Outerinfo/malwarealarm/more?


8 replies to this topic

#1 flavor

flavor

  • Members
  • 13 posts
  • OFFLINE
  • Local time:12:34 AM

Posted 21 December 2007 - 02:21 AM

Please take a look at my log. Merry Christmas and God bless!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:17:42 PM, on 12/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\pnmlqyrx.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Sprint\Pantech\Sprint Mobile Broadband (Pantech)\PWIUtilityService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\Program Files\ThinkVantage\AMSG\Amsg.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\regsvr32.exe
C:\WINDOWS\TEMP\winB76.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\RACLE~1\wowexec.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Pidgin\pidgin.exe
C:\Documents and Settings\Michele Wyman\Desktop\hijackthis_sfx.exe
C:\Documents and Settings\Michele Wyman\Desktop\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Michele Wyman\Desktop\HiJackThis(2).exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lenovo.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {200D0AAD-71B1-51C9-DDB0-092BA4662A54} - C:\Program Files\Narvrpzd\rhbsczaq.dll
O2 - BHO: {a28b10ae-1ed6-7268-d684-35e8716f4613} - {3164f617-8e53-486d-8627-6de1ea01b82a} - C:\WINDOWS\system32\wolsaxav.dll
O2 - BHO: (no name) - {54814FE8-85FF-40C8-AEDE-18BD9EA384FA} - C:\WINDOWS\system32\vtsqp.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {9FDAA744-10F3-4B5A-D25A-3FE600F00997} - C:\WINDOWS\system32\ixxe.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\ywxqilzk.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [AMSG] C:\Program Files\ThinkVantage\AMSG\Amsg.exe /startup
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [pgtqncvg] rundll32.exe "C:\Program Files\pgtqncvg\tuhknwha.dll",Init
O4 - HKLM\..\Run: [qrqpgtkb] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\qrqpgtkb.dll"
O4 - HKLM\..\Run: [SC2] C:\Program Files\SecCenter\scprot4.exe
O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\winB76.exe
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvrov.dll,startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [58a8ab0d] rundll32.exe "C:\WINDOWS\system32\kfbhlkdm.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [MalwareAlarm] C:\Program Files\MalwareAlarm\MalwareAlarm.exe
O4 - HKCU\..\Run: [Ebc] "C:\PROGRA~1\RACLE~1\wowexec.exe" -vt ndrv
O4 - HKCU\..\Run: [Qkxbolf] C:\WINDOWS\system32\s?stem\n?tepad.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: gos126 - gos126.tmp (file missing)
O20 - Winlogon Notify: winzzd32 - C:\WINDOWS\SYSTEM32\winzzd32.dll
O20 - Winlogon Notify: ywxqilzk - C:\WINDOWS\SYSTEM32\ywxqilzk.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\pnmlqyrx.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\OpenVPN\bin\openvpnserv.exe
O23 - Service: Pantech Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Pantech\Sprint Mobile Broadband (Pantech)\PWIUtilityService.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: System Update (SUService) - - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: tvtnetwk - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 13597 bytes
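A triage pass over lines of the kind that appear in the HijackThis log above, as an added example that is not part of this thread and not code from HijackThis itself. The sample lines are copied from the log posted above; the rules (autostarts out of TEMP, unnamed BHOs, `regsvr32 /u` in a Run key, unrenderable characters in a path, vendor-less services with no file on disk, and random-looking names as a weak signal only) are the editor's own heuristics, not a rule set shipped with any tool.

```python
"""Triage helper for HijackThis log lines (added example, not part of the thread)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: entries copied from the HijackThis log posted above, plus two
# clean vendor entries so the rules have something to leave alone.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {54814FE8-85FF-40C8-AEDE-18BD9EA384FA} - C:\WINDOWS\system32\vtsqp.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\winB76.exe
O4 - HKLM\..\Run: [qrqpgtkb] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\qrqpgtkb.dll"
O4 - HKCU\..\Run: [Qkxbolf] C:\WINDOWS\system32\s?stem\n?tepad.exe
O20 - Winlogon Notify: gos126 - gos126.tmp (file missing)
O20 - Winlogon Notify: ywxqilzk - C:\WINDOWS\SYSTEM32\ywxqilzk.dll
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
"""

# "O4 - HKLM\..\Run: [name] C:\path" -> section tag and the rest of the line.
SECTION_RE = re.compile(r"^([RO]\d+)\s+-\s+(.*)$")
# First drive-letter path ending in .exe/.dll; non-greedy so it stops at the first extension.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]+?\.(?:exe|dll)', re.I)
VOWELS = set("aeiou")


@dataclass
class Finding:
    section: str                 # HijackThis section tag, e.g. "O4"
    line: str                    # the original log line
    reasons: List[str] = field(default_factory=list)
    severity: str = "weak"       # "strong" if any deterministic indicator matched


def looks_random(stem: str) -> bool:
    """Weak signal only: an all-lowercase letter name of 5+ chars with almost no
    vowels (vtsqp, qrqpgtkb, ywxqilzk). It leaves ctfmon, spoolsv and svchost alone
    but will also flag some legitimate names, so it never raises severity by itself."""
    if not (stem.isalpha() and stem.islower() and len(stem) >= 5):
        return False
    return sum(c in VOWELS for c in stem) / len(stem) <= 0.125


def assess(line: str) -> Optional[Finding]:
    """Apply the triage rules to one log line; None means nothing to review."""
    m = SECTION_RE.match(line.strip())
    if not m or m.group(1) not in ("O2", "O4", "O20", "O23"):
        return None
    section, body = m.group(1), m.group(2)
    pm = PATH_RE.search(body)
    path = pm.group(0) if pm else ""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]

    strong, weak = [], []
    if "\\TEMP\\" in path.upper():
        strong.append("autostart runs an executable out of a TEMP directory")
    if "?" in path:
        strong.append("path has a character HijackThis could not render; "
                      "a look-alike of a system path rather than the real one")
    if section == "O2" and "(no name)" in body:
        strong.append("browser helper object registered without a name")
    if section == "O4" and re.search(r"regsvr32\s+/u", body, re.I):
        strong.append("Run entry re-runs 'regsvr32 /u' at every logon")
    if section == "O20" and ".tmp" in body.lower():
        strong.append("Winlogon Notify handler with a .tmp file name")
    if section == "O23" and "Unknown owner" in body and "(file missing)" in body:
        strong.append("service with no vendor and no file on disk")
    if "(file missing)" in body:
        weak.append("target file is missing (often a leftover; verify before removing)")
    if looks_random(stem):
        weak.append(f"random-looking file name '{stem}'")

    if not strong and not weak:
        return None
    return Finding(section, line.strip(), strong + weak,
                   "strong" if strong else "weak")


def triage(log_text: str) -> List[Finding]:
    """Run assess() over every line and keep the entries worth a second look."""
    return [f for f in (assess(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.line}")
        for r in f.reasons:
            print(f"          - {r}")
```

On the sample, the two vendor entries produce nothing, six of the remaining lines come back as "strong", and the ywxqilzk Winlogon Notify entry is flagged only on its name, which is exactly the kind of line a human then checks against the O2 and O4 sections.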


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:06:34 AM

Posted 21 December 2007 - 01:15 PM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, Red2007.
My name is Richie and I'll be helping you to fix your problems.

It appears you've no virus protection installed, which is somewhat suicidal.
Please download/install Avira AntiVir Personal Edition Classic [Free]:
http://www.free-av.com/
Perform a full scan with Avira and allow it to delete everything it detects.
Restart your PC when you've done.
After restart, open Avira Antivirus and select "Reports".
Then double click the report from the full scan you have just completed.
Click the "Report File" button, then copy and paste the report into your next reply.


Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the "Scan for Vundo" button.
Once it's done scanning, click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files, click "YES".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click "OK".
Post the contents of C:\vundofix.txt into your next reply.
Note:
It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.


Download SDFix.exe and save it to your desktop:
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

* Double click on SDFix on your desktop, and install the fix to C:\

Please then reboot your computer into Safe Mode by doing the following:

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* In Safe Mode, go to and open the C:\SDFix folder, then double click on RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.


If you have previously downloaded ComboFix, please delete that version now.
Warning
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an expert, not for private use.
Using this tool incorrectly could render your system/PC inoperable.

Now download Combofix and save to your desktop:
Note
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
Note
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again.
Some scanners may see some Combofix-related components as suspicious and block or delete them while there's nothing wrong with them.

Also post a new Hijackthis log please.

#3 flavor

flavor
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:12:34 AM

Posted 23 December 2007 - 12:00 AM

Thank you. I had to run the AV scan twice:


AntiVir PersonalEdition Classic
Report file date: Saturday, December 22, 2007 10:13

Scanning for 985274 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: SYSTEM
Computer name: CHADHEINRICH

Version information:
BUILD.DAT : 270 15603 Bytes 9/19/2007 13:32:00
AVSCAN.EXE : 7.0.6.1 290856 Bytes 8/23/2007 22:16:29
AVSCAN.DLL : 7.0.6.0 49192 Bytes 8/16/2007 21:23:51
LUKE.DLL : 7.0.5.3 147496 Bytes 8/15/2007 00:32:47
LUKERES.DLL : 7.0.6.1 10280 Bytes 8/21/2007 21:35:20
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 19:55:56
ANTIVIR1.VDF : 7.0.1.95 3367424 Bytes 12/14/2007 19:55:56
ANTIVIR2.VDF : 7.0.1.96 2048 Bytes 12/14/2007 19:55:56
ANTIVIR3.VDF : 7.0.1.139 186368 Bytes 12/21/2007 19:55:56
AVEWIN32.DLL : 7.6.0.46 3084800 Bytes 12/21/2007 19:55:57
AVWINLL.DLL : 1.0.0.7 14376 Bytes 2/26/2007 19:36:26
AVPREF.DLL : 7.0.2.2 25640 Bytes 7/18/2007 16:39:17
AVREP.DLL : 7.0.0.1 155688 Bytes 4/16/2007 22:16:24
AVPACK32.DLL : 7.6.0.2 360488 Bytes 12/21/2007 19:55:58
AVREG.DLL : 7.0.1.6 30760 Bytes 7/18/2007 16:17:06
AVARKT.DLL : 1.0.0.20 278568 Bytes 8/28/2007 21:26:33
AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 7/18/2007 16:10:18
NETNT.DLL : 7.0.0.0 7720 Bytes 3/8/2007 20:09:42
RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 8/7/2007 21:38:13
RCTEXT.DLL : 7.0.62.0 86056 Bytes 8/21/2007 21:50:37
SQLITE3.DLL : 3.3.17.1 339968 Bytes 7/23/2007 18:37:21

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: C:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Saturday, December 22, 2007 10:13

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'CMPWI.exe' - '1' Module(s) have been scanned
Scan process 'notepad.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'GoogleUpdater.exe' - '1' Module(s) have been scanned
Scan process 'DLG.exe' - '1' Module(s) have been scanned
Scan process 'BTTray.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'brctrcen.exe' - '1' Module(s) have been scanned
Scan process 'cssauth.exe' - '1' Module(s) have been scanned
Scan process 'ACWLIcon.exe' - '1' Module(s) have been scanned
Scan process 'ACTray.exe' - '1' Module(s) have been scanned
Scan process 'Amsg.exe' - '1' Module(s) have been scanned
Scan process 'LPMGR.EXE' - '1' Module(s) have been scanned
Scan process 'AwaySch.EXE' - '1' Module(s) have been scanned
Scan process 'issch.exe' - '1' Module(s) have been scanned
Scan process 'DLACTRLW.EXE' - '1' Module(s) have been scanned
Scan process 'igfxsrvc.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'scheduler_proxy.exe' - '1' Module(s) have been scanned
Scan process 'igfxpers.exe' - '1' Module(s) have been scanned
Scan process 'hkcmd.exe' - '1' Module(s) have been scanned
Scan process 'igfxtray.exe' - '1' Module(s) have been scanned
Scan process 'smax4pnp.exe' - '1' Module(s) have been scanned
Scan process 'TpScrex.exe' - '1' Module(s) have been scanned
Scan process 'TPONSCR.exe' - '1' Module(s) have been scanned
Scan process 'EZEJMNAP.EXE' - '1' Module(s) have been scanned
Scan process 'TpShocks.exe' - '1' Module(s) have been scanned
Scan process 'TPOSDSVC.exe' - '1' Module(s) have been scanned
Scan process 'tpfnf7sp.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'SynTPEnh.exe' - '1' Module(s) have been scanned
Scan process 'SynTPLpr.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'SvcGuiHlpr.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'AcSvc.exe' - '1' Module(s) have been scanned
Scan process 'ViewpointService.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'tvtsched.exe' - '1' Module(s) have been scanned
Scan process 'rrservice.exe' - '1' Module(s) have been scanned
Scan process 'rrpservice.exe' - '1' Module(s) have been scanned
Scan process 'tvttcsd.exe' - '1' Module(s) have been scanned
Scan process 'TPHDEXLG.exe' - '1' Module(s) have been scanned
Scan process 'tvt_reg_monitor_svc.exe' - '1' Module(s) have been scanned
Scan process 'SUService.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'RegSrvc.exe' - '1' Module(s) have been scanned
Scan process 'PWIUtilityService.exe' - '1' Module(s) have been scanned
Scan process 'iviRegMgr.exe' - '1' Module(s) have been scanned
Scan process 'GoogleUpdaterService.exe' - '1' Module(s) have been scanned
Scan process 'EvtEng.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'AcPrfMgrSvc.exe' - '1' Module(s) have been scanned
Scan process 'IPSSVC.EXE' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'S24EvMon.exe' - '1' Module(s) have been scanned
Scan process 'btwdins.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ibmpmsvc.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
76 processes with 76 modules were scanned

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!

Starting to scan the registry.
The registry was scanned ( '54' files ).


Starting the file scan:

Begin scan in 'C:\' <Preload>
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\qoobox\Quarantine\C\WINDOWS\system32\vlmpuecj.dll.vir
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\qoobox\Quarantine\C\WINDOWS\system32\vpvcmnbe.exe.vir
[DETECTION] Is the Trojan horse TR/Fotomoto.F.1
[INFO] The file was deleted!
C:\qoobox\Quarantine\C\WINDOWS\system32\xbennsah.exe.vir
[DETECTION] Is the Trojan horse TR/Fotomoto.F.1
[INFO] The file was deleted!
C:\qoobox\Quarantine\C\WINDOWS\system32\xftuwelp.dll.vir
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\qoobox\Quarantine\C\WINDOWS\system32\fibagbia\fibagbia2.exe.vir
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP60\A0026089.exe
[DETECTION] Is the Trojan horse TR/Fotomoto.F.1
[INFO] The file was deleted!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP60\A0026090.exe
[DETECTION] Is the Trojan horse TR/Fotomoto.F.1
[INFO] The file was deleted!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP60\A0026094.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP60\A0026099.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP60\A0026102.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\WINDOWS\system32\qxcrkutr.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!


End of the scan: Saturday, December 22, 2007 11:27
Used time: 1:13:36 min

The scan has been done completely.

6439 Scanning directories
230789 Files were scanned
11 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
11 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
230778 Files not concerned
8427 Archives were scanned
2 Warnings
6 Notes



AntiVir PersonalEdition Classic
Report file date: Friday, December 21, 2007 12:23

Scanning for 985274 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: SYSTEM
Computer name: CHADHEINRICH

Version information:
BUILD.DAT : 270 15603 Bytes 9/19/2007 13:32:00
AVSCAN.EXE : 7.0.6.1 290856 Bytes 8/23/2007 22:16:29
AVSCAN.DLL : 7.0.6.0 49192 Bytes 8/16/2007 21:23:51
LUKE.DLL : 7.0.5.3 147496 Bytes 8/15/2007 00:32:47
LUKERES.DLL : 7.0.6.1 10280 Bytes 8/21/2007 21:35:20
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 19:55:56
ANTIVIR1.VDF : 7.0.1.95 3367424 Bytes 12/14/2007 19:55:56
ANTIVIR2.VDF : 7.0.1.96 2048 Bytes 12/14/2007 19:55:56
ANTIVIR3.VDF : 7.0.1.139 186368 Bytes 12/21/2007 19:55:56
AVEWIN32.DLL : 7.6.0.46 3084800 Bytes 12/21/2007 19:55:57
AVWINLL.DLL : 1.0.0.7 14376 Bytes 2/26/2007 19:36:26
AVPREF.DLL : 7.0.2.2 25640 Bytes 7/18/2007 16:39:17
AVREP.DLL : 7.0.0.1 155688 Bytes 4/16/2007 22:16:24
AVPACK32.DLL : 7.6.0.2 360488 Bytes 12/21/2007 19:55:58
AVREG.DLL : 7.0.1.6 30760 Bytes 7/18/2007 16:17:06
AVARKT.DLL : 1.0.0.20 278568 Bytes 8/28/2007 21:26:33
AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 7/18/2007 16:10:18
NETNT.DLL : 7.0.0.0 7720 Bytes 3/8/2007 20:09:42
RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 8/7/2007 21:38:13
RCTEXT.DLL : 7.0.62.0 86056 Bytes 8/21/2007 21:50:37
SQLITE3.DLL : 3.3.17.1 339968 Bytes 7/23/2007 18:37:21

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: C:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Friday, December 21, 2007 12:23

The scan of running processes will be started
Scan process 'guardgui.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'thunderbird.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'pidgin.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'GoogleUpdater.exe' - '1' Module(s) have been scanned
Scan process 'DLG.exe' - '1' Module(s) have been scanned
Scan process 'BTTray.exe' - '1' Module(s) have been scanned
Scan process 'wowexec.exe' - '1' Module(s) have been scanned
Module is infected -> 'C:\PROGRA~1\RACLE~1\wowexec.exe'
Scan process 'Dot1XCfg.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'winB76.exe' - '1' Module(s) have been scanned
Module is infected -> 'C:\WINDOWS\TEMP\winB76.exe'
Scan process 'regsvr32.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'brctrcen.exe' - '1' Module(s) have been scanned
Scan process 'cssauth.exe' - '1' Module(s) have been scanned
Scan process 'TpScrex.exe' - '1' Module(s) have been scanned
Scan process 'ACWLIcon.exe' - '1' Module(s) have been scanned
Scan process 'ACTray.exe' - '1' Module(s) have been scanned
Scan process 'Amsg.exe' - '1' Module(s) have been scanned
Scan process 'TPONSCR.exe' - '1' Module(s) have been scanned
Scan process 'LPMGR.EXE' - '1' Module(s) have been scanned
Scan process 'AwaySch.EXE' - '1' Module(s) have been scanned
Scan process 'issch.exe' - '1' Module(s) have been scanned
Scan process 'igfxsrvc.exe' - '1' Module(s) have been scanned
Scan process 'DLACTRLW.EXE' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'scheduler_proxy.exe' - '1' Module(s) have been scanned
Scan process 'igfxpers.exe' - '1' Module(s) have been scanned
Scan process 'hkcmd.exe' - '1' Module(s) have been scanned
Scan process 'igfxtray.exe' - '1' Module(s) have been scanned
Scan process 'smax4pnp.exe' - '1' Module(s) have been scanned
Scan process 'EZEJMNAP.EXE' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'TpShocks.exe' - '1' Module(s) have been scanned
Scan process 'TPOSDSVC.exe' - '1' Module(s) have been scanned
Scan process 'tpfnf7sp.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'SynTPEnh.exe' - '1' Module(s) have been scanned
Scan process 'SynTPLpr.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'SvcGuiHlpr.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'AcSvc.exe' - '1' Module(s) have been scanned
Scan process 'ViewpointService.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'tvtsched.exe' - '1' Module(s) have been scanned
Scan process 'rrservice.exe' - '1' Module(s) have been scanned
Scan process 'rrpservice.exe' - '1' Module(s) have been scanned
Scan process 'tvttcsd.exe' - '1' Module(s) have been scanned
Scan process 'TPHDEXLG.exe' - '1' Module(s) have been scanned
Scan process 'tvt_reg_monitor_svc.exe' - '1' Module(s) have been scanned
Scan process 'SUService.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'RegSrvc.exe' - '1' Module(s) have been scanned
Scan process 'PWIUtilityService.exe' - '1' Module(s) have been scanned
Scan process 'iviRegMgr.exe' - '1' Module(s) have been scanned
Scan process 'GoogleUpdaterService.exe' - '1' Module(s) have been scanned
Scan process 'EvtEng.exe' - '1' Module(s) have been scanned
Scan process 'pnmlqyrx.exe' - '1' Module(s) have been scanned
Module is infected -> 'C:\WINDOWS\system32\pnmlqyrx.exe'
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'AcPrfMgrSvc.exe' - '1' Module(s) have been scanned
Scan process 'IPSSVC.EXE' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'S24EvMon.exe' - '1' Module(s) have been scanned
Scan process 'btwdins.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ibmpmsvc.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
Process 'wowexec.exe' has been terminated
Process 'winB76.exe' has been terminated
Process 'pnmlqyrx.exe' has been terminated
C:\PROGRA~1\RACLE~1\wowexec.exe
[DETECTION] Is the Trojan horse TR/Dldr.PuritySca.A
[INFO] The file was deleted!
C:\WINDOWS\TEMP\winB76.exe
[DETECTION] Is the Trojan horse TR/Delf.KH.12
[INFO] TR/Delf.KH.12:[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN]:<avp>=sz:winB76.exe
[INFO] The file was deleted!

86 processes with 83 modules were scanned

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!

Starting to scan the registry.
C:\WINDOWS\system32\drvrov.dll
[DETECTION] Is the Trojan horse TR/Crypt.PEC2X.Gen
[WARNING] The file could not be deleted!
C:\WINDOWS\system32\drvrov.dll
[DETECTION] Is the Trojan horse TR/Crypt.PEC2X.Gen
C:\WINDOWS\system32\kfbhlkdm.dll
[DETECTION] Is the Trojan horse TR/Vundo.DRT
[WARNING] The file could not be deleted!
C:\WINDOWS\system32\kfbhlkdm.dll
[DETECTION] Is the Trojan horse TR/Vundo.DRT
C:\WINDOWS\system32\winzzd32.dll
[DETECTION] Is the Trojan horse TR/Crypt.PEC2X.Gen
[WARNING] The file could not be deleted!
C:\WINDOWS\system32\winzzd32.dll
[DETECTION] Is the Trojan horse TR/Crypt.PEC2X.Gen
C:\WINDOWS\system32\ywxqilzk.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] The file could not be deleted!
C:\WINDOWS\system32\ywxqilzk.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen

The registry was scanned ( '61' files ).


Starting the file scan:

Begin scan in 'C:\' <Preload>
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\All Users\Application Data\qrqpgtkb.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] The file could not be deleted!
C:\Documents and Settings\Michele Wyman\Desktop\Adobe_Photoshop_CS2_CS2_serial_number.txt.exe
[0] Archive type: RAR SFX (self extracting)
--> keygen.exe
[DETECTION] Is the Trojan horse TR/Agent.CTX.1
--> patch.exe
[DETECTION] Is the Trojan horse TR/Crypt.PEC2X.Gen
--> crack.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[INFO] The file was deleted!
C:\Documents and Settings\Michele Wyman\Local Settings\Temp\!update.exe
[DETECTION] Is the Trojan horse TR/Dldr.PuritySca.A
[INFO] The file was deleted!
C:\Documents and Settings\Michele Wyman\Local Settings\Temp\dohinst.exe
[DETECTION] Contains detection pattern of the dropper DR/MediaTickets.CZ
[INFO] The file was deleted!
C:\Documents and Settings\Michele Wyman\Local Settings\Temp\gos126.tmp
[DETECTION] Is the Trojan horse TR/Agent.33302
[WARNING] The file could not be deleted!
C:\Documents and Settings\Michele Wyman\Local Settings\Temp\win120.exe
[DETECTION] Is the Trojan horse TR/Zlob.CA.78
[INFO] The file was deleted!
C:\Program Files\Common Files\Yazzle1162OinAdmin.exe
[DETECTION] Is the Trojan horse TR/Dldr.PurityScan.EG.8
[INFO] The file was deleted!
C:\Program Files\Narvrpzd\rhbsczaq.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] The file could not be deleted!
C:\Program Files\pgtqncvg\tuhknwha.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] The file could not be deleted!
C:\Program Files\SecCenter\scprot4.exe~
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[INFO] The file was deleted!
C:\Program Files\Оracle\wowexec.exe~
[DETECTION] Is the Trojan horse TR/Dldr.PurityScan.EJ
[INFO] The file was deleted!
C:\Program Files\Оracle\Оracle\dohinst-103.0000
[DETECTION] Contains detection pattern of the dropper DR/MediaTickets.CZ
[INFO] The file was deleted!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP39\A0016257.exe
[DETECTION] Is the Trojan horse TR/Zlob.CA.78
[INFO] The file was deleted!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP46\A0018456.dll
[DETECTION] Is the Trojan horse TR/Vundo.AU
[INFO] The file was deleted!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP46\A0018457.exe
[DETECTION] Is the Trojan horse TR/Click.MNB
[INFO] The file was deleted!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP46\A0018458.dll
[DETECTION] Is the Trojan horse TR/Vundo.AU
[INFO] The file was deleted!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP46\A0018459.exe
[DETECTION] Is the Trojan horse TR/Click.MNB
[INFO] The file was deleted!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP48\A0018552.dll
[DETECTION] Is the Trojan horse TR/Vundo.AU
[INFO] The file was deleted!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP48\A0018553.dll
[DETECTION] Is the Trojan horse TR/Vundo.AU
[INFO] The file was deleted!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP48\A0018554.exe
[DETECTION] Is the Trojan horse TR/Click.MNB
[INFO] The file was deleted!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP48\A0018556.dll
[DETECTION] Is the Trojan horse TR/Vundo.DRT
[INFO] The file was deleted!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP48\A0018557.exe
[DETECTION] Is the Trojan horse TR/Click.MNB
[INFO] The file was deleted!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP48\A0019586.dll
[DETECTION] Is the Trojan horse TR/Vundo.DRT
[INFO] The file was deleted!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP52\A0020764.dll
[DETECTION] Is the Trojan horse TR/Vundo.DRT
[INFO] The file was deleted!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP52\A0020765.exe
[DETECTION] Is the Trojan horse TR/Click.MNB
[INFO] The file was deleted!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP52\A0020766.dll
[DETECTION] Is the Trojan horse TR/Vundo.DRT
[INFO] The file was deleted!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP52\A0020767.dll
[DETECTION] Is the Trojan horse TR/Vundo.DRT
[INFO] The file was deleted!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP52\A0020809.dll
[DETECTION] Is the Trojan horse TR/Vundo.DRT
[INFO] The file was deleted!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP53\A0021809.dll
[DETECTION] Is the Trojan horse TR/Vundo.DRT
[INFO] The file was deleted!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP53\A0021810.dll
[DETECTION] Is the Trojan horse TR/Vundo.DRT
[INFO] The file was deleted!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP53\A0022809.exe
[DETECTION] Is the Trojan horse TR/Zlob.CA.78
[INFO] The file was deleted!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP53\A0022810.dll
[DETECTION] Is the Trojan horse TR/Vundo.DRT
[INFO] The file was deleted!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP56\A0022898.dll
[DETECTION] Is the Trojan horse TR/Vundo.DRT
[INFO] The file was deleted!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP56\A0022899.dll
[DETECTION] Is the Trojan horse TR/Vundo.DRT
[INFO] The file was deleted!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP57\A0023899.dll
[DETECTION] Is the Trojan horse TR/Vundo.DRT
[INFO] The file was deleted!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP58\A0024979.exe
[DETECTION] Is the Trojan horse TR/Fotomoto.F.1
[INFO] The file was deleted!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP58\A0024980.exe
[DETECTION] Is the Trojan horse TR/Dldr.PuritySca.A
[INFO] The file was deleted!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP58\A0024981.exe
[0] Archive type: RAR SFX (self extracting)
--> keygen.exe
[DETECTION] Is the Trojan horse TR/Agent.CTX.1
--> patch.exe
[DETECTION] Is the Trojan horse TR/Crypt.PEC2X.Gen
--> crack.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP58\A0024983.exe
[DETECTION] Is the Trojan horse TR/Dldr.PurityScan.EG.8
[INFO] The file was deleted!
C:\WINDOWS\avp.exe
[DETECTION] Is the Trojan horse TR/Dldr.Alphabet.LH1
[INFO] The file was deleted!


End of the scan: Friday, December 21, 2007 18:06
Used time: 5:43:07 min

The scan has been canceled!

5970 Scanning directories
222819 Files were scanned
53 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
38 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
222766 Files not concerned
8253 Archives were scanned
10 Warnings
6 Notes



Scan process 'hkcmd.exe' - '1' Module(s) have been scanned
Scan process 'igfxtray.exe' - '1' Module(s) have been scanned
Scan process 'smax4pnp.exe' - '1' Module(s) have been scanned
Scan process 'EZEJMNAP.EXE' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'TpShocks.exe' - '1' Module(s) have been scanned
Scan process 'TPOSDSVC.exe' - '1' Module(s) have been scanned
Scan process 'tpfnf7sp.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'SynTPEnh.exe' - '1' Module(s) have been scanned
Scan process 'SynTPLpr.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'SvcGuiHlpr.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'AcSvc.exe' - '1' Module(s) have been scanned
Scan process 'ViewpointService.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'tvtsched.exe' - '1' Module(s) have been scanned
Scan process 'rrservice.exe' - '1' Module(s) have been scanned
Scan process 'rrpservice.exe' - '1' Module(s) have been scanned
Scan process 'tvttcsd.exe' - '1' Module(s) have been scanned
Scan process 'TPHDEXLG.exe' - '1' Module(s) have been scanned
Scan process 'tvt_reg_monitor_svc.exe' - '1' Module(s) have been scanned
Scan process 'SUService.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'RegSrvc.exe' - '1' Module(s) have been scanned
Scan process 'PWIUtilityService.exe' - '1' Module(s) have been scanned
Scan process 'iviRegMgr.exe' - '1' Module(s) have been scanned
Scan process 'GoogleUpdaterService.exe' - '1' Module(s) have been scanned
Scan process 'EvtEng.exe' - '1' Module(s) have been scanned
Scan process 'pnmlqyrx.exe' - '1' Module(s) have been scanned
Module is infected -> 'C:\WINDOWS\system32\pnmlqyrx.exe'
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'AcPrfMgrSvc.exe' - '1' Module(s) have been scanned
Scan process 'IPSSVC.EXE' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'S24EvMon.exe' - '1' Module(s) have been scanned
Scan process 'btwdins.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ibmpmsvc.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
Process 'wowexec.exe' has been terminated
Process 'winB76.exe' has been terminated
Process 'pnmlqyrx.exe' has been terminated
C:\PROGRA~1\RACLE~1\wowexec.exe
[DETECTION] Is the Trojan horse TR/Dldr.PuritySca.A
[INFO] The file was deleted!
C:\WINDOWS\TEMP\winB76.exe
[DETECTION] Is the Trojan horse TR/Delf.KH.12
[INFO] TR/Delf.KH.12:[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN]:<avp>=sz:winB76.exe
[INFO] The file was deleted!

86 processes with 83 modules were scanned

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!

Starting to scan the registry.
C:\WINDOWS\system32\drvrov.dll
[DETECTION] Is the Trojan horse TR/Crypt.PEC2X.Gen
[WARNING] The file could not be deleted!
C:\WINDOWS\system32\drvrov.dll
[DETECTION] Is the Trojan horse TR/Crypt.PEC2X.Gen
C:\WINDOWS\system32\kfbhlkdm.dll
[DETECTION] Is the Trojan horse TR/Vundo.DRT
[WARNING] The file could not be deleted!
C:\WINDOWS\system32\kfbhlkdm.dll
[DETECTION] Is the Trojan horse TR/Vundo.DRT
C:\WINDOWS\system32\winzzd32.dll
[DETECTION] Is the Trojan horse TR/Crypt.PEC2X.Gen
[WARNING] The file could not be deleted!
C:\WINDOWS\system32\winzzd32.dll
[DETECTION] Is the Trojan horse TR/Crypt.PEC2X.Gen
C:\WINDOWS\system32\ywxqilzk.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] The file could not be deleted!
C:\WINDOWS\system32\ywxqilzk.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen

The registry was scanned ( '61' files ).


Starting the file scan:

Begin scan in 'C:\' <Preload>
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\All Users\Application Data\qrqpgtkb.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] The file could not be deleted!
C:\Documents and Settings\Michele Wyman\Desktop\Adobe_Photoshop_CS2_CS2_serial_number.txt.exe
[0] Archive type: RAR SFX (self extracting)
--> keygen.exe
[DETECTION] Is the Trojan horse TR/Agent.CTX.1
--> patch.exe
[DETECTION] Is the Trojan horse TR/Crypt.PEC2X.Gen
--> crack.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[INFO] The file was deleted!
C:\Documents and Settings\Michele Wyman\Local Settings\Temp\!update.exe
[DETECTION] Is the Trojan horse TR/Dldr.PuritySca.A
[INFO] The file was deleted!
C:\Documents and Settings\Michele Wyman\Local Settings\Temp\dohinst.exe
[DETECTION] Contains detection pattern of the dropper DR/MediaTickets.CZ
[INFO] The file was deleted!
C:\Documents and Settings\Michele Wyman\Local Settings\Temp\gos126.tmp
[DETECTION] Is the Trojan horse TR/Agent.33302
[WARNING] The file could not be deleted!
C:\Documents and Settings\Michele Wyman\Local Settings\Temp\win120.exe
[DETECTION] Is the Trojan horse TR/Zlob.CA.78
[INFO] The file was deleted!
C:\Program Files\Common Files\Yazzle1162OinAdmin.exe
[DETECTION] Is the Trojan horse TR/Dldr.PurityScan.EG.8
[INFO] The file was deleted!
C:\Program Files\Narvrpzd\rhbsczaq.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] The file could not be deleted!
C:\Program Files\pgtqncvg\tuhknwha.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] The file could not be deleted!
C:\Program Files\SecCenter\scprot4.exe~
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[INFO] The file was deleted!
C:\Program Files\Оracle\wowexec.exe~
[DETECTION] Is the Trojan horse TR/Dldr.PurityScan.EJ
[INFO] The file was deleted!
C:\Program Files\Оracle\Оracle\dohinst-103.0000
[DETECTION] Contains detection pattern of the dropper DR/MediaTickets.CZ
[INFO] The file was deleted!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP39\A0016257.exe
[DETECTION] Is the Trojan horse TR/Zlob.CA.78
[INFO] The file was deleted!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP46\A0018456.dll
[DETECTION] Is the Trojan horse TR/Vundo.AU
[INFO] The file was deleted!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP46\A0018457.exe
[DETECTION] Is the Trojan horse TR/Click.MNB
[INFO] The file was deleted!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP46\A0018458.dll
[DETECTION] Is the Trojan horse TR/Vundo.AU
[INFO] The file was deleted!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP46\A0018459.exe
[DETECTION] Is the Trojan horse TR/Click.MNB
[INFO] The file was deleted!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP48\A0018552.dll
[DETECTION] Is the Trojan horse TR/Vundo.AU
[INFO] The file was deleted!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP48\A0018553.dll
[DETECTION] Is the Trojan horse TR/Vundo.AU
[INFO] The file was deleted!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP48\A0018554.exe
[DETECTION] Is the Trojan horse TR/Click.MNB
[INFO] The file was deleted!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP48\A0018556.dll
[DETECTION] Is the Trojan horse TR/Vundo.DRT
[INFO] The file was deleted!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP48\A0018557.exe
[DETECTION] Is the Trojan horse TR/Click.MNB
[INFO] The file was deleted!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP48\A0019586.dll
[DETECTION] Is the Trojan horse TR/Vundo.DRT
[INFO] The file was deleted!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP52\A0020764.dll
[DETECTION] Is the Trojan horse TR/Vundo.DRT
[INFO] The file was deleted!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP52\A0020765.exe
[DETECTION] Is the Trojan horse TR/Click.MNB
[INFO] The file was deleted!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP52\A0020766.dll
[DETECTION] Is the Trojan horse TR/Vundo.DRT
[INFO] The file was deleted!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP52\A0020767.dll
[DETECTION] Is the Trojan horse TR/Vundo.DRT
[INFO] The file was deleted!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP52\A0020809.dll
[DETECTION] Is the Trojan horse TR/Vundo.DRT
[INFO] The file was deleted!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP53\A0021809.dll
[DETECTION] Is the Trojan horse TR/Vundo.DRT
[INFO] The file was deleted!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP53\A0021810.dll
[DETECTION] Is the Trojan horse TR/Vundo.DRT
[INFO] The file was deleted!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP53\A0022809.exe
[DETECTION] Is the Trojan horse TR/Zlob.CA.78
[INFO] The file was deleted!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP53\A0022810.dll
[DETECTION] Is the Trojan horse TR/Vundo.DRT
[INFO] The file was deleted!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP56\A0022898.dll
[DETECTION] Is the Trojan horse TR/Vundo.DRT
[INFO] The file was deleted!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP56\A0022899.dll
[DETECTION] Is the Trojan horse TR/Vundo.DRT
[INFO] The file was deleted!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP57\A0023899.dll
[DETECTION] Is the Trojan horse TR/Vundo.DRT
[INFO] The file was deleted!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP58\A0024979.exe
[DETECTION] Is the Trojan horse TR/Fotomoto.F.1
[INFO] The file was deleted!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP58\A0024980.exe
[DETECTION] Is the Trojan horse TR/Dldr.PuritySca.A
[INFO] The file was deleted!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP58\A0024981.exe
[0] Archive type: RAR SFX (self extracting)
--> keygen.exe
[DETECTION] Is the Trojan horse TR/Agent.CTX.1
--> patch.exe
[DETECTION] Is the Trojan horse TR/Crypt.PEC2X.Gen
--> crack.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP58\A0024983.exe
[DETECTION] Is the Trojan horse TR/Dldr.PurityScan.EG.8
[INFO] The file was deleted!
C:\WINDOWS\avp.exe
[DETECTION] Is the Trojan horse TR/Dldr.Alphabet.LH1
[INFO] The file was deleted!


End of the scan: Friday, December 21, 2007 18:06
Used time: 5:43:07 min

The scan has been canceled!

5970 Scanning directories
222819 Files were scanned
53 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
38 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
222766 Files not concerned
8253 Archives were scanned
10 Warnings
6 Notes




SDFix: Version 1.119

Run by Chad Heinrich on Sat 12/22/2007 at 09:45 AM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\DOCUME~1\MICHEL~1\LOCALS~1\Temp\removalfile.bat - Deleted




Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1333.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-22 09:49:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\Pidgin\\pidgin.exe"="C:\\Program Files\\Pidgin\\pidgin.exe:*:Enabled:Pidgin"
"C:\\DOCUME~1\\MICHEL~1\\LOCALS~1\\Temp\\win11A.exe"="C:\\DOCUME~1\\MICHEL~1\\LOCALS~1\\Temp\\win11A.exe:*:Enabled:win11A"
"C:\\WINDOWS\\system32\\pnmlqyrx.exe"="C:\\WINDOWS\\system32\\pnm"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:


Finished!



ComboFix 07-12-22.1 - Chad Heinrich 2007-12-22 9:58:05.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1474 [GMT -8:00]
Running from: C:\Documents and Settings\Michele Wyman\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Michele Wyman\Application Data\MBOLS~1
C:\Documents and Settings\Michele Wyman\Desktop\MalwareAlarm.lnk
C:\Documents and Settings\Michele Wyman\g2mdlhlpx.exe
C:\Documents and Settings\Michele Wyman\My Documents\SMBOLS~1
C:\Documents and Settings\Michele Wyman\Start Menu\Programs\MalwareAlarm
C:\Documents and Settings\Michele Wyman\Start Menu\Programs\MalwareAlarm\MalwareAlarm.lnk
C:\Documents and Settings\Michele Wyman\Start Menu\Programs\MalwareAlarm\Uninstall.lnk
C:\Documents and Settings\Michele Wyman\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Michele Wyman\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Michele Wyman\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Program Files\Common Files\racle~1
C:\Program Files\ecurit~1
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\FF.dll
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\OiUninstaller.exe
C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\racle~1
C:\Program Files\racle~1\?racle\
C:\Program Files\SecCenter
C:\WINDOWS\system32\bipklpcp.ini
C:\WINDOWS\system32\crosof~1.net
C:\WINDOWS\system32\dhfinhem.ini
C:\WINDOWS\system32\eskfxygu.ini
C:\WINDOWS\system32\fgluwqnc.ini
C:\WINDOWS\system32\fibagbia
C:\WINDOWS\system32\fibagbia\bg1.gif
C:\WINDOWS\system32\fibagbia\bgtop.gif
C:\WINDOWS\system32\fibagbia\bottom1.gif
C:\WINDOWS\system32\fibagbia\essentials.gif
C:\WINDOWS\system32\fibagbia\fibagbia1.exe
C:\WINDOWS\system32\fibagbia\fibagbia2.exe
C:\WINDOWS\system32\fibagbia\fibagbia3.exe
C:\WINDOWS\system32\fibagbia\icon1.ico
C:\WINDOWS\system32\fibagbia\install1.gif
C:\WINDOWS\system32\fibagbia\left1.gif
C:\WINDOWS\system32\fibagbia\li.gif
C:\WINDOWS\system32\fibagbia\logo.gif
C:\WINDOWS\system32\fibagbia\main.htm
C:\WINDOWS\system32\fibagbia\mainframe.htm
C:\WINDOWS\system32\fibagbia\reinstall1.gif
C:\WINDOWS\system32\fibagbia\right1.gif
C:\WINDOWS\system32\fibagbia\s1.htm
C:\WINDOWS\system32\fibagbia\s2.htm
C:\WINDOWS\system32\fibagbia\s3.htm
C:\WINDOWS\system32\fibagbia\SMTop1.gif
C:\WINDOWS\system32\fibagbia\SMTop2.gif
C:\WINDOWS\system32\fibagbia\SMTop3.gif
C:\WINDOWS\system32\fibagbia\SMTop4.gif
C:\WINDOWS\system32\fibagbia\soft1_off.gif
C:\WINDOWS\system32\fibagbia\soft1_off_ext.gif
C:\WINDOWS\system32\fibagbia\soft1_on.gif
C:\WINDOWS\system32\fibagbia\soft1_on_ext.gif
C:\WINDOWS\system32\fibagbia\soft2_off.gif
C:\WINDOWS\system32\fibagbia\soft2_off_ext.gif
C:\WINDOWS\system32\fibagbia\soft2_on.gif
C:\WINDOWS\system32\fibagbia\soft2_on_ext.gif
C:\WINDOWS\system32\fibagbia\soft3_off.gif
C:\WINDOWS\system32\fibagbia\soft3_off_ext.gif
C:\WINDOWS\system32\fibagbia\soft3_on.gif
C:\WINDOWS\system32\fibagbia\soft3_on_ext.gif
C:\WINDOWS\system32\fibagbia\softbottom_off.gif
C:\WINDOWS\system32\fibagbia\softbottom_on.gif
C:\WINDOWS\system32\fibagbia\softleft_off.gif
C:\WINDOWS\system32\fibagbia\softleft_on.gif
C:\WINDOWS\system32\fibagbia\top1.gif
C:\WINDOWS\system32\fibagbia\top2.gif
C:\WINDOWS\system32\fibagbia\turnoff1.gif
C:\WINDOWS\system32\fibagbia\turnon1.gif
C:\WINDOWS\system32\gqxndtna.ini
C:\WINDOWS\system32\gsqnmqow.ini
C:\WINDOWS\system32\hhtbjwcd.ini
C:\WINDOWS\system32\hrffnese.ini
C:\WINDOWS\system32\idnnosqp.ini
C:\WINDOWS\system32\ixxe.dll
C:\WINDOWS\system32\kbdgyjcu.ini
C:\WINDOWS\system32\mdklhbfk.ini
C:\WINDOWS\system32\mjovaiwv.ini
C:\WINDOWS\system32\mqjbrjmw.ini
C:\WINDOWS\system32\neywgrcd.ini
C:\WINDOWS\system32\nivfmywq.ini
C:\WINDOWS\system32\otebtkgj.exe
C:\WINDOWS\system32\rbdjtbyq.dll
C:\WINDOWS\system32\rmjjcypn.ini
C:\WINDOWS\system32\roxerqcq.ini
C:\WINDOWS\system32\sembly~1
C:\WINDOWS\system32\skjeatlw.exe
C:\WINDOWS\system32\sstem~1
C:\WINDOWS\system32\ukbyfuqc.exe
C:\WINDOWS\system32\upwftwau.exe
C:\WINDOWS\system32\uspromxy.exe
C:\WINDOWS\system32\vjceskyf.dll
C:\WINDOWS\system32\vlmpuecj.dll
C:\WINDOWS\system32\vpvcmnbe.exe
C:\WINDOWS\system32\wmiglxfa.dll
C:\WINDOWS\system32\wnstsisv32.exe
C:\WINDOWS\system32\wolsaxav.dll
C:\WINDOWS\system32\xbennsah.exe
C:\WINDOWS\system32\xftuwelp.dll
C:\WINDOWS\system32\xyvkhbxk.exe
C:\WINDOWS\system32\yhmuyrrn.exe
C:\WINDOWS\system32\yhtvsshp.ini
C:\WINDOWS\wnsxs~1

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-11-22 to 2007-12-22 )))))))))))))))))))))))))))))))
.

2007-12-22 09:44 . 2007-12-22 09:44 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-21 11:40 . 2007-12-21 11:40 <DIR> d-------- C:\Program Files\Avira
2007-12-21 11:40 . 2007-12-21 11:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2007-12-21 10:38 . 2007-12-21 10:39 14,033 --a------ C:\posEDE.tmp
2007-12-20 22:58 . 2007-12-20 22:59 14,033 --a------ C:\posDAE.tmp
2007-12-20 17:17 . 2007-12-20 17:17 14,033 --a------ C:\posBB8.tmp
2007-12-20 17:16 . 2007-12-20 17:17 14,033 --a------ C:\pos7E5.tmp
2007-12-20 17:09 . 2007-12-20 17:09 14,033 --a------ C:\pos7CD.tmp
2007-12-20 17:08 . 2007-12-20 17:09 14,033 --a------ C:\pos687.tmp
2007-12-20 12:49 . 2007-12-20 12:49 14,033 --a------ C:\posAA9.tmp
2007-12-20 12:48 . 2007-12-20 12:49 14,033 --a------ C:\pos985.tmp
2007-12-20 12:42 . 2007-12-20 12:42 14,033 --a------ C:\pos5CE.tmp
2007-12-20 11:11 . 2007-12-20 11:11 14,033 --a------ C:\posF.tmp
2007-12-19 11:27 . 2007-12-19 11:27 165,472 --a------ C:\WINDOWS\system32\qxcrkutr.dll
2007-12-18 14:52 . 2007-12-20 12:48 143 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-12-18 14:21 . 2007-12-18 14:21 <DIR> d-------- C:\Documents and Settings\Michele Wyman\Application Data\Apple Computer
2007-12-18 14:21 . 2007-12-22 09:51 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-18 14:21 . 2007-12-18 14:21 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-18 14:20 . 2007-12-18 14:20 <DIR> d-------- C:\Program Files\iTunes
2007-12-18 14:20 . 2007-12-18 14:20 <DIR> d-------- C:\Program Files\iPod
2007-12-18 14:18 . 2007-12-18 14:19 <DIR> d-------- C:\Program Files\QuickTime
2007-12-18 14:18 . 2007-12-18 14:18 <DIR> d-------- C:\Program Files\Apple Software Update
2007-12-18 14:18 . 2007-12-18 14:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-18 14:17 . 2007-12-18 14:17 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-12-18 14:17 . 2007-12-18 14:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-12-14 11:42 . 2007-12-14 11:42 <DIR> d-------- C:\WINDOWS\Sun
2007-12-14 11:42 . 2007-12-14 11:42 <DIR> d-------- C:\Program Files\Citrix
2007-12-11 10:57 . 2007-12-11 10:57 65,536 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2007-12-11 10:57 . 2007-12-11 10:57 49,152 --a------ C:\WINDOWS\system32\QuickTime.qts
2007-12-05 16:25 . 2007-12-05 16:25 <DIR> d-------- C:\Program Files\Chami
2007-12-05 09:21 . 2007-12-05 09:21 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-12-04 10:54 . 2007-12-04 10:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sprint Mobile Broadband (Pantech)
2007-12-04 10:40 . 2007-12-04 10:40 <DIR> d-------- C:\Program Files\Sprint
2007-12-04 10:40 . 2007-02-01 18:21 61,440 --a------ C:\WINDOWS\system32\pxfhwmcp.dll
2007-12-04 10:40 . 2007-01-11 00:30 39,424 --a------ C:\WINDOWS\system32\drivers\PTDCMdm.sys
2007-12-04 10:40 . 2007-01-11 00:30 37,760 --a------ C:\WINDOWS\system32\drivers\PTDCVsp.sys
2007-12-04 10:40 . 2007-01-11 00:30 24,832 --a------ C:\WINDOWS\system32\drivers\PTDCBus.sys
2007-12-04 10:40 . 2007-01-11 00:30 14,336 --a------ C:\WINDOWS\system32\PTDCCID.dll
2007-12-03 10:59 . 2007-12-03 10:59 <DIR> d-------- C:\Program Files\ReaConverter 5.0 Pro
2007-12-03 10:59 . 2007-12-03 10:59 <DIR> d-------- C:\Documents and Settings\Michele Wyman\Application Data\RCP 5

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-22 17:55 --------- d-----w C:\Program Files\Mozilla Thunderbird
2007-12-22 03:05 --------- d-----w C:\Program Files\pgtqncvg
2007-12-22 03:05 --------- d-----w C:\Program Files\Narvrpzd
2007-12-22 03:02 --------- d-----w C:\Documents and Settings\Michele Wyman\Application Data\.purple
2007-12-21 22:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2007-12-20 03:04 --------- d-----w C:\Documents and Settings\Michele Wyman\Application Data\gtk-2.0
2007-12-12 18:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-05 00:03 --------- d-----w C:\Program Files\Google
2007-11-16 18:33 --------- d-----w C:\Program Files\MalwareAlarm
2007-11-16 06:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-08 06:27 --------- d-----w C:\Program Files\InterActual
2007-11-04 05:39 --------- d-----w C:\Documents and Settings\Michele Wyman\Application Data\InterVideo
2007-10-31 20:54 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-30 18:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2007-10-30 00:42 --------- d-----w C:\Program Files\OpenVPN
2007-10-05 20:33 21,393 ----a-w C:\WINDOWS\AegisP.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{200D0AAD-71B1-51C9-DDB0-092BA4662A54}]
C:\Program Files\Narvrpzd\rhbsczaq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2EFF8B15-F92A-497C-9CFD-63F5B52105F7}]
C:\WINDOWS\system32\vtsqp.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00]
"MalwareAlarm"="C:\Program Files\MalwareAlarm\MalwareAlarm.exe" [2007-11-16 10:33]
"Ebc"="C:\PROGRA~1\RACLE~1\wowexec.exe" []
"Qkxbolf"="C:\WINDOWS\system32\s?stem\n?tepad.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-13 21:17]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-13 21:16]
"PWRMGRTR"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2007-06-17 08:16]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2007-06-17 08:16]
"TPFNF7"="C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2007-04-09 10:03]
"TPHOTKEY"="C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-08 21:49]
"TpShocks"="TpShocks.exe" [2007-03-29 17:40 C:\WINDOWS\system32\TpShocks.exe]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-03-28 09:32]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2007-04-08 23:23]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2007-04-03 18:55]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-02-25 18:34]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-02-25 18:34]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-02-25 18:33]
"TVT Scheduler Proxy"="C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2007-02-08 12:19]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 12:03]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2006-02-02 04:20]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 15:50]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 15:50]
"AwaySch"="C:\Program Files\Lenovo\AwayTask\AwaySch.EXE" [2006-11-07 02:51]
"LPManager"="C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe" [2007-03-22 09:02]
"AMSG"="C:\Program Files\ThinkVantage\AMSG\Amsg.exe" [2007-02-01 10:00]
"ACTray"="C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe" [2007-07-05 13:58]
"ACWLIcon"="C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-07-05 13:51]
"cssauth"="C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" [2007-01-30 18:01]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2005-11-11 17:30]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 10:56]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10]
"58a8ab0d"="C:\WINDOWS\system32\kfbhlkdm.dll" []
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2007-12-21 11:55]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe [2007-02-27 16:43:30]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2007-10-05 12:36:18]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-10-10 13:19:46]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gos126]
gos126.tmp

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
C:\WINDOWS\system32\psqlpwd.dll 2007-03-14 21:17 89600 C:\WINDOWS\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
C:\Program Files\Lenovo\HOTKEY\notifyf2.dll 2006-09-05 23:37 34344 C:\Program Files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
C:\Program Files\Lenovo\HOTKEY\tphklock.dll 2006-12-13 18:06 28672 C:\Program Files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winzzd32]
winzzd32.dll

R0 Shockprf;Shockprf;C:\WINDOWS\system32\DRIVERS\Apsx86.sys [2007-03-02 16:49]
R0 TPDIGIMN;TPDIGIMN;C:\WINDOWS\system32\DRIVERS\ApsHM86.sys [2007-03-02 16:47]
R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2005-11-08 08:27]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\Drivers\IBMBLDID.sys [2007-04-02 10:24]
R1 TPPWRIF;TPPWRIF;C:\WINDOWS\system32\drivers\Tppwrif.sys [2007-06-17 08:16]
R2 smihlp;SMI Helper Driver (smihlp);C:\Program Files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [2007-03-14 21:10]
R2 TVT Backup Protection Service;TVT Backup Protection Service;"C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe" [2007-02-08 12:11]
R3 atmeltpm;atmeltpm;C:\WINDOWS\system32\DRIVERS\atmeltpm.sys [2005-05-17 09:20]
R3 PTDCBus;PANTECH PC Card Composite Device Driver (UDP);C:\WINDOWS\system32\DRIVERS\PTDCBus.sys [2007-01-11 00:30]
R3 PTDCMdm;PANTECH PC Card Drivers (UDP);C:\WINDOWS\system32\DRIVERS\PTDCMdm.sys [2007-01-11 00:30]
R3 PTDCVsp;PANTECH PC Card Diagnostic Serial Port (UDP);C:\WINDOWS\system32\DRIVERS\PTDCVsp.sys [2007-01-11 00:30]
R3 tap0901;TAP-Win32 Adapter V9;C:\WINDOWS\system32\DRIVERS\tap0901.sys [2007-04-25 15:53]
R3 TcUsb;TC USB Kernel Driver;C:\WINDOWS\system32\Drivers\tcusb.sys [2007-03-14 20:50]
R3 TVTI2C;Lenovo SM bus driver;C:\WINDOWS\system32\DRIVERS\Tvti2c.sys [2006-09-13 11:42]
S3 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2006-04-14 09:04]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Setup.exe -auto

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a5a528f0-ae86-11dc-a5cf-0013e8d35d03}]
\Shell\AutoRun\command - E:\autorun.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-12-18 22:18:18 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-22 18:03:05 C:\WINDOWS\Tasks\PMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-22 10:02:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\WAM]
"ImagePath"="\??\C:\Program Files\Lenovo\Rescue and Recovery\WAM.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Lenovo\HOTKEY\tphklock.dll

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\PROGRA~1\ThinkPad\UTILIT~1\US\PWRMGRRT.DLL
-> C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRIF.DLL
.
Completion time: 2007-12-22 10:04:10 - machine was rebooted
.
2007-12-12 18:33:39 --- E O F ---

VundoFix V6.7.7

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 8:57:14 AM 12/22/2007

Listing files found while scanning....

C:\DOCUME~1\MICHEL~1\LOCALS~1\Temp\gos126.tmp
C:\WINDOWS\system32\ahglpyrr.exe
C:\WINDOWS\system32\bvfpacgx.dll
C:\WINDOWS\system32\ctrneien.dll
C:\WINDOWS\system32\diepojex.dll
C:\WINDOWS\system32\dqjsjgdr.dll
C:\windows\system32\drvrovr.dll
C:\WINDOWS\system32\evufksxo.exe
C:\WINDOWS\system32\gmhyvqwi.dll
C:\WINDOWS\system32\iiycvcpc.exe
C:\WINDOWS\system32\isnuiruu.dll
C:\WINDOWS\system32\kerxovrt.exe
C:\WINDOWS\system32\lwkxnpds.dll
C:\WINDOWS\system32\lxpuittb.dll
C:\WINDOWS\system32\mevmamao.dll
C:\WINDOWS\system32\mhcbrwbb.exe
C:\WINDOWS\system32\msurratm.dll
C:\WINDOWS\system32\msuvjtax.exe
C:\windows\system32\mxbttcid.exe
C:\WINDOWS\system32\obkciqwe.exe
C:\windows\system32\pqstv.bak1
C:\windows\system32\pqstv.bak2
C:\windows\system32\pqstv.ini
C:\windows\system32\vtsqp.dll
C:\WINDOWS\system32\ywxqilzk.dll
C:\windows\system32\ywxqilzk.dllbox

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ahglpyrr.exe
C:\WINDOWS\system32\ahglpyrr.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\bvfpacgx.dll
C:\WINDOWS\system32\bvfpacgx.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ctrneien.dll
C:\WINDOWS\system32\ctrneien.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\diepojex.dll
C:\WINDOWS\system32\diepojex.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\dqjsjgdr.dll
C:\WINDOWS\system32\dqjsjgdr.dll Has been deleted!

Attempting to delete C:\windows\system32\drvrovr.dll
C:\windows\system32\drvrovr.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\evufksxo.exe
C:\WINDOWS\system32\evufksxo.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\gmhyvqwi.dll
C:\WINDOWS\system32\gmhyvqwi.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\iiycvcpc.exe
C:\WINDOWS\system32\iiycvcpc.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\isnuiruu.dll
C:\WINDOWS\system32\isnuiruu.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\kerxovrt.exe
C:\WINDOWS\system32\kerxovrt.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\lwkxnpds.dll
C:\WINDOWS\system32\lwkxnpds.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\lxpuittb.dll
C:\WINDOWS\system32\lxpuittb.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\mevmamao.dll
C:\WINDOWS\system32\mevmamao.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\mhcbrwbb.exe
C:\WINDOWS\system32\mhcbrwbb.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\msurratm.dll
C:\WINDOWS\system32\msurratm.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\msuvjtax.exe
C:\WINDOWS\system32\msuvjtax.exe Has been deleted!

Attempting to delete C:\windows\system32\mxbttcid.exe
C:\windows\system32\mxbttcid.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\obkciqwe.exe
C:\WINDOWS\system32\obkciqwe.exe Has been deleted!

Attempting to delete C:\windows\system32\pqstv.bak1
C:\windows\system32\pqstv.bak1 Has been deleted!

Attempting to delete C:\windows\system32\pqstv.bak2
C:\windows\system32\pqstv.bak2 Has been deleted!

Attempting to delete C:\windows\system32\pqstv.ini
C:\windows\system32\pqstv.ini Has been deleted!

Attempting to delete C:\windows\system32\vtsqp.dll
C:\windows\system32\vtsqp.dll Has been deleted!

Attempting to delete C:\windows\system32\ywxqilzk.dllbox
C:\windows\system32\ywxqilzk.dllbox Has been deleted!

Performing Repairs to the registry.
Done!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:59:44 PM, on 12/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Sprint\Pantech\Sprint Mobile Broadband (Pantech)\PWIUtilityService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\Program Files\ThinkVantage\AMSG\Amsg.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Sprint\Pantech\Sprint Mobile Broadband (Pantech)\CMPWI.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avcenter.exe
C:\WINDOWS\system32\calc.exe
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Michele Wyman\Desktop\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Michele Wyman\Desktop\HiJackThis(2).exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lenovo.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {200D0AAD-71B1-51C9-DDB0-092BA4662A54} - C:\Program Files\Narvrpzd\rhbsczaq.dll (file missing)
O2 - BHO: (no name) - {2EFF8B15-F92A-497C-9CFD-63F5B52105F7} - C:\WINDOWS\system32\vtsqp.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [AMSG] C:\Program Files\ThinkVantage\AMSG\Amsg.exe /startup
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [58a8ab0d] rundll32.exe "C:\WINDOWS\system32\kfbhlkdm.dll",b
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MalwareAlarm] C:\Program Files\MalwareAlarm\MalwareAlarm.exe
O4 - HKCU\..\Run: [Ebc] "C:\PROGRA~1\RACLE~1\wowexec.exe" -vt ndrv
O4 - HKCU\..\Run: [Qkxbolf] C:\WINDOWS\system32\s?stem\n?tepad.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{350F61B7-F8AA-4657-9EF6-F5642892C322}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{DCE45038-682B-4EB8-9DA3-FE9DEE171071}: NameServer = 68.28.50.91 68.28.58.92
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: gos126 - gos126.tmp (file missing)
O20 - Winlogon Notify: winzzd32 - winzzd32.dll (file missing)
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\OpenVPN\bin\openvpnserv.exe
O23 - Service: Pantech Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Pantech\Sprint Mobile Broadband (Pantech)\PWIUtilityService.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: System Update (SUService) - - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: tvtnetwk - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 13449 bytes

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 23 December 2007 - 05:28 AM

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
* Close all other windows before proceeding.
* Double-click on dss.exe and follow the prompts.
* When it has finished, DSS will open two Notepads: main.txt and extra.txt
* Use Save As to save both Notepad files to your Desktop and post them in your next reply.

#5 flavor

flavor
  • Topic Starter

  • Members
  • 13 posts

Posted 24 December 2007 - 12:40 AM

Deckard's System Scanner v20071014.68
Run by Chad Heinrich on 2007-12-23 21:33:42
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 4 Restore Point(s) --
4: 2007-12-24 05:33:48 UTC - RP62 - Deckard's System Scanner Restore Point
3: 2007-12-23 19:17:30 UTC - RP61 - System Checkpoint
2: 2007-12-22 17:57:55 UTC - RP60 - ComboFix created restore point
1: 2007-12-22 17:57:48 UTC - RP59 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Chad Heinrich.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:35:15 PM, on 12/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Sprint\Pantech\Sprint Mobile Broadband (Pantech)\PWIUtilityService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\Program Files\ThinkVantage\AMSG\Amsg.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Michele Wyman\Desktop\dss.exe
C:\DOCUME~1\MICHEL~1\Desktop\Chad Heinrich.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lenovo.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {200D0AAD-71B1-51C9-DDB0-092BA4662A54} - C:\Program Files\Narvrpzd\rhbsczaq.dll (file missing)
O2 - BHO: (no name) - {2EFF8B15-F92A-497C-9CFD-63F5B52105F7} - C:\WINDOWS\system32\vtsqp.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [AMSG] C:\Program Files\ThinkVantage\AMSG\Amsg.exe /startup
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [58a8ab0d] rundll32.exe "C:\WINDOWS\system32\kfbhlkdm.dll",b
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MalwareAlarm] C:\Program Files\MalwareAlarm\MalwareAlarm.exe
O4 - HKCU\..\Run: [Ebc] "C:\PROGRA~1\RACLE~1\wowexec.exe" -vt ndrv
O4 - HKCU\..\Run: [Qkxbolf] C:\WINDOWS\system32\s?stem\n?tepad.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{350F61B7-F8AA-4657-9EF6-F5642892C322}: NameServer = 192.168.1.1
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: gos126 - gos126.tmp (file missing)
O20 - Winlogon Notify: winzzd32 - winzzd32.dll (file missing)
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\OpenVPN\bin\openvpnserv.exe
O23 - Service: Pantech Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Pantech\Sprint Mobile Broadband (Pantech)\PWIUtilityService.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: System Update (SUService) - - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: tvtnetwk - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 12855 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 ANC - c:\windows\system32\drivers\anc.sys <Not Verified; IBM Corp.; IBM Access Connections>
R1 IBMTPCHK - c:\windows\system32\drivers\ibmbldid.sys
R1 TPPWRIF - c:\windows\system32\drivers\tppwrif.sys
R2 pmem - c:\windows\system32\drivers\pmemnt.sys <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>
R3 tap0901 (TAP-Win32 Adapter V9) - c:\windows\system32\drivers\tap0901.sys <Not Verified; The OpenVPN Project; TAP-Win32 Virtual Network Driver>

S3 catchme - c:\docume~1\michel~1\locals~1\temp\catchme.sys (file missing)
S3 UIUSys (Conexant Setup API) - c:\windows\system32\drivers\uiusys.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AntiVirScheduler (AntiVir PersonalEdition Classic Scheduler) - "c:\program files\avira\antivir personaledition classic\sched.exe" <Not Verified; Avira GmbH; Scheduler>
R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Pantech Utility Service - c:\program files\sprint\pantech\sprint mobile broadband (pantech)\pwiutilityservice.exe <Not Verified; Sprint Spectrum, L.L.C; Sprint Mobile Broadband for Pantech>
R2 RegSrvc (Intel® PROSet/Wireless Registry Service) - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; Intel® PROSet/Wireless Registry Service>
R2 SUService (System Update) - c:\program files\lenovo\system update\suservice.exe
R2 TVT Backup Protection Service - "c:\program files\lenovo\rescue and recovery\rrpservice.exe" <Not Verified; ; rrpservice Module>
R2 TVT Scheduler - "c:\program files\common files\lenovo\scheduler\tvtsched.exe" <Not Verified; Lenovo Group Limited; tvtsched Module>
R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>

S2 tvtnetwk - c:\program files\lenovo\rescue and recovery\adm\iuservice.exe (file missing)
S3 OpenVPNService (OpenVPN Service) - c:\program files\openvpn\bin\openvpnserv.exe


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {36FC9E60-C465-11CF-8056-444553540000}
Description: NEC PCI to USB Open Host Controller
Device ID: PCI\VEN_1033&DEV_0035&SUBSYS_A50019CD&REV_43\5&2B491BAE&0&0100F0
Manufacturer: NEC
Name: NEC PCI to USB Open Host Controller
PNP Device ID: PCI\VEN_1033&DEV_0035&SUBSYS_A50019CD&REV_43\5&2B491BAE&0&0100F0
Service: usbohci


-- Scheduled Tasks -------------------------------------------------------------

2007-12-23 20:19:57 316 --a------ C:\WINDOWS\Tasks\PMTask.job
2007-12-18 14:18:18 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2007-11-23 and 2007-12-23 -----------------------------

2007-12-22 09:44:31 0 d-------- C:\WINDOWS\ERUNT
2007-12-21 11:40:51 0 d-------- C:\Program Files\Avira
2007-12-21 11:40:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2007-12-18 14:21:14 0 d-------- C:\Documents and Settings\Michele Wyman\Application Data\Apple Computer
2007-12-18 14:20:33 0 d-------- C:\Program Files\iPod
2007-12-18 14:20:26 0 d-------- C:\Program Files\iTunes
2007-12-18 14:18:54 0 d-------- C:\Program Files\QuickTime
2007-12-18 14:18:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-18 14:18:06 0 d-------- C:\Program Files\Apple Software Update
2007-12-18 14:17:23 0 d-------- C:\Program Files\Common Files\Apple
2007-12-18 14:17:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-12-14 11:42:32 0 d-------- C:\Program Files\Citrix
2007-12-14 11:42:19 0 d-------- C:\WINDOWS\Sun
2007-12-14 11:42:18 0 d-------- C:\Documents and Settings\Michele Wyman\Application Data\Sun
2007-12-05 16:25:56 0 d-------- C:\Program Files\Chami
2007-12-05 09:21:54 0 d-------- C:\WINDOWS\system32\LogFiles
2007-12-04 16:04:19 0 d-------- C:\Documents and Settings\Michele Wyman\Application Data\Google
2007-12-04 10:54:43 0 d-------- C:\Documents and Settings\All Users\Application Data\Sprint Mobile Broadband (Pantech)
2007-12-04 10:40:47 61440 --a------ C:\WINDOWS\system32\pxfhwmcp.dll <Not Verified; DEVGURU; Application Interface DLL>
2007-12-04 10:40:22 0 d-------- C:\Program Files\Sprint
2007-12-03 10:59:11 0 d-------- C:\Documents and Settings\Michele Wyman\Application Data\RCP 5
2007-12-03 10:59:10 0 d-------- C:\Program Files\ReaConverter 5.0 Pro


-- Find3M Report ---------------------------------------------------------------

2007-12-23 21:04:56 0 d-------- C:\Program Files\Mozilla Thunderbird
2007-12-22 09:59:22 0 d-------- C:\Program Files\Common Files
2007-12-21 19:05:37 0 d-------- C:\Program Files\pgtqncvg
2007-12-21 19:05:37 0 d-------- C:\Program Files\Narvrpzd
2007-12-21 19:02:26 0 d-------- C:\Documents and Settings\Michele Wyman\Application Data\.purple
2007-12-19 19:04:53 0 d-------- C:\Documents and Settings\Michele Wyman\Application Data\gtk-2.0
2007-12-04 16:03:33 0 d-------- C:\Program Files\Google
2007-11-16 10:33:32 0 d-------- C:\Program Files\MalwareAlarm
2007-11-15 22:46:35 1147424 --a------ C:\Install
2007-11-15 22:43:13 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-11-07 22:27:36 0 d-------- C:\Program Files\InterActual
2007-11-03 21:39:34 0 d-------- C:\Documents and Settings\Michele Wyman\Application Data\InterVideo
2007-10-31 12:54:24 0 d-------- C:\Program Files\Common Files\Adobe
2007-10-29 16:42:03 0 d-------- C:\Program Files\OpenVPN
2007-10-10 13:39:21 65 --a------ C:\WINDOWS\system32\BD8660DN.DAT
2007-10-09 03:47:39 1156 --a------ C:\WINDOWS\mozver.dat
2007-10-09 03:43:27 0 --a------ C:\WINDOWS\nsreg.dat
2007-10-03 23:36:46 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{200D0AAD-71B1-51C9-DDB0-092BA4662A54}]
C:\Program Files\Narvrpzd\rhbsczaq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2EFF8B15-F92A-497C-9CFD-63F5B52105F7}]
C:\WINDOWS\system32\vtsqp.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [02/13/2006 09:17 PM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [02/13/2006 09:16 PM]
"PWRMGRTR"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [06/17/2007 08:16 AM]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [06/17/2007 08:16 AM]
"TPFNF7"="C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe" [04/09/2007 10:03 AM]
"TPHOTKEY"="C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe" [03/08/2007 09:49 PM]
"TpShocks"="TpShocks.exe" [03/29/2007 05:40 PM C:\WINDOWS\system32\TpShocks.exe]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [03/28/2007 09:32 AM]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [04/08/2007 11:23 PM]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [04/03/2007 06:55 PM]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [02/25/2007 06:34 PM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [02/25/2007 06:34 PM]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [02/25/2007 06:33 PM]
"TVT Scheduler Proxy"="C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [02/08/2007 12:19 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [11/10/2005 12:03 PM]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [02/02/2006 04:20 AM]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [07/27/2004 03:50 PM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [07/27/2004 03:50 PM]
"AwaySch"="C:\Program Files\Lenovo\AwayTask\AwaySch.EXE" [11/07/2006 02:51 AM]
"LPManager"="C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe" [03/22/2007 09:02 AM]
"AMSG"="C:\Program Files\ThinkVantage\AMSG\Amsg.exe" [02/01/2007 10:00 AM]
"ACTray"="C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe" [07/05/2007 01:58 PM]
"ACWLIcon"="C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [07/05/2007 01:51 PM]
"cssauth"="C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" [01/30/2007 06:01 PM]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [11/11/2005 05:30 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 06:51 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [12/11/2007 10:56 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [12/11/2007 12:10 PM]
"58a8ab0d"="C:\WINDOWS\system32\kfbhlkdm.dll" []
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [12/21/2007 11:55 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 04:00 AM]
"MalwareAlarm"="C:\Program Files\MalwareAlarm\MalwareAlarm.exe" [11/16/2007 10:33 AM]
"Ebc"="C:\PROGRA~1\RACLE~1\wowexec.exe" []
"Qkxbolf"="C:\WINDOWS\system32\s?stem\n?tepad.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe [2/27/2007 4:43:30 PM]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [10/5/2007 12:36:18 PM]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [10/10/2007 1:19:46 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
ACNotify.dll 07/05/2007 01:52 PM 32768 C:\Program Files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gos126]
gos126.tmp

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
C:\WINDOWS\system32\psqlpwd.dll 03/14/2007 09:17 PM 89600 C:\WINDOWS\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
C:\Program Files\Lenovo\HOTKEY\notifyf2.dll 09/05/2006 11:37 PM 34344 C:\Program Files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
C:\Program Files\Lenovo\HOTKEY\tphklock.dll 12/13/2006 06:06 PM 28672 C:\Program Files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winzzd32]
winzzd32.dll


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\Setup.exe -auto

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a5a528f0-ae86-11dc-a5cf-0013e8d35d03}]
AutoRun\command- E:\autorun.exe




-- End of Deckard's System Scanner: finished at 2007-12-23 21:35:56 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Core™2 Duo CPU T7100 @ 1.80GHz
CPU 1: Intel® Core™2 Duo CPU T7100 @ 1.80GHz
Percentage of Memory in Use: 25%
Physical Memory (total/avail): 2006.22 MiB / 1495.49 MiB
Pagefile Memory (total/avail): 3898.36 MiB / 3499.31 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1933.41 MiB

C: is Fixed (NTFS) - 50.3 GiB total, 37.53 GiB free.
D: is CDROM (CDFS)

\\.\PHYSICALDRIVE0 - HTS721060G9SA00 - 55.89 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 50.3 GiB - C:
\PARTITION1 - Unknown - 5.58 GiB



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: Avira AntiVir PersonalEdition v 7.0.1.144
(Avira GmbH)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Michele Wyman\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=CHADHEINRICH
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Michele Wyman
LOGONSERVER=\\CHADHEINRICH
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\Intel\Wireless\Bin\;C:\Program Files\ThinkPad\ConnectUtilities;C:\Program Files\Common Files\Lenovo;C:\Program Files\Lenovo\Client Security Solution;C:\Program Files\QuickTime\QTSystem;C:\Program Files\OpenVPN\bin
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 13, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f0d
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
RR=C:\Program Files\Lenovo\Rescue and Recovery
SESSIONNAME=Console
SMA=C:\Program Files\ThinkVantage\SMA\
SonicCentral=C:\Program Files\Common Files\Sonic Shared\Sonic Central\
SWSHARE=C:\SWSHARE
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\MICHEL~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\MICHEL~1\LOCALS~1\Temp
TPCCommon=C:\PROGRA~1\THINKV~1\PrdCtr
TVT=C:\Program Files\Lenovo
TVTCOMMON=C:\Program Files\Common Files\Lenovo
TVTPYDIR=C:\Program Files\Common Files\Lenovo\Python24
USERDOMAIN=CHADHEINRICH
USERNAME=Chad Heinrich
USERPROFILE=C:\Documents and Settings\Michele Wyman
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Michele Wyman (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\SETUP.exe -l0x0009 -removeonly
--> C:\Program Files\InstallShield Installation Information\{69333A04-5134-40A5-A055-9166A7AA1EC8}\setup.exe -runfromtemp -l0x0009 -removeonly
--> C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\SETUP.exe -l0x0009 -removeonly
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
7-Zip 4.42 --> "C:\Program Files\7-Zip\Uninstall.exe"
Access Help --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C6FA39A7-26B1-480A-BC74-6D17531AC222}\Setup.exe" -l0x9 UNINSTALL
Adobe Reader 8.1.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81100000003}
Apple Mobile Device Support --> MsiExec.exe /I{B5C209B1-8DDB-4642-A573-375B951514CB}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Avira AntiVir PersonalEdition Classic --> C:\Program Files\Avira\AntiVir PersonalEdition Classic\SETUP.EXE /REMOVE
Brother MFL-Pro Suite --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9211CCBB-BEFE-4A0C-9199-D7A535DBFE5F}\Setup.exe" -l0x9 Brunin03.dllBrunin03.dll
Client Security Solution --> MsiExec.exe /I{F055E1B2-8A05-4D87-8039-1BE979BA4193}
Google AdWords Editor --> MsiExec.exe /I{E7237B6D-E484-43F7-870E-BCE060FC01E2}
Google Updater --> "C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
GoToMeeting/GoToWebinar 3.0.0.198 --> C:\Program Files\Citrix\GoToMeeting\198\G2MUninstall.exe /uninstall
GTK+ Runtime 2.10.13 rev a (remove only) --> C:\Program Files\Common Files\GTK\2.0\uninst.exe
Help Center --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{986F64DC-FF15-449D-998F-EE3BCEC6666A}\Setup.exe" -l0x9 -AddRemove
High Definition Audio Driver Package - KB888111 -->
HijackThis 2.0.2 --> "C:\Documents and Settings\Michele Wyman\Desktop\HijackThis.exe" /uninstall
Integrated Camera --> C:\Program Files\InstallShield Installation Information\{399C37FB-08AF-493B-BFED-20FBD85EDF7F}\setup.exe -runfromtemp -l0x0009 -removeonly -u
Intel® Graphics Media Accelerator Driver --> C:\WINDOWS\system32\igxpun.exe -uninstall
Intel® PRO Network Connections Drivers --> Prounstl.exe
Intel® PROSet/Wireless Software --> C:\WINDOWS\Installer\iProInst.exe
InterActual Player --> C:\Program Files\InterActual\InterActual Player\inuninst.exe
InterVideo WinDVD --> "C:\Program Files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe" REMOVEALL
iTunes --> MsiExec.exe /I{18388EF8-E0A3-442B-8BFE-E2F1B3D05C91}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Lenovo Registration --> C:\Program Files\Lenovo Registration\uninstall.exe
Maintenance Manager --> Rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\AWAYTASK.INF
MalwareAlarm --> C:\Program Files\MalwareAlarm\Uninstall.exe
mCore --> MsiExec.exe /I{E81667C6-2856-46D6-ABEA-6A2F42166779}
mDriver --> MsiExec.exe /I{A0F925BF-5C55-44C2-A4E7-5A4C59791C29}
Message Center --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E7E836B8-4BDD-454F-82E6-5FEA17C83AD4}\Setup.exe" -l0x9 -AddRemove
Microsoft Office Access MUI (English) 2007 --> MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Home and Student 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall HOMESTUDENTR /dll OSETUP.DLL
Microsoft Office Home and Student 2007 --> MsiExec.exe /X{91120000-002F-0000-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007 --> MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Professional Hybrid 2007 --> MsiExec.exe /X{91120000-0031-0000-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007 --> MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft SQL Server Native Client --> MsiExec.exe /I{50A0893D-47D8-48E0-A7E8-44BCD7E4422E}
Microsoft SQL Server Setup Support Files (English) --> MsiExec.exe /X{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}
Microsoft SQL Server VSS Writer --> MsiExec.exe /I{C0D2F614-5CE5-4DCB-8678-E5C9AF7044F8}
mMHouse --> MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
Mozilla Firefox (2.0.0.11) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Mozilla Thunderbird (2.0.0.9) --> C:\Program Files\Mozilla Thunderbird\uninstall\helper.exe
mPfMgr --> MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
mProSafe --> MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
mWlsSafe --> MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}
On Screen Display --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall.XP 132 C:\Program Files\Lenovo\HOTKEY\tphk_tp.inf
OpenVPN 2.1_rc4 --> C:\Program Files\OpenVPN\Uninstall.exe
PANTECH PC Card Software --> C:\Program Files\Sprint\Pantech PC Card\PTDCUninstall.exe
Pidgin --> C:\Program Files\Pidgin\pidgin-uninst.exe
Presentation Director --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{65706020-7B6F-41F2-8047-FC69579E386A}\Setup.exe" -l0x9 -AddRemove
Productivity Center Supplement for ThinkPad --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D728E945-256D-4477-B377-6BBA693714AC}\SETUP.EXE" -l0x9 -AddRemove
QuickTime --> MsiExec.exe /I{E0D51394-1D45-460A-B62D-383BC4F8B335}
RecordNow Audio --> MsiExec.exe /I{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
RecordNow Copy --> MsiExec.exe /I{B12665F4-4E93-4AB4-B7FC-37053B524629}
RecordNow Data --> MsiExec.exe /I{075473F5-846A-448B-BCB3-104AA1760205}
Remove Multimedia Center --> C:\swtools\apps\MMCfTO\customiz\sequencer.exe -fc:\swtools\apps\MMCfTO\customiz\uninst.seq
Rescue and Recovery --> MsiExec.exe /I{F151F2B3-0C32-44D3-90E2-E639B8024622}
RICOH R5C83x/84x Flash Media Controller Driver Ver.3.51.01 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{59F6A514-9813-47A3-948C-8A155460CC2A}\setup.exe" -l0x9 anything
Screenshot Utility version 1.0 --> "C:\Program Files\Screenshot Utility\unins000.exe"
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Excel 2007 (KB936509) --> msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {A00724F5-82C4-4924-B707-0E5A84B52471}
Security Update for Office 2007 (KB934062) --> msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {305D509B-F194-4638-9F0F-D9E4C05F9D33}
Security Update for Office 2007 (KB936514) --> msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {C7A78F7F-EF32-4477-BAD7-3439EA7571BF}
Security Update for Step By Step Interactive Training (KB898458) -->
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Security Update for the 2007 Microsoft Office System (KB936960) --> msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {5E5BD655-7AA9-47F9-BB6D-A1D8CE29AC86}
Sonic DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic Express Labeler --> MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Sonic Icons for Lenovo --> MsiExec.exe /I{B334D9AE-1393-423E-97C0-3BDC3360E692}
Sonic Update Manager --> MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\SETUP.exe" -l0x9 -removeonly
Sprint Mobile Broadband (Pantech) --> MsiExec.exe /I{B9E8CAF9-B495-4E8B-89F6-588C2CEF9766}
System Migration Assistant --> MsiExec.exe /X{F705E3E1-A471-426B-9A09-73429F3418EE}
System Update --> MsiExec.exe /X{8675339C-128C-44DD-83BF-0A5D6ABD8297}
The GIMP 2.2.8 --> "C:\Program Files\GIMP-2.0\unins000.exe"
ThinkPad Bluetooth with Enhanced Data Rate Software --> MsiExec.exe /X{84814E6B-2581-46EC-926A-823BD1C670F6}
ThinkPad EasyEject Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1297C681-92D7-40EF-93BF-03F66EC5105C}\SETUP.EXE" -l0x9 -AddRemove
ThinkPad FullScreen Magnifier --> RunDll32 setupapi.dll,InstallHinfSection DefaultUninstall.NT 132 C:\Program Files\Lenovo\Zoom\TpScrex.inf
ThinkPad Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_10140588\UIU32m.exe -U -ITkp0588k.inf
ThinkPad PC Card Power Policy --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUnInstall 132 C:\SWTOOLS\OSFIXES\PCMCIAPW\pcmciapw.inf
ThinkPad Power Management Driver --> RunDll32.exe tpinspm.dll,Uninstall
ThinkPad Power Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A0E64EBA-8BF0-49FB-90C0-BB3D781A2016}\SETUP.EXE" -l0x9 -AddRemove
ThinkPad UltraNav Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
ThinkPad UltraNav Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{17CBC505-D1AE-459D-B445-3D2000A85842}\SETUP.EXE" -l0x9 UNINSTALL
ThinkVantage Access Connections --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7EB114D8-207F-45AE-BABD-1669715F2630}\Setup.exe" -l0x9 anything
ThinkVantage Active Protection System --> MsiExec.exe /X{46A84694-59EC-48F0-964C-7E76E9F8A2ED}
ThinkVantage Productivity Center --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CF5737AF-8550-4546-A69B-0EA9EF5A9B55}\SETUP.EXE" -l0x9 -AddRemove
ThinkVantage Technologies Welcome Message --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1007F41F-7D69-468E-8017-3849A5A973C2}\Setup.exe" -l0x9 anything
Update for Office 2007 (KB932080) --> msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {EDC9CA29-6BC1-471C-828C-7A36109005D7}
Update for Office 2007 (KB934391) --> msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {B3091818-7C56-4C45-BE7D-CA23027A5EA5}
Update for Office 2007 (KB934393) --> msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {92FBAD46-E7F6-49FA-89B5-C39FC5BFAD15}
Update for Word 2007 (KB934173) --> msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {C6A89125-5473-45E3-B413-ED8186437475}
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
Wallpapers --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DB71210F-8314-4AE3-B7A7-EBAF85BD30E9}\Setup.exe" -l0x9 UNINSTALL
Windows Media Connect --> "C:\WINDOWS\$NtUninstallWMCSetup$\spuninst\spuninst.exe"
XP Themes --> MsiExec.exe /I{C54ED2B6-1AF2-416F-BBA8-5E2B8CDCB5C4}


-- Application Event Log -------------------------------------------------------

Event Record #/Type2520 / Warning
Event Submitted/Written: 12/23/2007 11:40:07 AM
Event ID/Source: 4113 / H+BEDV AntiVir
Event Description:
AntiVir has detected 'TR/Vundo.Gen'
in the file
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP60\A0026183.dll

Event Record #/Type2457 / Warning
Event Submitted/Written: 12/22/2007 09:34:49 AM
Event ID/Source: 4113 / H+BEDV AntiVir
Event Description:
AntiVir has detected 'TR/Vundo.Gen'
in the file
C:\WINDOWS\system32\vtsqp.dll

Event Record #/Type2456 / Warning
Event Submitted/Written: 12/22/2007 09:34:45 AM
Event ID/Source: 4113 / H+BEDV AntiVir
Event Description:
AntiVir has detected 'TR/Click.MNB'
in the file
C:\WINDOWS\system32\mxbttcid.exe

Event Record #/Type2453 / Warning
Event Submitted/Written: 12/22/2007 09:29:59 AM
Event ID/Source: 4113 / H+BEDV AntiVir
Event Description:
AntiVir has detected 'TR/Vundo.Gen'
in the file
C:\WINDOWS\system32\vtsqp.dll

Event Record #/Type2452 / Warning
Event Submitted/Written: 12/22/2007 09:26:23 AM
Event ID/Source: 4113 / H+BEDV AntiVir
Event Description:
AntiVir has detected 'TR/Vundo.Gen'
in the file
C:\WINDOWS\system32\olijfckf.dll



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type7523 / Error
Event Submitted/Written: 12/23/2007 10:36:35 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The tvtnetwk service failed to start due to the following error:
%%2

Event Record #/Type7515 / Warning
Event Submitted/Written: 12/23/2007 10:31:38 AM
Event ID/Source: 11050 / dnscache
Event Description:
The DNS Client service could not contact any DNS servers for
a repeated number of attempts. For the next 30 seconds the
DNS Client service will not use the network to avoid further
network performance problems. It will resume its normal behavior
after that. If this problem persists, verify your TCP/IP
configuration, specifically check that you have a preferred
(and possibly an alternate) DNS server configured. If the problem
continues, verify network conditions to these DNS servers or contact
your network administrator.

Event Record #/Type7514 / Error
Event Submitted/Written: 12/23/2007 10:31:37 AM
Event ID/Source: 32003 / ipnathlp
Event Description:
The Network Address Translator (NAT) was unable to request an operation
of the kernel-mode translation module.
This may indicate misconfiguration, insufficient resources, or
an internal error.
The data is the error code.

Event Record #/Type7476 / Error
Event Submitted/Written: 12/22/2007 10:02:17 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The tvtnetwk service failed to start due to the following error:
%%2

Event Record #/Type7425 / Error
Event Submitted/Written: 12/22/2007 09:48:22 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The tvtnetwk service failed to start due to the following error:
%%2



-- End of Deckard's System Scanner: finished at 2007-12-23 21:35:56 ------------

#6 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 24 December 2007 - 04:54 AM

Please download OTMoveIt by OldTimer, save it to your desktop:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):

C:\Program Files\pgtqncvg
C:\Program Files\Narvrpzd


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button
Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it into your next reply.
Close OTMoveIt.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.


Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: fix.reg, to your desktop.
Then double click on the fix.reg file on your desktop and agree to merge the information into the registry, then restart your pc.

REGEDIT4
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{200D0AAD-71B1-51C9-DDB0-092BA4662A54}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2EFF8B15-F92A-497C-9CFD-63F5B52105F7}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"58a8ab0d"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ebc"=-
"Qkxbolf"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gos126]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winzzd32]


Also post a new Hijackthis log please.
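
A way to see what a helper-posted fix.reg will do before it is merged, added here as an example; it is not part of this thread and not a tool mentioned in it. The parser reads the REGEDIT4 syntax used in the fix above ([-KEY] deletes a key, a "name"=- line deletes that value under the key selected by the preceding [KEY] line) and lists the resulting operations. The sample file is a constructed copy modelled on the fix above with the Browser Helper Objects key written out in full; the function names are this example's own.

```python
"""Dry-run preview of a Regedit fix file (.reg).

Added example; not part of this thread or of any tool mentioned in it.
It reads the REGEDIT4 / "Windows Registry Editor Version 5.00" syntax used
in helper-posted fixes and lists what merging the file would do, so the
operations can be checked against the HijackThis log before Regedit runs.
  [KEY]        selects (and creates if absent) a key
  [-KEY]       deletes the key and everything below it
  "name"=-     deletes the value under the selected key
  "name"="s"   sets a string value; @ addresses the key's default value
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RegOp:
    action: str          # select_key | delete_key | delete_value | set_value
    key: str
    name: str = ""       # value name; "@" for the default value
    data: str = ""       # raw data for set_value (hex:/dword: kept verbatim)


_HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
_KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
_VALUE_RE = re.compile(r'^("(?:[^"\\]|\\.)*"|@)=(.*)$')


def _unquote(name: str) -> str:
    """Strip the quotes from a value name and undo the .reg escapes."""
    if name == "@":
        return "@"
    return name[1:-1].replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text: str) -> list:
    """Parse a .reg file into the ordered list of RegOp it would perform."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in _HEADERS:
        raise ValueError("not a Regedit file: first line must be REGEDIT4 or the 5.00 header")
    ops = []
    current = None                       # key selected by the last [KEY] line
    for lineno, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            minus, key = m.groups()
            if minus:
                ops.append(RegOp("delete_key", key))
                current = None           # values cannot follow a deleted key
            else:
                ops.append(RegOp("select_key", key))
                current = key
            continue
        m = _VALUE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised syntax: {line!r}")
        if current is None:
            raise ValueError(f"line {lineno}: value line without a preceding [KEY]")
        name, data = _unquote(m.group(1)), m.group(2)
        if data == "-":
            ops.append(RegOp("delete_value", current, name))
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            ops.append(RegOp("set_value", current, name, data[1:-1]))
        else:
            ops.append(RegOp("set_value", current, name, data))
    return ops


def plan(ops: list) -> list:
    """Human-readable plan; key selections are context, not changes, so they are omitted."""
    out = []
    for op in ops:
        if op.action == "delete_key":
            out.append(f"DELETE KEY   {op.key}")
        elif op.action == "delete_value":
            out.append(f"DELETE VALUE {op.key} -> {op.name!r}")
        elif op.action == "set_value":
            out.append(f"SET VALUE    {op.key} -> {op.name!r} = {op.data}")
    return out


# Constructed sample modelled on the fix above; the Browser Helper Objects
# key is spelled out in full, and the CLSIDs/value names are those in the thread.
SAMPLE_FIX = r"""REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{200D0AAD-71B1-51C9-DDB0-092BA4662A54}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2EFF8B15-F92A-497C-9CFD-63F5B52105F7}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"58a8ab0d"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ebc"=-
"Qkxbolf"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gos126]
"""

if __name__ == "__main__":
    print("\n".join(plan(parse_reg(SAMPLE_FIX))))
```

Checking the printed plan against the HijackThis log (the O2 CLSIDs, the O4 value names, the O20 notify names) is the step to take before double-clicking a .reg file: once the merge prompt is accepted Regedit applies the file silently, and a deleted key is not recoverable without a backup.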

#7 flavor

  • Topic Starter
  • Members
  • 13 posts

Posted 25 December 2007 - 11:37 PM

C:\Program Files\pgtqncvg moved successfully.
C:\Program Files\Narvrpzd moved successfully.

Created on 12252007_203558

#8 flavor

  • Topic Starter
  • Members
  • 13 posts

Posted 26 December 2007 - 01:31 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:29:49 PM, on 12/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Sprint\Pantech\Sprint Mobile Broadband (Pantech)\PWIUtilityService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\Program Files\ThinkVantage\AMSG\Amsg.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sprint\Pantech\Sprint Mobile Broadband (Pantech)\CMPWI.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Michele Wyman\Desktop\HiJackThis(2).exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lenovo.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {200D0AAD-71B1-51C9-DDB0-092BA4662A54} - C:\Program Files\Narvrpzd\rhbsczaq.dll (file missing)
O2 - BHO: (no name) - {2EFF8B15-F92A-497C-9CFD-63F5B52105F7} - C:\WINDOWS\system32\vtsqp.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [AMSG] C:\Program Files\ThinkVantage\AMSG\Amsg.exe /startup
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MalwareAlarm] C:\Program Files\MalwareAlarm\MalwareAlarm.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{350F61B7-F8AA-4657-9EF6-F5642892C322}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{DCE45038-682B-4EB8-9DA3-FE9DEE171071}: NameServer = 68.28.50.91 68.28.58.92
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\OpenVPN\bin\openvpnserv.exe
O23 - Service: Pantech Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Pantech\Sprint Mobile Broadband (Pantech)\PWIUtilityService.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: System Update (SUService) - - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: tvtnetwk - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 12765 bytes
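
Triage logic for a log like the one above, added as an example that is not part of this thread or of HijackThis itself: it parses the section-coded lines and flags the traits a helper reads first, among them a BHO registered with no name whose DLL is missing (the two O2 entries targeted by the earlier fix.reg), an autorun under HKCU, a service with no publisher, and a DNS server outside the local network. The sample log is a constructed subset of lines copied from the log above; the function and class names are this example's own.

```python
"""Triage of HijackThis (HJT) log lines.

Added example; not part of the thread or of HijackThis itself.  It parses
the section-coded lines of an HJT log (O2 browser helper objects, O4 autorun
entries, O17 DNS settings, O20 Winlogon notify DLLs, O23 services) and flags
the patterns a malware helper reads first.  Flags are review prompts, not
verdicts: several hits in the sample below are benign vendor leftovers.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    code: str    # HJT section code, e.g. "O2"
    reason: str
    line: str


# "O2 - BHO: name - {CLSID} - path", "O4 - HKLM\..\Run: [name] cmd", ...
_ENTRY_RE = re.compile(r"^(O\d+|R\d|F\d) - (.*)$")
_NAMESERVER_RE = re.compile(r"NameServer = (.+)$")


def _is_private(ip: str) -> bool:
    """True for RFC 1918 / loopback / link-local addresses; False for bad input."""
    try:
        return ipaddress.ip_address(ip).is_private
    except ValueError:
        return False


def triage(log: str) -> list:
    """Return one Finding per suspicious trait; a single line may yield several."""
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        m = _ENTRY_RE.match(line)
        if not m:
            continue                       # header, process list, blank lines
        code, body = m.groups()
        if "(file missing)" in body:
            findings.append(Finding(code, "points at a file that no longer exists", line))
        if code == "O2" and body.startswith("BHO: (no name)"):
            findings.append(Finding(code, "browser helper object registered without a name", line))
        if code == "O4" and body.startswith("HKCU"):
            findings.append(Finding(code, "per-user autorun; creating it needs no admin rights", line))
        if code == "O23" and "Unknown owner" in body:
            findings.append(Finding(code, "service binary carries no publisher information", line))
        if code == "O17":
            ns = _NAMESERVER_RE.search(body)
            if ns and not all(_is_private(ip) for ip in ns.group(1).split()):
                findings.append(Finding(code, "DNS server outside the LAN; confirm it is your ISP's", line))
    return findings


def summary(findings: list) -> dict:
    """Count findings per HJT section code."""
    return dict(Counter(f.code for f in findings))


# Constructed sample: a subset of lines copied from the log above.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {200D0AAD-71B1-51C9-DDB0-092BA4662A54} - C:\Program Files\Narvrpzd\rhbsczaq.dll (file missing)
O2 - BHO: (no name) - {2EFF8B15-F92A-497C-9CFD-63F5B52105F7} - C:\WINDOWS\system32\vtsqp.dll (file missing)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [MalwareAlarm] C:\Program Files\MalwareAlarm\MalwareAlarm.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{350F61B7-F8AA-4657-9EF6-F5642892C322}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{DCE45038-682B-4EB8-9DA3-FE9DEE171071}: NameServer = 68.28.50.91 68.28.58.92
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\OpenVPN\bin\openvpnserv.exe
O23 - Service: tvtnetwk - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.code}] {f.reason}\n    {f.line}")
    print(summary(triage(SAMPLE_LOG)))
```

On the sample the OpenVPN service, the Lenovo tvtnetwk service and the ACNotify notify DLL are flagged alongside the two unnamed BHOs and the MalwareAlarm autorun; that is why a helper reads the whole log and the Add/Remove Programs list together rather than acting on any single flag.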

#9 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 26 December 2007 - 04:46 AM

Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad".
This will change from what we know in 2006; read this article:
http://www.clickz.com/news/article.php/3561546

You are well advised to remove the program now.
Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present, then restart your pc:
Viewpoint
Viewpoint Manager
Viewpoint Media Player



Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6 update 3'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.


Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1
Do not run it just yet.

Download\install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, exit SuperAntiSpyware.
Do not run it just yet.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {200D0AAD-71B1-51C9-DDB0-092BA4662A54} - C:\Program Files\Narvrpzd\rhbsczaq.dll (file missing)
O2 - BHO: (no name) - {2EFF8B15-F92A-497C-9CFD-63F5B52105F7} - C:\WINDOWS\system32\vtsqp.dll (file missing)
O4 - HKCU\..\Run: [MalwareAlarm] C:\Program Files\MalwareAlarm\MalwareAlarm.exe
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)

Exit HijackThis.

Now double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.
Click 'Exit' on the Main menu to close the program.

Now Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double-click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new HijackThis log, and let me know how your pc is running now.

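The reply above ticks three HijackThis entries, and two of the three carry HijackThis's own "(file missing)" annotation. As an added example (not part of the thread, not HijackThis code), here is a small parser for the O2, O4, O20 and O23 line shapes seen in this log that surfaces the entries a responder would look at first: orphaned entries, unnamed BHOs, and services with no verifiable vendor. The line formats are assumed from the posted log, and the sample is constructed from lines in this thread.

```python
import re

# Added example, not part of the thread: parse the HijackThis line types the
# reply above tells the poster to fix (O2 BHO, O4 Run, O20 Winlogon Notify)
# plus O23 services. Line shapes are assumed from the posted log.
PATTERNS = {
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$"),
    "O4": re.compile(r"^O4 - HK\w+\\\.\.\\\w+: \[(?P<name>[^\]]*)\] (?P<path>.*)$"),
    "O20": re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$"),
    # the vendor field may be empty, which HijackThis prints as "name - - path"
    "O23": re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) ?- (?P<path>.*)$"),
}

def parse_line(line):
    """Return {'kind', 'name', 'path', 'vendor'} or None for unsupported line types."""
    for kind, rx in PATTERNS.items():
        m = rx.match(line.strip())
        if m:
            d = m.groupdict()
            return {"kind": kind, "name": d["name"], "path": d["path"],
                    "vendor": d.get("vendor", "").strip()}
    return None

def flags_for(entry):
    """Review flags. '(file missing)' is HijackThis's annotation for an orphaned
    entry: the registry still points at a file that is gone."""
    flags = []
    if "(file missing)" in entry["path"]:
        flags.append("orphaned")
    if entry["kind"] == "O2" and entry["name"] == "(no name)":
        flags.append("unnamed-bho")
    if entry["kind"] == "O23" and entry["vendor"] in ("", "Unknown owner"):
        flags.append("unverified-vendor")
    return flags

def triage_log(text):
    """Flagged entries from a HijackThis log, in log order, each with its flags."""
    out = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry and (flags := flags_for(entry)):
            out.append({**entry, "flags": flags})
    return out

# Constructed sample built from lines that appear in this thread.
SAMPLE = r"""
O23 - Service: System Update (SUService) - - c:\program files\lenovo\system update\suservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: tvtnetwk - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe (file missing)
O2 - BHO: (no name) - {2EFF8B15-F92A-497C-9CFD-63F5B52105F7} - C:\WINDOWS\system32\vtsqp.dll (file missing)
O4 - HKCU\..\Run: [MalwareAlarm] C:\Program Files\MalwareAlarm\MalwareAlarm.exe
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
"""
```

Note that the O4 MalwareAlarm entry parses cleanly but gets no structural flag; it is fixed in the reply because the product is known, not because the line itself looks broken, so a name-based reputation check would still have to sit on top of this.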



