Virtumonde

20 replies to this topic

#1 ericj629

ericj629

  • Members
  • 11 posts

Posted 28 December 2007 - 01:38 AM

I've been infected with Virtumonde for a few days now. I've tried every solution I've come across, but I've had no success yet. Every time I think I'm close to getting rid of it, it just comes right back.

I've tried removal with the following programs as recommended on various other forums: Ad-Aware, Spybot S&D, AntiVir Personal Edition, Trojan Hunter, ADS Spy, Vundo Fix, Symantec's Fix Vundo, VundoBeGone, and ComboFix. I'm sure there were others, but these were the only ones I remember.

AntiVir Guard gives me alerts nearly every time I open the Windows file explorer or the control panel. The files detected are typically some variation of TMP.tmp with affixed numbers (e.g. TMP1.tmp, TMP13.tmp, etc.). I also get constant warnings for ssqrs.exe. This has really been the root of my problem...no matter how many times I've tried to get rid of ssqrs.dll, it just keeps coming back.

I hope that's enough of a description. Here is my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:15:42 AM, on 12/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Gmail Notifier\gnotify .exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP .exe
C:\Program Files\Rainlendar\Rainlendar.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://student.wfu.edu/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://student.wfu.edu/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F3 - REG:win.ini: load=C:\WINDOWS\system32\ssqrs.exe
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe" /tray
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM .EXE"
O4 - Startup: delete.bat
O4 - Startup: delete2.bat
O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\IBM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O12 - Plugin for .NPSSView: C:\Program Files\Seagate Software\Viewers\ActiveXViewer\NPssView.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/qtinstall.info.app...llInstaller.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {CB4574A5-D463-46BE-8E12-8CD0DCA9EDA1} (LIVECHAT Control) - http://www.wcgzone.com/LiveChat.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = deacnet.wfu.edu
O17 - HKLM\Software\..\Telephony: DomainName = deacnet.wfu.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{1B46318D-04AD-4C6A-BFD5-F1DA535B3099}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{D4D2A2EB-92DF-4AA0-83F3-62E59B273BF1}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = deacnet.wfu.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = deacnet.wfu.edu
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: IBM HDD APS Logging Service (TPHDEXLGSVC) - IBM Corporation - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - http://www.glop.org/gamercard/card/excero.png

--
End of file - 10310 bytes


Thanks in advance for whoever can help.



#2 rookie147

rookie147

  • Members
  • 5,321 posts

Posted 28 December 2007 - 09:31 AM

Hello there and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.
Using My Computer, navigate to where you have HijackThis saved.
Right-click on the HijackThis.exe file.
Select "Rename", call it fluffybunny and press enter.
Use fluffybunny.exe from now on.

Please download VundoFix to your Desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt in your next reply.
Note: It is possible that VundoFix encountered a file it could not remove.
VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Please include VundoFix.txt and a new HijackThis log in your next reply.

Edited by rookie147, 28 December 2007 - 09:31 AM.

If you are pleased with the service I have offered, you may like to consider making a donation.


#3 ericj629

ericj629
  • Topic Starter

  • Members
  • 11 posts

Posted 28 December 2007 - 06:17 PM

VundoFix V6.7.7

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 12:07:05 PM 12/28/2007

Listing files found while scanning....

C:\WINDOWS\system32\srqss.ini
C:\WINDOWS\system32\srqss.ini2
C:\WINDOWS\system32\ssqrs.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\srqss.ini
C:\WINDOWS\system32\srqss.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\srqss.ini2
C:\WINDOWS\system32\srqss.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssqrs.dll
C:\WINDOWS\system32\ssqrs.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\srqss.ini
C:\WINDOWS\system32\srqss.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\srqss.ini2
C:\WINDOWS\system32\srqss.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssqrs.dll
C:\WINDOWS\system32\ssqrs.dll Has been deleted!

Performing Repairs to the registry.
Done!



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:13:35 PM, on 12/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP .exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Gmail Notifier\gnotify .exe
C:\Program Files\Rainlendar\Rainlendar.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\edlhjvhf.exe
C:\Program Files\Trend Micro\HijackThis\fluffybunny.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://student.wfu.edu/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://student.wfu.edu/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F3 - REG:win.ini: load=C:\WINDOWS\system32\ssqrs.exe
O2 - BHO: (no name) - {60F22AF3-6B6A-4A4D-904E-5980196A9171} - C:\WINDOWS\system32\ssqrs.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe" /tray
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM .EXE"
O4 - Startup: delete.bat
O4 - Startup: delete2.bat
O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\IBM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O12 - Plugin for .NPSSView: C:\Program Files\Seagate Software\Viewers\ActiveXViewer\NPssView.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/qtinstall.info.app...llInstaller.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {CB4574A5-D463-46BE-8E12-8CD0DCA9EDA1} (LIVECHAT Control) - http://www.wcgzone.com/LiveChat.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = deacnet.wfu.edu
O17 - HKLM\Software\..\Telephony: DomainName = deacnet.wfu.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{1B46318D-04AD-4C6A-BFD5-F1DA535B3099}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{D4D2A2EB-92DF-4AA0-83F3-62E59B273BF1}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = deacnet.wfu.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = deacnet.wfu.edu
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\edlhjvhf.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: IBM HDD APS Logging Service (TPHDEXLGSVC) - IBM Corporation - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - http://www.glop.org/gamercard/card/excero.png

--
End of file - 10478 bytes
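The two HijackThis logs above carry the tells a log reader spots by eye: the F3 win.ini load= line pointing at ssqrs.exe, the O2 BHO with no name, the O23 service (DomainService) with an empty vendor field, process entries whose file name has a space before the extension (gnotify .exe beside the real gnotify.exe), and random-looking binaries under system32 such as edlhjvhf.exe. As an added example (not code from the thread, from HijackThis, or from any of the removal tools named in it), here is a small Python triage script that applies those heuristics to a constructed sample modelled on the log. The rule names, the "random name" threshold and the sample lines are my own assumptions; the output is a list of lines worth a second look, not a verdict.

```python
"""Heuristic triage of a HijackThis (HJT) v2 log.

Added example for this thread; not code from the thread, from Trend Micro,
or from any of the removal tools named in it. Findings are hints for a
human reviewer, not a malware verdict.
"""
import re

# Constructed sample in HJT v2 format, modelled on the thread's entries.
SAMPLE_LOG = """\
Running processes:
C:\\WINDOWS\\system32\\ctfmon.exe
C:\\Program Files\\Google\\Gmail Notifier\\gnotify.exe
C:\\Program Files\\Google\\Gmail Notifier\\gnotify .exe
C:\\WINDOWS\\system32\\edlhjvhf.exe

F3 - REG:win.ini: load=C:\\WINDOWS\\system32\\ssqrs.exe
O2 - BHO: (no name) - {60F22AF3-6B6A-4A4D-904E-5980196A9171} - C:\\WINDOWS\\system32\\ssqrs.dll
O4 - HKLM\\..\\Run: [avgnt] "C:\\Program Files\\Avira\\AntiVir PersonalEdition Classic\\avgnt.exe" /min
O23 - Service: DomainService - - C:\\WINDOWS\\system32\\edlhjvhf.exe
O23 - Service: EvtEng - Intel Corporation - C:\\Program Files\\Intel\\Wireless\\Bin\\EvtEng.exe
"""

# 'name .exe': a second binary whose name collides visually with a real one.
SPACE_BEFORE_EXT = re.compile(r"\S \.(exe|dll|cpl)\b", re.IGNORECASE)
# O23 lines read 'Service: <name> - <vendor> - <drive path>'; vendor may be empty.
SERVICE_LINE = re.compile(
    r"^O23 - Service: (?P<name>.+?) -\s*(?P<vendor>.*?)\s*- (?P<path>[A-Za-z]:\\.+)$")
# First drive-letter path on a line that ends in an executable extension.
PATH_IN_LINE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|cpl)\b', re.IGNORECASE)


def looks_random(stem: str) -> bool:
    """True for a 5-8 letter lowercase stem with no vowel or a 5-consonant run.

    Threshold is an assumption tuned so that stock names like ctfmon, svchost
    and lsass pass while edlhjvhf and ssqrs trip it.
    """
    if not re.fullmatch(r"[a-z]{5,8}", stem):
        return False
    no_vowel = re.search(r"[aeiouy]", stem) is None
    long_run = re.search(r"[^aeiouy]{5}", stem) is not None
    return no_vowel or long_run


def triage(log_text: str) -> list:
    """Return (rule, line) pairs for every log line that trips a heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if SPACE_BEFORE_EXT.search(line):
            findings.append(("space-before-extension", line))
        # win.ini 'load=' is a legacy autostart that should normally be empty.
        if line.startswith("F3 - ") and re.search(r"load=\S", line):
            findings.append(("win.ini-load", line))
        if line.startswith("O2 - BHO: (no name)"):
            findings.append(("nameless-bho", line))
        m = SERVICE_LINE.match(line)
        if m and not m.group("vendor"):
            findings.append(("service-without-vendor", line))
        p = PATH_IN_LINE.search(line)
        if p:
            parts = p.group(0).split("\\")
            if len(parts) >= 2 and parts[-2].lower() == "system32":
                stem = parts[-1].rsplit(".", 1)[0].lower()
                if looks_random(stem):
                    findings.append(("random-system32-name", line))
    return findings


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_LOG):
        print(f"{rule:24} {line}")
```

Run against the constructed sample it reports the gnotify .exe process, the F3 load= line, the nameless BHO and the DomainService entry, and flags ssqrs and edlhjvhf as random-looking system32 names, while ctfmon.exe and the Intel service pass. The random-name rule is deliberately noisy; it exists to draw the eye, and a reviewer still confirms each hit against the vendor and file metadata.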



#4 rookie147

rookie147

  • Members
  • 5,321 posts

Posted 30 December 2007 - 12:47 PM

Download Combofix to your Desktop.
Double click combofix.exe
Follow the prompts that are displayed.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt. Post that in your next reply.

If you are pleased with the service I have offered, you may like to consider making a donation.


#5 ericj629

ericj629
  • Topic Starter

  • Members
  • 11 posts

Posted 30 December 2007 - 06:18 PM

ComboFix 07-12-21.4 - joneea3 2007-12-30 17:42:12.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.419 [GMT -5:00]
Running from: C:\UserData\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\caihahew.dll
C:\WINDOWS\system32\edlhjvhf.exe
C:\WINDOWS\system32\phxokqmm.dll
C:\WINDOWS\system32\srqss.ini
C:\WINDOWS\system32\srqss.ini2
C:\WINDOWS\system32\ssqrs.dll
C:\WINDOWS\system32\wcfkledb.exe
C:\WINDOWS\system32\wehahiac.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-30 )))))))))))))))))))))))))))))))
.

2007-12-30 18:09 . 2007-12-30 18:09 <DIR> d-------- C:\Temp\WPDNSE
2007-12-30 18:09 . 2007-12-30 18:09 53,248 --a------ C:\Temp\yjheymfr2005.dll
2007-12-29 14:58 . 2007-12-29 18:24 <DIR> d-------- C:\Temp\plugtmp
2007-12-29 08:55 . 2007-12-30 17:42 335,872 --a------ C:\WINDOWS\system32\ssqrs.exe
2007-12-28 01:04 . 2007-12-28 01:04 <DIR> d---s---- C:\Temp\Temporary Internet Files
2007-12-28 01:04 . 2007-12-28 01:04 <DIR> d---s---- C:\Temp\History
2007-12-28 01:04 . 2007-12-30 18:08 <DIR> d---s---- C:\Temp\Cookies
2007-12-28 00:49 . 2007-12-30 18:08 <DIR> d-------- C:\Temp\{85C3FA3C-4832-4204-B21E-168E4920936A}
2007-12-28 00:45 . 2007-12-28 00:45 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-28 00:18 . 2007-12-28 00:18 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-12-27 22:13 . 2007-12-28 01:03 <DIR> d-------- C:\UBCD4Win
2007-12-27 19:00 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2007-12-27 19:00 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2007-12-27 19:00 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2007-12-27 19:00 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2007-12-27 16:34 . 2007-12-27 16:35 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-27 15:00 . 2007-12-28 17:59 <DIR> d-------- C:\VundoFix Backups
2007-12-27 15:00 . 2007-12-27 15:00 <DIR> d-------- C:\Documents and Settings\WFUR522005\Application Data\TrojanHunter
2007-12-27 01:57 . 2007-12-27 14:49 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2007-12-27 01:18 . 2007-12-27 01:19 <DIR> d-------- C:\Documents and Settings\WFUR522005\Application Data\PrevxCSI
2007-12-27 01:18 . 2007-12-27 01:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2007-12-27 01:06 . 2007-12-30 18:10 <DIR> d-------- C:\Temp
2007-12-25 01:03 . 2007-12-25 01:03 <DIR> d-------- C:\Program Files\InterMute
2007-12-25 00:12 . 2007-12-25 00:39 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2007-12-25 00:12 . 2007-12-25 00:39 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2007-12-23 19:14 . 2007-12-23 19:14 <DIR> d-------- C:\Program Files\Avira
2007-12-23 19:14 . 2007-12-23 19:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2007-12-22 20:32 . 2007-12-27 18:19 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2007-12-22 12:37 . 2007-12-27 00:16 45,632 --a------ C:\WINDOWS\system32\taskswitch .exe
2007-12-22 12:37 . 2007-12-23 22:08 40,960 --a------ C:\WINDOWS\system32\TpScrLk .exe
2007-12-22 11:49 . 2007-11-02 19:04 385,024 --a------ C:\WINDOWS\system32\WinNB57.dll
2007-12-22 11:34 . 2007-12-24 23:58 <DIR> d--hs---- C:\WINDOWS\V2FrZSBGb3Jlc3Q
2007-12-22 11:34 . 2007-12-24 23:58 <DIR> d-------- C:\WINDOWS\system32\to9
2007-12-22 11:34 . 2007-12-27 14:48 <DIR> d-------- C:\WINDOWS\system32\ll9
2007-12-22 11:34 . 2007-12-24 23:58 <DIR> d-------- C:\WINDOWS\system32\dj2
2007-12-22 11:33 . 2007-12-22 11:33 <DIR> d-------- C:\WINDOWS\system32\ardCo02
2007-12-18 11:56 . 2007-12-18 12:17 <DIR> d-------- C:\Program Files\Return to Castle Wolfenstein
2007-12-18 11:54 . 2007-12-18 12:07 810 --a------ C:\WINDOWS\Rtcw.INI
2007-11-24 23:47 . 2007-12-30 17:41 <DIR> d-------- C:\Documents and Settings\WFUR522005\Application Data\NoNameScript
2007-11-02 21:05 . 2007-11-04 20:14 <DIR> d-------- C:\Program Files\Octoshape Streaming Services

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-30 03:37 --------- d-----w C:\Program Files\Mozilla Thunderbird
2007-12-29 18:49 --------- d-----w C:\Program Files\Steam
2007-12-29 13:13 --------- d-----w C:\Program Files\mIRC
2007-12-28 05:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\SecTaskMan
2007-12-27 19:48 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-12-27 19:48 --------- d-----w C:\Program Files\DAEMON Tools
2007-12-27 04:58 --------- d-----w C:\Program Files\D-Tools
2007-12-27 04:56 --------- d-----w C:\Program Files\Symantec AntiVirus
2007-12-25 05:36 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-12-25 05:13 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-23 03:30 --------- d-----w C:\Program Files\FlashFXP
2007-12-10 11:28 --------- d-----w C:\Documents and Settings\WFUR522005\Application Data\uTorrent
2007-09-11 03:33 737,280 -c--a-w C:\WINDOWS\iun6002.exe
2005-07-29 21:24 472 --sha-r C:\WINDOWS\V2FrZSBGb3Jlc3Q\pZIOtm13vaL5wak.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM .EXE" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TpShocks"="TpShocks.exe" [2005-01-24 11:41 C:\WINDOWS\system32\TpShocks.exe]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" []
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2007-12-28 17:59]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe" []
"PWRMGRTR"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2005-04-14 00:01]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 23:56 C:\WINDOWS\system32\bthprops.cpl]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2007-12-28 17:59]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2007-12-30 17:42]
"THGuard"="C:\Program Files\TrojanHunter 5.0\THGuard.exe" []
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" []

C:\Documents and Settings\WFUR522005\Start Menu\Programs\Startup\
delete.bat [2007-12-27 22:51:31]
delete2.bat [2007-12-27 22:55:16]
Rainlendar.lnk - C:\Program Files\Rainlendar\Rainlendar.exe [2005-07-22 10:14:46]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="LogonUI.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
tphklock.dll 2004-08-12 22:11 24576 C:\WINDOWS\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\\WINDOWS\\system32\\ssqrs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Shutdown\0\0]
"Script"=stopradio.wsf

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1474414563-1125766349-1731688626-22745\Scripts\Logon\0\0]
"Script"=C:\WINDOWS\system32\enableRadio.wsf

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3648828106-1271997588-1896958717-1006\Scripts\Logon\0\0]
"Script"=C:\WINDOWS\system32\enableRadio.wsf

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3648828106-1271997588-1896958717-1008\Scripts\Logon\0\0]
"Script"=C:\WINDOWS\system32\enableRadio.wsf

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3648828106-1271997588-1896958717-500\Scripts\Logon\0\0]
"Script"=C:\WINDOWS\system32\enableRadio.wsf

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
backup=C:\WINDOWS\pss\BTTray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^WFUR522005^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\WFUR522005\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2007-12-26 23:49 825344 --a------ C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-12-26 23:56 489984 --a------ C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BLOG]
rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CJIMETIPSYNC]
C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 07:00 15360 --a------ C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
C:\Program Files\DAEMON Tools\daemon.exe -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
C:\Program Files\D-Tools\daemon.exe -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EZEJMNAP]
2007-12-26 23:49 553984 --a------ C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
C:\Program Files\Microsoft ActiveSync\WCESCOMM .EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
2004-08-04 07:00 44032 --a------ C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG9.0]
C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMJP9\IMJPMIG.EXE /Preload /Migration32

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMSCMig]
C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
2007-12-30 17:42 335872 --a------ C:\WINDOWS\system32\ssqrs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-12-26 23:58 489984 --a------ C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIMETIPSYNC]
C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
C:\Program Files\Steam\Steam.exe -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2007-12-26 23:57 864256 --a------ C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
2007-12-26 23:48 448512 --a------ C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TP4EX]
tp4ex.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPHOTKEY]
2007-12-26 23:49 430080 --a------ C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPKBDLED]
C:\WINDOWS\system32\TpScrLk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
2007-12-26 23:56 466432 --a------ C:\PROGRA~1\SYMANT~1\VPTray.exe

R0 Shockprf;Shockprf;C:\WINDOWS\system32\drivers\Shockprf.sys [2005-01-14 11:20]
R0 TPDiskPM;TPDiskPM;C:\WINDOWS\system32\drivers\TPDiskPM.sys [2004-12-02 18:14]
R1 ShockMgr;ShockMgr;C:\WINDOWS\system32\drivers\ShockMgr.sys [2004-05-14 11:59]
R1 TPPWRIF;TPPWRIF;C:\WINDOWS\system32\drivers\Tppwrif.sys [2005-04-14 00:01]
R3 portio;TPM Service;C:\WINDOWS\system32\DRIVERS\NscTpmDD.sys [2004-05-19 15:41]
R3 TPInput;TPInput;C:\WINDOWS\system32\DRIVERS\TPInput.sys [2004-12-02 17:54]
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\system32\drivers\WmBEnum.sys [2005-04-12 18:21]
R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\system32\drivers\WmXlCore.sys [2005-04-12 18:21]
S3 ASPI;Advanced SCSI Programming Interface Driver;C:\WINDOWS\System32\DRIVERS\ASPI32.sys [2002-07-17 08:05]
S3 WmFilter;Logitech Gaming HID Filter Driver;C:\WINDOWS\system32\drivers\WmFilter.sys [2005-04-12 18:21]
S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINDOWS\system32\drivers\WmVirHid.sys [2005-04-12 18:21]

.
Contents of the 'Scheduled Tasks' folder
"2007-12-30 23:10:37 C:\WINDOWS\Tasks\PMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE
"2007-12-30 11:00:02 C:\WINDOWS\Tasks\{00E61D57-D98F-47C2-A581-FC3EC25FE17D}_DEACNET_joneea3.job"
- C:\WINDOWS\system32\mobsync.exeD /Schedule=
"2007-12-30 17:00:02 C:\WINDOWS\Tasks\{10C3C478-D032-4FBC-9BD0-E348A781B310}_DEACNET_joneea3.job"
- C:\WINDOWS\system32\mobsync.exeD /Schedule=
"2007-12-30 05:00:09 C:\WINDOWS\Tasks\{2DE57D17-3C5B-4ADA-BFD7-12C955B6A92A}_DEACNET_joneea3.job"
- C:\WINDOWS\system32\mobsync.exeD /Schedule=
"2007-12-30 23:00:09 C:\WINDOWS\Tasks\{7DBBB958-CB65-4DCC-B000-159C5C22B0BD}_DEACNET_joneea3.job"
- C:\WINDOWS\system32\mobsync.exeD /Schedule=
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-30 18:09:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tphklock.dll
.
Completion time: 2007-12-30 18:14:19
C:\ComboFix2.txt ... 2007-12-27 01:06
.
2007-12-28 05:19:04 --- E O F ---



#6 rookie147

  • Members
  • 5,321 posts

Posted 01 January 2008 - 05:54 AM

Sorry, could I have a new HijackThis log too, please?

If you are pleased with the service I have offered, you may like to consider making a donation.


#7 ericj629

  • Topic Starter
  • Members
  • 11 posts

Posted 01 January 2008 - 09:00 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:58:49 AM, on 1/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP .exe
C:\Program Files\Google\Gmail Notifier\gnotify .exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\Rainlendar\Rainlendar.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\iduvmfwf.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\fluffybunny.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://student.wfu.edu/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://student.wfu.edu/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F3 - REG:win.ini: load=C:\WINDOWS\system32\ssqrs.exe
O2 - BHO: (no name) - {2C2DDC85-9FE5-41FF-B348-6402BDD12C94} - C:\WINDOWS\system32\ssqrs.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe" /tray
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [428ca900] rundll32.exe "C:\WINDOWS\system32\wvnbyfgd.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM .EXE"
O4 - Startup: delete.bat
O4 - Startup: delete2.bat
O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\IBM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O12 - Plugin for .NPSSView: C:\Program Files\Seagate Software\Viewers\ActiveXViewer\NPssView.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/qtinstall.info.app...llInstaller.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {CB4574A5-D463-46BE-8E12-8CD0DCA9EDA1} (LIVECHAT Control) - http://www.wcgzone.com/LiveChat.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = deacnet.wfu.edu
O17 - HKLM\Software\..\Telephony: DomainName = deacnet.wfu.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{1B46318D-04AD-4C6A-BFD5-F1DA535B3099}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{D4D2A2EB-92DF-4AA0-83F3-62E59B273BF1}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = deacnet.wfu.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = deacnet.wfu.edu
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\iduvmfwf.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: IBM HDD APS Logging Service (TPHDEXLGSVC) - IBM Corporation - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - http://www.glop.org/gamercard/card/excero.png

--
End of file - 10728 bytes

#8 rookie147

  • Members
  • 5,321 posts

Posted 01 January 2008 - 05:53 PM

Hi again,
Please print off a copy of these instructions, and also save them to a Notepad file on your Desktop, so they are easily accessible.
We are going to boot into Safe Mode later in the fix, and there is no internet access.

Scan again with HijackThis and put a checkmark next to each of the following entries (if present):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F3 - REG:win.ini: load=C:\WINDOWS\system32\ssqrs.exe
O2 - BHO: (no name) - {2C2DDC85-9FE5-41FF-B348-6402BDD12C94} - C:\WINDOWS\system32\ssqrs.dll
O4 - HKLM\..\Run: [428ca900] rundll32.exe "C:\WINDOWS\system32\wvnbyfgd.dll",b
O23 - Service: DomainService - - C:\WINDOWS\system32\iduvmfwf.exe


Then close all other windows - you should only see HijackThis on your Desktop - and click the Fix checked button.

Reboot your computer into Safe Mode.
This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.
Then select Safe Mode from the list.
Make sure you choose the option without Networking Support.

Set your system to show all files.
Navigate to Start | My Computer | Tools | Folder Options.
Select the View tab. Under the "Hidden Files and Folders" heading, select "Show hidden files and folders".
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Find and delete the following files (if present):

C:\WINDOWS\system32\ssqrs.dll
C:\WINDOWS\system32\wvnbyfgd.dll
C:\WINDOWS\system32\iduvmfwf.exe

Copy and paste the following text into Notepad:
sc stop DomainService
sc delete DomainService
Save this as "services.bat". Choose to save as "All Files" and place it on your Desktop.
Double-click services.bat.

Reboot into Normal Mode again.

In your reply I'd like a new HijackThis and Combofix log.

Edited by rookie147, 02 January 2008 - 05:03 AM.

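
As an added example, not part of the post above and not anything HijackThis or ComboFix produces, the Python script below re-derives the pick list from raw log lines using structural signals rather than file names: a win.ini load= entry, a BHO with no name loading from system32, a Run value whose name is eight hex digits and which rundll32s a system32 DLL through a one-letter export, a service with no company string, and a file name with a space before its extension (the companion trick visible in the logs as SMax4PNP .exe beside SMax4PNP.exe). It also checks two ComboFix "Reg Loading Points" values that do not appear in the HijackThis output: LSA Authentication Packages and SecurityProviders. The sample input is constructed from lines posted in this thread; the two default-value sets are the stock Windows XP SP2 values and are an assumption to confirm against a known-clean machine. Python rather than a batch file because this is a log-reading aid, not the removal procedure itself.

```python
"""Heuristic triage of HijackThis- and ComboFix-style autostart lines.
Rules key on where an entry loads from and how it is registered, not on
what the file is called, so a renamed sample does not evade them."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Stock Windows XP SP2 values (assumption: confirm against a known-clean box).
DEFAULT_AUTH_PACKAGES = {"msv1_0"}
DEFAULT_SECURITY_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}

# Constructed sample: lines lifted from the HijackThis and ComboFix logs in
# this thread, plus a few clean entries that the rules must leave alone.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://student.wfu.edu/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F3 - REG:win.ini: load=C:\WINDOWS\system32\ssqrs.exe
O2 - BHO: (no name) - {2C2DDC85-9FE5-41FF-B348-6402BDD12C94} - C:\WINDOWS\system32\ssqrs.dll
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [428ca900] rundll32.exe "C:\WINDOWS\system32\wvnbyfgd.dll",b
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM .EXE"
O23 - Service: DomainService - - C:\WINDOWS\system32\iduvmfwf.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\ssqrs
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
"""

_SYSTEM32 = re.compile(r"^[A-Za-z]:\\+WINDOWS\\+system32\\+", re.I)
_COMPANION = re.compile(r'[^\\"\s]+ \.(?:exe|dll|cpl)\b', re.I)  # "gnotify .exe"
_HEX_KEY = re.compile(r"^[0-9a-f]{8}$", re.I)
_RUNDLL = re.compile(r'^"?rundll32(?:\.exe)?"?\s+(?P<rest>.+)$', re.I)
_R0 = re.compile(r"^R0 - .+,Local Page =(?P<value>.*)$")
_F3 = re.compile(r"^F3 - REG:win\.ini: (?:load|run)=(?P<value>.*)$")
_O2 = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
_O4 = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.+)$")
_O23 = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<company>.*?) ?- (?P<path>[A-Za-z]:\\.+)$")
_LSA_AP = re.compile(r"^Authentication Packages\s+REG_MULTI_SZ\s+(?P<pkgs>.+)$")
_SECPROV = re.compile(r"^SecurityProviders\s+(?P<dlls>.+)$")


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str
    line: str


def suspicious_rundll(key: str, cmd: str) -> str | None:
    """Reason string for a Run value that rundll32s a system32 DLL under a
    hex-digit value name or through a one-letter export; None if benign."""
    m = _RUNDLL.match(cmd)
    if not m:
        return None
    dll, _, export = m.group("rest").partition(",")
    if not _SYSTEM32.match(dll.strip('"')):
        return None
    export = export.lstrip(",").strip()  # "bthprops.cpl,,Entry" -> "Entry"
    reasons = []
    if _HEX_KEY.match(key):
        reasons.append(f"value name {key!r} is eight hex digits")
    if len(export) <= 2:
        reasons.append(f"export {export!r} is implausibly short")
    return "; ".join(reasons) or None


def triage(log_text: str) -> list[Finding]:
    """One Finding per rule hit; a single line may hit more than one rule."""
    out: list[Finding] = []

    def hit(rule: str, detail: str, line: str) -> None:
        out.append(Finding(rule, detail, line))

    for line in (raw.strip() for raw in log_text.splitlines()):
        if not line:
            continue
        # Companion trick: "WCESCOMM .EXE" is the displaced original; the
        # unspaced name now launches whatever replaced it.
        if m := _COMPANION.search(line):
            hit("companion-file", f"{m.group(0)!r} has a space before its extension", line)
        if (m := _F3.match(line)) and m.group("value").strip():
            hit("win.ini-load", "win.ini load=/run= autostart is almost never legitimate on XP", line)
        elif (m := _R0.match(line)) and not m.group("value").strip():
            hit("ie-local-page-blank", "blank IE Local Page (low severity; reset to default)", line)
        elif (m := _O2.match(line)) and m.group("name") == "(no name)" and _SYSTEM32.match(m.group("path")):
            hit("nameless-bho", "BHO with no name loading from system32", line)
        elif (m := _O4.match(line)) and (why := suspicious_rundll(m.group("key"), m.group("cmd"))):
            hit("rundll32-run-key", why, line)
        elif (m := _O23.match(line)) and not m.group("company").strip():
            hit("service-no-vendor", f"service {m.group('name')!r} has no company string", line)
        elif m := _LSA_AP.match(line):
            if extra := [p for p in m.group("pkgs").split() if p not in DEFAULT_AUTH_PACKAGES]:
                hit("lsa-auth-package", "non-default LSA package(s) " + ", ".join(extra)
                    + "; lsass.exe loads these at boot, Safe Mode included", line)
        elif m := _SECPROV.match(line):
            if extra := [d.strip() for d in m.group("dlls").split(",")
                         if d.strip().lower() not in DEFAULT_SECURITY_PROVIDERS]:
                hit("security-provider", "non-default SecurityProviders " + ", ".join(extra), line)
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.detail}\n    {f.line}")
```

Run it as-is to print the findings for the embedded sample, or call triage() on the text of a saved log. Treat the output as a review list rather than a verdict: a legitimate third-party SSPI provider trips the SecurityProviders rule too, and the value-name/export heuristic only fires for DLLs under system32. A DLL listed under Authentication Packages is loaded by lsass.exe at startup, including in Safe Mode, which is why such a file resists deletion from a Safe Mode session until the registry value itself is removed.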


#9 ericj629

  • Topic Starter
  • Members
  • 11 posts

Posted 01 January 2008 - 08:16 PM

It wouldn't let me delete ssqrs.dll in safe mode, but it looks like ComboFix might have taken care of it. Also, when I tried to run the .bat file it told me the service didn't exist.

ComboFix 07-12-31.4 - joneea3 2008-01-01 19:31:43.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.582 [GMT -5:00]
Running from: C:\UserData\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Microsoft Shared\IME\IMJP9\IMJPMIG.EXE
C:\Program Files\Common Files\Microsoft Shared\IME\IMSC40A\IMSCMIG.EXE
C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE
C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM .EXE
C:\Program Files\Microsoft ActiveSync\WCESCOMM .EXE
C:\Program Files\Microsoft ActiveSync\WCESCOMM .EXE
C:\Program Files\Steam\Steam.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\Utilities\EzEjMnAp.Exe
C:\WINDOWS\system32\pkfyveve.exe
C:\WINDOWS\system32\srqss.ini
C:\WINDOWS\system32\srqss.ini2
C:\WINDOWS\system32\ssqrs.dll

.
((((((((((((((((((((((((( Files Created from 2007-12-02 to 2008-01-02 )))))))))))))))))))))))))))))))
.

2008-01-01 19:28 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-01 16:26 . 2008-01-01 19:48 <DIR> d-------- C:\Program Files\Steam
2008-01-01 16:16 . 2008-01-01 16:16 15,718 --a------ C:\WINDOWS\system32\unstall.bmp
2008-01-01 09:07 . 2008-01-01 15:52 1,031,259 --ahs---- C:\WINDOWS\system32\nsohohcx.ini
2007-12-31 09:07 . 2008-01-01 15:57 1,031,319 --ahs---- C:\WINDOWS\system32\dgfybnvw.ini
2007-12-28 00:45 . 2007-12-28 00:45 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-28 00:18 . 2007-12-28 00:18 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-12-27 22:13 . 2007-12-28 01:03 <DIR> d-------- C:\UBCD4Win
2007-12-27 19:00 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2007-12-27 19:00 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2007-12-27 19:00 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2007-12-27 19:00 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2007-12-27 16:34 . 2007-12-27 16:35 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-27 15:00 . 2007-12-27 15:00 <DIR> d-------- C:\Documents and Settings\WFUR522005\Application Data\TrojanHunter
2007-12-27 01:57 . 2008-01-01 16:22 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2007-12-27 01:18 . 2007-12-27 01:19 <DIR> d-------- C:\Documents and Settings\WFUR522005\Application Data\PrevxCSI
2007-12-27 01:18 . 2007-12-27 01:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2007-12-27 01:06 . 2008-01-01 19:58 <DIR> d-------- C:\Temp
2007-12-25 01:03 . 2007-12-25 01:03 <DIR> d-------- C:\Program Files\InterMute
2007-12-25 00:12 . 2007-12-25 00:39 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2007-12-25 00:12 . 2007-12-25 00:39 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2007-12-23 19:14 . 2007-12-23 19:14 <DIR> d-------- C:\Program Files\Avira
2007-12-23 19:14 . 2007-12-23 19:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2007-12-22 20:32 . 2007-12-27 18:19 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2007-12-22 12:37 . 2007-12-27 00:16 45,632 --a------ C:\WINDOWS\system32\taskswitch .exe
2007-12-22 12:37 . 2007-12-23 22:08 40,960 --a------ C:\WINDOWS\system32\TpScrLk .exe
2007-12-22 11:49 . 2007-11-02 19:04 385,024 --a------ C:\WINDOWS\system32\WinNB57.dll
2007-12-22 11:34 . 2007-12-24 23:58 <DIR> d--hs---- C:\WINDOWS\V2FrZSBGb3Jlc3Q
2007-12-22 11:34 . 2007-12-24 23:58 <DIR> d-------- C:\WINDOWS\system32\to9
2007-12-22 11:34 . 2007-12-27 14:48 <DIR> d-------- C:\WINDOWS\system32\ll9
2007-12-22 11:34 . 2007-12-24 23:58 <DIR> d-------- C:\WINDOWS\system32\dj2
2007-12-22 11:33 . 2007-12-22 11:33 <DIR> d-------- C:\WINDOWS\system32\ardCo02
2007-12-18 11:56 . 2008-01-01 16:17 <DIR> d-------- C:\Program Files\Return to Castle Wolfenstein
2007-12-18 11:54 . 2008-01-01 16:17 600 --a------ C:\WINDOWS\Rtcw.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-02 00:48 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-01-02 00:48 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-01-02 00:48 --------- d-----w C:\Program Files\DAEMON Tools
2008-01-02 00:48 --------- d-----w C:\Program Files\D-Tools
2008-01-02 00:48 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-01 23:44 --------- d-----w C:\Documents and Settings\WFUR522005\Application Data\NoNameScript
2008-01-01 21:59 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-01-01 21:12 --------- d-----w C:\Program Files\GameSpy Arcade
2008-01-01 20:58 --------- d-----w C:\Program Files\mIRC
2007-12-28 05:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\SecTaskMan
2007-12-25 05:36 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-12-23 03:30 --------- d-----w C:\Program Files\FlashFXP
2007-12-10 11:28 --------- d-----w C:\Documents and Settings\WFUR522005\Application Data\uTorrent
2007-11-05 01:14 --------- d-----w C:\Program Files\Octoshape Streaming Services
2005-07-29 21:24 472 --sha-r C:\WINDOWS\V2FrZSBGb3Jlc3Q\pZIOtm13vaL5wak.vbs
.

----a-w		   483,328 2007-12-27 04:51:52  C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray .exe
----a-w		 1,388,544 2008-01-02 00:19:55  C:\Program Files\Analog Devices\SoundMAX\SMax4PNP .exe
----a-w		   249,896 2008-01-02 00:20:17  C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt .exe
----a-w		   153,136 2007-12-27 04:52:07  C:\Program Files\Common Files\Ahead\Lib\NeroCheck .exe
----a-w		   153,136 2007-12-27 04:52:42  C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor .exe
----a-w		   118,472 2007-12-27 04:51:27  C:\Program Files\Common Files\Microsoft Shared\IME\IMJP9\IMJPMIG .EXE
----a-w			13,368 2007-12-27 04:51:21  C:\Program Files\Common Files\Microsoft Shared\IME\IMSC40A\IMSCMIG .EXE
----a-w			63,040 2007-12-27 04:51:46  C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG .EXE
----a-w			95,296 2007-12-27 04:51:14  C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG .EXE
----a-w			66,680 2007-12-25 05:18:10  C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w			81,920 2007-12-27 04:52:10  C:\Program Files\D-Tools\daemon .exe
----a-w		   171,464 2007-12-27 04:52:53  C:\Program Files\DAEMON Tools\daemon .exe
----a-w		   479,232 2008-01-02 00:20:06  C:\Program Files\Google\Gmail Notifier\gnotify .exe
----a-w			36,975 2007-12-25 05:17:06  C:\Program Files\Java\jre1.5.0_03\bin\jusched .exe
----a-w		 1,266,936 2008-01-02 00:20:28  C:\Program Files\Steam\Steam .exe
----a-w		   124,112 2007-12-27 04:50:30  C:\Program Files\Symantec AntiVirus\VPTray .exe
----a-w		   512,000 2007-12-27 04:50:56  C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
----a-w		   110,592 2007-12-27 04:50:50  C:\Program Files\Synaptics\SynTP\SynTPLpr .exe
----a-w			94,208 2007-12-27 04:51:49  C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPHKMGR .exe
----a-w		   212,992 2007-12-27 04:51:35  C:\Program Files\ThinkPad\Utilities\EzEjMnAp .Exe
----a-w		   897,024 2007-12-27 23:32:23  C:\Program Files\ThinkPad\Utilities\TpKmapAp .exe
----a-w			15,360 2007-12-27 23:19:11  C:\WINDOWS\system32\ctfmon .exe
----a-w			45,632 2007-12-27 05:16:58  C:\WINDOWS\system32\taskswitch .exe
----a-w			40,960 2007-12-24 03:08:38  C:\WINDOWS\system32\TpScrLk .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM .EXE" [ ]
"Steam"="C:\Program Files\Steam\Steam.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TpShocks"="TpShocks.exe" [2005-01-24 11:41 106496 C:\WINDOWS\system32\TpShocks.exe]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [ ]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [ ]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe" [ ]
"PWRMGRTR"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2005-04-14 00:01 139264]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 23:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [ ]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [ ]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [ ]

C:\Documents and Settings\WFUR522005\Start Menu\Programs\Startup\
Rainlendar.lnk - C:\Program Files\Rainlendar\Rainlendar.exe [2005-07-22 10:14:46]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="LogonUI.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
tphklock.dll 2004-08-12 22:11 24576 C:\WINDOWS\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\ssqrs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Shutdown\0\0]
"Script"=stopradio.wsf

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1474414563-1125766349-1731688626-22745\Scripts\Logon\0\0]
"Script"=C:\WINDOWS\system32\enableRadio.wsf

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3648828106-1271997588-1896958717-1006\Scripts\Logon\0\0]
"Script"=C:\WINDOWS\system32\enableRadio.wsf

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3648828106-1271997588-1896958717-1008\Scripts\Logon\0\0]
"Script"=C:\WINDOWS\system32\enableRadio.wsf

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3648828106-1271997588-1896958717-500\Scripts\Logon\0\0]
"Script"=C:\WINDOWS\system32\enableRadio.wsf

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
backup=C:\WINDOWS\pss\BTTray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^WFUR522005^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\WFUR522005\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BLOG]
rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CJIMETIPSYNC]
C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 07:00 15360 --a------ C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
C:\Program Files\DAEMON Tools\daemon.exe -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
C:\Program Files\D-Tools\daemon.exe -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EZEJMNAP]
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
C:\Program Files\Microsoft ActiveSync\WCESCOMM .EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
2004-08-04 07:00 44032 --a------ C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG9.0]
C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMJP9\IMJPMIG.EXE /Preload /Migration32

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMSCMig]
C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\system32\ssqrs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIMETIPSYNC]
C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
C:\Program Files\Steam\Steam.exe -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TP4EX]
tp4ex.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPHOTKEY]
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPKBDLED]
C:\WINDOWS\system32\TpScrLk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
C:\PROGRA~1\SYMANT~1\VPTray.exe

R0 Shockprf;Shockprf;C:\WINDOWS\system32\drivers\Shockprf.sys [2005-01-14 11:20]
R0 TPDiskPM;TPDiskPM;C:\WINDOWS\system32\drivers\TPDiskPM.sys [2004-12-02 18:14]
R1 ShockMgr;ShockMgr;C:\WINDOWS\system32\drivers\ShockMgr.sys [2004-05-14 11:59]
R1 TPPWRIF;TPPWRIF;C:\WINDOWS\system32\drivers\Tppwrif.sys [2005-04-14 00:01]
R3 portio;TPM Service;C:\WINDOWS\system32\DRIVERS\NscTpmDD.sys [2004-05-19 15:41]
R3 TPInput;TPInput;C:\WINDOWS\system32\DRIVERS\TPInput.sys [2004-12-02 17:54]
S3 ASPI;Advanced SCSI Programming Interface Driver;C:\WINDOWS\System32\DRIVERS\ASPI32.sys [2002-07-17 08:05]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-02 01:00:28 C:\WINDOWS\Tasks\PMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE
"2008-01-01 11:00:02 C:\WINDOWS\Tasks\{00E61D57-D98F-47C2-A581-FC3EC25FE17D}_DEACNET_joneea3.job"
- C:\WINDOWS\system32\mobsync.exeD /Schedule=
"2008-01-01 17:00:03 C:\WINDOWS\Tasks\{10C3C478-D032-4FBC-9BD0-E348A781B310}_DEACNET_joneea3.job"
- C:\WINDOWS\system32\mobsync.exeD /Schedule=
"2008-01-01 05:00:08 C:\WINDOWS\Tasks\{2DE57D17-3C5B-4ADA-BFD7-12C955B6A92A}_DEACNET_joneea3.job"
- C:\WINDOWS\system32\mobsync.exeD /Schedule=
"2008-01-01 23:00:01 C:\WINDOWS\Tasks\{7DBBB958-CB65-4DCC-B000-159C5C22B0BD}_DEACNET_joneea3.job"
- C:\WINDOWS\system32\mobsync.exeD /Schedule=
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-01 19:58:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tphklock.dll

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.2180]
-> C:\PROGRA~1\ThinkPad\UTILIT~1\US\PWRMGRRT.DLL
-> C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRIF.DLL
.
Completion time: 2008-01-01 20:10:45 - machine was rebooted
C:\qoobox\ComboFix-quarantined-files.txt 2008-01-02 01:10:41
.
2007-12-28 05:19:04 --- E O F ---



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:11:31 PM, on 1/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\TpShocks.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Rainlendar\Rainlendar.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\fluffybunny.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://student.wfu.edu/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://student.wfu.edu/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe" /tray
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM .EXE"
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\IBM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O12 - Plugin for .NPSSView: C:\Program Files\Seagate Software\Viewers\ActiveXViewer\NPssView.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/qtinstall.info.app...llInstaller.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {CB4574A5-D463-46BE-8E12-8CD0DCA9EDA1} (LIVECHAT Control) - http://www.wcgzone.com/LiveChat.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = deacnet.wfu.edu
O17 - HKLM\Software\..\Telephony: DomainName = deacnet.wfu.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{1B46318D-04AD-4C6A-BFD5-F1DA535B3099}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{D4D2A2EB-92DF-4AA0-83F3-62E59B273BF1}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = deacnet.wfu.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = deacnet.wfu.edu
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: IBM HDD APS Logging Service (TPHDEXLGSVC) - IBM Corporation - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9705 bytes



#10 ericj629


Posted 02 January 2008 - 10:54 AM

I thought I would add that even though it seems ssqrs.dll is finally gone, AntiVir keeps giving me warnings for the following file now:

C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP17\A0004095.dll

It tells me that it is TR/Vundo.Gen.

#11 rookie147


Posted 02 January 2008 - 04:10 PM

The "System Volume Information" file you are getting warnings about is an infected file in System Restore. Since we have not completely removed the malware yet, I am reluctant to purge it; obviously it is best to do this after we have finished the clean-up.
Go to this page.
Where it says "Browse to the file you want to submit", copy and paste the filepath below into the box:

C:\WINDOWS\system32\ctfmon .exe

Then click the Send File button below.

Let me know when you've uploaded the file.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.
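An added example, not code from this thread or from ComboFix or HijackThis: a small Python checker that scans ComboFix log lines for the three persistence signs the helper is working from here, namely executables with a space before the extension (the "ctfmon .exe" copy he asks to have uploaded), an LSA Authentication Packages entry beyond msv1_0 (the "ssqrs" value in the log above), and SecurityProviders DLLs beyond the Windows XP defaults. The baseline sets are an assumption about a stock XP SP2 install, the sample lines are copied from the log posted above, and a hit means "verify this entry", not "malicious".

```python
import re
from dataclasses import dataclass

# Stock Windows XP SP2 values for the two LSA keys (assumption used as the
# baseline; anything beyond these is a review item, not a verdict).
KNOWN_AUTH_PACKAGES = {"msv1_0"}
KNOWN_SECURITY_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}

# "name .exe": a space between the base name and the extension, the shape
# of the copies ComboFix listed in this thread (ctfmon .exe, WCESCOMM .EXE).
SPACED_EXT_RE = re.compile(r"\\[^\\\s]+ \.(exe|dll|cpl)\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    kind: str    # which check fired
    line: str    # the log line, stripped
    detail: str  # the specific token that triggered it


def check_spaced_extension(line):
    """Flag a path whose file name has a space before its extension."""
    m = SPACED_EXT_RE.search(line)
    return Finding("spaced-extension", line.strip(), m.group(0)) if m else None


def check_auth_packages(line):
    """Flag LSA Authentication Packages beyond the baseline.

    ComboFix prints the value as
    'Authentication Packages REG_MULTI_SZ msv1_0 <extra ...>'; LSA loads every
    listed name as a DLL at boot, so an extra entry is a persistence point
    worth confirming before anything is deleted.
    """
    if not line.lstrip().startswith("Authentication Packages"):
        return None
    values = line.split()[3:]  # skip 'Authentication', 'Packages', 'REG_MULTI_SZ'
    extra = [v for v in values if v.lower() not in KNOWN_AUTH_PACKAGES]
    return Finding("lsa-auth-package", line.strip(), ", ".join(extra)) if extra else None


def check_security_providers(line):
    """Flag SecurityProviders DLLs beyond the baseline (comma-separated list)."""
    if not line.lstrip().startswith("SecurityProviders"):
        return None
    values = [v.rstrip(",") for v in line.split()[1:]]
    extra = [v for v in values if v.lower() not in KNOWN_SECURITY_PROVIDERS]
    return Finding("security-provider", line.strip(), ", ".join(extra)) if extra else None


CHECKS = (check_spaced_extension, check_auth_packages, check_security_providers)


def analyze(log_text):
    """Run every check over every non-blank line; return all findings in order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        for check in CHECKS:
            f = check(line)
            if f is not None:
                findings.append(f)
    return findings


# Constructed sample: lines copied from the ComboFix log posted in this thread,
# plus the clean ctfmon.exe Run entry to show the checker does not fire on it.
SAMPLE_LOG = r"""
----a-w            15,360 2007-12-27 23:19:11  C:\WINDOWS\system32\ctfmon .exe
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM .EXE" [ ]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\ssqrs
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.kind}] {f.detail}\n    {f.line}")
```

Paste a full ComboFix log in place of SAMPLE_LOG to get the same three classes of review items for another machine; the real entries still need a file upload or hash lookup before deciding anything.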


#12 ericj629


Posted 02 January 2008 - 04:15 PM

Done.

#13 rookie147


Posted 03 January 2008 - 09:30 AM

Thanks, I'll take a look at it now and get back to you later.



#14 rookie147


Posted 03 January 2008 - 09:37 AM

That file you uploaded for me was harmless.

I see you have Viewpoint installed:
Viewpoint Manager is considered to be foistware rather than malware, since it is installed without your approval but doesn't actually spy or do anything "bad". This will soon change, according to this article, which you may want to read: http://www.clickz.com/news/article.php/3561546
I recommend that you remove the Viewpoint products. If you do decide to do so, please remove all references to Viewpoint from Add/Remove Programs.


Open Notepad - don't use any other text editor or the script will fail.
Copy and paste the text in the quote box below into the document:

File::
C:\WINDOWS\system32\nsohohcx.ini
C:\WINDOWS\system32\dgfybnvw.ini
C:\WINDOWS\system32\WinNB57.dll

Folder::
C:\WINDOWS\V2FrZSBGb3Jlc3Q
C:\WINDOWS\system32\to9
C:\WINDOWS\system32\ll9
C:\WINDOWS\system32\dj2
C:\WINDOWS\system32\ardCo02


Save this as text file CFScript.
Then drag the CFScript into ComboFix.exe as you see in the screenshot below:

[screenshot]

This will start ComboFix again.
A new log will be created, which I would like to see in your reply.
Thanks,
Charles



#15 ericj629


Posted 03 January 2008 - 12:11 PM

ComboFix 07-12-31.4 - joneea3 2008-01-03 11:30:44.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.446 [GMT -5:00]
Running from: C:\UserData\Desktop\ComboFix.exe
Command switches used :: C:\UserData\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\dgfybnvw.ini
C:\WINDOWS\system32\nsohohcx.ini
C:\WINDOWS\system32\WinNB57.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ardCo02
C:\WINDOWS\system32\ardCo02\ardCo021099.exe
C:\WINDOWS\system32\dgfybnvw.ini
C:\WINDOWS\system32\dj2
C:\WINDOWS\system32\ll9
C:\WINDOWS\system32\nsohohcx.ini
C:\WINDOWS\system32\to9
C:\WINDOWS\system32\WinNB57.dll
C:\WINDOWS\V2FrZSBGb3Jlc3Q
C:\WINDOWS\V2FrZSBGb3Jlc3Q\pZIOtm13vaL5wak.vbs

.
((((((((((((((((((((((((( Files Created from 2007-12-03 to 2008-01-03 )))))))))))))))))))))))))))))))
.

2008-01-03 11:31 . 2008-01-03 11:31 <DIR> d-------- C:\Temp\WPDNSE
2008-01-02 19:44 . 2008-01-02 19:44 <DIR> d-------- C:\Program Files\Ventrilo
2008-01-02 01:09 . 2008-01-02 01:09 <DIR> d-------- C:\Temp\Rar$DR01.609
2008-01-01 21:28 . 2008-01-01 21:28 <DIR> d-------- C:\Program Files\Windows Installer Clean Up
2008-01-01 20:10 . 2008-01-03 11:51 <DIR> d-------- C:\Temp
2008-01-01 19:28 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-01 16:26 . 2008-01-02 17:59 <DIR> d-------- C:\Program Files\Steam
2008-01-01 16:16 . 2008-01-01 16:16 15,718 --a------ C:\WINDOWS\system32\unstall.bmp
2007-12-28 00:45 . 2007-12-28 00:45 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-28 00:18 . 2007-12-28 00:18 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-12-27 22:13 . 2007-12-28 01:03 <DIR> d-------- C:\UBCD4Win
2007-12-27 19:00 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2007-12-27 19:00 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2007-12-27 19:00 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2007-12-27 19:00 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2007-12-27 16:34 . 2007-12-27 16:35 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-27 15:00 . 2007-12-27 15:00 <DIR> d-------- C:\Documents and Settings\WFUR522005\Application Data\TrojanHunter
2007-12-27 01:57 . 2008-01-01 16:22 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2007-12-27 01:18 . 2007-12-27 01:19 <DIR> d-------- C:\Documents and Settings\WFUR522005\Application Data\PrevxCSI
2007-12-27 01:18 . 2007-12-27 01:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2007-12-25 01:03 . 2007-12-25 01:03 <DIR> d-------- C:\Program Files\InterMute
2007-12-25 00:12 . 2007-12-25 00:39 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2007-12-25 00:12 . 2007-12-25 00:39 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2007-12-23 19:14 . 2007-12-23 19:14 <DIR> d-------- C:\Program Files\Avira
2007-12-23 19:14 . 2007-12-23 19:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2007-12-22 20:32 . 2007-12-27 18:19 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2007-12-22 12:37 . 2007-12-27 00:16 45,632 --a------ C:\WINDOWS\system32\taskswitch .exe
2007-12-22 12:37 . 2007-12-23 22:08 40,960 --a------ C:\WINDOWS\system32\TpScrLk .exe
2007-12-18 11:56 . 2008-01-01 16:17 <DIR> d-------- C:\Program Files\Return to Castle Wolfenstein
2007-12-18 11:54 . 2008-01-01 16:17 600 --a------ C:\WINDOWS\Rtcw.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-03 16:41 --------- d-----w C:\Documents and Settings\WFUR522005\Application Data\NoNameScript
2008-01-03 16:19 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-01-03 00:43 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-02 02:27 --------- d-----w C:\Program Files\MSECache
2008-01-02 01:21 --------- d-----w C:\Program Files\mIRC
2008-01-02 00:48 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-01-02 00:48 --------- d-----w C:\Program Files\DAEMON Tools
2008-01-02 00:48 --------- d-----w C:\Program Files\D-Tools
2008-01-02 00:48 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-01 21:12 --------- d-----w C:\Program Files\GameSpy Arcade
2007-12-28 05:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\SecTaskMan
2007-12-25 05:36 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-12-23 03:30 --------- d-----w C:\Program Files\FlashFXP
2007-12-10 11:28 --------- d-----w C:\Documents and Settings\WFUR522005\Application Data\uTorrent
2007-11-05 01:14 --------- d-----w C:\Program Files\Octoshape Streaming Services
.

----a-w		   483,328 2007-12-27 04:51:52  C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray .exe
----a-w		 1,388,544 2008-01-02 00:19:55  C:\Program Files\Analog Devices\SoundMAX\SMax4PNP .exe
----a-w		   249,896 2008-01-02 00:20:17  C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt .exe
----a-w		   153,136 2007-12-27 04:52:07  C:\Program Files\Common Files\Ahead\Lib\NeroCheck .exe
----a-w		   153,136 2007-12-27 04:52:42  C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor .exe
----a-w		   118,472 2007-12-27 04:51:27  C:\Program Files\Common Files\Microsoft Shared\IME\IMJP9\IMJPMIG .EXE
----a-w			13,368 2007-12-27 04:51:21  C:\Program Files\Common Files\Microsoft Shared\IME\IMSC40A\IMSCMIG .EXE
----a-w			63,040 2007-12-27 04:51:46  C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG .EXE
----a-w			95,296 2007-12-27 04:51:14  C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG .EXE
----a-w			66,680 2007-12-25 05:18:10  C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w			81,920 2007-12-27 04:52:10  C:\Program Files\D-Tools\daemon .exe
----a-w		   171,464 2007-12-27 04:52:53  C:\Program Files\DAEMON Tools\daemon .exe
----a-w		   479,232 2008-01-02 00:20:06  C:\Program Files\Google\Gmail Notifier\gnotify .exe
----a-w			36,975 2007-12-25 05:17:06  C:\Program Files\Java\jre1.5.0_03\bin\jusched .exe
----a-w		 1,266,936 2008-01-02 00:20:28  C:\Program Files\Steam\Steam .exe
----a-w		   512,000 2007-12-27 04:50:56  C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
----a-w		   110,592 2007-12-27 04:50:50  C:\Program Files\Synaptics\SynTP\SynTPLpr .exe
----a-w			94,208 2007-12-27 04:51:49  C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPHKMGR .exe
----a-w		   212,992 2007-12-27 04:51:35  C:\Program Files\ThinkPad\Utilities\EzEjMnAp .Exe
----a-w		   897,024 2007-12-27 23:32:23  C:\Program Files\ThinkPad\Utilities\TpKmapAp .exe
----a-w			15,360 2007-12-27 23:19:11  C:\WINDOWS\system32\ctfmon .exe
----a-w			45,632 2007-12-27 05:16:58  C:\WINDOWS\system32\taskswitch .exe
----a-w			40,960 2007-12-24 03:08:38  C:\WINDOWS\system32\TpScrLk .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM .EXE" [ ]
"Steam"="C:\Program Files\Steam\Steam.exe" [2008-01-01 20:40 1266936]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TpShocks"="TpShocks.exe" [2005-01-24 11:41 106496 C:\WINDOWS\system32\TpShocks.exe]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [ ]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [ ]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe" [ ]
"PWRMGRTR"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2005-04-14 00:01 139264]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 23:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 16:48 479232]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-01-01 20:45 249896]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [ ]

C:\Documents and Settings\WFUR522005\Start Menu\Programs\Startup\
Rainlendar.lnk - C:\Program Files\Rainlendar\Rainlendar.exe [2005-07-22 10:14:46]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="LogonUI.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
tphklock.dll 2004-08-12 22:11 24576 C:\WINDOWS\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Shutdown\0\0]
"Script"=stopradio.wsf

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1474414563-1125766349-1731688626-22745\Scripts\Logon\0\0]
"Script"=C:\WINDOWS\system32\enableRadio.wsf

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3648828106-1271997588-1896958717-1006\Scripts\Logon\0\0]
"Script"=C:\WINDOWS\system32\enableRadio.wsf

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3648828106-1271997588-1896958717-1008\Scripts\Logon\0\0]
"Script"=C:\WINDOWS\system32\enableRadio.wsf

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3648828106-1271997588-1896958717-500\Scripts\Logon\0\0]
"Script"=C:\WINDOWS\system32\enableRadio.wsf

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
backup=C:\WINDOWS\pss\BTTray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^WFUR522005^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\WFUR522005\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BLOG]
rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CJIMETIPSYNC]
C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 07:00 15360 --a------ C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
C:\Program Files\DAEMON Tools\daemon.exe -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
C:\Program Files\D-Tools\daemon.exe -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EZEJMNAP]
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
C:\Program Files\Microsoft ActiveSync\WCESCOMM .EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
2004-08-04 07:00 44032 --a------ C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG9.0]
C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMJP9\IMJPMIG.EXE /Preload /Migration32

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMSCMig]
C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\system32\ssqrs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIMETIPSYNC]
C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
C:\Program Files\Steam\Steam.exe -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TP4EX]
tp4ex.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPHOTKEY]
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPKBDLED]
C:\WINDOWS\system32\TpScrLk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
C:\PROGRA~1\SYMANT~1\VPTray.exe

R0 Shockprf;Shockprf;C:\WINDOWS\system32\drivers\Shockprf.sys [2005-01-14 11:20]
R0 TPDiskPM;TPDiskPM;C:\WINDOWS\system32\drivers\TPDiskPM.sys [2004-12-02 18:14]
R1 ShockMgr;ShockMgr;C:\WINDOWS\system32\drivers\ShockMgr.sys [2004-05-14 11:59]
R1 TPPWRIF;TPPWRIF;C:\WINDOWS\system32\drivers\Tppwrif.sys [2005-04-14 00:01]
R3 portio;TPM Service;C:\WINDOWS\system32\DRIVERS\NscTpmDD.sys [2004-05-19 15:41]
R3 TPInput;TPInput;C:\WINDOWS\system32\DRIVERS\TPInput.sys [2004-12-02 17:54]
S3 ASPI;Advanced SCSI Programming Interface Driver;C:\WINDOWS\System32\DRIVERS\ASPI32.sys [2002-07-17 08:05]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-03 16:53:59 C:\WINDOWS\Tasks\PMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE
"2008-01-03 11:00:00 C:\WINDOWS\Tasks\{00E61D57-D98F-47C2-A581-FC3EC25FE17D}_DEACNET_joneea3.job"
- C:\WINDOWS\system32\mobsync.exeD /Schedule=
"2008-01-03 17:00:03 C:\WINDOWS\Tasks\{10C3C478-D032-4FBC-9BD0-E348A781B310}_DEACNET_joneea3.job"
- C:\WINDOWS\system32\mobsync.exeD /Schedule=
"2008-01-03 05:00:01 C:\WINDOWS\Tasks\{2DE57D17-3C5B-4ADA-BFD7-12C955B6A92A}_DEACNET_joneea3.job"
- C:\WINDOWS\system32\mobsync.exeD /Schedule=
"2008-01-02 23:00:01 C:\WINDOWS\Tasks\{7DBBB958-CB65-4DCC-B000-159C5C22B0BD}_DEACNET_joneea3.job"
- C:\WINDOWS\system32\mobsync.exeD /Schedule=
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-03 11:52:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tphklock.dll

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.2180]
-> C:\PROGRA~1\ThinkPad\UTILIT~1\US\PWRMGRRT.DLL
-> C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRIF.DLL
.
Completion time: 2008-01-03 12:05:27 - machine was rebooted
C:\qoobox\ComboFix-quarantined-files.txt 2008-01-03 17:05:22
.
2007-12-28 05:19:04 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:07:01 PM, on 1/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\TpShocks.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Rainlendar\Rainlendar.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Trend Micro\HijackThis\fluffybunny.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://student.wfu.edu/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://student.wfu.edu/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe" /tray
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM .EXE"
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\IBM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O12 - Plugin for .NPSSView: C:\Program Files\Seagate Software\Viewers\ActiveXViewer\NPssView.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/qtinstall.info.app...llInstaller.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {CB4574A5-D463-46BE-8E12-8CD0DCA9EDA1} (LIVECHAT Control) - http://www.wcgzone.com/LiveChat.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = deacnet.wfu.edu
O17 - HKLM\Software\..\Telephony: DomainName = deacnet.wfu.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{1B46318D-04AD-4C6A-BFD5-F1DA535B3099}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{D4D2A2EB-92DF-4AA0-83F3-62E59B273BF1}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = deacnet.wfu.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = deacnet.wfu.edu
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Unknown owner - C:\Program Files\Symantec AntiVirus\DefWatch.exe (file missing)
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - Unknown owner - C:\Program Files\Symantec AntiVirus\SavRoam.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Unknown owner - C:\Program Files\Symantec AntiVirus\Rtvscan.exe (file missing)
O23 - Service: IBM HDD APS Logging Service (TPHDEXLGSVC) - IBM Corporation - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe

--
End of file - 9472 bytes
