Save this as CFScript.txt and place it on your desktop.
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
**Note**
When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
Ensure you are connected to the internet and click OK on the message box.
Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
Comments
Apparently, I spoke too soon. It appeared again this evening after about 10 hours of usage without the pop up. Same exact warning message.
Any suggestions?
Here is the new combofix log.
ComboFix 09-05-30.01 - Owner 05/30/2009 10:07.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.483 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\virus\ComboFix.exe
AV: avast! antivirus 4.8.1296 [VPS 090529-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Windows Live OneCare *On-access scanning disabled* (Updated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}
FW: Windows Live OneCare Firewall *disabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}
.
((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-30 )))))))))))))))))))))))))))))))
.
2009-05-28 23:44 . 2009-05-28 23:44 2855 ----a-w c:\windows\system32\winlogon.PIF
2009-05-28 23:43 . 2009-05-28 23:43 d--h--w c:\windows\PIF
2009-05-28 14:23 . 2009-05-28 14:23 2087279 ----a-w C:\OneCareSupportData.zip
2009-05-27 02:10 . 2009-05-27 02:10 d-----w C:\_OTM
2009-05-26 05:06 . 2009-05-26 05:21 d-----w c:\documents and settings\Owner\.SunDownloadManager
2009-05-26 05:00 . 2009-05-26 05:00 d-----w c:\program files\Common Files\Adobe AIR
2009-05-26 04:50 . 2009-05-26 05:35 d-----w c:\documents and settings\All Users\Application Data\NOS
2009-05-26 04:49 . 2009-05-26 05:35 d-----w c:\program files\NOS
2009-05-25 21:58 . 2008-06-20 00:24 28544 ----a-w c:\windows\system32\drivers\pavboot.sys
2009-05-25 21:58 . 2009-05-25 21:58 d-----w c:\program files\Panda Security
2009-05-25 19:12 . 2009-05-25 19:12 d-----w c:\documents and settings\Owner\Application Data\Malwarebytes
2009-05-25 19:12 . 2009-04-06 22:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-25 19:12 . 2009-04-06 22:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-25 19:12 . 2009-05-25 19:12 d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-25 19:12 . 2009-05-25 19:12 d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-25 18:56 . 2009-05-25 19:11 d-----w C:\USBNoRisk
2009-05-25 00:51 . 2009-05-25 00:51 d-----w C:\rsit
2009-05-24 19:23 . 2009-05-24 19:23 d-----w c:\program files\Trend Micro
2009-05-24 18:57 . 2009-05-24 18:57 d-----w c:\documents and settings\All Users\Application Data\CA
2009-05-24 18:42 . 2009-05-24 18:42 d-sh--w c:\documents and settings\Owner\IECompatCache
2009-05-23 18:59 . 2009-05-23 19:04 d-----w c:\program files\Exterminate It!
2009-05-20 21:54 . 2009-05-20 21:54 34062 ----a-w c:\documents and settings\Owner\Application Data\Move Networks\ie_bin\Uninst.exe
2009-05-14 22:16 . 2009-03-09 18:34 971776 ----a-w c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\uqa971ad.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
2009-05-09 18:05 . 2009-05-09 18:05 d-sh--w c:\documents and settings\Owner\PrivacIE
2009-05-09 18:05 . 2009-05-09 18:05 d-sh--w c:\documents and settings\NetworkService\IETldCache
2009-05-09 18:02 . 2009-05-09 18:02 d-sh--w c:\documents and settings\Owner\IETldCache
2009-05-09 17:48 . 2009-05-09 17:48 d-----w c:\windows\ie8updates
2009-05-09 17:47 . 2009-04-25 05:30 102400 -c----w c:\windows\system32\dllcache\iecompat.dll
2009-05-09 17:44 . 2009-05-09 17:47 dc-h--w c:\windows\ie8
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-29 21:48 . 2008-06-05 20:03 d-----w c:\program files\Microsoft Windows OneCare Live
2009-05-26 05:24 . 2008-08-12 04:10 d-----w c:\program files\Java
2009-05-26 04:59 . 2008-03-23 00:35 d-----w c:\program files\Common Files\Adobe
2009-05-20 21:56 . 2008-01-26 02:46 d-----w c:\documents and settings\Owner\Application Data\Move Networks
2009-05-15 01:27 . 2007-06-04 15:11 72112 ----a-w c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-14 05:07 . 2008-01-22 20:51 d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-05-09 17:29 . 2008-01-22 20:56 d-----w c:\program files\Microsoft Works
2009-03-25 20:24 . 2009-03-25 20:24 75048 ----a-w c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.0.52\SetupAdmin.exe
2009-03-10 21:01 . 2008-12-18 00:51 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-09 17:29 . 2009-03-09 17:29 97144 ----a-w c:\documents and settings\Owner\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-03-09 17:29 . 2009-03-09 17:29 1010552 ----a-w c:\documents and settings\Owner\Application Data\Move Networks\ie_bin\qsp2ie071303000006.dll
2009-03-08 11:34 . 2004-08-04 12:00 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 11:34 . 2004-08-04 12:00 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 11:33 . 2004-08-04 12:00 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 11:33 . 2004-08-04 12:00 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 11:32 . 2004-08-04 12:00 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 11:32 . 2004-08-04 12:00 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 11:31 . 2004-08-04 12:00 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 11:31 . 2004-08-04 12:00 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 11:31 . 2004-08-04 12:00 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 11:22 . 2004-08-04 12:00 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 14:22 . 2004-08-04 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-06 06:59 . 2009-03-25 20:28 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-03-06 06:59 . 2007-09-07 17:41 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-05-25_20.27.54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-30 15:51 . 2009-05-30 15:51 16384 c:\windows\Temp\Perflib_Perfdata_908.dat
+ 2009-05-30 15:49 . 2009-05-30 15:49 16384 c:\windows\Temp\Perflib_Perfdata_320.dat
- 2009-05-25 18:38 . 2009-05-25 18:38 16384 c:\windows\Temp\Perflib_Perfdata_320.dat
- 2007-06-01 18:54 . 2008-07-16 23:19 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-06-01 18:54 . 2009-05-26 04:50 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-06-01 18:54 . 2008-07-16 23:19 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-06-01 18:54 . 2009-05-26 04:50 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-06-01 18:54 . 2009-05-26 04:50 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2007-06-01 18:54 . 2008-07-16 23:19 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2004-08-04 12:00 . 2008-11-26 22:35 507904 c:\windows\system32\winlogon.exe
+ 2004-08-04 12:00 . 2008-04-14 00:12 507904 c:\windows\system32\winlogon.exe
+ 2004-08-04 12:00 . 2008-04-14 00:12 507904 c:\windows\system32\dllcache\winlogon.exe
+ 2009-04-17 15:59 . 2009-04-17 15:59 128256 c:\windows\Downloaded Program Files\as2stubie.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"ibmmessages"="c:\program files\IBM\Messages By IBM\ibmmessages.exe" [2004-08-06 442368]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 512000]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-01-22 344064]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2006-12-20 159744]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-04-20 208896]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 66176]
"ibmmessages"="c:\program files\IBM\Messages By IBM\\ibmmessages.exe" [2004-08-06 442368]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"BMMLREF"="c:\program files\ThinkPad\Utilities\BMMLREF.EXE" [2005-04-20 20480]
"BMMMONWND"="c:\progra~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2005-04-20 396288]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2006-10-17 1197648]
"QuickCare2.2"="c:\program files\Qwest\QuickCare\bin\sprtcmd.exe" [2007-05-04 198184]
"OneCareUI"="c:\program files\Microsoft Windows OneCare Live\winssnotify.exe" [2009-03-22 63864]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-03-06 177472]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"TpShocks"="TpShocks.exe" - c:\windows\system32\TpShocks.exe [2007-03-29 181808]
"TP4EX"="tp4ex.exe" - c:\windows\system32\TP4EX.exe [2005-10-17 65536]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-6-4 24576]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 21:37 34344 ----a-w c:\program files\Lenovo\HOTKEY\notifyf2.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2006-12-14 16:06 28672 ----a-w c:\program files\Lenovo\HOTKEY\tphklock.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2007-05-17 16:41 32768 ----a-w c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli ACGina
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [5/25/2009 2:58 PM 28544]
R0 Shockprf;Shockprf;c:\windows\system32\drivers\ApsX86.sys [3/2/2007 3:49 PM 100656]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [3/2/2007 3:47 PM 19760]
R0 TPDiskPM;TPDiskPM;c:\windows\system32\drivers\TPDiskPM.sys [6/4/2007 8:46 AM 14848]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [12/13/2008 2:25 PM 111184]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [6/4/2007 10:51 AM 16384]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [6/4/2007 8:49 AM 4442]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/13/2008 2:25 PM 20560]
R2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe [3/22/2009 10:59 AM 24936]
R2 sprtlisten;SupportSoft Listener Service;c:\program files\Common Files\supportsoft\bin\sprtlisten.exe [1/8/2008 12:02 PM 1213728]
R3 TPInput;TPInput;c:\windows\system32\drivers\TPInput.sys [6/4/2007 8:46 AM 6528]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-04-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:34]
2007-06-04 c:\windows\Tasks\BMMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2007-06-04 06:38]
2009-05-30 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 22:54]
2009-05-30 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2007-06-04 06:14]
.
.
Supplementary Scan
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = <local>;*.local
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
DPF: {E6BB2089-163F-466B-812A-748096614DFD} - hxxp://cainternetsecurity.net/scanner/cascanner.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\uqa971ad.default\
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\uqa971ad.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPSFDMGR.dll
FF - plugin: c:\program files\Real\Rave\nprave529.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-30 10:10
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
DLLs Loaded Under Running Processes
- - - - - - - > 'winlogon.exe'(916)
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\Lenovo\HOTKEY\tphklock.dll
- - - - - - - > 'lsass.exe'(972)
c:\program files\ThinkPad\ConnectUtilities\ACGina.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACON.dll
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgr.dll
c:\program files\ThinkPad\ConnectUtilities\AcCryptHlpr.dll
c:\program files\ThinkPad\ConnectUtilities\ACTurinSupport.dll
c:\program files\ThinkPad\ConnectUtilities\AcSmBiosHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcAdaptersInfo.dll
- - - - - - - > 'explorer.exe'(3208)
c:\windows\system32\SynTPFcs.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
.
Completion time: 2009-05-30 10:12
ComboFix-quarantined-files.txt 2009-05-30 17:11
ComboFix2.txt 2009-05-29 14:28
ComboFix3.txt 2009-05-25 20:30
Pre-Run: 11,945,566,208 bytes free
Post-Run: 11,975,512,064 bytes free
226 --- E O F --- 2009-05-14 05:07
Here are the results from the most recent combo fix logs. Please let me know what I need to do next.
Thanks,
ComboFix 09-05-31.02 - Owner 05/31/2009 15:01.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.485 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1296 [VPS 090531-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Windows Live OneCare *On-access scanning disabled* (Updated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}
FW: Windows Live OneCare Firewall *disabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}
file zipped: c:\windows\system32\winlogon.PIF
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\winlogon.PIF
.
((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-31 )))))))))))))))))))))))))))))))
.
2009-05-28 23:43 . 2009-05-28 23:43 d--h--w- c:\windows\PIF
2009-05-28 14:23 . 2009-05-28 14:23 2087279 ----a-w- C:\OneCareSupportData.zip
2009-05-27 02:10 . 2009-05-27 02:10 d-----w- C:\_OTM
2009-05-26 05:06 . 2009-05-26 05:21 d-----w- c:\documents and settings\Owner\.SunDownloadManager
2009-05-26 05:00 . 2009-05-26 05:00 d-----w- c:\program files\Common Files\Adobe AIR
2009-05-26 04:50 . 2009-05-26 05:35 d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-05-26 04:49 . 2009-05-26 05:35 d-----w- c:\program files\NOS
2009-05-25 21:58 . 2008-06-20 00:24 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-05-25 21:58 . 2009-05-25 21:58 d-----w- c:\program files\Panda Security
2009-05-25 19:12 . 2009-05-25 19:12 d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-05-25 19:12 . 2009-04-06 22:32 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-25 19:12 . 2009-04-06 22:32 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-25 19:12 . 2009-05-25 19:12 d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-25 19:12 . 2009-05-25 19:12 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-25 18:56 . 2009-05-25 19:11 d-----w- C:\USBNoRisk
2009-05-25 00:51 . 2009-05-25 00:51 d-----w- C:\rsit
2009-05-24 19:23 . 2009-05-24 19:23 d-----w- c:\program files\Trend Micro
2009-05-24 18:57 . 2009-05-24 18:57 d-----w- c:\documents and settings\All Users\Application Data\CA
2009-05-24 18:42 . 2009-05-24 18:42 d-sh--w- c:\documents and settings\Owner\IECompatCache
2009-05-23 18:59 . 2009-05-23 19:04 d-----w- c:\program files\Exterminate It!
2009-05-20 21:54 . 2009-05-20 21:54 34062 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\ie_bin\Uninst.exe
2009-05-14 22:16 . 2009-03-09 18:34 971776 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\uqa971ad.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
2009-05-09 18:05 . 2009-05-09 18:05 d-sh--w- c:\documents and settings\Owner\PrivacIE
2009-05-09 18:05 . 2009-05-09 18:05 d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-05-09 18:02 . 2009-05-09 18:02 d-sh--w- c:\documents and settings\Owner\IETldCache
2009-05-09 17:48 . 2009-05-09 17:48 d-----w- c:\windows\ie8updates
2009-05-09 17:47 . 2009-04-25 05:30 102400 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-05-09 17:44 . 2009-05-09 17:47 dc-h--w- c:\windows\ie8
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-31 21:06 . 2008-06-05 20:03 d-----w- c:\program files\Microsoft Windows OneCare Live
2009-05-26 05:24 . 2008-08-12 04:10 d-----w- c:\program files\Java
2009-05-26 04:59 . 2008-03-23 00:35 d-----w- c:\program files\Common Files\Adobe
2009-05-20 21:56 . 2008-01-26 02:46 d-----w- c:\documents and settings\Owner\Application Data\Move Networks
2009-05-15 01:27 . 2007-06-04 15:11 72112 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-14 05:07 . 2008-01-22 20:51 d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-05-09 17:29 . 2008-01-22 20:56 d-----w- c:\program files\Microsoft Works
2009-03-25 20:24 . 2009-03-25 20:24 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.0.52\SetupAdmin.exe
2009-03-10 21:01 . 2008-12-18 00:51 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-03-09 17:29 . 2009-03-09 17:29 97144 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-03-09 17:29 . 2009-03-09 17:29 1010552 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\ie_bin\qsp2ie071303000006.dll
2009-03-08 11:34 . 2004-08-04 12:00 914944 ----a-w- c:\windows\system32\wininet.dll
2009-03-08 11:34 . 2004-08-04 12:00 43008 ----a-w- c:\windows\system32\licmgr10.dll
2009-03-08 11:33 . 2004-08-04 12:00 18944 ----a-w- c:\windows\system32\corpol.dll
2009-03-08 11:33 . 2004-08-04 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2009-03-08 11:32 . 2004-08-04 12:00 72704 ----a-w- c:\windows\system32\admparse.dll
2009-03-08 11:32 . 2004-08-04 12:00 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-03-08 11:31 . 2004-08-04 12:00 34816 ----a-w- c:\windows\system32\imgutil.dll
2009-03-08 11:31 . 2004-08-04 12:00 48128 ----a-w- c:\windows\system32\mshtmler.dll
2009-03-08 11:31 . 2004-08-04 12:00 45568 ----a-w- c:\windows\system32\mshta.exe
2009-03-08 11:22 . 2004-08-04 12:00 156160 ----a-w- c:\windows\system32\msls31.dll
2009-03-06 14:22 . 2004-08-04 12:00 284160 ----a-w- c:\windows\system32\pdh.dll
2009-03-06 06:59 . 2009-03-25 20:28 1900544 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-03-06 06:59 . 2007-09-07 17:41 36864 ----a-w- c:\windows\system32\drivers\usbaapl.sys
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\windows\PIF ----
((((((((((((((((((((((((((((( SnapShot@2009-05-25_20.27.54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-31 19:59 . 2009-05-31 19:59 16384 c:\windows\Temp\Perflib_Perfdata_98c.dat
+ 2009-05-31 19:57 . 2009-05-31 19:57 16384 c:\windows\Temp\Perflib_Perfdata_30c.dat
+ 2007-06-01 18:54 . 2009-05-26 04:50 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-06-01 18:54 . 2008-07-16 23:19 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-06-01 18:54 . 2008-07-16 23:19 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-06-01 18:54 . 2009-05-26 04:50 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-06-01 18:54 . 2009-05-26 04:50 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2007-06-01 18:54 . 2008-07-16 23:19 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2004-08-04 12:00 . 2008-11-26 22:35 507904 c:\windows\system32\winlogon.exe
+ 2004-08-04 12:00 . 2008-04-14 00:12 507904 c:\windows\system32\winlogon.exe
+ 2004-08-04 12:00 . 2008-04-14 00:12 507904 c:\windows\system32\dllcache\winlogon.exe
+ 2009-04-17 15:59 . 2009-04-17 15:59 128256 c:\windows\Downloaded Program Files\as2stubie.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"ibmmessages"="c:\program files\IBM\Messages By IBM\ibmmessages.exe" [2004-08-06 442368]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 512000]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-01-22 344064]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2006-12-20 159744]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-04-20 208896]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 66176]
"ibmmessages"="c:\program files\IBM\Messages By IBM\\ibmmessages.exe" [2004-08-06 442368]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"BMMLREF"="c:\program files\ThinkPad\Utilities\BMMLREF.EXE" [2005-04-20 20480]
"BMMMONWND"="c:\progra~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2005-04-20 396288]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2006-10-17 1197648]
"QuickCare2.2"="c:\program files\Qwest\QuickCare\bin\sprtcmd.exe" [2007-05-04 198184]
"OneCareUI"="c:\program files\Microsoft Windows OneCare Live\winssnotify.exe" [2009-03-22 63864]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-03-06 177472]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"TpShocks"="TpShocks.exe" - c:\windows\system32\TpShocks.exe [2007-03-29 181808]
"TP4EX"="tp4ex.exe" - c:\windows\system32\TP4EX.exe [2005-10-17 65536]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-6-4 24576]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 21:37 34344 ----a-w- c:\program files\Lenovo\HOTKEY\notifyf2.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2006-12-14 16:06 28672 ----a-w- c:\program files\Lenovo\HOTKEY\tphklock.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2007-05-17 16:41 32768 ----a-w- c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli ACGina
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [5/25/2009 2:58 PM 28544]
R0 Shockprf;Shockprf;c:\windows\system32\drivers\ApsX86.sys [3/2/2007 3:49 PM 100656]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [3/2/2007 3:47 PM 19760]
R0 TPDiskPM;TPDiskPM;c:\windows\system32\drivers\TPDiskPM.sys [6/4/2007 8:46 AM 14848]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [12/13/2008 2:25 PM 111184]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [6/4/2007 10:51 AM 16384]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [6/4/2007 8:49 AM 4442]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/13/2008 2:25 PM 20560]
R2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe [3/22/2009 10:59 AM 24936]
R2 sprtlisten;SupportSoft Listener Service;c:\program files\Common Files\supportsoft\bin\sprtlisten.exe [1/8/2008 12:02 PM 1213728]
R3 TPInput;TPInput;c:\windows\system32\drivers\TPInput.sys [6/4/2007 8:46 AM 6528]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-04-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:34]
2007-06-04 c:\windows\Tasks\BMMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2007-06-04 06:38]
2009-05-31 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 22:54]
2009-05-31 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2007-06-04 06:14]
.
.
Supplementary Scan
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = <local>;*.local
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
DPF: {E6BB2089-163F-466B-812A-748096614DFD} - hxxp://cainternetsecurity.net/scanner/cascanner.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\uqa971ad.default\
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\uqa971ad.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPSFDMGR.dll
FF - plugin: c:\program files\Real\Rave\nprave529.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-31 15:04
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
DLLs Loaded Under Running Processes
- - - - - - - > 'winlogon.exe'(916)
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\Lenovo\HOTKEY\tphklock.dll
- - - - - - - > 'lsass.exe'(972)
c:\program files\ThinkPad\ConnectUtilities\ACGina.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACON.dll
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgr.dll
c:\program files\ThinkPad\ConnectUtilities\AcCryptHlpr.dll
c:\program files\ThinkPad\ConnectUtilities\ACTurinSupport.dll
c:\program files\ThinkPad\ConnectUtilities\AcSmBiosHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcAdaptersInfo.dll
.
Completion time: 2009-05-31 15:06
ComboFix-quarantined-files.txt 2009-05-31 22:05
ComboFix2.txt 2009-05-30 17:12
ComboFix3.txt 2009-05-29 14:28
ComboFix4.txt 2009-05-25 20:30
Pre-Run: 11,931,250,688 bytes free
Post-Run: 11,928,580,096 bytes free
225 --- E O F --- 2009-05-14 05:07
Upload was successful
It's possible that OneCare is finding Ursnif in the Combofix backup files.
Let's remove them and then you can run another OneCare scan
Uninstall Combofix
Uninstall OTMoveIt (OTM.exe)
Run OneCare and let's see if we've sorted it
Give it 24 hours before you reply, let's make sure it doesn't come back like last time.
- Open OTMoveIt, click Cleanup.
- When a box pops up, click YES.
Hi Katana, I've uninstalled combofix, but I'm not sure how to read the directions above for OTMoveIt. I doubleclick OTMoveIt, but the only option it gives me is to "Run" or "Cancel". I don't see a "Cleanup" option. Am I opening it correctly?
When I select Run nothing happens. I get the hourglass icon as if it is thinking, but then nothing else.
On a side note, I have not seen the virus warning pop up since the ComboFix advice. What should I do next?
Thanks,
That's good then
Reboot your machine and then do the following
Please download OTCleanup from HERE
Click the OTC.exe icon and then click the CleanUp button.
If you get any pop ups asking if it is OK let the program proceed. At the end the program may ask to let it reboot the computer. Let it do so.
Let me know if there were any problems with OT CleanIt