 12:21 PM.
abckrist is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 04-18-2009, 12:20 PM   #6 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,641
OS: XP SP3


Re: Cleaning up an infection
Please run The Avenger again as you did in post #2 above and post the log in your next reply.

------------------------------------------------------

Go to Start > Run and copy/paste the following into the Run box and click OK:

C:\QooBox\Add-Remove Programs.txt

A text file should open. Please post the contents of that file in your next reply.

------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
Last edited by chemist; 04-18-2009 at 12:23 PM.
chemist is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 04-18-2009, 07:45 PM   #7 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 21
OS: windowsxp2


Re: Cleaning up an infection
Avenger Log:

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Completed script processing.

*******************

Finished! Terminate.


C:\QooBox\Add-Remove Programs.txt is blank. QooBox's log could not be attached.
Attached Files
File Type: txt avenger.txt (888 Bytes, 0 views)
abckrist is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 04-18-2009, 08:11 PM   #8 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,641
OS: XP SP3


Re: Cleaning up an infection
Hello again, abckrist. When you go Start > Control Panel > Add or Remove Programs, do you see your installed programs?

Please go to: VirusTotal
  • On the page you'll find a Browse button.
  • Next to the Browse button you'll see a box to enter text.
  • Please copy/paste the following bolded text into the box:

    c:\program files\mozilla firefox\components\dfff.dll

  • Then click the Send File button just below.
  • This will scan the file. Please be patient.
  • If you get a message saying File has already been analysed: click Reanalyse file now
  • Once scanned, copy and paste the results in your next reply.
------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
chemist is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 04-19-2009, 12:19 AM   #9 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 21
OS: windowsxp2


Re: Cleaning up an infection
Status update: the mouse is moving very jerkily, though nothing else seems to be affected. The Add/Remove programs list is populated. The only result (in the event formatting makes difficult to read) is that Prevx1 V2 found "Medium Risk Malware." Thank you for your help thusfar Chemist.


Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.04.19 -
AhnLab-V3 5.0.0.2 2009.04.18 -
AntiVir 7.9.0.148 2009.04.18 -
Antiy-AVL 2.0.3.1 2009.04.17 -
Authentium 5.1.2.4 2009.04.19 -
Avast 4.8.1335.0 2009.04.18 -
AVG 8.5.0.287 2009.04.18 -
BitDefender 7.2 2009.04.19 -
CAT-QuickHeal 10.00 2009.04.18 -
ClamAV 0.94.1 2009.04.19 -
Comodo 1120 2009.04.18 -
DrWeb 4.44.0.09170 2009.04.19 -
eSafe 7.0.17.0 2009.04.13 -
eTrust-Vet 31.6.6455 2009.04.14 -
F-Prot 4.4.4.56 2009.04.19 -
F-Secure 8.0.14470.0 2009.04.19 -
Fortinet 3.117.0.0 2009.04.18 -
GData 19 2009.04.19 -
Ikarus T3.1.1.49.0 2009.04.19 -
K7AntiVirus 7.10.707 2009.04.17 -
Kaspersky 7.0.0.125 2009.04.19 -
McAfee 5588 2009.04.18 -
McAfee+Artemis 5588 2009.04.18 -
McAfee-GW-Edition 6.7.6 2009.04.19 -
Microsoft 1.4502 2009.04.19 -
NOD32 4019 2009.04.18 -
Norman 6.00.06 2009.04.17 -
nProtect 2009.1.8.0 2009.04.19 -
Panda 10.0.0.14 2009.04.18 -
PCTools 4.4.2.0 2009.04.17 -
Prevx1 V2 2009.04.19 Medium Risk Malware
Rising 21.25.60.00 2009.04.19 -
Sophos 4.40.0 2009.04.19 -
Sunbelt 3.2.1858.2 2009.04.18 -
Symantec 1.4.4.12 2009.04.19 -
TheHacker 6.3.4.0.309 2009.04.16 -
TrendMicro 8.700.0.1004 2009.04.17 -
VBA32 3.12.10.2 2009.04.12 -
ViRobot 2009.4.18.1685 2009.04.18 -
VirusBuster 4.6.5.0 2009.04.18 -
Additional information
File size: 211968 bytes
MD5...: 6bd020533f58aec6f047355bdf6fe230
SHA1..: 2d3f1d760995fde4a8beee85c5dc4c5c07f58b76
SHA256: ac70b104dea05b68822b32543af70729c15d8e08028400f7b3cb89f0db52e2df
SHA512: 1c767c2de79f90ad247a787bbb3335d0f59fd7f87baaec60a6f7715361aa095b
30474ccccc2d4f7d7ef464dde54fbdeeda635ca340f2ed3eb2eb13e566a1a145
ssdeep: 3072:bR3kMQvwexjW7irfnN4zrmkYQWjC3/prl/Zoos8wil5sIB5DmzOO:UvbxjW
7iDnN4TWjCPprlRoo7wifr
PEiD..: -
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (53.1%)
Windows Screen Saver (18.4%)
Win32 Executable Generic (12.0%)
Win32 Dynamic Link Library (generic) (10.6%)
Generic Win/DOS Executable (2.8%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0xf133
timedatestamp.....: 0x49bfc224 (Tue Mar 17 15:30:44 2009)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x21636 0x21800 6.60 3d8b860ec06899c727be6a4465098fd1
.rdata 0x23000 0x86b1 0x8800 5.29 be5c9329c63b4aa456cac1cb7df5bcd8
.data 0x2c000 0x6d18 0x2200 4.05 6298213780abf0d5688db78f06b3f616
.rsrc 0x33000 0x4d0 0x600 4.55 075cc25a07b6577b9a6d2a607abb7d43
.reloc 0x34000 0x6ece 0x7000 2.68 e139cea835ccbda9394c3aea496d450c

( 9 imports )
> xpcom.dll: NS_CStringCloneData, NS_CStringContainerFinish, NS_CStringContainerInit, NS_UTF16ToCString, NS_Alloc, NS_Free, NS_GetServiceManager, NS_StringContainerInit, NS_StringContainerFinish
> KERNEL32.dll: DeleteCriticalSection, TlsFree, GetCurrentThreadId, SetErrorMode, lstrcmpA, lstrlenA, GetCurrentProcessId, InterlockedIncrement, GetVersionExA, lstrcmpW, LoadLibraryA, LocalReAlloc, GlobalFindAtomW, GlobalAddAtomW, GlobalFlags, GetModuleHandleA, HeapAlloc, GetSystemTimeAsFileTime, GetCommandLineA, HeapFree, HeapReAlloc, RtlUnwind, RaiseException, HeapSize, Sleep, ExitProcess, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetStdHandle, GetModuleFileNameA, VirtualFree, VirtualAlloc, HeapCreate, HeapDestroy, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, SetHandleCount, GetFileType, GetStartupInfoA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, SetStdHandle, InitializeCriticalSectionAndSpinCount, GetLocaleInfoA, GetConsoleCP, GetConsoleMode, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, CreateFileA, TlsSetValue, TlsAlloc, InitializeCriticalSection, GlobalHandle, GlobalReAlloc, EnterCriticalSection, TlsGetValue, LeaveCriticalSection, LocalAlloc, FreeLibrary, InterlockedDecrement, GetModuleHandleW, GetProcAddress, GetModuleFileNameW, GetCurrentProcess, CloseHandle, FlushFileBuffers, SetFilePointer, WriteFile, LoadLibraryW, GlobalFree, GlobalAlloc, GlobalLock, GlobalUnlock, FormatMessageW, LocalFree, GetLastError, SetLastError, lstrlenW, WideCharToMultiByte, GetComputerNameW, LockResource, MultiByteToWideChar, SizeofResource, LoadResource, FindResourceW, GlobalDeleteAtom
> USER32.dll: ClientToScreen, TabbedTextOutW, DrawTextW, DrawTextExW, GrayStringW, DestroyMenu, PostQuitMessage, WinHelpW, GetCapture, GetClassLongW, GetClassNameW, SetPropW, GetPropW, RemovePropW, IsWindow, GetForegroundWindow, GetDlgItem, GetTopWindow, DestroyWindow, GetMessageTime, GetMessagePos, MapWindowPoints, SetMenu, SetForegroundWindow, GetClientRect, PostMessageW, CreateWindowExW, GetClassInfoExW, GetClassInfoW, RegisterClassW, AdjustWindowRectEx, CopyRect, PtInRect, GetDlgCtrlID, DefWindowProcW, CallWindowProcW, GetMenu, SetWindowLongW, SetWindowPos, SystemParametersInfoA, IsIconic, GetWindowPlacement, GetWindowRect, GetWindow, SetMenuItemBitmaps, GetMenuCheckMarkDimensions, GetFocus, ModifyMenuW, EnableMenuItem, CheckMenuItem, LoadCursorW, GetDC, ReleaseDC, GetSysColor, GetSysColorBrush, GetWindowThreadProcessId, GetParent, GetWindowLongW, GetLastActivePopup, IsWindowEnabled, EnableWindow, MessageBoxW, GetWindowTextW, UnregisterClassW, SetWindowsHookExW, CallNextHookEx, DispatchMessageW, SendMessageW, GetKeyState, PeekMessageW, ValidateRect, UnhookWindowsHookEx, GetSystemMetrics, GetMenuState, GetMenuItemID, GetMenuItemCount, GetSubMenu, SetWindowTextW, LoadIconW, EnumWindows, SendMessageTimeoutW, FindWindowExW, RegisterWindowMessageW, LoadBitmapW
> SHLWAPI.dll: PathFindFileNameW, SHGetValueA, PathFindExtensionW
> OLEACC.dll: CreateStdAccessibleObject, LresultFromObject
> nspr4.dll: PR_AtomicDecrement, PR_AtomicIncrement
> GDI32.dll: DeleteObject, SaveDC, RestoreDC, GetClipBox, SetWindowExtEx, SetMapMode, ScaleViewportExtEx, SetBkColor, DeleteDC, Escape, GetStockObject, ExtTextOutW, TextOutW, RectVisible, PtVisible, SetTextColor, SetViewportExtEx, OffsetViewportOrgEx, SetViewportOrgEx, CreateBitmap, ScaleWindowExtEx, GetDeviceCaps, SelectObject
> WINSPOOL.DRV: OpenPrinterW, DocumentPropertiesW, ClosePrinter
> OLEAUT32.dll: -, -, -

( 1 exports )
NSGetModule
RDS...: NSRL Reference Data Set
-
Prevx info: <a href='http://info.prevx.com/aboutprogramtext.asp?PX5=EAB7D4C3005510503C8A0311182BF80092FBDE0C' target='_blank'>http://info.prevx.com/aboutprogramte...2BF80092FBDE0C</a>
abckrist is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 04-19-2009, 09:13 AM   #10 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,641
OS: XP SP3


Re: Cleaning up an infection
Hello again, abckrist.

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

Close any open browsers.

Disable your antivirus and antispyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with ComboFix.

Open Notepad and copy/paste all the text in the codebox below into Notepad:

Code:
http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/366136-cleaning-up-infection.html#post2088390

Collect::
c:\windows\system32\duwiwuse.dll.tmp
c:\windows\system32\mizotufu.exe
c:\windows\system32\tamowevu.dll.tmp
c:\windows\system32\yewiluyo.dll.tmp

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
Save this Notepad file as CFScript.txt to your Desktop and then close the file.





Referring to the picture above, drag CFScript onto ComboFix

If you are prompted to update ComboFix and have an internet connection, please choose Yes

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Please post that log, ComboFix.txt in your next reply.

------------------------------------------------------

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
If you do not get a message box, please do the following:

There should be a file named [4]-Submit_date@time.zip with today's date, located here:

C:\QooBox\Quarantine\[4]-Submit_date@time.zip

Using the 'Browse' button, please submit it to this site ==> http://www.bleepingcomputer.com/subm....php?channel=4

Please let me know if you successfully submitted the file. Thanks.

------------------------------------------------------

If you already have HijackThis installed:
  • Double-click on HijackThis.exe to run it.
  • Click Open the Misc Tools section and click the button labeled Open Uninstall Manager...
  • Click the Save List... button and Save it to your Desktop.
  • Close HijackThis now.
  • Post uninstall_list.txt in your next reply.
------------------------------------------------------

If you don't have HijackThis installed:

Please download HijackThis and Save it to your Desktop.

Alternate link

Double-click on the file you just downloaded. Click 'Run' or 'Install' and follow the prompts to install.

It will by default install to the directory - C:\Program Files\Trend Micro\HijackThis

Upon install, HijackThis should open for you.
  • Click Open the Misc Tools section and click the button labeled Open Uninstall Manager...
  • Click the Save List... button and Save it to your Desktop.
  • Close HijackThis now.
  • Post uninstall_list.txt in your next reply.
------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
chemist is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 04-19-2009, 12:01 PM   #11 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 21
OS: windowsxp2


Re: Cleaning up an infection
I was unable to upload the file. Combofix did not have a popup when it displayed the log. The folder C:\QooBox\Quarantine\ did not have any zip files. There was a file CFScript_used_2009-04-19@13.46.txt in \QooBox\ that had the exact same text as the script you asked me to run. I've attached both logs, as well as posted them.

ComboFix Log:
ComboFix 09-04-19.01 - CHAN_KRIS 04/19/2009 13:46.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2014.1151 [GMT -4:00]
Running from: c:\documents and settings\CHAN_KRIS\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\CHAN_KRIS\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-03-19 to 2009-04-19 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-07 08:2009-04-07 08:03 03:50 . c:\program files\mozilla firefox\components\dfff.dll
1601-01-01 00:12 . 1601-01-01 00:12 57344 --sha-w c:\windows\system32\duwiwuse.dll.tmp
1601-01-01 00:12 . 1601-01-01 00:12 57344 --sha-w c:\windows\system32\tamowevu.dll.tmp
1601-01-01 00:12 . 1601-01-01 00:12 57344 --sha-w c:\windows\system32\yewiluyo.dll.tmp
.

((((((((((((((((((((((((((((( SnapShot@2009-04-18_18.01.34 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-10 8495104]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2007-09-21 200704]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2007-09-21 208896]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 512000]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-04-09 1015808]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-04-27 243248]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 66176]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2007-01-09 868352]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2007-03-23 120368]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2007-04-10 58416]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-05-29 52840]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-06-06 125632]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-12-22 67752]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-05-18 196696]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-02-02 122940]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-10 81920]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-12-10 1626112]
"TpShocks"="TpShocks.exe" - c:\windows\system32\TpShocks.exe [2007-03-29 181808]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2007-04-10 3900776]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-4-11 50688]
Post-itr Software Notes Lite.lnk - c:\program files\3M\PSNLite\PsnLite.exe [2004-10-15 2080768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 1 (0x1)
"LogonType"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 20:37 34344 ----a-w c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2006-12-14 15:06 28672 ----a-w c:\program files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=\\stheno.gold.ad.bentley.edu\installers$\STUDENT_INVENTORY\elevated_launch.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\0]
"Script"=\\blue.ad.bentley.edu\SysVol\blue.ad.bentley.edu\scripts\SMS3.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\2\0]
"Script"=\\blue.ad.bentley.edu\SysVol\blue.ad.bentley.edu\scripts\maplab_copy.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\3\0]
"Script"=script.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1229846427-2226813820-890958922-28342\Scripts\Logon\0\0]
"Script"=\\blue.ad.bentley.edu\sysvol\blue.ad.bentley.edu\scripts\loginscript2.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
"c:\\Program Files\\PharosSystems\\Core\\CTskMstr.exe"=

R3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2009-03-03 33176]
S0 Shockprf;Shockprf;c:\windows\System32\DRIVERS\Apsx86.sys [2007-03-02 100656]
S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM86.sys [2007-03-02 19760]
S1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\Tppwrif.sys [2007-09-21 4442]
S2 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2007-06-06 116928]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-04-06 38496]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - ERASERUTILDRV10910
*NewlyCreated* - MBAMSWISSARMY
.
Contents of the 'Scheduled Tasks' folder

2009-04-19 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 22:20]

2009-04-19 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2007-06-20 06:19]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.meebo.com/
IE: Add to Net Snippets - c:\progra~1\NETSNI~1\Res\Clipper.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: **{7130DF06-BBC1-4e16-83D4-1F875E65B695} - {F9C00EF7-B192-4609-B2B8-D705ACE341FF} - c:\progra~1\NETSNI~1\NetSnip.dll
Trusted Zone: bentley.edu\stheno.gold.ad
DPF: {B70D738E-B839-413B-9555-D108643E05B9} - hxxp://deploy.bentley.edu/controls/BentleyUpdate07.CAB
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-19 13:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\c:\windows\TEMP\mc21.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(952)
c:\program files\Lenovo\HOTKEY\tphklock.dll
c:\windows\system32\netprovcredman.dll

- - - - - - - > 'explorer.exe'(3296)
c:\progra~1\PHAROS~1\Core\PRNTRACK.DLL
c:\windows\system32\nview.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-04-19 13:49
ComboFix-quarantined-files.txt 2009-04-19 17:49
ComboFix2.txt 2009-04-19 17:40
ComboFix3.txt 2009-04-18 18:04

Pre-Run: 66,570,907,648 bytes free
Post-Run: 66,557,722,624 bytes free

143 --- E O F --- 2009-04-19 02:16



Uninstall List
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
Access Help
Adobe Common File Installer
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Help Center 2.1
Adobe Photoshop Elements 5.0
Adobe Premiere Elements 3.0.2
Adobe Premiere Elements 3.0.2
Adobe Premiere Elements 3.0.2 Templates
Adobe Reader 8.1.0
Adobe Shockwave Player
AOL Instant Messenger
ClearType Tuning Control Panel Applet
Critical Update for Windows Media Player 11 (KB959772)
Diskeeper Lite
DivX Web Player
Graboid Video 1.3
GTK+ Runtime 2.14.7 rev a (remove only)
Help Center
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB889816)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB909095)
Hotfix for Windows XP (KB909667)
Hotfix for Windows XP (KB910728)
Hotfix for Windows XP (KB918837)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB935192)
Hotfix for Windows XP (KB952287)
Intel(R) PRO Network Connections 12.0.40.0
Intel(R) PROSet/Wireless Software
InterVideo WinDVD
InterVideo WinDVD Creator 3
Java(TM) SE Runtime Environment 6 Update 1
LiveUpdate 3.1 (Symantec Corporation)
Malwarebytes' Anti-Malware
mCore
mDriver
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Communicator 2005
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel 2007 Get Started Tab
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint 2007 Get Started Tab
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word 2007 Get Started Tab
Microsoft Office Word MUI (English) 2007
Microsoft Outlook Web Access S/MIME
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Windows Journal Viewer
mMHouse
Mozilla ActiveX Control v1.7.12
Mozilla Firefox (3.0.8)
mPfMgr
mProSafe
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB954459)
mWlsSafe
Net Snippets
NVIDIA Drivers
On Screen Display
Pharos
Pidgin
Post-it® Software Notes Lite
Presentation Director
Productivity Center Supplement for ThinkPad
QuickTime
RDC
RealPlayer
RecordNow Audio
RecordNow Copy
RecordNow Data
RICOH R5C83x/84x Flash Media Controller Driver Ver.3.51.01
Rights Management Add-on for Internet Explorer
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB958439)
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB958437)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB956828)
Security Update for Microsoft Office Word 2007 (KB956358)
Security Update for Visio 2007 (KB947590)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Sonic DLA
Sonic Express Labeler
Sonic Update Manager
SoundMAX
Spelling Dictionaries Support For Adobe Reader 8
Symantec AntiVirus
System Update
ThinkPad EasyEject Utility
ThinkPad FullScreen Magnifier
ThinkPad Keyboard Customizer Utility
ThinkPad Modem
ThinkPad Power Management Driver
ThinkPad Power Manager
ThinkPad UltraNav Driver
ThinkPad UltraNav Utility
ThinkVantage Active Protection System
ThinkVantage Productivity Center
Update for Microsoft Office 2007 Help for Common Features (KB957244)
Update for Microsoft Office Access 2007 Help (KB957241)
Update for Microsoft Office Excel 2007 Help (KB957242)
Update for Microsoft Office InfoPath 2007 Help (KB957243)
Update for Microsoft Office OneNote 2007 Help (KB957245)
Update for Microsoft Office Outlook 2007 (KB952142)
Update for Microsoft Office Outlook 2007 Help (KB957246)
Update for Microsoft Office PowerPoint 2007 Help (KB957247)
Update for Microsoft Office Publisher 2007 Help (KB957249)
Update for Microsoft Office Word 2007 Help (KB957252)
Update for Microsoft Script Editor Help (KB957253)
Update for Office 2007 (KB946691)
Update for Outlook 2007 Junk Email Filter (kb962871)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908521)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB916846)
Update for Windows XP (KB920342)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB923845)
Update for Windows XP (KB925720)
Update for Windows XP (KB925876)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VideoLAN VLC media player 0.8.6d
WIMGAPI
Windows Defender
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows Rights Management Client Backwards Compatibility SP2
Windows Rights Management Client with Service Pack 2
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WS_FTP 5.08
Attached Files
File Type: txt CF log.txt (8.6 KB, 1 views)
File Type: txt uninstall_list.txt (12.2 KB, 0 views)
abckrist is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 04-19-2009, 12:43 PM   #12 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,641
OS: XP SP3


Re: Cleaning up an infection
Hello again, abckrist. It appears you ran ComboFix twice that last time.

Go to Start > Run and copy/paste the following into the Run box and click OK:

C:\QooBox\ComboFix2.txt

A text file should open. Please post the contents of that file in your next reply.

------------------------------------------------------

Go to Start > Run and copy/paste the following into the Run box and click OK:

C:\QooBox\ComboFix-quarantined-files.txt

A text file should open. Please post the contents of that file in your next reply.

------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
chemist is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 04-19-2009, 01:02 PM   #13 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 21
OS: windowsxp2


Re: Cleaning up an infection
I ran it twice, mostly in the event that I did something wrong the first time.

Combofix2:
ComboFix 09-04-19.01 - CHAN_KRIS 04/19/2009 13:30.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2014.1037 [GMT -4:00]
Running from: c:\documents and settings\CHAN_KRIS\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\CHAN_KRIS\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-03-19 to 2009-04-19 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-07 08:2009-04-07 08:03 03:50 . c:\program files\mozilla firefox\components\dfff.dll
1601-01-01 00:12 . 1601-01-01 00:12 57344 --sha-w c:\windows\system32\duwiwuse.dll.tmp
1601-01-01 00:12 . 1601-01-01 00:12 57344 --sha-w c:\windows\system32\tamowevu.dll.tmp
1601-01-01 00:12 . 1601-01-01 00:12 57344 --sha-w c:\windows\system32\yewiluyo.dll.tmp
.

((((((((((((((((((((((((((((( SnapShot@2009-04-18_18.01.34 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-10 8495104]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2007-09-21 200704]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2007-09-21 208896]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 512000]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-04-09 1015808]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-04-27 243248]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 66176]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2007-01-09 868352]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2007-03-23 120368]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2007-04-10 58416]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-05-29 52840]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-06-06 125632]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-12-22 67752]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-05-18 196696]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-02-02 122940]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-10 81920]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-12-10 1626112]
"TpShocks"="TpShocks.exe" - c:\windows\system32\TpShocks.exe [2007-03-29 181808]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2007-04-10 3900776]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-4-11 50688]
Post-itr Software Notes Lite.lnk - c:\program files\3M\PSNLite\PsnLite.exe [2004-10-15 2080768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 1 (0x1)
"LogonType"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 20:37 34344 ----a-w c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2006-12-14 15:06 28672 ----a-w c:\program files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=\\stheno.gold.ad.bentley.edu\installers$\STUDENT_INVENTORY\elevated_launch.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\0]
"Script"=\\blue.ad.bentley.edu\SysVol\blue.ad.bentley.edu\scripts\SMS3.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\2\0]
"Script"=\\blue.ad.bentley.edu\SysVol\blue.ad.bentley.edu\scripts\maplab_copy.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\3\0]
"Script"=script.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1229846427-2226813820-890958922-28342\Scripts\Logon\0\0]
"Script"=\\blue.ad.bentley.edu\sysvol\blue.ad.bentley.edu\scripts\loginscript2.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
"c:\\Program Files\\PharosSystems\\Core\\CTskMstr.exe"=

R3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2009-03-03 33176]
S0 Shockprf;Shockprf;c:\windows\System32\DRIVERS\Apsx86.sys [2007-03-02 100656]
S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM86.sys [2007-03-02 19760]
S1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\Tppwrif.sys [2007-09-21 4442]
S2 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2007-06-06 116928]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-04-06 38496]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - ERASERUTILDRV10910
*NewlyCreated* - MBAMSWISSARMY
.
Contents of the 'Scheduled Tasks' folder

2009-04-19 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 22:20]

2009-04-19 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2007-06-20 06:19]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.meebo.com/
IE: Add to Net Snippets - c:\progra~1\NETSNI~1\Res\Clipper.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: **{7130DF06-BBC1-4e16-83D4-1F875E65B695} - {F9C00EF7-B192-4609-B2B8-D705ACE341FF} - c:\progra~1\NETSNI~1\NetSnip.dll
Trusted Zone: bentley.edu\stheno.gold.ad
DPF: {B70D738E-B839-413B-9555-D108643E05B9} - hxxp://deploy.bentley.edu/controls/BentleyUpdate07.CAB
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-19 13:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\c:\windows\TEMP\mc21.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(952)
c:\program files\Lenovo\HOTKEY\tphklock.dll
c:\windows\system32\netprovcredman.dll

- - - - - - - > 'explorer.exe'(2044)
c:\progra~1\PHAROS~1\Core\PRNTRACK.DLL
c:\windows\system32\nview.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\netprovcredman.dll
.
Completion time: 2009-04-19 13:40
ComboFix-quarantined-files.txt 2009-04-19 17:39
ComboFix2.txt 2009-04-18 18:04

Pre-Run: 66,539,061,248 bytes free
Post-Run: 66,594,238,464 bytes free

143 --- E O F --- 2009-04-19 02:16



ComboFix-Quarantined-Files.Txt

2009-04-18 17:59:12 . 2009-04-19 17:47:55 14,138 ----a-w C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-04-18 17:22:02 . 2009-04-19 17:45:28 348 ----a-w C:\Qoobox\Quarantine\catchme.log
abckrist is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 04-19-2009, 01:48 PM   #14 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,641
OS: XP SP3


Re: Cleaning up an infection
Hello again, abckrist. You will have to do it again.

Quote:
I ran it twice, mostly in the event that I did something wrong the first time.
Please don't do that. If something doesn't work, let me know and we will proceed from there.

It didn't work either time. You must not be doing something correctly. Make sure you copy/paste ALL the text in the codebox into Notepad.

Are you disabling Symantec? It doesn't look like it from the logs:

Quote:
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)
If you are having trouble disabling Symantec's On-access scanning, please follow the instructions on pages 24-25 here:

http://csit.uniud.it/fileadmin/istru...i/navce76u.pdf

------------------------------------------------------

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

If CFScript.txt is still on your desktop, please delete it.

Close any open browsers.

Disable your antivirus and antispyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with ComboFix.

Open Notepad and copy/paste all the text in the codebox below into Notepad:

Code:
http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/366136-cleaning-up-infection.html#post2088390

Collect::
c:\windows\system32\duwiwuse.dll.tmp
c:\windows\system32\mizotufu.exe
c:\windows\system32\tamowevu.dll.tmp
c:\windows\system32\yewiluyo.dll.tmp

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
Save this Notepad file as CFScript.txt to your Desktop and then close the file.





Referring to the picture above, drag CFScript onto ComboFix

If you are prompted to update ComboFix and have an internet connection, please choose Yes

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Please post that log, ComboFix.txt in your next reply.

------------------------------------------------------

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
If you do not get a message box, please do the following:

There should be a file named [4]-Submit_date@time.zip with today's date, located here:

C:\QooBox\Quarantine\[4]-Submit_date@time.zip

Using the 'Browse' button, please submit it to this site ==> http://www.bleepingcomputer.com/subm....php?channel=4

Please let me know if you successfully submitted the file. Thanks.

------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
chemist is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 04-19-2009, 02:54 PM   #15 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 21
OS: windowsxp2


Re: Cleaning up an infection
I managed to fully disable Symantec through MSConfig/Services.msc, however, no dialogue box appears, and no file appears in the quarantine folder.
CFScript_used_2009-04-19@16.43.txt reads

Code:
http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/366136-cleaning-up-infection.html#post2088390

Collect::
c:\windows\system32\duwiwuse.dll.tmp
c:\windows\system32\mizotufu.exe
c:\windows\system32\tamowevu.dll.tmp
c:\windows\system32\yewiluyo.dll.tmp

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
Log attached, and reads

ComboFix 09-04-19.01 - CHAN_KRIS 04/19/2009 16:43.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2014.1455 [GMT -4:00]
Running from: c:\documents and settings\CHAN_KRIS\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\CHAN_KRIS\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-03-19 to 2009-04-19 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-07 08:2009-04-07 08:03 03:50 . c:\program files\mozilla firefox\components\dfff.dll
1601-01-01 00:12 . 1601-01-01 00:12 57344 --sha-w c:\windows\system32\duwiwuse.dll.tmp
1601-01-01 00:12 . 1601-01-01 00:12 57344 --sha-w c:\windows\system32\tamowevu.dll.tmp
1601-01-01 00:12 . 1601-01-01 00:12 57344 --sha-w c:\windows\system32\yewiluyo.dll.tmp
.

((((((((((((((((((((((((((((( SnapShot@2009-04-18_18.01.34 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-10 8495104]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2007-09-21 200704]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2007-09-21 208896]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 512000]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-04-09 1015808]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-04-27 243248]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 66176]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2007-01-09 868352]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2007-03-23 120368]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2007-04-10 58416]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-05-29 52840]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-12-22 67752]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-05-18 196696]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-02-02 122940]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-10 81920]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-12-10 1626112]
"TpShocks"="TpShocks.exe" - c:\windows\system32\TpShocks.exe [2007-03-29 181808]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2007-04-10 3900776]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-4-11 50688]
Post-itr Software Notes Lite.lnk - c:\program files\3M\PSNLite\PsnLite.exe [2004-10-15 2080768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 1 (0x1)
"LogonType"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 20:37 34344 ----a-w c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2006-12-14 15:06 28672 ----a-w c:\program files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=\\stheno.gold.ad.bentley.edu\installers$\STUDENT_INVENTORY\elevated_launch.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\0]
"Script"=\\blue.ad.bentley.edu\SysVol\blue.ad.bentley.edu\scripts\SMS3.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\2\0]
"Script"=\\blue.ad.bentley.edu\SysVol\blue.ad.bentley.edu\scripts\maplab_copy.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\3\0]
"Script"=script.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1229846427-2226813820-890958922-28342\Scripts\Logon\0\0]
"Script"=\\blue.ad.bentley.edu\sysvol\blue.ad.bentley.edu\scripts\loginscript2.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WinDefend"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
"c:\\Program Files\\PharosSystems\\Core\\CTskMstr.exe"=

R3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2009-03-03 33176]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-04-06 38496]
R4 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2007-06-06 116928]
R4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S0 Shockprf;Shockprf;c:\windows\System32\DRIVERS\Apsx86.sys [2007-03-02 100656]
S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM86.sys [2007-03-02 19760]
S1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\Tppwrif.sys [2007-09-21 4442]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-06 101936]

.
Contents of the 'Scheduled Tasks' folder

2009-04-19 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 22:20]

2009-04-19 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2007-06-20 06:19]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.meebo.com/
IE: Add to Net Snippets - c:\progra~1\NETSNI~1\Res\Clipper.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: **{7130DF06-BBC1-4e16-83D4-1F875E65B695} - {F9C00EF7-B192-4609-B2B8-D705ACE341FF} - c:\progra~1\NETSNI~1\NetSnip.dll
Trusted Zone: bentley.edu\stheno.gold.ad
DPF: {B70D738E-B839-413B-9555-D108643E05B9} - hxxp://deploy.bentley.edu/controls/BentleyUpdate07.CAB
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-19 16:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\c:\windows\TEMP\mc21.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(956)
c:\program files\Lenovo\HOTKEY\tphklock.dll
c:\windows\system32\netprovcredman.dll

- - - - - - - > 'explorer.exe'(2508)
c:\progra~1\PHAROS~1\Core\PRNTRACK.DLL
c:\windows\system32\nview.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\netprovcredman.dll
.
Completion time: 2009-04-19 16:50
ComboFix-quarantined-files.txt 2009-04-19 20:49
ComboFix2.txt 2009-04-19 17:49
ComboFix3.txt 2009-04-19 17:40
ComboFix4.txt 2009-04-18 18:04

Pre-Run: 66,576,400,384 bytes free
Post-Run: 66,563,162,112 bytes free

142 --- E O F --- 2009-04-19 02:16
Attached Files
File Type: txt CFlog.txt (8.6 KB, 2 views)
Last edited by abckrist; 04-19-2009 at 02:55 PM.
abckrist is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 04-19-2009, 04:09 PM   #16 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,641
OS: XP SP3


Re: Cleaning up an infection
Hello again, abckrist. Please delete ComboFix.exe from your desktop.

Download ComboFix and save it to your desktop.

Try dragging and dropping CFScript.txt onto ComboFix.exe again.

------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
chemist is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 04-19-2009, 04:22 PM   #17 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 21
OS: windowsxp2


Re: Cleaning up an infection
Redownloaded, still no file generated, no popup.
Attached Files
File Type: txt log.txt (8.7 KB, 1 views)
abckrist is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 04-19-2009, 05:55 PM   #18 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,641
OS: XP SP3


Re: Cleaning up an infection
Hello again, abckrist. Not sure why it isn't working. Let's try a different approach.

First, did you create this key and entries, and then remove them? They aren't showing in your last few logs.

Quote:
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
"1"= b95702b.exe
"2"= bla.exe
"3"= complaint.scr
"4"= complaint.zip
"5"= fbtre6.exe
"6"= flash_update.exe
"7"= Ipssvc.exe
"8"= kjzna1562565.exe
"9"= klnxv19819115.exe
"10"= mstre6.exe
"11"= TrendAV.exe
------------------------------------------------------
  • Right-click on avenger.exe & choose Run as Administrator to run The Avenger
  • Click OK
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy/paste the following text in the codebox below into the 'Input script here:' box.

    Code:
    Files to delete:
c:\windows\system32\duwiwuse.dll.tmp
c:\windows\system32\mizotufu.exe
c:\windows\system32\tamowevu.dll.tmp
c:\windows\system32\yewiluyo.dll.tmp

Registry values to delete:
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows | AppInit_DLLs
  • Click Execute
  • Click Yes
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?
  • Click Yes
  • Your PC will now be rebooted.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log in your next reply.
------------------------------------------------------

Go Start > Run and copy/paste the following into the Run box and click OK:

"c:\documents and settings\CHAN_KRIS\Desktop\ComboFix.exe" /f3m

Post the ComboFix.txt log in your next reply.

------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
Last edited by chemist; 04-19-2009 at 06:17 PM.
chemist is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 04-19-2009, 06:22 PM   #19 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 21
OS: windowsxp2


Re: Cleaning up an infection
Running avenger, but getting the error "Error: Invalid registry syntax in command: "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\exploer\dissallowrun"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program. Skipping line. (Registry key deletion mode).

I can't run as a sys admin, but the current user has administrator privileges. Should I run the rest of the script (it will skip that line)?
abckrist is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 04-19-2009, 06:23 PM   #20 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,641
OS: XP SP3


Re: Cleaning up an infection
Sorry about that. I thought I edited that out the first time. I fixed it. You can re-input the script.
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
chemist is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
 
Page 1 of 2 1 2

« Previous Thread | Next Thread »

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off



All times are GMT -7. The time now is 08:52 AM.

Contact Us - Tech Support Forum - Archive - Privacy Statement - Top


Copyright 2001 - 2009, Tech Support Forum
Home Tips Plus | Outdoor Basecamp | Automotive Support Forum

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85