Infected with Bloodhound.Exploit.196

Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Forum Guidelines

Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

Posted Image

Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.

Posted Image

DO NOT RUN ComboFix unless requested to.

Posted Image

Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

Posted Image

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Posted Image

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

2 Pages
1
2
→

You cannot start a new topic
You cannot reply to this topic

Infected with Bloodhound.Exploit.196 Symantec quarantine is growing (got to 25G) and was low on disk space

#1 Wdave37

Member

Group: Members
Posts: 20
Joined: 10-March 09

Posted 13 June 2009 - 10:59 AM

DDS (Ver_09-05-14.01) - NTFSx86
Run by David at 11:52:04.18 on Sat 06/13/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.2030.772 [GMT -4:00]

AV: Symantec AntiVirus *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
SP: Symantec AntiVirus *enabled* (Updated) {6C85A515-B91D-4D2B-AF18-40984A4A8493}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\ibmpmsvc.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\rundll32.exe
C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\WLANExt.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Windows\system32\AEADISRV.EXE
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
c:\Program Files\Lenovo\System Update\SUService.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Windows\System32\TpShocks.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Users\David\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Lenovo\Client Security Solution\tvtpwm_tray.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Users\David\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Symantec AntiVirus\SavUI.exe
c:\Windows\system32\Macromed\Flash\FlashUtil9d.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\David\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uDefault_Page_URL = hxxp://lenovo.live.com
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.espn.go.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! ¤u¨ã¦C: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\compan~1\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\compan~1\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: CPwmIEBrowserHelper Object: {f040e541-a427-4cf7-85d8-75e3e0f476c5} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: Yahoo! ¤u¨ã¦C: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\compan~1\installs\cpn\yt.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Google Update] "c:\users\david\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [AdobeUpdater6] "c:\program files\common files\adobe\updater6\Adobe_Updater.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
mRun: [AwaySch] c:\program files\lenovo\awaytask\AwaySch.EXE
mRun: [cssauth] "c:\program files\lenovo\client security solution\cssauth.exe" silent
mRun: [IaNvSrv] c:\program files\intel\intel matrix storage manager\orom\ianvsrv\IaNvSrv.exe
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
mRun: [TpShocks] TpShocks.exe
mRun: [PWMTRV] rundll32 c:\progra~1\thinkpad\utilit~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: DisableCAD = 1 (0x1)
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {0045D4BC-5189-4b67-969C-83BB1906C421} - {0FE81B52-73FA-425F-8F06-3F32451AC73F} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: psfus - c:\windows\system32\psqlpwd.dll
STS: Windows DreamScene: {e31004d1-a431-41b8-826f-e902f9d95c81} - %SystemRoot%\System32\DreamScene.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli psqlpwd ACGina

================= FIREFOX ===================

FF - ProfilePath - c:\users\david\appdata\roaming\mozilla\firefox\profiles\qg5090k0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.espn.go.com/
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\users\david\appdata\local\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\users\david\appdata\roaming\move networks\plugins\npqmp071500000347.dll
FF - plugin: c:\users\david\appdata\roaming\mozilla\firefox\profiles\qg5090k0.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\users\david\appdata\roaming\mozilla\plugins\npgoogletalk.dll

============= SERVICES / DRIVERS ===============

R0 iaNvStor;Intel® Turbo Memory Controller;c:\windows\system32\drivers\iaNvStor.sys [2008-6-6 220696]
R0 Shockprf;Shockprf;c:\windows\system32\drivers\ApsX86.sys [2007-10-16 103472]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2007-10-16 19504]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [2007-2-19 13744]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-2-17 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 55024]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWR32V.SYS [2008-5-12 12080]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\microsoft small business\business contact manager\BcmSqlStartupSvc.exe [2008-1-11 30312]
R2 smihlp;SMI Helper Driver (smihlp);c:\program files\common files\thinkvantage fingerprint software\drivers\smihlp.sys [2007-3-15 11152]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-6-7 101936]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2009-3-4 4232704]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]

=============== Created Last 30 ================

2009-06-12 22:51 <DIR> --d----- c:\program files\iPod
2009-06-12 22:51 <DIR> --d----- c:\program files\iTunes
2009-06-09 22:28 2,033,152 a------- c:\windows\system32\win32k.sys
2009-06-09 22:28 636,928 a------- c:\windows\system32\localspl.dll
2009-06-09 22:28 784,896 a------- c:\windows\system32\rpcrt4.dll
2009-06-07 11:34 <DIR> --d----- C:\SDFix
2009-06-06 08:02 <DIR> --d----- c:\program files\WinDirStat
2009-06-05 23:25 <DIR> --d----- c:\users\david\DoctorWeb
2009-05-26 17:18 90,112 a------- c:\windows\system32\QuickTimeVR.qtx
2009-05-26 17:18 57,344 a------- c:\windows\system32\QuickTime.qts
2009-05-17 06:51 <DIR> --d----- c:\users\david\appdata\roaming\IObit
2009-05-17 06:51 <DIR> --d----- c:\program files\IObit
2009-05-15 08:54 <DIR> --d----- c:\users\david\appdata\roaming\Intel
2009-05-15 08:54 <DIR> --d----- c:\users\david\Roaming
2009-05-15 08:54 <DIR> --d----- c:\programdata\Roaming
2009-05-15 08:54 <DIR> --d----- c:\progra~2\Roaming
2009-05-15 08:52 <DIR> --d----- c:\program files\Cisco
2009-05-15 08:52 <DIR> --d----- c:\program files\common files\Intel
2009-05-15 08:52 <DIR> --d----- c:\programdata\Intel

==================== Find3M ====================

2009-06-13 11:03 118,227 a------- c:\programdata\nvModes.dat
2009-06-13 11:03 118,227 a------- c:\progra~2\nvModes.dat
2009-06-12 22:41 51,200 a------- c:\windows\inf\infpub.dat
2009-06-12 22:41 143,360 a------- c:\windows\inf\infstrng.dat
2009-06-12 22:41 86,016 a------- c:\windows\inf\infstor.dat
2009-04-24 12:05 827,904 a------- c:\windows\system32\wininet.dll
2009-04-24 12:02 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-24 09:44 26,624 a------- c:\windows\system32\ieUnatt.exe
2009-03-16 23:38 40,960 a------- c:\windows\apppatch\apihex86.dll
2009-03-16 23:38 13,824 a------- c:\windows\system32\apilogen.dll
2009-03-16 23:38 24,064 a------- c:\windows\system32\amxread.dll
2008-12-08 14:36 96,907 a------- c:\users\david\appdata\roaming\nvModes.dat
2008-06-11 03:08 665,600 a------- c:\windows\inf\drvindex.dat
2008-06-10 12:57 148 a------- c:\users\david\NetworkDrives.bat
2008-01-20 22:41 174 a--sh--- c:\program files\desktop.ini
2006-11-02 08:40 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:40 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:40 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:40 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-09-02 17:02 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-09-02 17:02 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-09-02 17:02 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 11:52:55.39 ===============

Attached File(s)

Attach.txt (7.79K)
Number of downloads: 12

#2 Net_Surfer

Forum Addict

Group: Banned
Posts: 2,154
Joined: 27-April 08
Gender:Male

Posted 22 June 2009 - 01:35 AM

Hello and to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.
-----------------------------------------------------------
We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
- DDS.scr
- DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explaination about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Follow the instructions that pop up for posting the results.
Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

Kind regards
Net_Surfer

#3 Wdave37

Member

Group: Members
Posts: 20
Joined: 10-March 09

Posted 22 June 2009 - 08:03 PM

My Symantec is giving me a Bloodhound.Exploit.196 detection. The files that it quarantines kept growing at a rapid pace and filled up my hard drive as I ran out of space (the folder got over 20GB). I've already used ATF Cleaner and SuperAntiSpyware Free but those did not solve the problem. Here are my logs and attachments.

DDS (Ver_09-05-14.01) - NTFSx86
Run by David at 20:55:59.39 on Mon 06/22/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.2030.786 [GMT -4:00]

AV: Symantec AntiVirus *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
SP: Symantec AntiVirus *enabled* (Updated) {6C85A515-B91D-4D2B-AF18-40984A4A8493}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\ibmpmsvc.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\WLANExt.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\AEADISRV.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
c:\Program Files\Lenovo\System Update\SUService.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Windows\System32\TpShocks.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Users\David\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Symantec AntiVirus\SavUI.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\Program Files\Lenovo\Client Security Solution\tvtpwm_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Users\David\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MICROS~2\Office12\WINWORD.EXE
C:\Program Files\Microsoft\Office Live\OfficeLiveSignIn.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
c:\Windows\system32\Macromed\Flash\FlashUtil9d.exe
c:\Program Files\Windows Live Toolbar\msn_sl.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\David\Desktop\dds(2).scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uDefault_Page_URL = hxxp://lenovo.live.com
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.espn.go.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! ¤u¨ã¦C: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\compan~1\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\compan~1\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: CPwmIEBrowserHelper Object: {f040e541-a427-4cf7-85d8-75e3e0f476c5} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: Yahoo! ¤u¨ã¦C: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\compan~1\installs\cpn\yt.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Google Update] "c:\users\david\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
mRun: [AwaySch] c:\program files\lenovo\awaytask\AwaySch.EXE
mRun: [cssauth] "c:\program files\lenovo\client security solution\cssauth.exe" silent
mRun: [IaNvSrv] c:\program files\intel\intel matrix storage manager\orom\ianvsrv\IaNvSrv.exe
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
mRun: [TpShocks] TpShocks.exe
mRun: [PWMTRV] rundll32 c:\progra~1\thinkpad\utilit~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: DisableCAD = 1 (0x1)
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {0045D4BC-5189-4b67-969C-83BB1906C421} - {0FE81B52-73FA-425F-8F06-3F32451AC73F} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: psfus - c:\windows\system32\psqlpwd.dll
STS: Windows DreamScene: {e31004d1-a431-41b8-826f-e902f9d95c81} - %SystemRoot%\System32\DreamScene.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli psqlpwd ACGina

================= FIREFOX ===================

FF - ProfilePath - c:\users\david\appdata\roaming\mozilla\firefox\profiles\qg5090k0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.espn.go.com/
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\users\david\appdata\local\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\users\david\appdata\roaming\move networks\plugins\npqmp071500000347.dll
FF - plugin: c:\users\david\appdata\roaming\mozilla\firefox\profiles\qg5090k0.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\users\david\appdata\roaming\mozilla\plugins\npgoogletalk.dll

============= SERVICES / DRIVERS ===============

R0 iaNvStor;Intel® Turbo Memory Controller;c:\windows\system32\drivers\iaNvStor.sys [2008-6-6 220696]
R0 Shockprf;Shockprf;c:\windows\system32\drivers\ApsX86.sys [2007-10-16 103472]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2007-10-16 19504]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [2007-2-19 13744]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-2-17 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 55024]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWR32V.SYS [2008-5-12 12080]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\microsoft small business\business contact manager\BcmSqlStartupSvc.exe [2008-1-11 30312]
R2 smihlp;SMI Helper Driver (smihlp);c:\program files\common files\thinkvantage fingerprint software\drivers\smihlp.sys [2007-3-15 11152]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-6-7 101936]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2009-3-4 4232704]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]

=============== Created Last 30 ================

2009-06-12 22:51 <DIR> --d----- c:\program files\iPod
2009-06-12 22:51 <DIR> --d----- c:\program files\iTunes
2009-06-09 22:28 2,033,152 a------- c:\windows\system32\win32k.sys
2009-06-09 22:28 636,928 a------- c:\windows\system32\localspl.dll
2009-06-09 22:28 784,896 a------- c:\windows\system32\rpcrt4.dll
2009-06-07 11:34 <DIR> --d----- C:\SDFix
2009-06-06 08:02 <DIR> --d----- c:\program files\WinDirStat
2009-06-05 23:25 <DIR> --d----- c:\users\david\DoctorWeb
2009-05-26 17:18 90,112 a------- c:\windows\system32\QuickTimeVR.qtx
2009-05-26 17:18 57,344 a------- c:\windows\system32\QuickTime.qts

==================== Find3M ====================

2009-06-22 20:21 118,227 a------- c:\programdata\nvModes.dat
2009-06-22 20:21 118,227 a------- c:\progra~2\nvModes.dat
2009-06-12 22:41 51,200 a------- c:\windows\inf\infpub.dat
2009-06-12 22:41 143,360 a------- c:\windows\inf\infstrng.dat
2009-06-12 22:41 86,016 a------- c:\windows\inf\infstor.dat
2009-04-24 12:05 827,904 a------- c:\windows\system32\wininet.dll
2009-04-24 12:02 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-24 09:44 26,624 a------- c:\windows\system32\ieUnatt.exe
2008-12-08 14:36 96,907 a------- c:\users\david\appdata\roaming\nvModes.dat
2008-06-11 03:08 665,600 a------- c:\windows\inf\drvindex.dat
2008-06-10 12:57 148 a------- c:\users\david\NetworkDrives.bat
2008-01-20 22:41 174 a--sh--- c:\program files\desktop.ini
2006-11-02 08:40 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:40 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:40 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:40 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-09-02 17:02 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-09-02 17:02 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-09-02 17:02 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 20:56:50.75 ===============

Attached File(s)

Attach.txt (7.65K)
Number of downloads: 5

#4 screen317

Forum Regular

Group: Malware Response Team
Posts: 207
Joined: 09-July 07
Gender:Male
Location:Los Angeles

Posted 22 June 2009 - 08:49 PM

Hello,

Where is Symantec finding these infected files?

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and Paste the entire report in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

After that, please use the Internet Explorer browser, and do an online scan with Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

Click Accept, when prompted to download and install the program files and database of malware definitions.

Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
Click View scan report at the bottom.
Click the Save Report As... button.
Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

**Note**

To optimize scanning time and produce a more sensible report for review:

Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

Next, download my Security Check from here or here.

Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

-screen317

#5 Wdave37

Member

Group: Members
Posts: 20
Joined: 10-March 09

Posted 25 June 2009 - 04:44 AM

The files are being found in Users\David\AppData\Local\Temp

Malwarebytes' Anti-Malware 1.34
Database version: 1832
Windows 6.0.6001 Service Pack 1

6/24/2009 10:02:32 PM
mbam-log-2009-06-24 (22-02-31).txt

Scan type: Quick Scan
Objects scanned: 71524
Time elapsed: 2 hour(s), 15 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

KASPERSKY ONLINE SCANNER 7.0 REPORT
Thursday, June 25, 2009
Operating System: Microsoft Windows Vista Ultimate Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Thursday, June 25, 2009 01:49:55
Records in database: 2387782
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
C:\
D:\
Scan statistics
Files scanned 130325
Threat name 0
Infected objects 0
Suspicious objects 0
Duration of the scan 04:01:23

No malware has been detected. The scan area is clean.
The selected area was scanned.

Results of screen317's Security Check version 0.98.4
Windows Vista Service Pack 1
Out of date service pack!!
``````````````````````````````
Antivirus/Firewall Check:
``````````````````````````````
Windows Firewall Enabled!
SymantecAntiVirus
Antivirus up to date!
``````````````````````````````
Anti-malware/Other Utilities Check:
``````````````````````````````
Ad-Aware
SUPERAntiSpyware Free Edition
Malwarebytes' Anti-Malware
CCleaner (remove only)
Java™ 6 Update 13
Java™ 6 Update 2
Java™ 6 Update 5
Java™ 6 Update 7
Out of date Java installed!
Adobe Flash Player 10
``````````````````````````````
Process Check:
objlist.exe by Laurent
``````````````````````````````
Norton ccSvcHst.exe
Windows Defender MSASCui.exe
Windows Defender MsMpEng.exe is disabled!
Ad-Aware AAWService.exe
Ad-Aware AAWTray.exe is disabled!
Symantec AntiVirus VPTray.exe
Symantec AntiVirus SavUI.exe
``````````````````````````````
DNS Vulnerability Check:
``````````````````````````````
GREAT! (Very random)

Scan took 1 seconds.
`````````End of Log```````````

I don't know why nothing comes up in these reports, but my quarantine is continuously getting bigger. Was there nothing suspicious in my HJT output?

Thanks,

Dave

#6 screen317

Forum Regular

Group: Malware Response Team
Posts: 207
Joined: 09-July 07
Gender:Male
Location:Los Angeles

Posted 27 June 2009 - 04:52 PM

Hi Dave,

Please update your Symantec Antivirus via LiveUpdate.

Next, disconnect from the Internet.

Run a full scan with your Symantec Antivirus.

Quarantine anything found.

Restart your computer, clear your quarantine.

Reconnect to the Internet and see if you're still getting files quarantined from your Temp folder.

If so, we'll use ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

After that, please download JavaRa and unzip it to your Desktop.

Double click JavaRa.exe then click Remove Older Versions.

Follow any prompts; a log will popup (JavaRa.log)-- please post the contents of this log.

Next, open JavaRa.exe again, and select Search For Updates.

Select Update Using Sun Java's Website --> Search, and continue the instructions for downloading and installing the latest Java version.

-screen317

#7 Wdave37

Member

Group: Members
Posts: 20
Joined: 10-March 09

Posted 28 June 2009 - 10:29 AM

Screen,

I don't know why, but the way the files are found is kind of random it seems to me. When I scan, I don't get anything. But at any point...maybe hours or days later, it will randomly start finding files. Conversely, sometimes immediately when I log in it will immediately find more files. I used JavaRa to remove older versions and it found several versions to remove, but a log never opened and one was never saved where it said it should be.

Here are the remaining logs you wanted:

ComboFix 09-06-26.02 - David 06/27/2009 19:40.1 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.2030.1014 [GMT -4:00]
Running from: c:\users\David\Desktop\ComboFix.exe
AV: Symantec AntiVirus *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Symantec AntiVirus *enabled* (Updated) {6C85A515-B91D-4D2B-AF18-40984A4A8493}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-28 )))))))))))))))))))))))))))))))
.

2009-06-13 02:51 . 2009-06-13 02:51 -------- d-----w- c:\program files\iPod
2009-06-13 02:51 . 2009-06-13 02:51 -------- d-----w- c:\program files\iTunes
2009-06-13 02:46 . 2009-06-13 02:47 -------- d-----w- c:\program files\QuickTime
2009-06-10 02:28 . 2009-04-21 11:55 2033152 ----a-w- c:\windows\system32\win32k.sys
2009-06-10 02:28 . 2009-04-23 12:42 636928 ----a-w- c:\windows\system32\localspl.dll
2009-06-10 02:28 . 2009-04-23 12:43 784896 ----a-w- c:\windows\system32\rpcrt4.dll
2009-06-07 15:34 . 2008-11-06 06:03 -------- d-----w- C:\SDFix
2009-06-06 12:02 . 2009-06-06 12:02 -------- d-----w- c:\program files\WinDirStat
2009-06-06 03:25 . 2009-06-06 03:25 -------- d-----w- c:\users\David\DoctorWeb

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-14 04:41 . 2008-06-07 19:40 680 ----a-w- c:\users\David\AppData\Local\d3d9caps.dat
2009-06-13 02:51 . 2008-05-25 01:55 -------- d-----w- c:\program files\Common Files\Apple
2009-05-30 23:42 . 2009-03-10 10:13 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-05-17 10:53 . 2009-05-17 10:51 -------- d-----w- c:\program files\IObit
2009-05-15 12:52 . 2009-05-15 12:52 -------- d-----w- c:\program files\Cisco
2009-05-15 12:52 . 2009-05-15 12:52 -------- d-----w- c:\program files\Common Files\Intel
2009-05-15 12:52 . 2008-05-13 02:54 -------- d-----w- c:\program files\Intel
2009-04-24 16:05 . 2009-06-10 02:27 827904 ----a-w- c:\windows\system32\wininet.dll
2009-04-24 16:02 . 2009-06-10 02:27 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-24 13:44 . 2009-06-10 02:27 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-02-27 08:08 . 2009-02-18 00:30 3969312 --sha-w- c:\windows\System32\drivers\fidbox.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"Google Update"="c:\users\David\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-11-25 133104]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2007-07-05 419112]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-07-05 124200]
"AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-11-07 91688]
"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2007-08-09 2630968]
"IaNvSrv"="c:\program files\Intel\Intel Matrix Storage Manager\OROM\IaNvSrv\IaNvSrv.exe" [2007-10-24 33304]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 66176]
"PWMTRV"="c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2007-12-06 324896]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-12-08 107112]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-08-05 135568]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-09 13543968]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-06-09 92704]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"TpShocks"="TpShocks.exe" - c:\windows\System32\TpShocks.exe [2007-11-22 181536]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"DisableCAD"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 15:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-03-15 05:17 89600 ----a-w- c:\windows\System32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^David^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{9BE2BB76-D4C5-404A-A6A5-2A600528475C}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{D17D71BC-3648-4CA0-A875-7306F8663E36}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{7BBD3EF4-67AE-47E5-AD92-9D6FA3FB1290}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{64A82D71-4015-4147-8F5C-CDEDFC7FF250}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{9FC4BF3B-F936-42E7-A1A2-0CF80E4E2C6A}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"UDP Query User{7D9CEE8E-F155-4517-97B5-066EF7699BF7}c:\\program files\\limewire\\limewire.exe"= TCP:c:\program files\limewire\limewire.exe:LimeWire
"TCP Query User{C01AF1EB-B52C-44B3-998C-ACB7B72F6EA1}c:\\program files\\limewire\\limewire.exe"= UDP:c:\program files\limewire\limewire.exe:LimeWire
"{A5794B7C-28FC-4098-AD53-0E7CBDC8CE25}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{25B573BB-67CA-4824-A1A8-361BDD885C22}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{6C67FEBC-0CCF-4FB1-ADBE-592206C88C6D}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{493EA481-F911-41B4-81B0-7FE5AEA764A1}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{DAE6593F-C8B8-47A2-94EE-4F102C347466}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{B4E60AEA-749E-42CC-9D8C-79DC4266914F}c:\\program files\\aim\\aim pro\\aimpro.exe"= UDP:c:\program files\aim\aim pro\aimpro.exe:AIM Pro
"UDP Query User{77752EB7-321F-4742-8E76-0554E0D2BA37}c:\\program files\\aim\\aim pro\\aimpro.exe"= TCP:c:\program files\aim\aim pro\aimpro.exe:AIM Pro
"{CBB70D96-3643-4A01-AD61-D892358B2FA4}"= UDP:c:\program files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
"{65C1427A-8457-4D93-B027-B278C8440CDF}"= TCP:c:\program files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
"{12EFB8A1-28D4-449F-9646-3E81EBCCF821}"= UDP:c:\program files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
"{F069F40D-4B5A-4588-9F8F-9F6F84A9AFA6}"= TCP:c:\program files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
"{1FA405EE-8592-40FB-8429-0B711230F448}"= c:\program files\PharosSystems\Core\CTskMstr.exe:Pharos Com Task Master
"TCP Query User{8F5AAA1B-7089-4F83-AEA7-0275F234214C}c:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= UDP:c:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"UDP Query User{4F079DFF-FB80-43EF-A892-4D56B46C7F28}c:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= TCP:c:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"{0BC49CDF-7D8D-402B-B2D9-6B91BB361E07}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{825F9BC4-0ACE-4C4F-A8F9-3100675234E3}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"TCP Query User{4347FB01-1A36-4CF1-B0AA-D8DD01C07F81}c:\\program files\\limewire\\limewire.exe"= UDP:c:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{15751E51-2015-415B-9EE2-CB9FF764B02C}c:\\program files\\limewire\\limewire.exe"= TCP:c:\program files\limewire\limewire.exe:LimeWire
"{9AF49190-DB24-4D50-A11F-0B72569F0D4B}"= UDP:c:\users\David\AppData\Local\Google\Google Talk Plugin\googletalkplugin.dll:Google Talk Plugin
"{C9970133-E721-4D45-A132-EDCB0C3AD9F6}"= TCP:c:\users\David\AppData\Local\Google\Google Talk Plugin\googletalkplugin.dll:Google Talk Plugin
"{F624F718-F394-4E2C-B5B2-D1312B8BDF05}"= UDP:c:\users\David\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe:Google Talk Plugin
"{4C9C59DF-EBDB-43D4-B1D0-06E3428104C8}"= TCP:c:\users\David\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe:Google Talk Plugin
"TCP Query User{912069C5-CBF2-49F2-97BB-D306AD70201E}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{8ED7DD32-EB92-4239-9233-7EA647FDA163}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"{748B0F3E-33B1-448C-8844-CF5ADB0FAF6D}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{FC90D17D-C98E-416A-8613-D65E4882E538}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

R0 iaNvStor;Intel® Turbo Memory Controller;c:\windows\System32\drivers\iaNvStor.sys [6/6/2008 11:23 PM 220696]
R0 Shockprf;Shockprf;c:\windows\System32\drivers\ApsX86.sys [10/16/2007 9:33 PM 103472]
R0 TPDIGIMN;TPDIGIMN;c:\windows\System32\drivers\ApsHM86.sys [10/16/2007 9:32 PM 19504]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\System32\drivers\smiif32.sys [2/19/2007 12:12 AM 13744]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2/17/2009 11:43 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2009 11:43 AM 55024]
R1 TPPWRIF;TPPWRIF;c:\windows\System32\drivers\TPPWR32V.SYS [5/12/2008 10:05 PM 12080]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [1/11/2008 8:50 PM 30312]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [8/5/2007 5:29 PM 121744]
R2 smihlp;SMI Helper Driver (smihlp);c:\program files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [3/15/2007 1:10 AM 11152]
R2 TPHKSVC;On Screen Display;c:\program files\Lenovo\HOTKEY\TPHKSVC.exe [7/9/2007 2:23 AM 55936]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/7/2009 11:37 AM 101936]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\System32\drivers\NETw5v32.sys [3/4/2009 10:49 AM 4232704]
S2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [1/8/2007 11:03 PM 569344]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [11/24/2008 11:31 PM 29263712]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2009 11:43 AM 7408]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv
*Deregistered* - SysPlant
*Deregistered* - WPS

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
%SystemRoot%\system32\soundschemes.exe /AddRegistration

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B3688A53-AB2A-4b1d-8CEF-8F93D8C51C24}]
%SystemRoot%\system32\soundschemes2.exe /AddRegistration
.
Contents of the 'Scheduled Tasks' folder

2009-06-28 c:\windows\Tasks\AWC Startup.job
- c:\program files\IObit\Advanced SystemCare 3\AWC.exe [2009-05-17 01:22]

2009-06-28 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 22:54]

2009-06-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2107215369-2078948122-415125840-1005.job
- c:\users\David\AppData\Local\Google\Update\GoogleUpdate.exe [2008-11-25 04:58]

2009-06-15 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-05-17 22:15]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.espn.go.com/
uInternet Settings,ProxyOverride = *.local
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath -
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-28 10:51
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\c:\windows\TEMP\mc2C84D.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(792)
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll

- - - - - - - > 'Explorer.exe'(6104)
c:\program files\Lenovo\Client Security Solution\tvtpwm_windows_hook.dll
c:\program files\Lenovo\Client Security Solution\tvt_passwordmanager.dll
c:\program files\Lenovo\Client Security Solution\css_banner.dll
c:\program files\Lenovo\Client Security Solution\csswait.dll
c:\windows\system32\cssuserdatadispatcher.dll
c:\program files\Lenovo\Client Security Solution\css_dlgcustompolicy.dll
c:\windows\system32\tvttsp.dll
c:\windows\system32\tcsrpc.dll
c:\program files\Common Files\Lenovo\tvt_think_res.dll
c:\program files\Lenovo\Client Security Solution\css_think_res.dll
c:\windows\system32\btncopy.dll
c:\program files\Lenovo\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\program files\Lenovo\Drag-to-Disc\ShellRes.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\ibmpmsvc.exe
c:\windows\System32\nvvsvc.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\rundll32.exe
c:\program files\ThinkVantage Fingerprint Software\upeksvr.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\windows\System32\wlanext.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\System32\IPSSVC.EXE
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\windows\System32\AEADISRV.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\progra~1\PHAROS~1\Core\CTskMstr.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Lenovo\System Update\SUService.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Lenovo\Client Security Solution\tvttcsd.exe
c:\windows\System32\drivers\XAudio.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe
c:\windows\System32\rundll32.exe
c:\program files\Symantec AntiVirus\VPTray.exe
c:\windows\System32\rundll32.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\ZOOM\TpScrex.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Lenovo\Client Security Solution\tvtpwm_tray.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2009-06-28 10:59 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-28 14:59

Pre-Run: 23,015,288,832 bytes free
Post-Run: 30,008,139,776 bytes free

266 --- E O F --- 2009-06-26 00:02

DDS (Ver_09-06-26.01) - NTFSx86
Run by David at 11:05:58.84 on Sun 06/28/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.2030.645 [GMT -4:00]

AV: Symantec AntiVirus *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
SP: Symantec AntiVirus *enabled* (Updated) {6C85A515-B91D-4D2B-AF18-40984A4A8493}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\ibmpmsvc.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\WLANExt.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Windows\system32\AEADISRV.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
c:\Program Files\Lenovo\System Update\SUService.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Windows\System32\TpShocks.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Users\David\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Lenovo\Client Security Solution\tvtpwm_tray.exe
C:\Windows\Explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Windows\system32\taskeng.exe
C:\Users\David\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\David\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.espn.go.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! ¤u¨ã¦C: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\compan~1\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\compan~1\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: CPwmIEBrowserHelper Object: {f040e541-a427-4cf7-85d8-75e3e0f476c5} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: Yahoo! ¤u¨ã¦C: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\compan~1\installs\cpn\yt.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Google Update] "c:\users\david\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
mRun: [AwaySch] c:\program files\lenovo\awaytask\AwaySch.EXE
mRun: [cssauth] "c:\program files\lenovo\client security solution\cssauth.exe" silent
mRun: [IaNvSrv] c:\program files\intel\intel matrix storage manager\orom\ianvsrv\IaNvSrv.exe
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
mRun: [TpShocks] TpShocks.exe
mRun: [PWMTRV] rundll32 c:\progra~1\thinkpad\utilit~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: DisableCAD = 1 (0x1)
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {0045D4BC-5189-4b67-969C-83BB1906C421} - {0FE81B52-73FA-425F-8F06-3F32451AC73F} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: psfus - c:\windows\system32\psqlpwd.dll
STS: Windows DreamScene: {e31004d1-a431-41b8-826f-e902f9d95c81} - %SystemRoot%\System32\DreamScene.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli psqlpwd

================= FIREFOX ===================

FF - ProfilePath - c:\users\david\appdata\roaming\mozilla\firefox\profiles\qg5090k0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.espn.go.com/
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\users\david\appdata\local\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\users\david\appdata\roaming\move networks\plugins\npqmp071500000347.dll
FF - plugin: c:\users\david\appdata\roaming\mozilla\firefox\profiles\qg5090k0.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\users\david\appdata\roaming\mozilla\plugins\npgoogletalk.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 iaNvStor;Intel® Turbo Memory Controller;c:\windows\system32\drivers\iaNvStor.sys [2008-6-6 220696]
R0 Shockprf;Shockprf;c:\windows\system32\drivers\ApsX86.sys [2007-10-16 103472]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2007-10-16 19504]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [2007-2-19 13744]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-2-17 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 55024]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWR32V.SYS [2008-5-12 12080]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\microsoft small business\business contact manager\BcmSqlStartupSvc.exe [2008-1-11 30312]
R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2007-8-5 121744]
R2 smihlp;SMI Helper Driver (smihlp);c:\program files\common files\thinkvantage fingerprint software\drivers\smihlp.sys [2007-3-15 11152]
R2 TPHKSVC;On Screen Display;c:\program files\lenovo\hotkey\TPHKSVC.exe [2007-7-9 55936]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-6-7 101936]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2009-3-4 4232704]
S2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\lenovo\rescue and recovery\rrpservice.exe [2007-1-8 569344]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2008-11-24 29263712]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]

=============== Created Last 30 ================

2009-06-27 19:38 161,792 a------- c:\windows\SWREG.exe
2009-06-27 19:38 155,136 a------- c:\windows\PEV.exe
2009-06-27 19:38 98,816 a------- c:\windows\sed.exe
2009-06-12 22:51 <DIR> --d----- c:\program files\iPod
2009-06-12 22:51 <DIR> --d----- c:\program files\iTunes
2009-06-09 22:28 2,033,152 a------- c:\windows\system32\win32k.sys
2009-06-09 22:28 636,928 a------- c:\windows\system32\localspl.dll
2009-06-09 22:28 784,896 a------- c:\windows\system32\rpcrt4.dll
2009-06-07 11:34 <DIR> --d----- C:\SDFix
2009-06-06 08:02 <DIR> --d----- c:\program files\WinDirStat
2009-06-05 23:25 <DIR> --d----- c:\users\david\DoctorWeb

==================== Find3M ====================

2009-06-28 10:50 118,227 a------- c:\programdata\nvModes.dat
2009-06-28 10:50 118,227 a------- c:\progra~2\nvModes.dat
2009-06-12 22:41 51,200 a------- c:\windows\inf\infpub.dat
2009-06-12 22:41 143,360 a------- c:\windows\inf\infstrng.dat
2009-06-12 22:41 86,016 a------- c:\windows\inf\infstor.dat
2009-04-24 12:05 827,904 a------- c:\windows\system32\wininet.dll
2009-04-24 12:02 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-24 09:44 26,624 a------- c:\windows\system32\ieUnatt.exe
2008-12-08 14:36 96,907 a------- c:\users\david\appdata\roaming\nvModes.dat
2008-06-11 03:08 665,600 a------- c:\windows\inf\drvindex.dat
2008-06-10 12:57 148 a------- c:\users\david\NetworkDrives.bat
2008-01-20 22:41 174 a--sh--- c:\program files\desktop.ini
2006-11-02 08:40 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:40 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:40 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:40 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-09-02 17:02 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-09-02 17:02 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-09-02 17:02 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 11:06:33.13 ===============

I was able to download the latest Sun JRE as well.

Thanks!

Attached File(s)

Attach.txt (7.56K)
Number of downloads: 9

#8 screen317

Forum Regular

Group: Malware Response Team
Posts: 207
Joined: 09-July 07
Gender:Male
Location:Los Angeles

Posted 01 July 2009 - 06:08 PM

Hello,

Sorry for the delay..

When Symantec detects any Bloodhound.Exploit, it is an heuristic detection and not a detection based on a malware signature. As such, it has the potential to be a false positive. Next time it asks to quarantine something, ignore it, but be sure to write down which file it is; we will examine it afterward.

In addition, please open Notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quotebox below into Notepad:

Quote

Driver::
mchInjDrv
File::
c:\windows\TEMP\mc2C84D.tmp
Reglock::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new DDS log.

After that, please run a GMER Rootkit scan:

Download GMER's application from here:
http://www.gmer.net/gmer.zip

Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.

Warning ! Please, do not select the "Show all" checkbox during the scan.

-screen317

#9 Wdave37

Member

Group: Members
Posts: 20
Joined: 10-March 09

Posted 03 July 2009 - 01:59 PM

These are the names of some of the files, there are a lot more as the list keeps growing:

DWHF366.tmp
DWHC4F8.tmp
DWH5B5P.tmp

ComboFix 09-07-02.02 - David 07/03/2009 6:58.3 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.2030.944 [GMT -4:00]
Running from: c:\users\David\Desktop\ComboFix.exe
Command switches used :: c:\users\David\Desktop\CFScript.txt
AV: Symantec AntiVirus *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Symantec AntiVirus *disabled* (Updated) {6C85A515-B91D-4D2B-AF18-40984A4A8493}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\windows\TEMP\mc2C84D.tmp"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\windows\Installer\78d57.msp
c:\windows\Installer\81fa8.msi

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MCHINJDRV
-------\Service_mchInjDrv
-------\Legacy_MCHINJDRV

((((((((((((((((((((((((( Files Created from 2009-06-03 to 2009-07-03 )))))))))))))))))))))))))))))))
.

2009-06-28 15:26 . 2009-06-28 15:26 -------- d-----w- c:\program files\JavaFX
2009-06-28 15:24 . 2009-06-28 15:24 -------- d-----w- c:\program files\Sun
2009-06-28 15:12 . 2009-06-28 15:22 -------- d-----w- c:\users\David\.SunDownloadManager
2009-06-13 02:51 . 2009-06-13 02:51 -------- d-----w- c:\program files\iPod
2009-06-13 02:51 . 2009-06-13 02:51 -------- d-----w- c:\program files\iTunes
2009-06-13 02:46 . 2009-06-13 02:47 -------- d-----w- c:\program files\QuickTime
2009-06-10 02:28 . 2009-04-21 11:55 2033152 ----a-w- c:\windows\system32\win32k.sys
2009-06-10 02:28 . 2009-04-23 12:42 636928 ----a-w- c:\windows\system32\localspl.dll
2009-06-10 02:28 . 2009-04-23 12:43 784896 ----a-w- c:\windows\system32\rpcrt4.dll
2009-06-07 15:34 . 2008-11-06 06:03 -------- d-----w- C:\SDFix
2009-06-06 12:02 . 2009-06-06 12:02 -------- d-----w- c:\program files\WinDirStat
2009-06-06 03:25 . 2009-06-06 03:25 -------- d-----w- c:\users\David\DoctorWeb

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-28 15:24 . 2008-12-18 01:07 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-28 15:20 . 2008-05-13 02:33 -------- d-----w- c:\program files\Java
2009-06-14 04:41 . 2008-06-07 19:40 680 ----a-w- c:\users\David\AppData\Local\d3d9caps.dat
2009-06-13 02:51 . 2008-05-25 01:55 -------- d-----w- c:\program files\Common Files\Apple
2009-05-30 23:42 . 2009-03-10 10:13 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-05-17 10:53 . 2009-05-17 10:51 -------- d-----w- c:\program files\IObit
2009-05-15 12:52 . 2009-05-15 12:52 -------- d-----w- c:\program files\Cisco
2009-05-15 12:52 . 2009-05-15 12:52 -------- d-----w- c:\program files\Common Files\Intel
2009-05-15 12:52 . 2008-05-13 02:54 -------- d-----w- c:\program files\Intel
2009-04-24 16:05 . 2009-06-10 02:27 827904 ----a-w- c:\windows\system32\wininet.dll
2009-04-24 16:02 . 2009-06-10 02:27 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-24 13:44 . 2009-06-10 02:27 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-02-27 08:08 . 2009-02-18 00:30 3969312 --sha-w- c:\windows\System32\drivers\fidbox.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-06-28_14.51.42 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-21 01:56 . 2009-07-03 11:10 56248 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:03 . 2009-07-03 11:10 74230 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2006-11-02 13:03 . 2009-06-28 14:52 74230 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-06-07 00:05 . 2009-07-03 11:10 10186 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2107215369-2078948122-415125840-1005_UserData.bin
+ 2008-06-06 23:34 . 2009-07-03 10:50 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-06-06 23:34 . 2009-06-28 14:51 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-06-28 21:33 . 2009-06-28 21:33 61440 c:\windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\15\58fb3e0f-2ca58f70-n\decora-sse.dll
+ 2009-06-28 21:33 . 2009-06-28 21:33 12800 c:\windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\15\58fb3e0f-2ca58f70-n\decora-d3d.dll
+ 2008-06-06 23:34 . 2009-07-03 10:50 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-06-06 23:34 . 2009-06-28 14:51 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-06-06 23:34 . 2009-07-03 10:50 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-06-06 23:34 . 2009-06-28 14:51 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-05-28 23:35 . 2008-05-28 23:35 55296 c:\windows\Installer\a624f.msi
+ 2008-05-13 03:02 . 2008-05-13 03:02 88576 c:\windows\Installer\6497b.msi
+ 2008-07-03 19:30 . 2008-07-03 19:30 20992 c:\windows\Installer\2261663.msi
+ 2009-06-28 15:27 . 2009-06-28 15:27 10134 c:\windows\Installer\{5aa47dba-b584-4d47-a626-76e53fc2987d}\SystemFolder_msiexec.exe
- 2008-06-07 05:24 . 2009-06-27 23:49 8258 c:\windows\System32\WDI\ERCQueuedResolutions.dat
+ 2008-06-07 05:24 . 2009-07-03 10:45 8258 c:\windows\System32\WDI\ERCQueuedResolutions.dat
- 2009-06-28 14:50 . 2009-06-28 14:50 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-07-03 11:07 . 2009-07-03 11:07 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-06-28 14:50 . 2009-06-28 14:50 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-07-03 11:07 . 2009-07-03 11:07 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-06-07 11:41 . 2009-07-03 03:02 300764 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2009-06-28 15:24 . 2009-06-28 15:24 148888 c:\windows\System32\javaws.exe
- 2009-03-27 23:01 . 2009-03-09 09:19 148888 c:\windows\System32\javaws.exe
+ 2009-06-28 15:24 . 2009-06-28 15:24 144792 c:\windows\System32\javaw.exe
- 2009-03-27 23:01 . 2009-03-09 09:19 144792 c:\windows\System32\javaw.exe
- 2009-03-27 23:01 . 2009-03-09 09:19 144792 c:\windows\System32\java.exe
+ 2009-06-28 15:24 . 2009-06-28 15:24 144792 c:\windows\System32\java.exe
+ 2009-06-28 21:33 . 2009-06-28 21:33 348160 c:\windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\15\58fb3e0f-2ca58f70-n\msvcr71.dll
+ 2009-06-28 21:33 . 2009-06-28 21:33 503808 c:\windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\15\58fb3e0f-2ca58f70-n\msvcp71.dll
+ 2009-06-28 21:33 . 2009-06-28 21:33 499712 c:\windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\15\58fb3e0f-2ca58f70-n\jmc.dll
+ 2008-07-30 04:44 . 2008-07-30 04:44 652800 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\vs_setup.msi
+ 2008-05-13 02:27 . 2008-05-13 02:27 370176 c:\windows\Installer\df0a.msi
+ 2008-05-13 02:20 . 2008-05-13 02:20 809472 c:\windows\Installer\dec9.msi
+ 2009-05-26 22:53 . 2009-05-26 22:53 579072 c:\windows\Installer\d40396b.msp
+ 2007-10-15 03:44 . 2007-10-15 03:44 324608 c:\windows\Installer\a7249bc.msp
+ 2007-10-15 03:46 . 2007-10-15 03:46 324608 c:\windows\Installer\a7249b6.msp
+ 2008-05-28 23:01 . 2008-05-28 23:01 804352 c:\windows\Installer\a7248b7.msi
+ 2008-05-28 22:57 . 2008-05-28 22:57 467456 c:\windows\Installer\a7248ae.msi
+ 2008-05-13 02:33 . 2008-05-13 02:33 404992 c:\windows\Installer\8e0ff.msi
+ 2008-05-13 02:30 . 2008-05-13 02:30 588288 c:\windows\Installer\8e0ed.msi
+ 2008-05-13 02:30 . 2008-05-13 02:30 686592 c:\windows\Installer\8e0e2.msi
+ 2008-05-13 02:30 . 2008-05-13 02:30 646656 c:\windows\Installer\8e0d1.msi
+ 2008-07-07 19:36 . 2008-07-07 19:36 124928 c:\windows\Installer\79fc4e0.msi
+ 2008-05-25 01:05 . 2008-05-25 01:05 431104 c:\windows\Installer\78d10.msi
+ 2008-05-25 01:05 . 2008-05-25 01:05 993280 c:\windows\Installer\78d0a.msi
+ 2008-05-25 01:04 . 2008-05-25 01:04 289792 c:\windows\Installer\78d06.msi
+ 2008-05-25 00:56 . 2008-05-25 00:56 435712 c:\windows\Installer\78cfc.msi
+ 2009-03-07 06:24 . 2009-03-07 06:24 140288 c:\windows\Installer\74b96c6.msi
+ 2008-07-03 19:47 . 2008-07-03 19:47 802304 c:\windows\Installer\6b34e.msi
+ 2008-05-13 02:06 . 2008-05-13 02:06 213504 c:\windows\Installer\6a4fa.msi
+ 2008-05-13 03:09 . 2008-05-13 03:09 643072 c:\windows\Installer\64a1d.msi
+ 2008-05-13 03:09 . 2008-05-13 03:09 966144 c:\windows\Installer\64a18.msi
+ 2008-05-13 03:09 . 2008-05-13 03:09 591872 c:\windows\Installer\64a13.msi
+ 2008-05-13 03:05 . 2008-05-13 03:05 501248 c:\windows\Installer\649b4.msi
+ 2008-05-13 03:05 . 2008-05-13 03:05 506880 c:\windows\Installer\649af.msi
+ 2008-05-13 03:05 . 2008-05-13 03:05 516608 c:\windows\Installer\649a9.msi
+ 2008-05-13 03:05 . 2008-05-13 03:05 513024 c:\windows\Installer\649a3.msi
+ 2008-05-13 03:04 . 2008-05-13 03:04 501248 c:\windows\Installer\6498f.msi
+ 2008-05-13 03:04 . 2008-05-13 03:04 501248 c:\windows\Installer\64985.msi
+ 2008-06-07 01:01 . 2008-06-07 01:01 501248 c:\windows\Installer\61962.msi
+ 2008-05-26 10:01 . 2008-05-26 10:01 431104 c:\windows\Installer\3ca4190.msi
+ 2009-07-03 03:03 . 2009-07-03 03:03 288768 c:\windows\Installer\3bba8bc.msi
+ 2008-01-28 18:25 . 2008-01-28 18:25 251392 c:\windows\Installer\3a58d5.msp
+ 2008-01-28 18:25 . 2008-01-28 18:25 687104 c:\windows\Installer\3a58ce.msp
+ 2009-02-27 04:49 . 2009-02-27 04:49 549888 c:\windows\Installer\2ebd7040.msi
+ 2009-02-27 04:44 . 2009-02-27 04:44 817152 c:\windows\Installer\2ebd6fd8.msi
+ 2009-02-27 04:44 . 2009-02-27 04:44 813568 c:\windows\Installer\2ebd6fae.msi
+ 2008-12-13 14:58 . 2008-12-13 14:58 754688 c:\windows\Installer\2ebd6fa7.msp
+ 2009-02-27 04:42 . 2009-02-27 04:42 648192 c:\windows\Installer\2ebd6f9d.msi
+ 2008-11-13 08:01 . 2008-11-13 08:01 432640 c:\windows\Installer\282dc5c.msi
+ 2009-01-24 03:24 . 2009-01-24 03:24 836096 c:\windows\Installer\1fcdc589.msi
+ 2009-06-28 15:27 . 2009-06-28 15:27 414720 c:\windows\Installer\1c0807.msi
+ 2009-06-28 15:25 . 2009-06-28 15:25 873472 c:\windows\Installer\1c0803.msi
+ 2009-06-28 15:24 . 2009-06-28 15:24 536576 c:\windows\Installer\1c07fe.msi
+ 2009-06-28 15:20 . 2009-06-28 15:20 417792 c:\windows\Installer\1c058f.msi
+ 2008-06-26 01:49 . 2008-06-26 01:49 532992 c:\windows\Installer\1b541307.msi
+ 2008-07-14 18:01 . 2008-07-14 18:01 289792 c:\windows\Installer\11e3bd6.msi
+ 2007-05-25 16:37 . 2007-05-25 16:37 9433600 c:\windows\Microsoft.NET\Framework\v1.1.4322\Updates\M929729\M929729Uninstall.msp
+ 2009-04-24 16:28 . 2009-04-24 16:28 4450816 c:\windows\Installer\fb5bcf.msp
+ 2008-06-05 17:56 . 2008-06-05 17:56 5111808 c:\windows\Installer\f39aab3.msp
+ 2008-08-08 23:36 . 2008-08-08 23:36 1549312 c:\windows\Installer\f174c48.msi
+ 2008-05-13 02:27 . 2008-05-13 02:27 8009728 c:\windows\Installer\df04.msi
+ 2008-05-13 02:26 . 2008-05-13 02:26 3060224 c:\windows\Installer\deee.msi
+ 2008-05-13 02:23 . 2008-05-13 02:23 7981568 c:\windows\Installer\ded0.msi
+ 2009-06-13 02:52 . 2009-06-13 02:52 4074496 c:\windows\Installer\d78b93c.msi
+ 2009-06-13 02:47 . 2009-06-13 02:47 1665024 c:\windows\Installer\d78b607.msi
+ 2009-06-13 02:46 . 2009-06-13 02:46 8992256 c:\windows\Installer\d78b5d5.msi
+ 2009-06-13 02:41 . 2009-06-13 02:41 3295232 c:\windows\Installer\d78b344.msi
+ 2009-05-04 11:46 . 2009-05-04 11:46 8299008 c:\windows\Installer\d403a0b.msp
+ 2009-05-04 11:47 . 2009-05-04 11:47 9124864 c:\windows\Installer\d4039e3.msp
+ 2009-04-24 16:30 . 2009-04-24 16:30 2583552 c:\windows\Installer\d4039bb.msp
+ 2009-05-07 13:17 . 2009-05-07 13:17 5026816 c:\windows\Installer\d403992.msp
+ 2009-04-24 16:29 . 2009-04-24 16:29 9013760 c:\windows\Installer\d403944.msp
+ 2008-10-26 13:36 . 2008-10-26 13:36 1948672 c:\windows\Installer\baf37d2.msi
+ 2008-09-02 15:42 . 2008-09-02 15:42 5104640 c:\windows\Installer\b8c44dd.msp
+ 2008-02-15 12:54 . 2008-02-15 12:54 9736192 c:\windows\Installer\a724ae4.msp
+ 2008-04-11 22:08 . 2008-04-11 22:08 6302720 c:\windows\Installer\a7249f1.msp
+ 2008-04-26 00:14 . 2008-04-26 00:14 5052928 c:\windows\Installer\a7249da.msp
+ 2007-07-08 15:34 . 2007-07-08 15:34 6648832 c:\windows\Installer\a7249c7.msp
+ 2007-10-15 03:43 . 2007-10-15 03:43 5749760 c:\windows\Installer\a72499a.msp
+ 2008-04-18 18:56 . 2008-04-18 18:56 6215680 c:\windows\Installer\a7248d3.msp
+ 2008-04-01 02:11 . 2008-04-01 02:11 1298432 c:\windows\Installer\a6255.msp
+ 2008-11-13 07:57 . 2008-11-13 07:57 5099520 c:\windows\Installer\9555cad.msp
+ 2008-10-20 15:18 . 2008-10-20 15:18 6474240 c:\windows\Installer\9555c86.msp
+ 2008-05-26 07:46 . 2008-05-26 07:46 1069056 c:\windows\Installer\91af837.msp
+ 2008-05-13 02:33 . 2008-05-13 02:33 1480704 c:\windows\Installer\8e0f9.msi
+ 2008-05-13 02:32 . 2008-05-13 02:32 1944064 c:\windows\Installer\8e0f3.msi
+ 2008-05-13 02:30 . 2008-05-13 02:30 1059840 c:\windows\Installer\8e0e1.msi
+ 2008-05-13 02:30 . 2008-05-13 02:30 1062400 c:\windows\Installer\8e0df.msi
+ 2008-05-13 02:30 . 2008-05-13 02:30 1084928 c:\windows\Installer\8e0dd.msi
+ 2008-05-13 02:30 . 2008-05-13 02:30 1062912 c:\windows\Installer\8e0d3.msi
+ 2008-05-13 02:30 . 2008-05-13 02:30 1021440 c:\windows\Installer\8e0d0.msi
+ 2008-12-19 19:57 . 2008-12-19 19:57 1659392 c:\windows\Installer\6c4ea3e.msi
+ 2008-05-13 02:13 . 2008-05-13 02:13 3472896 c:\windows\Installer\6a518.msi
+ 2008-05-13 02:11 . 2008-05-13 02:11 5726720 c:\windows\Installer\6a507.msi
+ 2008-05-13 02:09 . 2008-05-13 02:09 1461248 c:\windows\Installer\6a500.msi
+ 2009-02-07 03:31 . 2009-02-07 03:31 5047808 c:\windows\Installer\6a28414.msp
+ 2008-06-06 23:34 . 2008-06-06 23:34 3443712 c:\windows\Installer\68a6a.msi
+ 2008-01-11 09:52 . 2008-01-11 09:52 8517632 c:\windows\Installer\64a4e.msp
+ 2008-05-13 03:10 . 2008-05-13 03:10 1389056 c:\windows\Installer\64a23.msi
+ 2008-05-13 03:07 . 2008-05-13 03:07 1046016 c:\windows\Installer\649f1.msi
+ 2007-03-22 01:46 . 2007-03-22 01:46 2047488 c:\windows\Installer\649eb.msp
+ 2007-03-22 01:46 . 2007-03-22 01:46 8198656 c:\windows\Installer\649d8.msp
+ 2008-05-13 03:05 . 2008-05-13 03:05 1652736 c:\windows\Installer\649be.msi
+ 2008-05-13 03:05 . 2008-05-13 03:05 1652736 c:\windows\Installer\649b9.msi
+ 2008-05-13 03:04 . 2008-05-13 03:04 1640960 c:\windows\Installer\6499e.msi
+ 2008-05-13 03:04 . 2008-05-13 03:04 2022912 c:\windows\Installer\64999.msi
+ 2008-05-13 03:04 . 2008-05-13 03:04 1713152 c:\windows\Installer\64994.msi
+ 2008-05-13 03:04 . 2008-05-13 03:04 1652736 c:\windows\Installer\6498a.msi
+ 2008-05-13 03:04 . 2008-05-13 03:04 2397184 c:\windows\Installer\64980.msi
+ 2008-06-07 01:14 . 2008-06-07 01:14 1438208 c:\windows\Installer\619a4.msi
+ 2008-06-07 01:02 . 2008-06-07 01:02 1640960 c:\windows\Installer\61984.msi
+ 2008-06-07 01:01 . 2008-06-07 01:01 2319872 c:\windows\Installer\61967.msi
+ 2008-06-07 01:01 . 2008-06-07 01:01 1647616 c:\windows\Installer\6195d.msi
+ 2008-01-28 18:25 . 2008-01-28 18:25 5996544 c:\windows\Installer\3a5926.msp
+ 2008-01-28 18:24 . 2008-01-28 18:24 8575488 c:\windows\Installer\3a58fa.msp
+ 2008-07-23 04:05 . 2008-07-23 04:05 7008256 c:\windows\Installer\3a517.msi
+ 2009-05-15 12:54 . 2009-05-15 12:54 6444544 c:\windows\Installer\390eb3.msi
+ 2009-03-10 10:13 . 2009-03-10 10:13 1516544 c:\windows\Installer\33b19ca.msi
+ 2009-01-15 08:35 . 2009-01-15 08:35 4830720 c:\windows\Installer\2ebd7046.msp
+ 2009-02-27 04:47 . 2009-02-27 04:47 6643712 c:\windows\Installer\2ebd702c.msi
+ 2009-02-27 04:45 . 2009-02-27 04:45 1087488 c:\windows\Installer\2ebd6fea.msi
+ 2008-04-11 22:48 . 2008-04-11 22:48 6774272 c:\windows\Installer\2a6e9b33.msp
+ 2008-07-16 23:01 . 2008-07-16 23:01 5110272 c:\windows\Installer\2a6e9b0a.msp
+ 2008-10-20 15:19 . 2008-10-20 15:19 5100032 c:\windows\Installer\282dc98.msp
+ 2009-02-25 23:08 . 2009-02-25 23:08 8311808 c:\windows\Installer\2773ab27.msp
+ 2009-03-28 13:50 . 2009-03-28 13:50 5025792 c:\windows\Installer\2773ab01.msp
+ 2008-08-20 18:37 . 2008-08-20 18:37 5107712 c:\windows\Installer\273219b5.msp
+ 2008-05-21 04:45 . 2008-05-21 04:45 5246976 c:\windows\Installer\27321951.msp
+ 2009-05-15 21:46 . 2009-05-15 21:46 2150400 c:\windows\Installer\2232525.msp
+ 2008-11-20 19:48 . 2008-11-20 19:48 5097472 c:\windows\Installer\1e6e98c9.msp
+ 2008-07-16 03:12 . 2008-07-16 03:12 1298432 c:\windows\Installer\1cf4feca.msp
+ 2008-11-13 07:54 . 2008-11-13 07:54 9576960 c:\windows\Installer\1cae11.msp
+ 2008-10-10 11:52 . 2008-10-10 11:52 5195264 c:\windows\Installer\1cae09.msp
+ 2008-10-10 11:39 . 2008-10-10 11:39 1926144 c:\windows\Installer\1cadf9.msp
+ 2008-10-10 11:48 . 2008-10-10 11:48 9688064 c:\windows\Installer\1cade2.msp
+ 2008-11-13 07:55 . 2008-11-13 07:55 1306624 c:\windows\Installer\1cadd2.msp
+ 2009-01-08 01:25 . 2009-01-08 01:25 5046784 c:\windows\Installer\1ba220ed.msp
+ 2009-03-25 00:20 . 2009-03-25 00:20 3938816 c:\windows\Installer\1950b80.msi
+ 2008-08-23 21:39 . 2008-08-23 21:39 1997312 c:\windows\Installer\15954f.msi
+ 2008-10-05 08:12 . 2008-10-05 08:12 4784128 c:\windows\Installer\121aa01a.msp
+ 2009-06-13 15:37 . 2009-06-13 15:37 6653952 c:\windows\Installer\104236b3.msp
+ 2009-04-30 07:02 . 2009-06-30 22:51 64606960 c:\windows\winsxs\ManifestCache\6.0.6002.18005_001c11ba_blobs.bin
+ 2008-05-13 02:25 . 2008-05-13 02:25 14072320 c:\windows\Installer\dee2.msi
+ 2008-07-30 03:20 . 2008-07-30 03:20 11767296 c:\windows\Installer\b8c44b6.msp
+ 2008-07-30 03:18 . 2008-07-30 03:18 11933184 c:\windows\Installer\b8c448f.msp
+ 2008-05-21 05:30 . 2008-05-21 05:30 14308864 c:\windows\Installer\b16ab78.msp
+ 2008-02-25 19:07 . 2008-02-25 19:07 11772416 c:\windows\Installer\a724ad2.msp
+ 2008-01-28 22:09 . 2008-01-28 22:09 11896320 c:\windows\Installer\a724abf.msp
+ 2008-01-28 22:10 . 2008-01-28 22:10 14201344 c:\windows\Installer\a724aab.msp
+ 2008-04-11 22:07 . 2008-04-11 22:07 13257728 c:\windows\Installer\a724a88.msp
+ 2007-10-15 03:43 . 2007-10-15 03:43 12743168 c:\windows\Installer\a7249ab.msp
+ 2007-10-15 03:43 . 2007-10-15 03:43 21981184 c:\windows\Installer\a72496f.msp
+ 2008-10-20 15:22 . 2008-10-20 15:22 11758592 c:\windows\Installer\9555d23.msp
+ 2008-10-20 15:21 . 2008-10-20 15:21 11937280 c:\windows\Installer\9555cfc.msp
+ 2008-10-20 15:16 . 2008-10-20 15:16 13211648 c:\windows\Installer\9555cd5.msp
+ 2008-05-13 02:30 . 2008-05-13 02:30 15356416 c:\windows\Installer\8e0cf.msi
+ 2008-01-19 20:00 . 2008-01-19 20:00 19210240 c:\windows\Installer\68ab1.msp
+ 2008-05-13 03:06 . 2008-05-13 03:06 12836864 c:\windows\Installer\649c5.msi
+ 2008-06-07 01:05 . 2008-06-07 01:05 18181632 c:\windows\Installer\61993.msi
+ 2008-05-26 10:00 . 2008-05-26 10:00 14939136 c:\windows\Installer\3ca418a.msp
+ 2008-01-28 18:24 . 2008-01-28 18:24 15945216 c:\windows\Installer\3a5910.msp
+ 2008-07-03 15:36 . 2008-07-03 15:36 11937792 c:\windows\Installer\2a6e9b87.msp
+ 2008-07-03 15:37 . 2008-07-03 15:37 11759104 c:\windows\Installer\2a6e9b60.msp
+ 2008-05-13 02:46 . 2008-05-13 02:46 18601984 c:\windows\Installer\29a62.msi
+ 2008-05-13 02:42 . 2008-05-13 02:42 24886272 c:\windows\Installer\29a45.msi
+ 2008-09-24 17:05 . 2008-09-24 17:05 16381440 c:\windows\Installer\282dc71.msp
+ 2008-08-11 15:51 . 2008-08-11 15:51 15916544 c:\windows\Installer\2732198e.msp
+ 2008-08-11 15:49 . 2008-08-11 15:49 22457344 c:\windows\Installer\27321967.msp
+ 2009-02-25 23:05 . 2009-02-25 23:05 11840000 c:\windows\Installer\218b299b.msp
+ 2009-02-25 23:07 . 2009-02-25 23:07 11646464 c:\windows\Installer\218b2974.msp
+ 2008-10-10 11:51 . 2008-10-10 11:51 14699520 c:\windows\Installer\1cae19.msp
+ 2008-10-10 11:45 . 2008-10-10 11:45 12962816 c:\windows\Installer\1cae01.msp
+ 2008-10-10 11:30 . 2008-10-10 11:30 19258880 c:\windows\Installer\1cadf2.msp
+ 2008-10-10 11:31 . 2008-10-10 11:31 18447872 c:\windows\Installer\1cadea.msp
+ 2008-10-10 11:39 . 2008-10-10 11:39 18344960 c:\windows\Installer\1cadda.msp
+ 2009-05-04 11:49 . 2009-05-04 11:49 10955776 c:\windows\Installer\18b6ae25.msp
+ 2008-05-13 02:25 . 2008-05-13 02:25 53809664 c:\windows\Installer\{29C4B08D-65A6-4D9F-BD5F-7768E8971A8C}\Diskeeper Home.msi
+ 2008-05-13 02:40 . 2008-05-13 02:40 70064128 c:\windows\Downloaded Installations\{95F21418-376B-41FA-8E95-6860B1F0B583}\Rescue and Recovery.msi
+ 2008-05-13 02:45 . 2008-05-13 02:45 58935296 c:\windows\Downloaded Installations\{1E4DA08B-E314-4B38-937A-294E4B412921}\Client Security Solution.msi
+ 2007-10-15 03:43 . 2007-10-15 03:43 229852160 c:\windows\Installer\a724968.msp
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"Google Update"="c:\users\David\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-11-25 133104]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2007-07-05 419112]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-07-05 124200]
"AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-11-07 91688]
"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2007-08-09 2630968]
"IaNvSrv"="c:\program files\Intel\Intel Matrix Storage Manager\OROM\IaNvSrv\IaNvSrv.exe" [2007-10-24 33304]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 66176]
"PWMTRV"="c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2007-12-06 324896]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-12-08 107112]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-08-05 135568]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-09 13543968]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-06-09 92704]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-28 148888]
"TpShocks"="TpShocks.exe" - c:\windows\System32\TpShocks.exe [2007-11-22 181536]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"DisableCAD"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 15:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-03-15 05:17 89600 ----a-w- c:\windows\System32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^David^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{9BE2BB76-D4C5-404A-A6A5-2A600528475C}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{D17D71BC-3648-4CA0-A875-7306F8663E36}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{7BBD3EF4-67AE-47E5-AD92-9D6FA3FB1290}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{64A82D71-4015-4147-8F5C-CDEDFC7FF250}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{9FC4BF3B-F936-42E7-A1A2-0CF80E4E2C6A}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"UDP Query User{7D9CEE8E-F155-4517-97B5-066EF7699BF7}c:\\program files\\limewire\\limewire.exe"= TCP:c:\program files\limewire\limewire.exe:LimeWire
"TCP Query User{C01AF1EB-B52C-44B3-998C-ACB7B72F6EA1}c:\\program files\\limewire\\limewire.exe"= UDP:c:\program files\limewire\limewire.exe:LimeWire
"{A5794B7C-28FC-4098-AD53-0E7CBDC8CE25}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{25B573BB-67CA-4824-A1A8-361BDD885C22}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{6C67FEBC-0CCF-4FB1-ADBE-592206C88C6D}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{493EA481-F911-41B4-81B0-7FE5AEA764A1}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{DAE6593F-C8B8-47A2-94EE-4F102C347466}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{B4E60AEA-749E-42CC-9D8C-79DC4266914F}c:\\program files\\aim\\aim pro\\aimpro.exe"= UDP:c:\program files\aim\aim pro\aimpro.exe:AIM Pro
"UDP Query User{77752EB7-321F-4742-8E76-0554E0D2BA37}c:\\program files\\aim\\aim pro\\aimpro.exe"= TCP:c:\program files\aim\aim pro\aimpro.exe:AIM Pro
"{CBB70D96-3643-4A01-AD61-D892358B2FA4}"= UDP:c:\program files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
"{65C1427A-8457-4D93-B027-B278C8440CDF}"= TCP:c:\program files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
"{12EFB8A1-28D4-449F-9646-3E81EBCCF821}"= UDP:c:\program files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
"{F069F40D-4B5A-4588-9F8F-9F6F84A9AFA6}"= TCP:c:\program files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
"{1FA405EE-8592-40FB-8429-0B711230F448}"= c:\program files\PharosSystems\Core\CTskMstr.exe:Pharos Com Task Master
"TCP Query User{8F5AAA1B-7089-4F83-AEA7-0275F234214C}c:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= UDP:c:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"UDP Query User{4F079DFF-FB80-43EF-A892-4D56B46C7F28}c:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= TCP:c:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"{0BC49CDF-7D8D-402B-B2D9-6B91BB361E07}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{825F9BC4-0ACE-4C4F-A8F9-3100675234E3}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"TCP Query User{4347FB01-1A36-4CF1-B0AA-D8DD01C07F81}c:\\program files\\limewire\\limewire.exe"= UDP:c:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{15751E51-2015-415B-9EE2-CB9FF764B02C}c:\\program files\\limewire\\limewire.exe"= TCP:c:\program files\limewire\limewire.exe:LimeWire
"{9AF49190-DB24-4D50-A11F-0B72569F0D4B}"= UDP:c:\users\David\AppData\Local\Google\Google Talk Plugin\googletalkplugin.dll:Google Talk Plugin
"{C9970133-E721-4D45-A132-EDCB0C3AD9F6}"= TCP:c:\users\David\AppData\Local\Google\Google Talk Plugin\googletalkplugin.dll:Google Talk Plugin
"{F624F718-F394-4E2C-B5B2-D1312B8BDF05}"= UDP:c:\users\David\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe:Google Talk Plugin
"{4C9C59DF-EBDB-43D4-B1D0-06E3428104C8}"= TCP:c:\users\David\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe:Google Talk Plugin
"TCP Query User{912069C5-CBF2-49F2-97BB-D306AD70201E}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{8ED7DD32-EB92-4239-9233-7EA647FDA163}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"{748B0F3E-33B1-448C-8844-CF5ADB0FAF6D}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{FC90D17D-C98E-416A-8613-D65E4882E538}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

R0 iaNvStor;Intel® Turbo Memory Controller;c:\windows\System32\drivers\iaNvStor.sys [6/6/2008 11:23 PM 220696]
R0 Shockprf;Shockprf;c:\windows\System32\drivers\ApsX86.sys [10/16/2007 9:33 PM 103472]
R0 TPDIGIMN;TPDIGIMN;c:\windows\System32\drivers\ApsHM86.sys [10/16/2007 9:32 PM 19504]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\System32\drivers\smiif32.sys [2/19/2007 12:12 AM 13744]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2/17/2009 11:43 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2009 11:43 AM 55024]
R1 TPPWRIF;TPPWRIF;c:\windows\System32\drivers\TPPWR32V.SYS [5/12/2008 10:05 PM 12080]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [1/11/2008 8:50 PM 30312]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [8/5/2007 5:29 PM 121744]
R2 smihlp;SMI Helper Driver (smihlp);c:\program files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [3/15/2007 1:10 AM 11152]
R2 TPHKSVC;On Screen Display;c:\program files\Lenovo\HOTKEY\TPHKSVC.exe [7/9/2007 2:23 AM 55936]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/7/2009 11:37 AM 101936]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\System32\drivers\NETw5v32.sys [3/4/2009 10:49 AM 4232704]
S2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [1/8/2007 11:03 PM 569344]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [11/24/2008 11:31 PM 29263712]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2009 11:43 AM 7408]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MCHINJDRV
*Deregistered* - mchInjDrv
*Deregistered* - SysPlant
*Deregistered* - WPS

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
%SystemRoot%\system32\soundschemes.exe /AddRegistration

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B3688A53-AB2A-4b1d-8CEF-8F93D8C51C24}]
%SystemRoot%\system32\soundschemes2.exe /AddRegistration
.
Contents of the 'Scheduled Tasks' folder

2009-07-03 c:\windows\Tasks\AWC Startup.job
- c:\program files\IObit\Advanced SystemCare 3\AWC.exe [2009-05-17 01:22]

2009-07-03 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 22:54]

2009-07-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2107215369-2078948122-415125840-1005Core.job
- c:\users\David\AppData\Local\Google\Update\GoogleUpdate.exe [2008-11-25 04:58]

2009-07-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2107215369-2078948122-415125840-1005UA.job
- c:\users\David\AppData\Local\Google\Update\GoogleUpdate.exe [2008-11-25 04:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.espn.go.com/
uInternet Settings,ProxyOverride = *.local
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath -
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-03 07:12
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\c:\windows\TEMP\mc2D123.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(752)
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll

- - - - - - - > 'Explorer.exe'(3036)
c:\program files\Lenovo\Client Security Solution\tvtpwm_windows_hook.dll
c:\program files\Lenovo\Client Security Solution\tvt_passwordmanager.dll
c:\program files\Lenovo\Client Security Solution\css_banner.dll
c:\program files\Lenovo\Client Security Solution\csswait.dll
c:\windows\system32\cssuserdatadispatcher.dll
c:\program files\Lenovo\Client Security Solution\css_dlgcustompolicy.dll
c:\windows\system32\tvttsp.dll
c:\windows\system32\tcsrpc.dll
c:\program files\Common Files\Lenovo\tvt_think_res.dll
c:\program files\Lenovo\Client Security Solution\css_think_res.dll
c:\windows\system32\btncopy.dll
c:\program files\Lenovo\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\program files\Lenovo\Drag-to-Disc\ShellRes.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\ibmpmsvc.exe
c:\windows\System32\nvvsvc.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\rundll32.exe
c:\program files\ThinkVantage Fingerprint Software\upeksvr.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\windows\System32\wlanext.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\System32\IPSSVC.EXE
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\windows\System32\AEADISRV.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\progra~1\PHAROS~1\Core\CTskMstr.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Lenovo\System Update\SUService.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Lenovo\Client Security Solution\tvttcsd.exe
c:\windows\System32\drivers\XAudio.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\program files\Symantec AntiVirus\SavUI.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe
c:\windows\System32\rundll32.exe
c:\program files\Symantec AntiVirus\VPTray.exe
c:\windows\System32\rundll32.exe
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Lenovo\ZOOM\TpScrex.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Lenovo\Client Security Solution\tvtpwm_tray.exe
.
**************************************************************************
.
Completion time: 2009-07-03 7:15 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-03 11:15
ComboFix2.txt 2009-06-28 14:59

Pre-Run: 25,820,585,984 bytes free
Post-Run: 25,691,897,856 bytes free

491 --- E O F --- 2009-07-03 03:09

DDS (Ver_09-06-26.01) - NTFSx86
Run by David at 13:13:14.20 on Fri 07/03/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_14
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.2030.426 [GMT -4:00]

AV: Symantec AntiVirus *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
SP: Symantec AntiVirus *enabled* (Updated) {6C85A515-B91D-4D2B-AF18-40984A4A8493}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\ibmpmsvc.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\WLANExt.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Windows\system32\AEADISRV.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
c:\Program Files\Lenovo\System Update\SUService.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Symantec AntiVirus\SavUI.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Windows\System32\TpShocks.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Lenovo\Client Security Solution\tvtpwm_tray.exe
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Symantec AntiVirus\DWHWIZRD.EXE
C:\Users\David\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\Program Files\Windows Live Toolbar\msn_sl.exe
C:\Windows\system32\SearchProtocolHost.exe
c:\Windows\system32\Macromed\Flash\FlashUtil9d.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\David\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.espn.go.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! ¤u¨ã¦C: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\compan~1\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\compan~1\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: CPwmIEBrowserHelper Object: {f040e541-a427-4cf7-85d8-75e3e0f476c5} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: Yahoo! ¤u¨ã¦C: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\compan~1\installs\cpn\yt.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Google Update] "c:\users\david\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
mRun: [AwaySch] c:\program files\lenovo\awaytask\AwaySch.EXE
mRun: [cssauth] "c:\program files\lenovo\client security solution\cssauth.exe" silent
mRun: [IaNvSrv] c:\program files\intel\intel matrix storage manager\orom\ianvsrv\IaNvSrv.exe
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
mRun: [TpShocks] TpShocks.exe
mRun: [PWMTRV] rundll32 c:\progra~1\thinkpad\utilit~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: DisableCAD = 1 (0x1)
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {0045D4BC-5189-4b67-969C-83BB1906C421} - {0FE81B52-73FA-425F-8F06-3F32451AC73F} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: psfus - c:\windows\system32\psqlpwd.dll
STS: Windows DreamScene: {e31004d1-a431-41b8-826f-e902f9d95c81} - %SystemRoot%\System32\DreamScene.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli psqlpwd

================= FIREFOX ===================

FF - ProfilePath - c:\users\david\appdata\roaming\mozilla\firefox\profiles\qg5090k0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.espn.go.com/
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\users\david\appdata\local\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\users\david\appdata\roaming\move networks\plugins\npqmp071500000347.dll
FF - plugin: c:\users\david\appdata\roaming\mozilla\firefox\profiles\qg5090k0.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\users\david\appdata\roaming\mozilla\plugins\npgoogletalk.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 iaNvStor;Intel® Turbo Memory Controller;c:\windows\system32\drivers\iaNvStor.sys [2008-6-6 220696]
R0 Shockprf;Shockprf;c:\windows\system32\drivers\ApsX86.sys [2007-10-16 103472]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2007-10-16 19504]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [2007-2-19 13744]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-2-17 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 55024]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWR32V.SYS [2008-5-12 12080]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\microsoft small business\business contact manager\BcmSqlStartupSvc.exe [2008-1-11 30312]
R2 smihlp;SMI Helper Driver (smihlp);c:\program files\common files\thinkvantage fingerprint software\drivers\smihlp.sys [2007-3-15 11152]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-6-7 101936]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2009-3-4 4232704]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2008-11-24 29263712]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]

=============== Created Last 30 ================

2009-07-03 07:14 <DIR> --dsh--- C:\$RECYCLE.BIN
2009-06-28 11:26 <DIR> --d----- c:\program files\JavaFX
2009-06-28 11:24 <DIR> --d----- c:\program files\Sun
2009-06-28 11:12 <DIR> --d----- c:\users\david\.SunDownloadManager
2009-06-27 19:38 161,792 a------- c:\windows\SWREG.exe
2009-06-27 19:38 155,136 a------- c:\windows\PEV.exe
2009-06-27 19:38 98,816 a------- c:\windows\sed.exe
2009-06-12 22:51 <DIR> --d----- c:\program files\iPod
2009-06-12 22:51 <DIR> --d----- c:\program files\iTunes
2009-06-09 22:28 2,033,152 a------- c:\windows\system32\win32k.sys
2009-06-09 22:28 636,928 a------- c:\windows\system32\localspl.dll
2009-06-09 22:28 784,896 a------- c:\windows\system32\rpcrt4.dll
2009-06-07 11:34 <DIR> --d----- C:\SDFix
2009-06-06 08:02 <DIR> --d----- c:\program files\WinDirStat
2009-06-05 23:25 <DIR> --d----- c:\users\david\DoctorWeb

==================== Find3M ====================

2009-07-03 13:06 118,227 a------- c:\programdata\nvModes.dat
2009-07-03 13:06 118,227 a------- c:\progra~2\nvModes.dat
2009-06-28 11:24 410,984 a------- c:\windows\system32\deploytk.dll
2009-06-12 22:41 51,200 a------- c:\windows\inf\infpub.dat
2009-06-12 22:41 143,360 a------- c:\windows\inf\infstrng.dat
2009-06-12 22:41 86,016 a------- c:\windows\inf\infstor.dat
2009-04-24 12:05 827,904 a------- c:\windows\system32\wininet.dll
2009-04-24 12:02 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-24 09:44 26,624 a------- c:\windows\system32\ieUnatt.exe
2008-12-08 14:36 96,907 a------- c:\users\david\appdata\roaming\nvModes.dat
2008-06-11 03:08 665,600 a------- c:\windows\inf\drvindex.dat
2008-06-10 12:57 148 a------- c:\users\david\NetworkDrives.bat
2008-01-20 22:41 174 a--sh--- c:\program files\desktop.ini
2006-11-02 08:40 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:40 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:40 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:40 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-09-02 17:02 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-09-02 17:02 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-09-02 17:02 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 13:14:25.99 ===============

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-03 14:58:22
Windows 6.0.6001 Service Pack 1

---- System - GMER 1.0.15 ----

SSDT 8FBFF310 ZwConnectPort

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetTimerEx + 3F4 81CEF9B8 4 Bytes CALL 41C20A3E
? C:\Windows\TEMP\mc2D123.tmp The system cannot find the file specified. !
? C:\Users\David\AppData\Local\Temp\catchme.sys The system cannot find the file specified. !
? C:\Windows\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[4512] USER32.dll!DialogBoxIndirectParamW 7643BD25 5 Bytes JMP 71805BD3 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4512] USER32.dll!DialogBoxParamW 76451FD5 5 Bytes JMP 71805B5D C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4512] USER32.dll!DialogBoxParamA 764780B2 5 Bytes JMP 71805B98 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4512] USER32.dll!DialogBoxIndirectParamA 764783DD 5 Bytes JMP 71805C0E C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4512] USER32.dll!MessageBoxIndirectA 7648D471 5 Bytes JMP 71805B19 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4512] USER32.dll!MessageBoxIndirectW 7648D56B 5 Bytes JMP 71805AD5 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4512] USER32.dll!MessageBoxExA 7648D5D1 5 Bytes JMP 71805A9B C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4512] USER32.dll!MessageBoxExW 7648D5F5 5 Bytes JMP 71805A61 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4512] SHELL32.dll!SHRestricted + DFD 76A78390 4 Bytes [99, 0B, 48, 61] {CDQ ; OR ECX, [EAX+0x61]}
.text C:\Program Files\Internet Explorer\iexplore.exe[4512] SHELL32.dll!SHRestricted + E05 76A78398 8 Bytes [A7, 0A, 48, 61, A4, 32, 47, ...] {CMPSD ; OR CL, [EAX+0x61]; MOVSB ; XOR AL, [EDI+0x61]}
.text C:\Program Files\Internet Explorer\iexplore.exe[4512] SHELL32.dll!SHBindToObject + 693 76A7A9B8 4 Bytes [99, 0B, 48, 61] {CDQ ; OR ECX, [EAX+0x61]}
.text C:\Program Files\Internet Explorer\iexplore.exe[4512] SHELL32.dll!SHBindToObject + 69B 76A7A9C0 4 Bytes [A7, 0A, 48, 61] {CMPSD ; OR CL, [EAX+0x61]}
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[5392] kernel32.dll!SetUnhandledExceptionFilter 75DA6E2D 5 Bytes JMP 66BA531D C:\Program Files\Common Files\Microsoft Shared\office12\mso.dll (2007 Microsoft Office component/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [6146D537] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6146D09C] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!CopyFileW] [6146B6A1] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [6146D221] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!CreateFileW] [6146BD1B] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!SearchPathW] [6146F233] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!DeleteFileW] [6146C301] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!SearchPathW] [6146F233] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [6146D537] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!CopyFileW] [6146B6A1] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!MoveFileW] [6146DE50] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!DeleteFileW] [6146C301] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!SetCurrentDirectoryW] [6146F49D] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!FindClose] [61470D4C] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!FindNextFileW] [6146FC09] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!FindFirstFileW] [614702A5] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [6146D09C] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!CreateFileW] [6146BD1B] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!WritePrivateProfileStringW] [6146B114] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [6146D221] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetPrivateProfileStringW] [6146A970] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\USER32.dll [ADVAPI32.dll!RegQueryInfoKeyW] [6147DB0F] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\USER32.dll [ADVAPI32.dll!RegEnumValueW] [6147E479] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\USER32.dll [ADVAPI32.dll!RegOpenKeyExW] [6147CB9D] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\USER32.dll [ADVAPI32.dll!RegQueryValueExW] [6147D773] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\USER32.dll [ADVAPI32.dll!RegDeleteKeyW] [6147CEA5] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\USER32.dll [ADVAPI32.dll!RegCreateKeyExW] [6147C625] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\USER32.dll [ADVAPI32.dll!RegCloseKey] [6147CD09] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!FindClose] [61470D4C] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!FindFirstFileA] [6146FF42] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!FindNextFileA] [6146FB96] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!FindFirstFileW] [614702A5] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!FindNextFileW] [6146FC09] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!GetFileAttributesA] [614689D0] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!SetCurrentDirectoryA] [6146EBFB] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!SetFileAttributesA] [61468C26] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!CreateDirectoryA] [6146E3CB] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!RemoveDirectoryA] [6146E9A5] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!DeleteFileA] [6146C1D6] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!GetFileAttributesW] [61468AFB] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!SetCurrentDirectoryW] [6146F49D] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!SetFileAttributesW] [61468D54] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!CreateDirectoryW] [6146E4F9] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!DeleteFileW] [6146C301] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!MoveFileW] [6146DE50] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!RemoveDirectoryW] [6146EAD0] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!MoveFileA] [6146DDDD] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryA] [6146D09C] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!CreateFileA] [6146BBD2] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!CreateFileW] [6146BD1B] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryW] [6146D221] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [6146D221] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!ReplaceFileW] [6146E151] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!WritePrivateProfileStringW] [6146B114] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetPrivateProfileStringW] [6146A970] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetPrivateProfileStringA] [6146A819] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!DeleteFileW] [6146C301] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [6146D537] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!SetFileAttributesW] [61468D54] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateFileW] [6146BD1B] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!FindFirstFileW] [614702A5] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!FindNextFileW] [6146FC09] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!SearchPathW] [6146F233] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetFileAttributesW] [61468AFB] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!SetFileAttributesA] [61468C26] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateFileA] [6146BBD2] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!FindFirstFileA] [6146FF42] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!FindNextFileA] [6146FB96] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!FindClose] [61470D4C] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!SearchPathA] [6146EFA8] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetFileAttributesA] [614689D0] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [6146D09C] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!WinHelpW] [6146CF65] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!WinHelpA] [6146CE2E] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHLWAPI.dll [ADVAPI32.dll!RegCloseKey] [6147CD09] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHLWAPI.dll [ADVAPI32.dll!RegCreateKeyExA] [6147C49D] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHLWAPI.dll [ADVAPI32.dll!RegDeleteKeyA] [6147CD5C] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHLWAPI.dll [ADVAPI32.dll!RegQueryInfoKeyA] [6147D913] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHLWAPI.dll [ADVAPI32.dll!RegOpenKeyExA] [6147CA25] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHLWAPI.dll [ADVAPI32.dll!RegCreateKeyExW] [6147C625] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHLWAPI.dll [ADVAPI32.dll!RegOpenKeyExW] [6147CB9D] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHLWAPI.dll [ADVAPI32.dll!RegEnumKeyExW] [6147E169] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHLWAPI.dll [ADVAPI32.dll!RegQueryValueW] [6147D437] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHLWAPI.dll [ADVAPI32.dll!RegDeleteKeyW] [6147CEA5] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHLWAPI.dll [ADVAPI32.dll!RegQueryInfoKeyW] [6147DB0F] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHLWAPI.dll [ADVAPI32.dll!RegQueryValueExW] [6147D773] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHLWAPI.dll [ADVAPI32.dll!RegEnumValueW] [6147E479] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHLWAPI.dll [ADVAPI32.dll!RegEnumKeyW] [6147DE75] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHLWAPI.dll [ADVAPI32.dll!RegEnumKeyExA] [6147DFE1] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHLWAPI.dll [ADVAPI32.dll!RegEnumValueA] [6147E2F1] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHLWAPI.dll [ADVAPI32.dll!RegEnumKeyA] [6147DD0B] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHLWAPI.dll [ADVAPI32.dll!RegQueryValueExA] [6147D5D3] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!GetPrivateProfileSectionW] [6146A460] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!FindNextFileW] [6146FC09] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!ReplaceFileW] [6146E151] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!GetPrivateProfileSectionNamesW] [6146A6E2] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!WritePrivateProfileSectionW] [6146AE92] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!WritePrivateProfileStringW] [6146B114] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!CreateHardLinkW] [6146C023] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!CopyFileW] [6146B6A1] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!GetBinaryTypeW] [61469700] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [6146D537] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!MoveFileW] [6146DE50] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!FindFirstFileW] [614702A5] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!FindClose] [61470D4C] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!GetShortPathNameA] [61469362] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!GetFileAttributesA] [614689D0] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!SearchPathW] [6146F233] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!GetPrivateProfileIntW] [6146A1D8] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!GetPrivateProfileStringW] [6146A970] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!RemoveDirectoryW] [6146EAD0] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!CreateDirectoryW] [6146E4F9] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!DeleteFileW] [6146C301] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!SetFileAttributesW] [61468D54] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!GetFileAttributesW] [61468AFB] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!MoveFileExW] [6146DE75] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!GetShortPathNameW] [614694A1] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [6146D221] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!CreateFileW] [6146BD1B] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!GetFileAttributesExW] [61468FC1] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [6146D09C] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!GetLongPathNameW] [61469231] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!SetCurrentDirectoryW] [6146F49D] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHELL32.dll [USER32.dll!LoadImageW] [6146C58B] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHELL32.dll [USER32.dll!WinHelpW] [6146CF65] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHELL32.dll [USER32.dll!PrivateExtractIconsW] [6146CA80] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHELL32.dll [ADVAPI32.dll!RegOpenKeyExW] [6147CB9D] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHELL32.dll [ADVAPI32.dll!RegCreateKeyExW] [6147C625] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHELL32.dll [ADVAPI32.dll!RegEnumKeyW] [6147DE75] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHELL32.dll [ADVAPI32.dll!RegEnumValueW] [6147E479] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHELL32.dll [ADVAPI32.dll!RegDeleteKeyW] [6147CEA5] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHELL32.dll [ADVAPI32.dll!RegQueryInfoKeyW] [6147DB0F] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHELL32.dll [ADVAPI32.dll!RegQueryInfoKeyA] [6147D913] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHELL32.dll [ADVAPI32.dll!RegEnumKeyExW] [6147E169] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHELL32.dll [ADVAPI32.dll!RegSetValueW] [6147D13F] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHELL32.dll [ADVAPI32.dll!RegQueryValueExW] [6147D773] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHELL32.dll [ADVAPI32.dll!RegQueryValueW] [6147D437] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHELL32.dll [ADVAPI32.dll!RegOpenKeyW] [6147C8E9] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHELL32.dll [ADVAPI32.dll!RegCreateKeyW] [6147C35D] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHELL32.dll [ADVAPI32.dll!RegQueryValueExA] [6147D5D3] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHELL32.dll [ADVAPI32.dll!RegOpenKeyExA] [6147CA25] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHELL32.dll [ADVAPI32.dll!RegCloseKey] [6147CD09] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\SHELL32.dll [ntdll.dll!NtQueryDirectoryFile] [614791AC] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!FindClose] [61470D4C] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!FindFirstFileW] [614702A5] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [6146D537] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!SearchPathW] [6146F233] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!DeleteFileW] [6146C301] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!GetShortPathNameW] [614694A1] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!GetFileAttributesExW] [61468FC1] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!CreateFileW] [6146BD1B] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [6146D221] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!GetFileAttributesW] [61468AFB] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [6146D09C] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\ole32.dll [ADVAPI32.dll!RegSetValueW] [6147D13F] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\ole32.dll [ADVAPI32.dll!RegQueryValueA] [6147D28F] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\ole32.dll [ADVAPI32.dll!RegEnumKeyExW] [6147E169] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\ole32.dll [ADVAPI32.dll!RegEnumValueW] [6147E479] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\ole32.dll [ADVAPI32.dll!RegEnumKeyA] [6147DD0B] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\ole32.dll [ADVAPI32.dll!RegDeleteKeyA] [6147CD5C] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\ole32.dll [ADVAPI32.dll!RegQueryInfoKeyW] [6147DB0F] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\ole32.dll [ADVAPI32.dll!RegQueryInfoKeyA] [6147D913] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\ole32.dll [ADVAPI32.dll!RegQueryValueW] [6147D437] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\ole32.dll [ADVAPI32.dll!RegEnumKeyW] [6147DE75] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\ole32.dll [ADVAPI32.dll!RegCloseKey] [6147CD09] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\ole32.dll [ADVAPI32.dll!RegQueryValueExW] [6147D773] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\ole32.dll [ADVAPI32.dll!RegOpenKeyExW] [6147CB9D] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\ole32.dll [ADVAPI32.dll!RegDeleteKeyW] [6147CEA5] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\ole32.dll [ADVAPI32.dll!RegCreateKeyExW] [6147C625] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\ole32.dll [ADVAPI32.dll!RegQueryValueExA] [6147D5D3] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\ole32.dll [ADVAPI32.dll!RegOpenKeyExA] [6147CA25] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\WININET.dll [SHLWAPI.dll!SHRegGetValueW] [61475CFD] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\WININET.dll [SHLWAPI.dll!SHRegGetValueA] [61475C9F] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\WININET.dll [SHLWAPI.dll!PathUnExpandEnvStringsA] [61474D95] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\WININET.dll [SHLWAPI.dll!SHDeleteKeyA] [614750AF] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\WININET.dll [SHLWAPI.dll!SHDeleteValueW] [6147519F] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\WININET.dll [SHLWAPI.dll!PathCreateFromUrlW] [614740A2] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\WININET.dll [SHLWAPI.dll!SHGetValueA] [61475357] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\WININET.dll [SHLWAPI.dll!SHSetValueA] [6147619F] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\WININET.dll [SHLWAPI.dll!SHGetValueW] [614753B2] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\WININET.dll [SHLWAPI.dll!SHSetValueW] [614761FA] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4512] @ C:\Windows\system32\WININET.dll [SHLWAPI.dll!PathCombineW] [61473FFB] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device rdpdr.sys (Microsoft RDP Device redirector/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\HidBth
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Upgrade\HidBth

---- EOF - GMER 1.0.15 ----

Thanks!

Attached File(s)

Attach.txt (7.77K)
Number of downloads: 8

#10 screen317

Forum Regular

Group: Malware Response Team
Posts: 207
Joined: 09-July 07
Gender:Male
Location:Los Angeles

Posted 03 July 2009 - 10:54 PM

Hello,

Quote

These are the names of some of the files, there are a lot more as the list keeps growing:

DWHF366.tmp
DWHC4F8.tmp
DWH5B5P.tmp

Please go to VirusTotal, and upload those files for analysis.

Post the results in your reply.

-screen317

#11 Wdave37

Member

Group: Members
Posts: 20
Joined: 10-March 09

Posted 04 July 2009 - 01:44 PM

Unfortunately I can't open up any of the files in this folder to upload that are infected. It says "You do not have permission to open this file." Whereas if I were to try and upload a non infected file, it would allow me to upload it. Here is the folder that these files sit in if it helps: C:\Users\David\AppData\Local\Temp

Thanks,

Dave

#12 screen317

Forum Regular

Group: Malware Response Team
Posts: 207
Joined: 09-July 07
Gender:Male
Location:Los Angeles

Posted 06 July 2009 - 02:56 AM

Navigate to Start --> Run, and enter the following command:

copy /V "C:\Users\David\AppData\Local\Temp\DWHF366.tmp" "%userprofile%\desktop\test.tmp"

After that, try uploading test.tmp on your Desktop to Virustotal.

-screen317

#13 Wdave37

Member

Group: Members
Posts: 20
Joined: 10-March 09

Posted 06 July 2009 - 08:39 PM

When I try to copy the file, it gives me a "Windows cannot find 'copy'" error message. I copied and pasted the whole line that is in bold.

Thanks,

Dave

#14 Wdave37

Member

Group: Members
Posts: 20
Joined: 10-March 09

Posted 06 July 2009 - 08:49 PM

Also, for what it's worth, it seems like certain files just pop into the temp folder and then immediately get quarantined. I'm not sure what's causing it for sure, but it's not quarantining files that have been sitting in the temp folder, at least that's from what I can tell best.

I've had to restore the file from the quarantine back into the temp folder, and then I tried executing your command when it appears back in the folder.

#15 screen317

Forum Regular

Group: Malware Response Team
Posts: 207
Joined: 09-July 07
Gender:Male
Location:Los Angeles

Posted 07 July 2009 - 12:16 AM

My mistake,

Do the following instead:

Navigate to Start --> Run, and type in cmd.exe

Press enter.

A black box should open.

Now enter the command...

copy /V "C:\Users\David\AppData\Local\Temp\DWHF366.tmp" "%userprofile%\desktop\test.tmp"

...into the black box.