Help Please....TrojanSPM/LX


Help Please....TrojanSPM/LX

Post by ohdeucey on Fri Jan 29, 2010 12:15 am

Hi,

It just started this morning... the red circle with an "x" in the taskbar and the annoying popup telling me my PC is at risk. Did Malwarebytes and CClear and Virus Scan to no avail (actually, Malwarebytes removed something but it came back).

Anyway, here's my HJT log.

Thanks for looking.

-Deuce


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:44:46 PM, on 1/28/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CFdesign 2010\CFdServ.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\CFdesign 2010\smpd.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SolidWorks Corp\SolidWorks Flow Simulation\binCFW\StandAloneSlv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\Dimension\CatalystEX 4.0\nt\ModelServer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\Microsoft Office Communicator\communicator.exe
C:\WINDOWS\system32\smss32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [SolidWorks_CheckForUpdates] "C:\Program Files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe" /scheduler
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\communicator.exe" /fromrunkey
O4 - HKLM\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Append Link Target to Existing PDF - [You must be registered and logged in to see this link.] Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - [You must be registered and logged in to see this link.] Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - [You must be registered and logged in to see this link.] Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - [You must be registered and logged in to see this link.] Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\helper32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\helper32.dll
O16 - DPF: {1ED48504-8834-11D5-AC75-0008C73FD642} (ProductView Express) - [You must be registered and logged in to see this link.] Files\proeWildfire 2.0\i486_nt\obj\pvx_install.exe
O16 - DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} (WMI Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupControlXP Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - [You must be registered and logged in to see this link.]
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = andover.polycom.com
O17 - HKLM\Software\..\Telephony: DomainName = andover.polycom.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = andover.polycom.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = andover.polycom.com,milpitas.polycom.com,austin.polycom.com,emea.polycom.com,asia.polycom.com,atlanta.polycom.com,westminster.polycom.com,polycom.com,spectralink.com,polycom.sqa
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = andover.polycom.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = andover.polycom.com,milpitas.polycom.com,austin.polycom.com,emea.polycom.com,asia.polycom.com,atlanta.polycom.com,westminster.polycom.com,polycom.com,spectralink.com,polycom.sqa
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = andover.polycom.com,milpitas.polycom.com,austin.polycom.com,emea.polycom.com,asia.polycom.com,atlanta.polycom.com,westminster.polycom.com,polycom.com,spectralink.com,polycom.sqa
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BES Client (BESClient) - BigFix Inc. - C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CFdesign 2010 Server - Blue Ridge Numerics, Inc. - C:\Program Files\CFdesign 2010\CFdServ.exe
O23 - Service: SW Distributed TS Coordinator Service (CoordinatorServiceHost) - Dassault Systèmes SolidWorks Corp. - C:\Program Files\SolidWorks Corp\SolidWorks (2)\swScheduler\DTSCoordinatorService.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: McAfee Engine Service (McAfeeEngineService) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\WINDOWS\system32\mfevtps.exe
O23 - Service: Dimension 3D Printers Service (ModelServerWinServiceP) - Stratasys, Inc. - C:\Program Files\Dimension\CatalystEX 4.0\nt\ModelServer.exe
O23 - Service: MPICH2 Process Manager, Argonne National Lab (mpich2_smpd) - Argonne National Lab - C:\Program Files\CFdesign 2010\smpd.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Solver for Flow Simulation 2010 - Mentor Graphics Corporation - C:\Program Files\SolidWorks Corp\SolidWorks Flow Simulation\binCFW\StandAloneSlv.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 12924 bytes
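Added example, not part of ohdeucey's or Belahzur's posts: a short Python script that does by rule what Belahzur did by eye on the HijackThis log above. It flags the three things that stand out in this log: a binary whose name is a core Windows process name with a suffix bolted on (smss32.exe, present both in the running-process list and in the HKLM Run key), a Run value whose name is simply the executable's file name inside system32, and an O10 entry that HijackThis itself could not attribute to a vendor (helper32.dll registered as a Winsock LSP). The sample lines are copied from the log above into a constructed string so the script runs offline; the core-name list, rule names and severities are my own choices, not anything HijackThis emits.

```python
"""Triage a HijackThis (HJT) log for fake-AV indicators.

Added example: the heuristics, rule names and severities are the author's
own, not HijackThis output. Runs offline on the constructed SAMPLE_LOG.
"""
import re

# Core Windows binaries that fake-AV droppers imitate by adding a suffix
# (smss32.exe for smss.exe, Winlogon32.exe for winlogon.exe, ...).
CORE_NAMES = ("smss", "csrss", "winlogon", "lsass", "services", "svchost", "explorer", "spoolsv")

# Legitimate Run values whose name is simply the executable's file name.
RUN_NAME_ALLOWLIST = {"ctfmon.exe"}

PROCESS_RE = re.compile(r"^[a-z]:\\.+\.exe$", re.I)
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O10_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<path>.+)$", re.I)

# Constructed sample: lines copied from the HJT log posted above.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\WINDOWS\system32\smss32.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\helper32.dll
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
"""


def basename(path):
    """Lower-case file name of a Windows path."""
    return path.strip().rsplit("\\", 1)[-1].lower()


def first_token(cmd):
    """Executable path from a Run command line: the quoted string if quoted,
    otherwise the first whitespace-delimited token (an unquoted path with
    spaces is therefore truncated, which can only suppress a finding)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def is_lookalike(filename):
    """True for names built from a core process name plus a digit/underscore/
    hyphen suffix (smss32.exe, winlogon32.exe); False for the real names."""
    stem = basename(filename).rsplit(".", 1)[0]
    return any(re.fullmatch(core + r"[0-9_\-]+[0-9a-z_\-]*", stem) for core in CORE_NAMES)


def triage(log_text):
    """Return a list of {'severity', 'rule', 'line'} findings for one HJT log."""
    findings = []

    def hit(severity, rule, line):
        findings.append({"severity": severity, "rule": rule, "line": line})

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PROCESS_RE.match(line):  # running-process section
            if is_lookalike(line):
                hit("high", "lookalike-core-name", line)
            continue
        m = O4_RE.match(line)
        if m:
            target = first_token(m.group("cmd"))
            name = basename(target)
            if is_lookalike(name):
                hit("high", "lookalike-core-name", line)
            # Droppers register themselves under their own file name inside
            # system32; real products use a product name (ShStatEXE, NvCplDaemon).
            if (m.group("name").lower() == name
                    and "\\system32\\" in target.lower()
                    and name not in RUN_NAME_ALLOWLIST):
                hit("medium", "run-value-named-after-exe", line)
            continue
        if O10_RE.match(line):
            # An LSP that HJT cannot attribute is loaded into every Winsock
            # process; treat it as high until the DLL is identified.
            hit("high", "unknown-lsp", line)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['rule']:26} {f['line']}")
```

The LSP finding matters for clean-up order: helper32.dll is loaded into every process that uses Winsock, so deleting the file without removing its catalog entry can leave the machine without working networking; on XP SP2 and later `netsh winsock reset` rebuilds the catalog.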


Re: Help Please....TrojanSPM/LX

Post by Belahzur on Fri Jan 29, 2010 12:24 am

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:

    O4 - HKLM\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe

  • Press "Fix Checked"
  • Close HijackThis.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.





Re: Help Please....TrojanSPM/LX

Post by ohdeucey on Fri Jan 29, 2010 1:09 am

Here you go... thanks.

Malwarebytes' Anti-Malware 1.44
Database version: 3654
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

1/28/2010 7:57:54 PM
mbam-log-2010-01-28 (19-57-54).txt

Scan type: Quick Scan
Objects scanned: 130249
Time elapsed: 8 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 7
Folders Infected: 0
Files Infected: 18

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\helper32.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\secfile (Trojan.Fakealert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\helper32.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\flabuski\Local Settings\Temporary Internet Files\Content.IE5\85U78LAJ\0001134[1].exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\flabuski\Local Settings\Temporary Internet Files\Content.IE5\85U78LAJ\0001134[2].exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\smss32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Winlogon32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\000005a6.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\00000e68.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\0000149e.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\00002333.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\00002ab7.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\000035e1.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\00003b25.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\0000580f.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\00005f31.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\00006ac9.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\00007eb5.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\41.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\IS15.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
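Added example, not from either poster: the MBAM log above records seven policy values the malware had set (Task Manager disabled, wallpaper and Active Desktop locked) in the form `Bad: (1) Good: (0)`, and the ComboFix output later in the thread still lists `"DisableTaskMgr"= 1` under HKCU, so it is worth being able to reapply the benign values yourself rather than trusting one tool's "deleted successfully" line. The Python below parses the `Registry Data Items Infected` section of an MBAM log and emits a REGEDIT4 file that sets each value back to its reported Good value. My assumptions: the sample text is constructed from the log above; every such value is written as a REG_DWORD, which is what these Policies values are; the generated text is only printed, never imported by the script.

```python
"""Turn MBAM 'Registry Data Items Infected' lines into a .reg restore file.

Added example; assumes each reported value is a REG_DWORD (true for the
Policies\Explorer, Policies\ActiveDesktop and Policies\System values above).
"""
import re

# Constructed sample: lines copied from the MBAM log posted above, plus the
# following section header so the section-tracking logic is exercised.
SAMPLE_MBAM = r"""
Registry Data Items Infected: 7

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)
"""

# hive \ key-path \ value-name (detection) -> Bad: (x) Good: (y)
DATA_ITEM_RE = re.compile(
    r"^(?P<hive>HKEY_[A-Z_]+)\\(?P<key>.+)\\(?P<value>[^\\]+) "
    r"\((?P<detection>[^)]+)\) -> Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)"
)


def parse_data_items(text):
    """Parse each line of the 'Registry Data Items Infected' section into a
    dict with hive, key, value, detection, bad, good. Other sections are
    ignored; the summary line with a count ('...Infected: 7') is not a header."""
    items, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(":") and not line.startswith("HKEY_"):
            in_section = line == "Registry Data Items Infected:"
            continue
        m = DATA_ITEM_RE.match(line) if in_section else None
        if m:
            items.append(m.groupdict())
    return items


def to_reg(items):
    """Build REGEDIT4 text that writes each value's Good value as a DWORD,
    grouping values under their key so the file imports cleanly."""
    by_key = {}
    for it in items:
        by_key.setdefault(f"{it['hive']}\\{it['key']}", []).append(it)
    out = ["REGEDIT4", ""]
    for key, vals in by_key.items():
        out.append(f"[{key}]")
        for it in vals:
            out.append(f'"{it["value"]}"=dword:{int(it["good"]):08x}')
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    print(to_reg(parse_data_items(SAMPLE_MBAM)))
```

Import the result only after the dropper and its Run entries are gone, then reboot and re-check the values: a policy that is re-set by resident malware will simply come back, which is what the later ComboFix output in this thread suggests happened here.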


Re: Help Please....TrojanSPM/LX

Post by Belahzur on Fri Jan 29, 2010 1:11 am

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts.
  • NOTE: ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  • The Recovery Console provides a recovery/repair mode should a problem occur during a ComboFix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan; select yes.
  • Allow ComboFix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.





Re: Help Please....TrojanSPM/LX

Post by ohdeucey on Fri Jan 29, 2010 1:59 am

ComboFix 10-01-28.04 - flabuski 01/28/2010 20:37:20.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1518 [GMT -5:00]
Running from: c:\documents and settings\flabuski\My Documents\My Downloads\ComboFix\Combo-Fix.exe
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\data
c:\data\flabuski.dat
c:\data\testflag.dat
C:\s
c:\windows\Fonts\MyriadPro-Regular.otf
c:\windows\system32\18467.exe
c:\windows\system32\19169.exe
c:\windows\system32\26500.exe
c:\windows\system32\6334.exe
c:\windows\system32\uninstall.exe

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - c:\windows\system32\drivers\atapi.sys
.
((((((((((((((((((((((((( Files Created from 2009-12-28 to 2010-01-29 )))))))))))))))))))))))))))))))
.

2010-01-28 21:19 . 2010-01-28 21:19 -------- d-----w- c:\program files\Trend Micro
2010-01-28 15:28 . 2010-01-28 15:28 -------- d-----w- C:\spoolerlogs
2010-01-26 21:29 . 2010-01-26 21:29 -------- d-----w- c:\documents and settings\flabuski\Application Data\Polycom
2010-01-26 21:28 . 2010-01-26 21:28 -------- d-----w- c:\program files\Polycom
2010-01-26 21:27 . 2010-01-26 21:32 -------- d-----w- c:\documents and settings\flabuski\Local Settings\Application Data\Downloaded Installations
2010-01-21 18:07 . 2010-01-29 01:50 -------- d-----w- c:\documents and settings\flabuski\Tracing
2010-01-21 18:06 . 2010-01-27 20:43 -------- d-----w- c:\program files\Microsoft Office Communicator
2010-01-18 20:16 . 2010-01-18 20:16 -------- d-----w- c:\documents and settings\flabuski\Application Data\McAfee
2010-01-08 21:03 . 2010-01-29 01:46 -------- d-----w- c:\program files\CFdesign 2010
2010-01-08 12:05 . 2010-01-08 14:06 -------- d-----w- C:\SolidWorks Data (2)
2010-01-03 23:46 . 2010-01-03 23:46 -------- d-----w- c:\program files\Apoint
2010-01-03 23:46 . 2005-09-29 01:57 113847 ----a-r- c:\windows\system32\drivers\Apfiltr.sys
2010-01-03 23:46 . 2005-03-05 01:31 95511 ----a-r- c:\windows\system32\Vxdif.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-29 01:48 . 2009-10-27 16:48 -------- d-----w- c:\documents and settings\flabuski\Application Data\IM
2010-01-29 00:46 . 2009-10-27 19:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-29 00:46 . 2009-10-27 19:42 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-29 00:24 . 2009-10-28 17:02 -------- d-----w- c:\documents and settings\flabuski\Application Data\SolidWorks
2010-01-29 00:17 . 2009-10-23 02:17 110653 ----a-w- c:\windows\system32\nvModes.dat
2010-01-27 03:57 . 2009-11-30 21:02 405376 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-01-27 01:31 . 2009-10-23 02:26 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
2010-01-26 22:52 . 2009-11-24 12:09 79488 ----a-w- c:\documents and settings\flabuski\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-26 16:09 . 2009-12-02 07:53 -------- d-----w- c:\documents and settings\flabuski\Application Data\vlc
2010-01-18 20:12 . 2009-11-23 11:58 5271445 ----a-w- c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Current\EPOAGENT3000\Install\0409\FramePkg.exe
2010-01-18 18:41 . 2010-01-18 18:41 87360 ----a-w- c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Current\VIRUSCAN8700\HotFix\2\0000\setup.exe
2010-01-13 22:29 . 2009-10-27 14:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-08 12:56 . 2009-10-28 00:50 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2010-01-08 12:52 . 2009-10-27 17:21 -------- d-----w- c:\program files\SolidWorks Corp
2010-01-08 12:49 . 2009-10-27 17:23 -------- d-----w- c:\program files\Common Files\SolidWorks Shared
2010-01-08 12:06 . 2009-10-27 16:49 -------- d-----w- c:\program files\Common Files\SolidWorks Installation Manager
2010-01-07 21:07 . 2009-10-27 19:41 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2009-10-27 19:41 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-04 16:35 . 2009-11-02 17:29 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-03 23:46 . 2009-10-23 01:32 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-26 01:39 . 2009-10-28 18:51 -------- d-----w- c:\documents and settings\flabuski\Application Data\Apple Computer
2009-12-26 01:35 . 2009-10-28 18:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-12-23 20:08 . 2009-12-02 17:19 -------- d-----w- c:\program files\Dell
2009-12-23 19:29 . 2009-10-27 16:37 81296 ----a-w- c:\documents and settings\flabuski\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-23 19:11 . 2009-12-23 18:01 3452 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-12-23 19:11 . 2009-12-23 18:01 3452 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-12-23 19:11 . 2009-12-23 18:01 88 --sh--r- c:\documents and settings\All Users\Application Data\8D679D458B.sys
2009-12-23 19:11 . 2009-12-23 18:01 88 --sh--r- c:\documents and settings\All Users\Application Data\8D679D458B.sys
2009-12-23 18:06 . 2009-12-23 18:01 -------- d-----w- c:\documents and settings\flabuski\Application Data\Corel
2009-12-23 18:04 . 2009-12-23 18:04 -------- d-----w- c:\documents and settings\flabuski\Application Data\dvdcss
2009-12-23 16:17 . 2009-12-23 16:17 -------- d-----w- c:\program files\Corel
2009-12-22 12:47 . 2009-12-22 12:47 -------- d-----w- c:\documents and settings\flabuski\Application Data\Alibre Design
2009-12-22 12:34 . 2009-12-22 12:33 -------- d-----w- c:\program files\Alibre Design
2009-12-22 12:34 . 2009-12-22 12:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Alibre Design
2009-12-22 05:21 . 2008-04-14 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
2009-12-22 05:20 . 2008-04-14 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-12-21 13:29 . 2009-12-21 13:29 60744 ----a-w- c:\documents and settings\flabuski\g2mdlhlpx.exe
2009-12-10 13:23 . 2009-12-10 13:23 -------- d-----w- c:\documents and settings\All Users\Application Data\SkyGolf
2009-12-10 13:23 . 2009-12-10 13:23 -------- d-----w- c:\documents and settings\flabuski\Application Data\SkyGolf
2009-12-10 13:22 . 2009-12-10 13:22 -------- d-----w- c:\program files\SkyGolf
2009-12-02 17:19 . 2009-12-02 17:19 -------- d-----w- c:\documents and settings\flabuski\Application Data\Dell
2009-12-02 17:19 . 2009-12-02 17:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Dell
2009-12-02 07:50 . 2009-12-02 07:50 -------- d-----w- c:\program files\VideoLAN
2009-12-02 03:56 . 2009-12-02 03:56 -------- d-----w- c:\documents and settings\flabuski\Application Data\EDrawings
2009-11-23 19:31 . 2009-11-23 19:31 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-11-23 19:30 . 2009-11-23 19:30 152576 ----a-w- c:\documents and settings\flabuski\Application Data\Sun\Java\jre1.6.0_12\lzma.dll
2009-11-21 15:51 . 2008-04-14 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-08 23:10 . 2009-11-08 23:10 161632 ----a-w- c:\documents and settings\flabuski\Application Data\Juniper Networks\Setup Client\x86_Microsoft.VC80.CRTP_8.0.50727.762.exe
2009-11-08 23:09 . 2009-11-08 23:09 291696 ----a-w- c:\documents and settings\flabuski\Application Data\Juniper Networks\Setup Client\x86_Microsoft.VC80.CRTR_8.0.50727.762.exe
2009-11-08 23:09 . 2009-10-27 22:53 36948 ----a-w- c:\documents and settings\flabuski\Application Data\Juniper Networks\Setup\uninstall.exe
2009-11-08 17:35 . 2009-12-07 12:02 171412 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
2009-11-08 17:33 . 2009-10-23 01:04 87263 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-11-05 17:20 . 2009-11-02 17:16 1162776 ----a-w- C:\Polycom_Global_Q209.msi
2009-11-03 19:33 . 2009-11-03 19:33 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-09-01 01:07 . 2010-01-18 18:48 23864 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-23 7561216]
"nwiz"="nwiz.exe" [2006-03-23 1519616]
"NVHotkey"="nvHotkey.dll" [2006-03-23 73728]
"NvMediaCenter"="NvMCTray.dll" [2006-03-23 86016]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2009-10-16 124224]
"SolidWorks_CheckForUpdates"="c:\program files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe" [2009-07-29 7320872]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-10-03 38768]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-10-03 640376]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-10-10 69632]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-23 148888]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-02-20 1191936]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2009-09-25 136512]
"Communicator"="c:\program files\Microsoft Office Communicator\communicator.exe" [2009-12-12 5114208]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-10-27 809488]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-11-07 20:41 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1004336348-2077806209-725345543-2722\Scripts\Logoff\0\0]
"Script"=lo1.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1004336348-2077806209-725345543-2722\Scripts\Logon\0\0]
"Script"=bigfixclient.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1004336348-2077806209-725345543-2722\Scripts\Logon\1\0]
"Script"=evclient.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1004336348-2077806209-725345543-2722\Scripts\Logon\2\0]
"Script"=li1.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1004336348-2077806209-725345543-2924\Scripts\Logoff\0\0]
"Script"=lo1.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1004336348-2077806209-725345543-2924\Scripts\Logon\0\0]
"Script"=\\andover.polycom.com\sysvol\andover.polycom.com\scripts\LDInstall.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1004336348-2077806209-725345543-2924\Scripts\Logon\1\0]
"Script"=bigfixclient.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1004336348-2077806209-725345543-2924\Scripts\Logon\2\0]
"Script"=evclient.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1004336348-2077806209-725345543-2924\Scripts\Logon\3\0]
"Script"=li1.cmd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LANDesk Policy Invoker"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Dimension\\CatalystEX 4.0\\nt\\CatalystEX.exe"=
"c:\\Program Files\\proeWildfire 2.0\\i486_nt\\nms\\nmsd.exe"=
"c:\\Program Files\\proeWildfire 2.0\\i486_nt\\obj\\pro_comm_msg.exe"=
"c:\\Program Files\\proeWildfire 2.0\\i486_nt\\obj\\xtop.exe"=
"c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
"c:\\Program Files\\CFdesign 2010\\SMPD.EXE"=
"c:\\Program Files\\Polycom\\Polycom CMA Desktop\\vvsys.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 CFdesign 2010 Server;CFdesign 2010 Server;c:\program files\CFdesign 2010\CFdServ.exe [12/15/2009 6:38 PM 439664]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [10/27/2009 6:04 PM 10384]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\engineserver.exe [8/31/2009 8:07 PM 21256]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [10/27/2009 9:03 AM 70728]
R2 ModelServerWinServiceP;Dimension 3D Printers Service;c:\program files\Dimension\CatalystEX 4.0\nt\ModelServer.exe [1/16/2009 2:11 PM 442368]
R2 mpich2_smpd;MPICH2 Process Manager, Argonne National Lab;c:\program files\CFdesign 2010\SMPD.EXE [11/16/2009 9:52 AM 724992]
R2 Remote Solver for Flow Simulation 2010;Remote Solver for Flow Simulation 2010;c:\program files\SolidWorks Corp\SolidWorks Flow Simulation\binCFW\StandAloneSlv.exe [9/11/2009 7:46 PM 144680]
S0 cerc6;cerc6; [x]
S3 CoordinatorServiceHost;SW Distributed TS Coordinator Service;c:\program files\SolidWorks Corp\SolidWorks (2)\swScheduler\DTSCoordinatorService.exe [10/15/2009 6:51 AM 87336]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [10/27/2009 9:03 AM 65448]
S4 LANDesk Policy Invoker;LANDesk Policy Invoker;c:\program files\LANDesk\LDClient\policy.client.invoker.exe [10/27/2009 8:42 AM 139264]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 6:01 AM 2799808]
.
Contents of the 'Scheduled Tasks' folder

2010-01-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {1ED48504-8834-11D5-AC75-0008C73FD642} - [You must be registered and logged in to see this link.] files\proeWildfire 2.0\i486_nt\obj\pvx_install.exe
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\flabuski\Application Data\Mozilla\Firefox\Profiles\eaiicgw0.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\program files\Mozilla Firefox\components\Scriptff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

AddRemove-ENGINEER Release Wildfire 2.0 Datecode M280 - g:\program files\proeWildfire 2.0\uninstall\i486_nt\obj\psuninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-01-28 20:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1004)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(848)
c:\windows\system32\nview.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\nvwddi.dll
c:\program files\McAfee\Common Framework\McTrayLegacySupportPlugin.dll
c:\program files\McAfee\Common Framework\McTrayInterfaceLib.dll
c:\program files\McAfee\Common Framework\McAfeeWin32GUISupportDLL.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\BigFix Enterprise\BES Client\BESClient.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\windows\system32\CBA\pds.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\vstskmgr.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\McAfee\VirusScan Enterprise\mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\mfeann.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\RunDLL32.exe
c:\windows\system32\rundll32.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\Apoint\HidFind.exe
c:\program files\Apoint\Apntex.exe
c:\program files\McAfee\Common Framework\McTray.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
.
**************************************************************************
.
Completion time: 2010-01-28 20:56:01 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-29 01:55

Pre-Run: 56,637,493,248 bytes free
Post-Run: 56,804,397,056 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 242863385B79D8820430BCFB17862B7D

ohdeucey
Intermediate

Posts: 66
Joined: 2010-01-28
Gender: Male
OS: Windows XP
Points: 25939
Likes: 0

Re: Help Please....TrojanSPM/LX

Post by Belahzur on Fri Jan 29, 2010 2:13 am

Hello.
Is this some kind of school machine? I noticed a few remote/LAN items, along with set policies.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts: 34916
Joined: 2008-08-03
Gender: Male
OS: XP SP3 Media Centre
Points: 245069
Likes: 1

Re: Help Please....TrojanSPM/LX

Post by ohdeucey on Fri Jan 29, 2010 2:20 am

work....I was actually unable to stop the virus scan prior to combo-fix, but it seems to be working fine at the moment


Re: Help Please....TrojanSPM/LX

Post by Belahzur on Fri Jan 29, 2010 5:37 pm

Hello.
The one policy I see set has Task Manager disabled, but the problem is, I've no idea who set that: your boss or the malware.

Was that already there before the infection hit?



Re: Help Please....TrojanSPM/LX

Post by ohdeucey on Sat Jan 30, 2010 7:24 pm

Hi again...

Sorry but I just saw your reply today.

I'm not sure why Task Manager is disabled; it has never been before. Perhaps it is the malware, I don't know.

Is there anything I should do??

Thanks.


Re: Help Please....TrojanSPM/LX

Post by Belahzur on Sat Jan 30, 2010 7:40 pm

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTM.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)


    :reg
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]


  • Return to OTMoveIt, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.



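The OTM script above removes the whole HKCU policies\system key. The open question in the thread is whether that DisableTaskMgr value was set by an administrator (via Group Policy) or by the malware. The following PowerShell is an added example, not the thread's OTM script and not part of any tool mentioned here; it audits the two common lockdown values (DisableTaskMgr and DisableRegistryTools) in both the user and machine policy keys and only removes them when run with -Remove. It assumes it is run in the affected user's session (elevated if the HKLM key is to be modified).

```powershell
# Added example: audit (and optionally clear) the Task Manager / Registry
# Tools lockdown policy values. Not the thread's OTM script.
param([switch]$Remove)

# Both policy locations are checked; the OTM script in the thread deleted
# only the HKCU key.
$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
$valueNames = @('DisableTaskMgr', 'DisableRegistryTools')

foreach ($key in $policyKeys) {
    if (-not (Test-Path $key)) {
        "$key : key not present (no policy set here)"
        continue
    }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $valueNames) {
        $v = $props.$name
        if ($null -eq $v) { continue }   # value absent, nothing to report
        "{0}\{1} = {2}" -f $key, $name, $v
        if ($v -ne 0 -and $Remove) {
            # Removing the value re-enables the tool for that scope.
            Remove-ItemProperty -Path $key -Name $name
            "  removed $name"
        }
    }
}
```

Run it without -Remove first to see what is set. A value applied by domain Group Policy comes back at the next policy refresh even after removal, so if it reappears with no other signs of infection, an administrator set it; `gpresult /v` on the machine shows which policies are applied to the user and computer.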
Re: Help Please....TrojanSPM/LX

Post by ohdeucey on Sat Jan 30, 2010 7:49 pm

========== REGISTRY ==========
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system\ deleted successfully.

OTM by OldTimer - Version 3.1.7.1 log created on 01302010_144751


Re: Help Please....TrojanSPM/LX

Post by Belahzur on Sat Jan 30, 2010 8:35 pm

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

How is the machine running now?



Re: Help Please....TrojanSPM/LX

Post by ohdeucey on Sat Jan 30, 2010 8:47 pm

seems to be running fine....do you need to see anything else??

Thanks!


Re: Help Please....TrojanSPM/LX

Post by Belahzur on Sun Jan 31, 2010 8:14 pm

Nope, this should be fine now.


