Virtumonde


  • This topic is locked
12 replies to this topic

#1 s_tup_auto

  • Members
  • 6 posts

Posted 14 July 2008 - 10:58 AM

Please can you check my HijackThis log to see if it is clear. The blank F2 and O21 look a bit sus, but not sure.

NB Have just got rid of Virtumonde (I think) using VirtumundoBegone.exe as VundoFix.exe didn't work.

Many Thanks

S

-------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:19:58, on 14/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\National Instruments\MAX\nimxs.exe
C:\WINDOWS\system32\nicitdl5.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\nipalsm.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\tp4serv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\National Instruments\NI-DAQ\HWConfig\nidevmon.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\fi.exe

F2 - REG:system.ini: Shell=
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [QCTRAY] C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [dbservices] scm -Silent 1 -Action 1 -Service mssqlserver
O4 - HKLM\..\Run: [niDevMon] C:\Program Files\National Instruments\NI-DAQ\HWConfig\nidevmon.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O21 - SSODL: MicroCheck - {d0f6f079-426d-4fa6-95d2-06d4b0c43d9e} - (no file)
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: NI Configuration Manager (mxssvr) - National Instruments Corporation - C:\Program Files\National Instruments\MAX\nimxs.exe
O23 - Service: National Instruments Citadel (NICitadel5Service) - National Instruments, Inc. - C:\WINDOWS\system32\nicitdl5.exe
O23 - Service: nidevldu - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NILM License Manager (NILM License manager) - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: nipxirmu - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: National Instruments Variable Engine (NITaggerService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

--
End of file - 9522 bytes

Edited by s_tup_auto, 15 July 2008 - 03:43 AM.
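For anyone reading the log above, an added triage script (written for this edit, not taken from the thread, from HijackThis or from BleepingComputer) that parses HJT entry lines and flags the two items the poster asked about, the blank F2 Shell= mapping and the O21 SSODL CLSID with "(no file)", plus O23 services whose binary is "(file missing)". The sample lines are a constructed subset copied from the log in this post; the heuristics and the names parse_hjt, check_entry and triage are the editor's.

```python
"""Triage helper for Trend Micro HijackThis v2 log lines (added example).

Flags three kinds of leftover entries that a malware-removal helper looks at
first: a blank F2 Shell=/UserInit= system.ini mapping, an O21 SSODL
(ShellServiceObjectDelayLoad) entry whose CLSID resolves to "(no file)",
and an O23 service whose binary is "(file missing)".  These are remnants to
clean up, not proof of an active infection; the heuristics are the editor's.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of lines copied from the HJT log in this post.
SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\\WINDOWS\\System32\\smss.exe
F2 - REG:system.ini: Shell=
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O4 - HKLM\\..\\Run: [IgfxTray] C:\\WINDOWS\\system32\\igfxtray.exe
O21 - SSODL: MicroCheck - {d0f6f079-426d-4fa6-95d2-06d4b0c43d9e} - (no file)
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\\WINDOWS\\system32\\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\\WINDOWS\\System32\\QCONSVC.EXE
"""

# "O21 - SSODL: ..." -> section code and the rest of the line.
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
# "REG:system.ini: Shell=" -> ini file, key and (possibly empty) value.
F2_RE = re.compile(r"^REG:(?P<file>[\w.]+):\s*(?P<key>\w+)=(?P<value>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class Entry:
    code: str   # HJT section, e.g. "F2", "O21", "O23"
    body: str   # everything after "<code> - "


@dataclass
class Finding:
    code: str
    reason: str
    line: str


def parse_hjt(text: str) -> List[Entry]:
    """Keep only section entries; header and 'Running processes' lines are dropped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("code"), m.group("body")))
    return entries


def check_entry(e: Entry) -> Optional[Finding]:
    """Apply the three remnant heuristics to one entry."""
    line = f"{e.code} - {e.body}"
    if e.code == "F2":
        m = F2_RE.match(e.body)
        # HJT normally lists F2 only when the mapped value is non-default, so a
        # Shell= or UserInit= with nothing after "=" means the logon entry was wiped.
        if m and m.group("key").lower() in ("shell", "userinit") and not m.group("value").strip():
            return Finding(e.code, f"blank {m.group('key')}= in {m.group('file')} mapping", line)
    elif e.code == "O21" and e.body.startswith("SSODL:") and e.body.rstrip().endswith("(no file)"):
        # ShellServiceObjectDelayLoad loads the CLSID's InProcServer32 DLL at
        # logon; a CLSID with no backing file is an orphaned registration.
        clsid = CLSID_RE.search(e.body)
        return Finding(e.code, f"orphaned SSODL entry {clsid.group(0) if clsid else '(no CLSID)'}", line)
    elif e.code == "O23" and e.body.rstrip().endswith("(file missing)"):
        return Finding(e.code, "service points at a missing binary", line)
    return None


def triage(text: str) -> List[Finding]:
    """Parse a whole HJT log and return the flagged entries in log order."""
    return [f for f in (check_entry(e) for e in parse_hjt(text)) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.code}] {f.reason}\n    {f.line}")
```

Run against the full log pasted above it reports the same three lines (F2, O21 and the PsaSrv O23); everything else in that log passes these checks.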



#2 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 20 July 2008 - 09:15 PM

Hello s_tup_auto,

We need to create a Deckard's System Scanner (DSS) Log.

Please download Deckard's System Scanner (DSS) from one of the links below and save to your Desktop.
Primary Mirror
Secondary Mirror

DSS will do the following:
1. Create a new System Restore point in Windows XP and Vista.
2. Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
3. Check some important areas of your system and produce a report for an analyst to review.
4. Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.

Note: You must be logged onto an account with administrator privileges when using Deckard's System Scanner.

1. Close all applications and windows.
2. Double-click on dss.exe to run it and follow the prompts.

3. If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
4. When the scan is complete, two text files will open in Notepad:
main.txt <-- Will be maximized
extra.txt <-- Will be minimized
5. If not, they both can be found in the C:\Deckard\System Scanner folder.
6. Please copy (<Control>+C) and paste (<Control>+V) the contents of main.txt and extra.txt in your next reply.

Note: When running DSS, some firewalls may warn that DSS is trying to access the Internet; especially if you are asked to download the most current version of HijackThis. Please ensure that DSS is given permission to access the internet.
Note: If you get a warning from your anti-virus while DSS is scanning, please allow DSS to continue as the scan is not harmful.

In your next reply, I need to see the following reports:
DSS Main.txt
DSS Extra.txt


#3 s_tup_auto
  • Topic Starter

  • Members
  • 6 posts

Posted 21 July 2008 - 04:35 AM

Hello SifuMike,

I have run dss, here's the log:

The Kaspersky scan found tracking cookies - which were then removed, but as to why they are recurring I'm not sure. McAfee keeps finding and deleting eyeblaster and adtech cookies as potentially unwanted programs when the PC is online, so I haven't used it on any sites where data fields are required. The scan also found Trojan.win32.Monderb.gen infected files, but these were all in the HJT backup log - which I have now cleaned.

FYI, Vista Antivirus 2008 was the first thing to install and alert me to the attack. I used Spybot S&D + HJT to remove this, but Spybot couldn't remove the Virtumonde - it kept coming back after reboot, hence using VirtumundoBegone.exe (and VundoFix.exe). This stopped any unusual activity when offline, and allowed the PC to become usable.
Also since the first post I have run Malwarebytes Anti-Malware, which found a load more Vundo variants - all successfully removed. I've put the log at the end of the DSS log. I ran it 4 times: first log is before clean, second log is after clean, third is after reboot and fourth is a recent check. This seemed to remove the F2 log in HJT.

Thanks for helping me, I've done my best to help myself but don't have enough knowledge to be sure I am clean!

Cheers

S

-----------------------------------------------

MAIN

Deckard's System Scanner v20071014.68
Run by mira on 2008-07-18 12:20:10
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 2 Restore Point(s) --
2: 2008-07-18 11:20:16 UTC - RP18 - Deckard's System Scanner Restore Point
1: 2008-07-18 10:55:49 UTC - RP17 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 503 MiB (512 MiB recommended).


-- HijackThis (run as mira.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:21:53, on 18/07/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\National Instruments\MAX\nimxs.exe
C:\WINDOWS\system32\nicitdl5.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\nipalsm.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\tp4serv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\National Instruments\NI-DAQ\HWConfig\nidevmon.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Documents and Settings\mira\Desktop\Virus Stuff\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\mira.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lboro.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [QCTRAY] C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [dbservices] scm -Silent 1 -Action 1 -Service mssqlserver
O4 - HKLM\..\Run: [niDevMon] C:\Program Files\National Instruments\NI-DAQ\HWConfig\nidevmon.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jd...ows-i586-jc.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: MicroCheck - {d0f6f079-426d-4fa6-95d2-06d4b0c43d9e} - (no file)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: NI Configuration Manager (mxssvr) - National Instruments Corporation - C:\Program Files\National Instruments\MAX\nimxs.exe
O23 - Service: National Instruments Citadel (NICitadel5Service) - National Instruments, Inc. - C:\WINDOWS\system32\nicitdl5.exe
O23 - Service: nidevldu - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NILM License Manager (NILM License manager) - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: nipxirmu - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: National Instruments Variable Engine (NITaggerService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

--
End of file - 10060 bytes

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*
.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 NIPALK - c:\windows\system32\drivers\nipalk.sys <Not Verified; National Instruments Corporation; NI-PAL>
R1 ANC - c:\windows\system32\drivers\anc.sys <Not Verified; IBM Corp.; IBM Access Connections>
R1 IBMTPCHK - c:\windows\system32\drivers\ibmbldid.sys
R1 Smapint - c:\windows\system32\drivers\smapint.sys <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
R1 TDSMAPI - c:\windows\system32\drivers\tdsmapi.sys
R1 TPHKDRV - c:\windows\system32\drivers\tphkdrv.sys <Not Verified; IBM Corporation; ThinkPad OnScreenDisplay>
R1 TPPWR - c:\windows\system32\drivers\tppwr.sys <Not Verified; IBM Corp.; IBM ThinkPad Utility>
R1 TSMAPIP - c:\windows\system32\drivers\tsmapip.sys
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.1.6.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.1.6.0>
R2 cvintdrv - c:\windows\system32\drivers\cvintdrv.sys
R2 ibmfilter - c:\windows\system32\drivers\ibmfilter.sys <Not Verified; IBM; FFE and RRU>
R2 lvalarmk - c:\windows\system32\drivers\lvalarmk.dll <Not Verified; National Instruments; National Instruments lvalarms>
R2 niarbk - c:\windows\system32\drivers\niarbk.dll <Not Verified; National Instruments Corporation; NI-ARB>
R2 nibffrk - c:\windows\system32\drivers\nibffrk.dll <Not Verified; National Instruments Corporation; NI Buffer Services>
R2 Nidaq32k - c:\windows\system32\drivers\nidaq32k.sys <Not Verified; National Instruments Corporation; NI-DAQ>
R2 nidimk - c:\windows\system32\drivers\nidimk.dll <Not Verified; National Instruments Corporation; NIDIM>
R2 nidmmk (NI DMM and Data Logger Kernel Driver) - c:\windows\system32\drivers\nidmmk.dll <Not Verified; National Instruments Corporation; NIDMM User and Kernel Mode Component for NIDAQ 7.2.0>
R2 nidmxfk - c:\windows\system32\drivers\nidmxfk.dll <Not Verified; National Instruments Corporation; NIDMXF>
R2 niemrk - c:\windows\system32\drivers\niemrk.dll <Not Verified; National Instruments Corporation; NIEMR>
R2 nifslk - c:\windows\system32\drivers\nifslk.dll <Not Verified; National Instruments Corporation; NIFSL>
R2 nimdsk - c:\windows\system32\drivers\nimdsk.dll <Not Verified; National Instruments Corporation; NI-MDS>
R2 nimxpk - c:\windows\system32\drivers\nimxpk.dll <Not Verified; National Instruments Corporation; NIMXP>
R2 nipxirmk - c:\windows\system32\drivers\nipxirmk.dll <Not Verified; National Instruments Corporation; NIPXIRM>
R2 nistck - c:\windows\system32\drivers\nistck.dll <Not Verified; National Instruments Corporation; NISTC>
R2 niswdk - c:\windows\system32\drivers\niswdk.dll <Not Verified; National Instruments Corporation; NISWD>
R2 PMEM - c:\windows\system32\drivers\pmemnt.sys <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>
R2 Sentinel - c:\windows\system32\drivers\sentinel.sys <Not Verified; Rainbow Technologies, Inc.; Sentinel System Driver>
R2 usb6xxxk - c:\windows\system32\drivers\usb6xxxk.dll <Not Verified; National Instruments Corporation; USB6XXXLOADER>
R3 kcanv (Kvaser Virtual CAN Driver) - c:\windows\system32\drivers\kcanv.sys <Not Verified; KVASER AB, Mölndal, SWEDEN; CANLIB>
R3 kcanx (Kvaser LAPcan Family Driver) - c:\windows\system32\drivers\kcanx.sys <Not Verified; KVASER AB, Mölndal, SWEDEN; CANLIB>
R3 nicdrk - c:\windows\system32\drivers\nicdrk.dll <Not Verified; National Instruments Corporation; NICDR>
R3 nimdbgk - c:\windows\system32\drivers\nimdbgk.dll <Not Verified; National Instruments Corporation; NIMDBG>
R3 nimru2k - c:\windows\system32\drivers\nimru2k.dll <Not Verified; National Instruments Corporation; NIMRU>
R3 nimsdrk - c:\windows\system32\drivers\nimsdrk.dll <Not Verified; National Instruments Corporation; NIMSDR>
R3 nimstsk - c:\windows\system32\drivers\nimstsk.dll <Not Verified; National Instruments Corporation; NIMSTS>
R3 nimxdfk - c:\windows\system32\drivers\nimxdfk.dll <Not Verified; National Instruments Corporation; NIMXDF>
R3 niorbk - c:\windows\system32\drivers\niorbk.dll <Not Verified; National Instruments Corporation; NIORB>
R3 niscdk - c:\windows\system32\drivers\niscdk.dll <Not Verified; National Instruments Corporation; NISCD>
R3 Pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>

S3 nidsark - c:\windows\system32\drivers\nidsark.dll <Not Verified; National Instruments Corporation; NIDSAR>
S3 niesrk - c:\windows\system32\drivers\niesrk.dll <Not Verified; National Instruments Corporation; NIESR>
S3 nimslk - c:\windows\system32\drivers\nimslk.dll <Not Verified; National Instruments Corporation; NIMSL>
S3 nimsrlk - c:\windows\system32\drivers\nimsrlk.dll <Not Verified; National Instruments Corporation; NIMSRL>
S3 nipalusb (NI-PAL USB Driver) - c:\windows\system32\drivers\nipalusb.sys <Not Verified; National Instruments Corporation; NI-PAL>
S3 nisdigk - c:\windows\system32\drivers\nisdigk.dll <Not Verified; National Instruments Corporation; NISDIG>
S3 nisftk - c:\windows\system32\drivers\nisftk.dll <Not Verified; National Instruments Corporation; NISFT>
S3 nispdk - c:\windows\system32\drivers\nispdk.dll
S3 nissrk - c:\windows\system32\drivers\nissrk.dll <Not Verified; National Instruments Corporation; NISSR>
S3 nistc2k - c:\windows\system32\drivers\nistc2k.dll <Not Verified; National Instruments Corporation; NISTC>
S3 nistcrk - c:\windows\system32\drivers\nistcrk.dll <Not Verified; National Instruments Corporation; NISTCR>
S3 nitiork - c:\windows\system32\drivers\nitiork.dll <Not Verified; National Instruments Corporation; NITIOR>
S3 niwfrk - c:\windows\system32\drivers\niwfrk.dll <Not Verified; National Instruments Corporation; NIWFR>
S3 nixsrk - c:\windows\system32\drivers\nixsrk.dll <Not Verified; National Instruments Corporation; NIXSR>
S3 psadd (IBM PSA Access Driver) - c:\windows\system32\drivers\psadd.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
S3 QCNDISIF - c:\windows\system32\drivers\qcndisif.sys <Not Verified; IBM Corporation.; IBM ThinkPad Utility>
S3 VisionUsb (ATI VISION USB Driver) - c:\windows\system32\drivers\vsnusb.sys <Not Verified; Accurate Technologies Inc.; VisionUsb>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 IBM Rapid Restore Ultra Service - "c:\program files\ibm\ibm rapid restore ultra\rrpcsb.exe" <Not Verified; ; rrpcsb Module>
R2 LkCitadelServer (Lookout Citadel Server) - c:\windows\system32\lkcitdl.exe <Not Verified; National Instruments, Inc.; National Instruments Logos>
R2 lkClassAds (National Instruments PSP Server Locator) - c:\windows\system32\lkads.exe <Not Verified; National Instruments, Inc.; National Instruments Logos>
R2 lkTimeSync (National Instruments Time Synchronization) - c:\windows\system32\lktsrv.exe <Not Verified; National Instruments, Inc.; National Instruments Logos>
R2 mxssvr (NI Configuration Manager) - "c:\program files\national instruments\max\nimxs.exe" <Not Verified; National Instruments Corporation; NIPALSM>
R2 NICitadel5Service (National Instruments Citadel) - c:\windows\system32\nicitdl5.exe <Not Verified; National Instruments, Inc.; National Instruments Citadel>
R2 nidevldu - system32\nipalsm.exe <Not Verified; National Instruments Corporation; NIPALSM>
R2 NIDomainService (National Instruments Domain Service) - "c:\program files\national instruments\shared\security\nidmsrv.exe" <Not Verified; National Instruments, Inc.; National Instruments Shared>
R2 nipxirmu - system32\nipalsm.exe <Not Verified; National Instruments Corporation; NIPALSM>
R2 niSvcLoc (NI Service Locator) - c:\windows\system32\nisvcloc.exe -s <Not Verified; National Instruments Corp.; National Instruments Service Locator>
R2 NITaggerService (National Instruments Variable Engine) - "c:\program files\national instruments\shared\tagger\tagsrv.exe" <Not Verified; National Instruments, Inc.; National Instruments Tagger>
R2 QCONSVC - system32\qconsvc.exe <Not Verified; IBM Corp.; IBM ThinkPad Utility>
R2 RegSrvc - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; RegSrvc Module>
R2 TpKmpSVC (IBM KCU Service) - c:\windows\system32\tpkmpsvc.exe

S3 NILM License manager - "c:\program files\national instruments\shared\license manager\bin\lmgrd.exe" <Not Verified; Macrovision Corporation; >
S3 PsaSrv (IBM PSA Access Driver Control) - c:\windows\system32\psasrv.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-06-02 17:53:21 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2007-12-12 17:17:44 346 --a------ C:\WINDOWS\Tasks\BMMTask.job
2005-11-17 16:35:55 412 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job


-- Files created between 2008-06-18 and 2008-07-18 -----------------------------

2008-07-18 11:38:15 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-18 11:38:05 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-07-18 11:38:05 0 d-------- C:\Documents and Settings\mira\Application Data\SUPERAntiSpyware.com
2008-07-17 16:09:56 0 d-------- C:\Documents and Settings\mira\Application Data\Malwarebytes
2008-07-17 16:09:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-17 16:09:50 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-17 14:38:37 0 d-------- C:\WINDOWS\Sun
2008-07-17 14:38:37 0 d-------- C:\Documents and Settings\mira\Application Data\Sun
2008-07-17 14:37:07 0 d-------- C:\Program Files\Java
2008-07-17 14:36:22 0 d-------- C:\Program Files\Common Files\Java
2008-07-17 11:34:26 0 d-------- C:\Program Files\Lavasoft
2008-07-17 11:34:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-17 11:33:26 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-17 11:23:46 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-17 11:23:39 0 d-------- C:\Program Files\SpywareBlaster
2008-07-16 12:59:28 0 d-------- C:\WINDOWS\Prefetch
2008-07-16 12:51:11 0 d-------- C:\WINDOWS\system32\scripting
2008-07-16 12:51:08 0 d-------- C:\WINDOWS\l2schemas
2008-07-16 12:51:07 0 d-------- C:\WINDOWS\system32\en
2008-07-16 12:51:06 0 d-------- C:\WINDOWS\system32\bits
2008-07-16 12:47:03 0 d-------- C:\WINDOWS\ServicePackFiles
2008-07-14 14:08:54 0 d-------- C:\VundoFix Backups
2008-07-14 12:16:20 0 d-------- C:\Program Files\a-squared Free
2008-07-11 13:02:43 0 d-------- C:\WINDOWS\system32\1033
2008-07-10 16:05:17 223207 --ahs---- C:\WINDOWS\system32\yIOpYJlm.ini2
2008-07-10 15:36:39 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-07-10 14:39:09 0 d--h----- C:\WINDOWS\$hf_mig$
2008-07-09 17:43:38 0 -rahs---- C:\MSDOS.SYS
2008-07-09 12:08:11 0 d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-07-07 15:50:23 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-07 15:38:04 0 d-------- C:\HJT
2008-07-07 15:21:17 0 d-------- C:\Program Files\Trend Micro
2008-07-05 00:37:05 3174 --ahs---- C:\WINDOWS\system32\KRuwyccf.ini2
2008-06-30 16:20:02 0 d-------- C:\Documents and Settings\mira\Application Data\InterVideo


-- Find3M Report ---------------------------------------------------------------

2008-07-17 14:36:22 0 d-------- C:\Program Files\Common Files
2008-07-16 12:52:23 0 d-------- C:\Program Files\Messenger
2008-07-16 12:51:06 0 d-------- C:\Program Files\Movie Maker
2008-07-16 12:46:43 0 d-------- C:\Program Files\Windows NT
2008-07-11 15:08:17 32558 --a------ C:\Documents and Settings\mira\Application Data\temp6828.txt
2008-06-05 09:47:47 0 d-------- C:\Documents and Settings\mira\Application Data\Apple Computer
2008-06-02 17:54:37 0 d-------- C:\Program Files\QuickTime
2008-06-02 17:53:14 0 d-------- C:\Program Files\Apple Software Update


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"S3TRAY2"="S3Tray2.exe" [12/10/2001 08:32 C:\WINDOWS\system32\S3Tray2.exe]
"TrackPointSrv"="tp4serv.exe" [13/11/2003 12:12 C:\WINDOWS\system32\tp4serv.exe]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [30/07/2004 20:03]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [30/07/2004 19:59]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [05/02/2004 03:39]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [04/03/2005 02:10]
"TP4EX"="tp4ex.exe" [04/09/2002 10:05 C:\WINDOWS\system32\TP4EX.exe]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [25/12/2003 11:04]
"UC_Start"="C:\Program Files\IBM\Updater\\ucstartup.exe" [26/06/2004 00:39]
"UC_SMB"="" []
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [19/08/2003 10:01]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [02/09/2004 10:05]
"ibmmessages"="C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe" [22/07/2004 11:01]
"IBMPRC"="C:\IBMTOOLS\UTILS\ibmprc.exe" [19/03/2004 21:12]
"QCTRAY"="C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE" [18/03/2005 12:07]
"QCWLICON"="C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [18/03/2005 12:07]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [29/07/2004 10:37]
"BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [29/07/2004 10:37]
"BMMMONWND"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll" [29/07/2004 10:37]
"dbservices"="scm -Silent 1 -Action 1 -Service mssqlserver" []
"niDevMon"="C:\Program Files\National Instruments\NI-DAQ\HWConfig\nidevmon.exe" [06/10/2005 12:49]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [22/02/2007 21:50]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [19/12/2006 12:27]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [04/03/2004 15:46]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 23:16]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [28/03/2008 23:37]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [10/06/2008 04:27]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ibmmessages"="C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" [22/07/2004 11:01]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [14/04/2008 01:12]
"IBM RecordNow!"="" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [25/10/2005 06:29:43]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [13/05/2008 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 19/04/2007 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
QConGina.dll 18/03/2005 12:07 262144 C:\WINDOWS\system32\QConGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
tphklock.dll 13/08/2004 05:11 24576 C:\WINDOWS\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\mlJYpOIy
"Notification Packages"= scecli pwdmon

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
AutoRun\command- G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{23707361-8703-11dc-89fd-000ae43a325b}]
AutoRun\command- F:\USBNB.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{737b7345-a70e-11dc-8a19-000ae43a325b}]
AutoRun\command- E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a586c856-a7ce-11dc-8a1a-000ae43a325b}]
Auto\command- nlopfuwja.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL nlopfuwja.exe

*Newly Created Service* - NIPALK



-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8784 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-07-18 12:22:48 ------------

EXTRA

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 3.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® M processor 1.60GHz
Percentage of Memory in Use: 71%
Physical Memory (total/avail): 502.42 MiB / 141.54 MiB
Pagefile Memory (total/avail): 1226.63 MiB / 783.42 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1912.77 MiB

C: is Fixed (NTFS) - 51.38 GiB total, 34.09 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - HTS541060G9AT00 - 55.89 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 51.38 GiB - C:
\PARTITION1 - Unknown - 4.51 GiB



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\mira\Application Data
CLASSPATH=.;C:\Program Files\IBM\Java141\jre\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=MIRA1
ComSpec=C:\WINDOWS\system32\cmd.exe
DEFLOGDIR=C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\mira
IBMSHARE=C:\IBMSHARE
KMP_DUPLICATE_LIB_OK=TRUE
LOGONSERVER=\\MIRA1
MKL_SERIAL=YES
NIDAQmxSwitchDir=C:\Program Files\National Instruments\NI-DAQ\Switch\
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\PROGRAM FILES\THINKPAD\UTILITIES;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Intel\Wireless\Bin\;C:\WINDOWS\Downloaded Program Files;C:\IBMTOOLS\Python22;C:\Program Files\PC-Doctor for Windows\services;C:\MATLAB7\bin\win32;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.pyo;.pyc;.py;.pyw
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0d08
ProgramFiles=C:\Program Files
PROMPT=$P$G
PYTHONCASEOK=1
PYTHONPATH=C:\IBMTOOLS\utils\support;C:\IBMTOOLS\utils\logger
P_SCHEMA=C:\Program Files\Solid Edge V18\etc\UGSchemas
QTJAVA=C:\Program Files\IBM\Java141\jre\lib\ext\QTJava.zip
RRU=C:\Program Files\IBM\IBM Rapid Restore Ultra\
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TCL_LIBRARY=C:\IBMTOOLS\Python22\tcl\tcl8.4
TEMP=C:\DOCUME~1\mira\LOCALS~1\Temp
TK_LIBRARY=C:\IBMTOOLS\Python22\tcl\tk8.4
TMP=C:\DOCUME~1\mira\LOCALS~1\Temp
USERDOMAIN=MIRA1
USERNAME=mira
USERPROFILE=C:\Documents and Settings\mira
VSEDEFLOGDIR=C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

mira (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\system32\\MSIEXEC.EXE /I {09DA4F91-2A09-4232-AB8C-6BC740096DE3} REMOVE=UpdateMgrFeature
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{39DA87A1-0B26-4562-A70C-2A6147366E47}\SETUP.EXE"
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\SETUP.EXE" -l0x9 ControlPanelAnyText
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9F765BD0-B900-4EDE-A90B-61C8A9E95C42}\SETUP.EXE"
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BAD59025-5B73-4E12-B789-0028C5A573C2}\SETUP.EXE"
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\SETUP.EXE" -l0x9 ControlPanel
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Access IBM --> MsiExec.exe /X{EC6AF20D-4376-4070-BEE4-D3A0DFF7E140}
Access IBM Message Center --> MsiExec.exe /X{F413B3A4-EE5D-457C-BAE5-6E58D9589ED5}
Ad-Aware --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742) --> MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Reader 8.1.2 Security Update 1 (KB403742) -->
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
ATI CANverter Configuration --> MsiExec.exe /I{1313012B-46BA-4B51-A2C3-A86DEDF04E7B}
ATI VISION 3.3 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{103A7069-E09E-4D0A-9137-E5FD27DCB1C7}\Setup.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
IBM 32-bit Runtime Environment for Java 2, v1.4.1 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{6C72E14A-C1F3-45E5-8810-83CE3C19ED63} /l1033
IBM Access Connections --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{22B71A00-4DED-11D4-A5E5-0004AC564F43}\SETUP.EXE" -l0x9 anything
IBM DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
IBM Integrated 56K Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_8086&DEV_24C6&SUBSYS_05591014\HXFSETUP.EXE -U -IVEN_8086&DEV_24C6&SUBSYS_05591014 -S -ISFG
IBM RecordNow! --> MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
IBM Rescue and Recovery with Rapid Restore --> MsiExec.exe /X{11783F13-C3A9-44A8-929B-21A476F65272}
IBM Themes --> MsiExec.exe /I{6CE96A14-61E2-48CC-837E-22710A953ADE}
IBM ThinkPad Battery MaxiMiser and Power Management Features --> C:\WINDOWS\IsUninst.exe -fC:\PROGRA~1\ThinkPad\UTILIT~1\Unbmm.isu -c"C:\Program Files\ThinkPad\Utilities\Tpinsbmm.dll"
IBM ThinkPad Configuration --> C:\WINDOWS\IsUninst.exe -fC:\PROGRA~1\ThinkPad\UTILIT~1\UNTPUW.ISU -c"C:\Program Files\ThinkPad\Utilities\Tpinswin.dll"
IBM ThinkPad EasyEject Utility --> C:\WINDOWS\IsUninst.exe -fC:\PROGRA~1\ThinkPad\UTILIT~1\Unezej.isu -c"C:\Program Files\ThinkPad\Utilities\Tpinsej.dll"
IBM ThinkPad Keyboard Customizer Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2111B23F-7FDA-4A41-8309-E5A1663CA296}\SETUP.EXE" -l0x9 anything
IBM ThinkPad Power Management Driver --> RunDll32.exe tpinspm.dll,Uninstall
IBM ThinkPad Presentation Director --> C:\WINDOWS\IsUninst.exe -fC:\PROGRA~1\ThinkPad\UTILIT~1\UNNPDR.isu -c"C:\Program Files\ThinkPad\Utilities\Tpinsnpd.dll"
IBM ThinkVantage Technologies Welcome Message --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1007F41F-7D69-468E-8017-3849A5A973C2}\SETUP.EXE" -l0x9 anything
IBM TrackPoint Accessibility Features --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EA664480-3844-11D5-8C25-444553540000}\SETUP.EXE"
IBM TrackPoint Support --> C:\WINDOWS\System32\tp4unins.exe
IBM Update Connector --> MsiExec.exe /X{8D815BF3-2399-459C-B121-49373FEFB9E8}
Intel® Extreme Graphics 2 Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_3582
Intel® PRO Network Adapters and Drivers --> Prounstl.exe
Intel® PROSet/Wireless Software --> C:\WINDOWS\Installer\iProInst.exe
InterVideo WinDVD --> "C:\Program Files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe" REMOVEALL
InterVideo WinDVD Creator --> "C:\Program Files\InstallShield Installation Information\{2FCE4FC5-6930-40E7-A4F1-F862207424EF}\setup.exe" REMOVEALL
Java™ 6 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Kvaser CAN Drivers (remove local copy only) --> C:\PROGRA~1\KVASER\Drivers\UNWISE32.EXE C:\PROGRA~1\KVASER\Drivers\INSTALL.LOG
LiveUpdate 1.90 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
MATLAB Family of Products Release 14 --> C:\MATLAB7\uninstall\uninstall.exe C:\MATLAB7\
McAfee AntiSpyware Enterprise Module --> "C:\Program Files\McAfee\VirusScan Enterprise\scan32.exe" /UninstallMAS
McAfee VirusScan Enterprise --> MsiExec.exe /I{35C03C04-3F1F-42C2-A989-A757EE691F65}
mCore --> MsiExec.exe /I{6DE14BE4-6F04-4935-8ABD-A0A19FE2E55A}
mDriver --> MsiExec.exe /I{28DA872A-0848-48CF-B749-19A198157A2A}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
mMHouse --> MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
mPfMgr --> MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
mProSafe --> MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}
mWlsSafe --> MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}
mXML --> MsiExec.exe /I{9CC89556-3578-48DD-8408-04E66EBEF401}
National Instruments Software --> "C:\Program Files\National Instruments\Shared\NIUninstaller\uninst.exe"
NI EULA Depot --> MsiExec.exe /I{60FC2242-9CF5-4264-B02A-A4A86447F560}
NI MDF Support --> MsiExec.exe /I{28C59BDD-55F3-4454-BF17-37AC537F894B}
Norton WMI Update --> MsiExec.exe /X{1526D87C-A955-4FAB-BF18-697BA457E352}
PC-Doctor for Windows --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1F7CCFA3-D926-4882-B2A5-A0217ED25597}\SETUP.EXE"
PL-2303 USB-to-Serial --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\Setup.exe" -l0x9 Installed
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
Race Technology v6 --> MsiExec.exe /I{52F29CCA-C0FC-40D8-AE2A-20BC4E3B75B9}
SecureW2 Client 3.1.2 --> C:\Program Files\Alfa & Ariss\SecureW2 Client 3.1.2\Uninstall.exe
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Sentinel System Driver 5.41.1 (32-bit) --> MsiExec.exe /I{5081528F-5DD5-49BA-8213-9A6A13502497}
Solid Edge V18 --> MsiExec.exe /I{BCBA1B06-0AB4-4FA8-8544-D174FC0B0B12}
Sonic Update Manager --> MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster 4.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
ThinkPad FullScreen Magnifier --> RunDll32 setupapi.dll,InstallHinfSection DefaultUninstall.NT 132 C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.inf
ThinkPad Software Installer --> _tpiu000.exe /U
Wallpapers --> MsiExec.exe /I{F386C340-DF4B-4BBA-9503-420FB7EDB395}
Windows XP Service Pack 3 --> "C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type5455 / Error
Event Submitted/Written: 07/18/2008 11:37:26 AM
Event ID/Source: 259 / McLogEvent
Event Description:
The file C:\Documents and Settings\mira\Desktop\Virus Stuff\ComboFix.exe\PSEXEC.CFEXE contains the RemAdm-ProcLaunch!171 Remote Admin Tool. Undetermined clean error, OAS denied access and continued. Detected using Scan engine version 5200.2160 DAT version 5340.0000.

Event Record #/Type5454 / Warning
Event Submitted/Written: 07/18/2008 11:37:23 AM
Event ID/Source: 258 / McLogEvent
Event Description:
The file C:\DOCUMENTS AND SETTINGS\MIRA\DESKTOP\VIRUS STUFF\COMBOFIX.EXE contains RemAdm-ProcLaunch!171 Remote Admin Tool. The file was successfully deleted.

Event Record #/Type5453 / Error
Event Submitted/Written: 07/18/2008 11:37:15 AM
Event ID/Source: 259 / McLogEvent
Event Description:
The file C:\Documents and Settings\mira\Desktop\Virus Stuff\ComboFix.exe\PSEXEC.CFEXE contains the RemAdm-ProcLaunch!171 Remote Admin Tool. Undetermined clean error, OAS denied access and continued. Detected using Scan engine version 5200.2160 DAT version 5340.0000.

Event Record #/Type5451 / Warning
Event Submitted/Written: 07/18/2008 11:37:11 AM
Event ID/Source: 258 / McLogEvent
Event Description:
The file C:\DOCUMENTS AND SETTINGS\MIRA\DESKTOP\VIRUS STUFF\COMBOFIX.EXE contains RemAdm-ProcLaunch!171 Remote Admin Tool. The file was successfully deleted.

Event Record #/Type5450 / Error
Event Submitted/Written: 07/18/2008 11:37:04 AM
Event ID/Source: 259 / McLogEvent
Event Description:
The file C:\Documents and Settings\mira\Desktop\Virus Stuff\ComboFix.exe\PSEXEC.CFEXE contains the RemAdm-ProcLaunch!171 Remote Admin Tool. Undetermined clean error, OAS denied access and continued. Detected using Scan engine version 5200.2160 DAT version 5340.0000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type13546 / Error
Event Submitted/Written: 07/18/2008 00:03:10 PM
Event ID/Source: 12 / PlugPlayManager
Event Description:
The device 'NIPALK' (Root\LEGACY_NIPALK\0000) disappeared from the system without first being prepared for removal.

Event Record #/Type13510 / Error
Event Submitted/Written: 07/18/2008 10:08:31 AM
Event ID/Source: 12 / PlugPlayManager
Event Description:
The device 'NIPALK' (Root\LEGACY_NIPALK\0000) disappeared from the system without first being prepared for removal.

Event Record #/Type13508 / Error
Event Submitted/Written: 07/18/2008 08:59:25 AM
Event ID/Source: 12 / PlugPlayManager
Event Description:
The device 'NIPALK' (Root\LEGACY_NIPALK\0000) disappeared from the system without first being prepared for removal.

Event Record #/Type13506 / Error
Event Submitted/Written: 07/18/2008 08:50:49 AM
Event ID/Source: 12 / PlugPlayManager
Event Description:
The device 'NIPALK' (Root\LEGACY_NIPALK\0000) disappeared from the system without first being prepared for removal.

Event Record #/Type13477 / Error
Event Submitted/Written: 07/17/2008 04:32:02 PM
Event ID/Source: 12 / PlugPlayManager
Event Description:
The device 'NIPALK' (Root\LEGACY_NIPALK\0000) disappeared from the system without first being prepared for removal.



-- End of Deckard's System Scanner: finished at 2008-07-18 12:22:48 ------------



Before Clean

Malwarebytes' Anti-Malware 1.20
Database version: 960
Windows 5.1.2600 Service Pack 3

16:25:33 17/07/2008
mbam-log-B4clean.txt

Scan type: Quick Scan
Objects scanned: 39652
Time elapsed: 6 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{06c30dcd-8cbe-4c4e-9721-a0b191c7c5b7} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\jmqgiyoo.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\ooyigqmj.ini (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\wtrhhqju.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\ujqhhrtw.ini (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\ueknchqj.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\vjtyxt.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\cookies.ini (Malware.Trace) -> No action taken.
C:\WINDOWS\explorer.ini (Heuristics.Reserved.Word.Exploit) -> No action taken.


After Clean

Malwarebytes' Anti-Malware 1.20
Database version: 960
Windows 5.1.2600 Service Pack 3

16:25:42 17/07/2008
mbam-log-7-17-2008 (16-25-42).txt

Scan type: Quick Scan
Objects scanned: 39652
Time elapsed: 6 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{06c30dcd-8cbe-4c4e-9721-a0b191c7c5b7} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\jmqgiyoo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ooyigqmj.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wtrhhqju.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ujqhhrtw.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ueknchqj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vjtyxt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\explorer.ini (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.


After Reboot


Malwarebytes' Anti-Malware 1.20
Database version: 960
Windows 5.1.2600 Service Pack 3

16:39:27 17/07/2008
mbam-log-7-17-2008 (16-39-27).txt

Scan type: Quick Scan
Objects scanned: 39603
Time elapsed: 6 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Most Recent Check (After being online)

Malwarebytes' Anti-Malware 1.20
Database version: 960
Windows 5.1.2600 Service Pack 3

19:58:03 17/07/2008
mbam-log-7-17-2008 (19-58-03).txt

Scan type: Quick Scan
Objects scanned: 39436
Time elapsed: 4 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#4 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 21 July 2008 - 12:18 PM

Hello s_tup_auto,

The Kaspersky scan found tracking cookies - which were then removed, but as to why they are recurring I'm not sure.

Tracking cookies are from browsing the Internet. They are not dangerous and can be eliminated by using a program like CCleaner or ATF cleaner.

We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.


You need to disable your McAfee Antivirus before running ComboFix, as it will prevent it from running.

To disable McAfee Virusscan:
Please navigate to the system tray on the bottom right hand corner and look for a Posted Image sign.
  • right-click it -> choose "Exit."
  • a popup will warn that protection will now be disabled. Click on "Yes" to disable the Antivirus guard.
You successfully disabled the McAfee Guard.



Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.

When following the instructions install the Windows XP Recovery Console if you are using XP. <== IMPORTANT
It is a simple procedure that will only take a few moments of your time. It is our safety net.


You DO NOT need to have the Windows CD to install Recovery Console!

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.


We need Recovery Console because malware damages a lot and causes an unstable system - and because of that, it may happen that your computer won't be able to boot anymore. With the Recovery Console installed, there are extra options present to repair whatever malware damaged.
Also, even though you're not infected, the presence of the Recovery Console is a useful feature in case a computer won't boot anymore because of several other reasons. Read here what you can do with the Recovery Console.

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
Don't select to run the Recovery Console as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

A caution -
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post the ComboFix log.

Edited by SifuMike, 21 July 2008 - 12:22 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 s_tup_auto

s_tup_auto
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:04:53 PM

Posted 22 July 2008 - 04:46 AM

Hi there,

Ran ComboFix - here's the log, plus the quarantined files list. Not sure if you needed this but it's at the end of the log anyway.

You may already know this, but as I didn't until now, I thought others on this forum might find this useful...

McAfee have removed the exit option for v8.5. Searched Google, and the only way to disable McAfee OAS is to open the VirusScan Console, open the properties window on the Access Protection task, and uncheck "Prevent McAfee services from being stopped". This then allows you to right-click on the shield in the system tray and Disable the On-Access Scan (normally grayed out). Other tasks can be stopped by pressing the stop button in the VirusScan Console with the relevant task highlighted.

Cheers

S

ComboFix 08-07-21.2 - mira 2008-07-22 10:10:22.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.166 [GMT 1:00]
Running from: C:\Documents and Settings\mira\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\mira\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\bckiaxne.ini
C:\WINDOWS\system32\KRuwyccf.ini
C:\WINDOWS\system32\KRuwyccf.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\yIOpYJlm.ini
C:\WINDOWS\system32\yIOpYJlm.ini2

.
((((((((((((((((((((((((( Files Created from 2008-06-22 to 2008-07-22 )))))))))))))))))))))))))))))))
.

2008-07-18 13:36 . 2008-07-18 13:36 <DIR> d-------- C:\Program Files\CCleaner
2008-07-18 11:38 . 2008-07-18 11:38 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-07-18 11:38 . 2008-07-18 11:38 <DIR> d-------- C:\Documents and Settings\mira\Application Data\SUPERAntiSpyware.com
2008-07-18 11:38 . 2008-07-18 11:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-17 16:09 . 2008-07-17 16:09 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-17 16:09 . 2008-07-17 16:09 <DIR> d-------- C:\Documents and Settings\mira\Application Data\Malwarebytes
2008-07-17 16:09 . 2008-07-17 16:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-17 16:09 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-17 16:09 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-17 15:08 . 2008-07-17 15:08 <DIR> d-------- C:\Deckard
2008-07-17 14:38 . 2008-07-17 14:38 <DIR> d-------- C:\WINDOWS\Sun
2008-07-17 14:38 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-17 14:37 . 2008-07-17 14:38 <DIR> d-------- C:\Program Files\Java
2008-07-17 14:36 . 2008-07-17 14:36 <DIR> d-------- C:\Program Files\Common Files\Java
2008-07-17 11:34 . 2008-07-17 11:34 <DIR> d-------- C:\Program Files\Lavasoft
2008-07-17 11:34 . 2008-07-17 11:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-17 11:33 . 2008-07-18 11:37 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-17 11:23 . 2008-07-17 11:23 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-07-17 11:23 . 2008-07-18 12:18 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-16 14:12 . 2008-06-13 12:05 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-07-16 14:12 . 2008-05-08 15:02 203,136 --------- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-07-16 12:51 . 2008-07-16 12:51 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-07-16 12:51 . 2008-07-16 12:51 <DIR> d-------- C:\WINDOWS\system32\en
2008-07-16 12:51 . 2008-07-16 12:51 <DIR> d-------- C:\WINDOWS\system32\bits
2008-07-16 12:51 . 2008-07-16 12:51 <DIR> d-------- C:\WINDOWS\l2schemas
2008-07-16 12:47 . 2008-07-16 12:52 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-07-14 14:08 . 2008-07-14 14:08 <DIR> d-------- C:\VundoFix Backups
2008-07-14 12:16 . 2008-07-16 12:27 <DIR> d-------- C:\Program Files\a-squared Free
2008-07-11 13:02 . 2008-07-11 13:02 <DIR> d-------- C:\WINDOWS\system32\1033
2008-07-10 15:57 . 2008-04-14 01:12 774,144 --------- C:\WINDOWS\system32\dllcache\setup_wm.exe
2008-07-10 15:56 . 2008-04-14 01:12 1,306,624 --------- C:\WINDOWS\system32\msxml6.dll
2008-07-10 15:55 . 2008-04-14 01:10 844,314 --------- C:\WINDOWS\system32\dllcache\msdxm.ocx
2008-07-10 15:54 . 2008-04-14 01:12 695,808 --------- C:\WINDOWS\system32\dllcache\drmv2clt.dll
2008-07-10 14:39 . 2008-07-17 10:01 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-07-09 12:08 . 2008-07-10 15:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-07-07 15:50 . 2008-07-17 13:08 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-07 15:50 . 2008-07-18 13:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-07 15:38 . 2008-07-07 15:38 <DIR> d-------- C:\HJT
2008-07-07 15:21 . 2008-07-07 15:21 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-30 16:20 . 2008-06-30 16:20 <DIR> d-------- C:\Documents and Settings\mira\Application Data\InterVideo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 11:05 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-05 08:47 --------- d-----w C:\Documents and Settings\mira\Application Data\Apple Computer
2008-06-02 16:54 --------- d-----w C:\Program Files\QuickTime
2008-06-02 16:53 --------- d-----w C:\Program Files\Apple Software Update
2008-06-02 16:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-02 16:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2004-03-15 17:51 114,688 ----a-w C:\Program Files\internet explorer\plugins\LV71ActiveXControl.dll
2003-05-01 09:36 114,688 ----a-w C:\Program Files\internet explorer\plugins\LV7ActiveXControl.dll
2005-10-12 16:04 131,072 ----a-w C:\Program Files\internet explorer\plugins\LV80ActiveXControl.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ibmmessages"="C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" [2004-07-22 11:01 442368]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 01:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dbservices"="scm -Silent 1 -Action 1 -Service mssqlserver" [X]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-07-30 20:03 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-07-30 19:59 118784]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2004-02-05 03:39 897024]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2005-03-04 02:10 94208]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2003-12-25 11:04 208896]
"UC_Start"="C:\Program Files\IBM\Updater\\ucstartup.exe" [2004-06-26 00:39 36864]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 10:01 110592]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-09-02 10:05 127035]
"ibmmessages"="C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe" [2004-07-22 11:01 442368]
"IBMPRC"="C:\IBMTOOLS\UTILS\ibmprc.exe" [2004-03-19 21:12 90112]
"QCTRAY"="C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE" [2005-03-18 12:07 745472]
"QCWLICON"="C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2005-03-18 12:07 86016]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2004-07-29 10:37 110592]
"BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [2004-07-29 10:37 20480]
"BMMMONWND"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2004-07-29 10:37 395776]
"niDevMon"="C:\Program Files\National Instruments\NI-DAQ\HWConfig\nidevmon.exe" [2005-10-06 12:49 263168]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2007-02-22 21:50 112216]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 12:27 136768]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 15:46 172032]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"S3TRAY2"="S3Tray2.exe" [2001-10-12 08:32 69632 C:\WINDOWS\system32\S3Tray2.exe]
"TrackPointSrv"="tp4serv.exe" [2003-11-13 12:12 94208 C:\WINDOWS\system32\tp4serv.exe]
"TP4EX"="tp4ex.exe" [2002-09-04 10:05 53248 C:\WINDOWS\system32\TP4EX.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 01:12 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-10-25 06:29:43 24576]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
2005-03-18 12:07 262144 C:\WINDOWS\system32\QConGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2004-08-13 05:11 24576 C:\WINDOWS\system32\tphklock.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"C:\\Program Files\\IBM\\Updater\\jre\\bin\\java.exe"=
"C:\\Program Files\\IBM\\Updater\\jre\\bin\\javaw.exe"=
"C:\\Program Files\\National Instruments\\LabVIEW 7.1\\LabVIEW.exe"=
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\National Instruments\\MAX\\NIMax.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\National Instruments\\VI Logger\\VILogger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

R0 NIPALK;NIPALK;C:\WINDOWS\system32\drivers\nipalk.sys [2005-09-22 22:12]
R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2005-03-18 12:07]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\drivers\IBMBLDID.SYS [2005-03-18 12:07]
R1 TPPWR;TPPWR;C:\WINDOWS\system32\drivers\Tppwr.sys [2004-07-29 10:37]
R2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys [2004-07-26 11:00]
R2 ibmfilter;ibmfilter;C:\WINDOWS\system32\drivers\ibmfilter.sys [2004-09-24 02:39]
R2 lvalarmk;lvalarmk;C:\WINDOWS\system32\drivers\lvalarmk.dll [2005-07-27 09:58]
R2 mxssvr;NI Configuration Manager;C:\Program Files\National Instruments\MAX\nimxs.exe [2005-10-03 23:52]
R2 niarbk;niarbk;C:\WINDOWS\system32\drivers\niarbk.dll [2005-10-13 10:29]
R2 nibffrk;nibffrk;C:\WINDOWS\system32\drivers\nibffrk.dll [2005-10-13 10:29]
R2 NICitadel5Service;National Instruments Citadel;C:\WINDOWS\system32\nicitdl5.exe [2005-10-14 01:58]
R2 Nidaq32k;Nidaq32k;C:\WINDOWS\system32\drivers\Nidaq32k.sys [2005-10-13 11:17]
R2 nidimk;nidimk;C:\WINDOWS\system32\drivers\nidimk.dll [2005-09-28 22:14]
R2 nidmmk;NI DMM and Data Logger Kernel Driver;C:\WINDOWS\system32\drivers\nidmmk.dll [2005-10-13 11:18]
R2 nidmxfk;nidmxfk;C:\WINDOWS\system32\drivers\nidmxfk.dll [2005-10-13 08:27]
R2 niemrk;niemrk;C:\WINDOWS\system32\drivers\niemrk.dll [2005-10-07 01:19]
R2 nifslk;nifslk;C:\WINDOWS\system32\drivers\nifslk.dll [2005-10-06 12:32]
R2 nimdsk;nimdsk;C:\WINDOWS\system32\drivers\nimdsk.dll [2005-10-13 10:30]
R2 nimxpk;nimxpk;C:\WINDOWS\system32\drivers\nimxpk.dll [2005-10-06 13:31]
R2 nipxirmk;nipxirmk;C:\WINDOWS\system32\drivers\nipxirmk.dll [2005-09-21 12:30]
R2 nistck;nistck;C:\WINDOWS\system32\drivers\nistck.dll [2005-10-13 10:30]
R2 niswdk;niswdk;C:\WINDOWS\system32\drivers\niswdk.dll [2005-10-08 02:08]
R2 NITaggerService;National Instruments Variable Engine;C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe [2005-10-11 16:13]
R2 usb6xxxk;usb6xxxk;C:\WINDOWS\system32\drivers\usb6xxxk.dll [2005-10-07 01:06]
R3 kcanv;Kvaser Virtual CAN Driver;C:\WINDOWS\system32\drivers\kcanv.sys [2005-11-09 13:52]
R3 kcanx;Kvaser LAPcan Family Driver;C:\WINDOWS\system32\drivers\kcanx.sys [2005-11-09 13:52]
R3 nicdrk;nicdrk;C:\WINDOWS\system32\drivers\nicdrk.dll [2005-10-06 12:56]
R3 nimdbgk;nimdbgk;C:\WINDOWS\system32\drivers\nimdbgk.dll [2005-09-28 21:07]
R3 nimru2k;nimru2k;C:\WINDOWS\system32\drivers\nimru2k.dll [2005-09-28 22:54]
R3 nimsdrk;nimsdrk;C:\WINDOWS\system32\drivers\nimsdrk.dll [2005-10-06 13:19]
R3 nimstsk;nimstsk;C:\WINDOWS\system32\drivers\nimstsk.dll [2005-10-06 13:25]
R3 nimxdfk;nimxdfk;C:\WINDOWS\system32\drivers\nimxdfk.dll [2005-09-28 21:52]
R3 niorbk;niorbk;C:\WINDOWS\system32\drivers\niorbk.dll [2005-10-06 17:22]
R3 niscdk;niscdk;C:\WINDOWS\system32\drivers\niscdk.dll [2005-10-06 13:07]
R3 Tp4Track;IBM PS/2 TrackPoint Driver;C:\WINDOWS\system32\DRIVERS\tp4track.sys [2003-11-13 12:12]
S3 nidsark;nidsark;C:\WINDOWS\system32\drivers\nidsark.dll [2005-10-06 13:14]
S3 niesrk;niesrk;C:\WINDOWS\system32\drivers\niesrk.dll [2005-10-07 01:19]
S3 nimslk;nimslk;C:\WINDOWS\system32\drivers\nimslk.dll [2005-10-06 02:00]
S3 nimsrlk;nimsrlk;C:\WINDOWS\system32\drivers\nimsrlk.dll [2005-10-06 02:00]
S3 nipalusb;NI-PAL USB Driver;C:\WINDOWS\system32\DRIVERS\nipalusb.sys [2005-09-22 22:13]
S3 nisdigk;nisdigk;C:\WINDOWS\system32\drivers\nisdigk.dll [2005-10-07 01:06]
S3 nisftk;nisftk;C:\WINDOWS\system32\drivers\nisftk.dll [2005-10-06 12:48]
S3 nispdk;nispdk;C:\WINDOWS\system32\drivers\nispdk.dll [2005-10-06 13:07]
S3 nissrk;nissrk;C:\WINDOWS\system32\drivers\nissrk.dll [2005-10-07 01:20]
S3 nistc2k;nistc2k;C:\WINDOWS\system32\drivers\nistc2k.dll [2005-10-06 13:03]
S3 nistcrk;nistcrk;C:\WINDOWS\system32\drivers\nistcrk.dll [2005-10-10 21:07]
S3 nitiork;nitiork;C:\WINDOWS\system32\drivers\nitiork.dll [2005-10-07 01:54]
S3 niwfrk;niwfrk;C:\WINDOWS\system32\drivers\niwfrk.dll [2005-10-07 01:20]
S3 nixsrk;nixsrk;C:\WINDOWS\system32\drivers\nixsrk.dll [2005-10-07 01:20]
S3 QCNDISIF;QCNDISIF;C:\WINDOWS\system32\drivers\qcndisif.SYS [2005-03-18 12:07]
S3 VisionUsb;ATI VISION USB Driver;C:\WINDOWS\system32\Drivers\vsnusb.sys [2007-09-25 10:48]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{23707361-8703-11dc-89fd-000ae43a325b}]
\Shell\AutoRun\command - F:\USBNB.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{737b7345-a70e-11dc-8a19-000ae43a325b}]
\Shell\AutoRun\command - E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a586c856-a7ce-11dc-8a1a-000ae43a325b}]
\Shell\Auto\command - nlopfuwja.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL nlopfuwja.exe

*Newly Created Service* - NIPALK
.
Contents of the 'Scheduled Tasks' folder
"2008-06-02 16:53:21 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-12 16:17:44 C:\WINDOWS\Tasks\BMMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\BMMTASK.EXE
"2005-11-17 15:35:55 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-IBM RecordNow! - (no file)
HKLM-Run-UC_SMB - (no file)
SSODL-MicroCheck-{d0f6f079-426d-4fa6-95d2-06d4b0c43d9e} - (no file)


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.lboro.com/
R0 -: HKLM-Main,Start Page = hxxp://www.msn.com
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O16 -: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
C:\WINDOWS\Downloaded Program Files\ewidoOnlineScan.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-22 10:17:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tphklock.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ibmpmsvc.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\WINDOWS\system32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\TpKmpSvc.exe
C:\WINDOWS\system32\nipalsm.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\nipalsm.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\QCTRAY.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-07-22 10:22:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-22 09:21:53

Pre-Run: 36,520,112,128 bytes free
Post-Run: 36,426,547,200 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Home Edition" /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

270 --- E O F --- 2008-07-17 09:12:49


2008-07-09 16:00 3174 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\KRuwyccf.ini2.vir
2008-07-09 16:02 3174 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\KRuwyccf.ini.vir
2008-07-09 20:13 1784482 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\bckiaxne.ini.vir
2008-07-10 21:30 143 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\mcrh.tmp.vir
2008-07-11 10:15 223207 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\yIOpYJlm.ini2.vir
2008-07-11 10:16 223207 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\yIOpYJlm.ini.vir
2008-07-22 10:12 54 --a------ C:\Qoobox\Quarantine\catchme.log
2008-07-22 10:21 157 --a------ C:\Qoobox\Quarantine\Registry_backups\SSODL-MicroCheck-{d0f6f079-426d-4fa6-95d2-06d4b0c43d9e}.reg.dat
2008-07-22 10:21 174 --a------ C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-IBM RecordNow!.reg.dat
2008-07-22 10:21 93 --a------ C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-UC_SMB.reg.dat
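
The mountpoints2 block in the ComboFix log above records, per remembered removable volume, the AutoRun command Windows XP would run on insertion. Three of the four keys point at a vendor launcher on the drive itself (G:\LaunchU3.exe, F:\USBNB.exe, E:\LaunchU3.exe); the {a586c856-...} key instead starts a bare nlopfuwja.exe through RunDLL32 ShellExec_RunDLL, which is the shape a USB-borne autorun worm leaves behind and the kind of line a helper reads for first in this section. The following Python script is an added example, not ComboFix's code and not something posted in this thread: it parses that block (the sample input is copied from the log above) and flags the entries worth a second look. The regexes for ComboFix's layout and the three "suspicious" heuristics are my own assumptions, not ComboFix's verdict.

```python
"""Triage of the mountpoints2 AutoRun entries in a ComboFix log.

Added example: this is not ComboFix's code and not from the thread. The
regexes and the "suspicious" heuristics below are my own assumptions about
the log format as it appears on this page.
"""
import re
from dataclasses import dataclass

# Key header printed by ComboFix for each remembered removable volume.
KEY_RE = re.compile(r"^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\([^\]]+)\]$", re.IGNORECASE)
# Shell verb line under that key, e.g. "\Shell\AutoRun\command - G:\LaunchU3.exe -a".
CMD_RE = re.compile(r"^\\Shell\\(\w+)\\command - (.+)$", re.IGNORECASE)
# A launch target anchored to a drive letter ("G:\LaunchU3.exe").
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")

# Sample input: the mountpoints2 block copied from the ComboFix log above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{23707361-8703-11dc-89fd-000ae43a325b}]
\Shell\AutoRun\command - F:\USBNB.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{737b7345-a70e-11dc-8a19-000ae43a325b}]
\Shell\AutoRun\command - E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a586c856-a7ce-11dc-8a1a-000ae43a325b}]
\Shell\Auto\command - nlopfuwja.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL nlopfuwja.exe
"""


@dataclass
class Finding:
    mountpoint: str
    verb: str
    command: str
    reasons: list


def parse_mountpoints(text):
    """Return {mountpoint: [(verb, command), ...]} for every key in the excerpt."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            entries.setdefault(current, [])
            continue
        cmd = CMD_RE.match(line)
        if cmd and current is not None:
            entries[current].append((cmd.group(1), cmd.group(2)))
        elif not line:
            current = None  # a blank line closes the current key block
    return entries


def launch_target(command):
    """Return the program an AutoRun command really starts.

    "RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL <file>" is an indirection:
    the interesting target is <file>, not RunDLL32. Paths containing spaces
    are not handled; none of the entries on this page need it.
    """
    tokens = command.split()
    for i, tok in enumerate(tokens):
        if tok.lower().endswith("shellexec_rundll") and i + 1 < len(tokens):
            return tokens[i + 1]
    return tokens[0] if tokens else ""


def triage(entries):
    """Flag entries that look like a USB-borne autorun worm rather than a vendor launcher."""
    findings = []
    for mountpoint, cmds in entries.items():
        for verb, command in cmds:
            reasons = []
            target = launch_target(command)
            if "shellexec_rundll" in command.lower():
                reasons.append("launched through RunDLL32 ShellExec_RunDLL indirection")
            if not DRIVE_PATH_RE.match(target):
                reasons.append("bare file name %r, resolved relative to the volume root" % target)
            if verb.lower() != "autorun":
                reasons.append("shell verb %r other than AutoRun" % verb)
            if reasons:
                findings.append(Finding(mountpoint, verb, command, reasons))
    return findings


def report(text):
    """Human-readable summary for the whole excerpt."""
    entries = parse_mountpoints(text)
    findings = triage(entries)
    lines = ["%d mountpoints2 keys, %d suspicious command(s)" % (len(entries), len(findings))]
    for f in findings:
        lines.append("  %s  \\Shell\\%s\\command - %s" % (f.mountpoint, f.verb, f.command))
        for r in f.reasons:
            lines.append("      - " + r)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run as-is it prints four keys and two suspicious commands, both under the {a586c856-...} key. Mountpoints2 keys are only Explorer's memory of volumes that were once plugged in, so a flagged entry means the stick itself should be checked (autorun.inf and the named file) and the stale key removed, which is the sort of clean-up the helper's CFScript in the next post is for.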

#6 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:08:53 AM

Posted 22 July 2008 - 09:01 AM

Hi s_tup_auto,


Please perform this online scan: Kaspersky Webscan

Note that you need to run this scan with Internet Explorer for it to work correctly.

If you have any problem running the scan to completion, disable your Antivirus and/or firewall temporarily, just refrain from surfing around while the scan is running and be sure to re-enable when done.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

1. Read the Requirements and Privacy statement, then select "Accept"
2. A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
NOTE: If you are running XP SP2, you may need to click on the Information Bar to allow the ActiveX to install and may need to repeat step 1.
3. Select "Install" to download the ActiveX controls that allow Kaspersky to run.
4. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click "Allow"
5. Wait for the scanner to initialize and update its databases. When the download is complete it will say ready, click "Next"
6. Click "Scan Settings" and check the option to use the EXTENDED DATABASE,
Scan Options:
Scan Archives
Scan Mail Bases


then click "OK"
7. Select a target to scan: Click on "My Computer" and the scan will begin.
8. Once the scan is complete it will display if your system has been infected.
Now click on the Save Report As... button:

Posted Image

Under Save as type select Text file, write a name for the file and save it to your Desktop.
Locate the file at the Desktop, open it, then copy and paste that information in your next post.
9. Post the Kaspersky scan results in your next reply.




Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.


Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

Folder:: 
C:\VundoFix Backups


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



Posted Image

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log and the Kaspersky scan log.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 s_tup_auto

s_tup_auto
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:04:53 PM

Posted 23 July 2008 - 05:59 AM

Hello again,

Here is the Kaspersky scan, which is clear :thumbsup:, followed by the ComboFix scan, and finally the HJT scan.

The PC is running much better since the first Combofix run, thanks for all your help so far,

S

-----------

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, July 23, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, July 23, 2008 08:59:20
Records in database: 996154
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 130164
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 01:51:17

No malware has been detected. The scan area is clean.

The selected area was scanned.


-------------------------

ComboFix 08-07-21.2 - mira 2008-07-23 11:40:51.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.290 [GMT 1:00]
Running from: C:\Documents and Settings\mira\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\mira\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups

.
((((((((((((((((((((((((( Files Created from 2008-06-23 to 2008-07-23 )))))))))))))))))))))))))))))))
.

2008-07-18 13:36 . 2008-07-18 13:36 <DIR> d-------- C:\Program Files\CCleaner
2008-07-18 11:38 . 2008-07-18 11:38 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-07-18 11:38 . 2008-07-18 11:38 <DIR> d-------- C:\Documents and Settings\mira\Application Data\SUPERAntiSpyware.com
2008-07-18 11:38 . 2008-07-18 11:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-17 16:09 . 2008-07-17 16:09 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-17 16:09 . 2008-07-17 16:09 <DIR> d-------- C:\Documents and Settings\mira\Application Data\Malwarebytes
2008-07-17 16:09 . 2008-07-17 16:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-17 16:09 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-17 16:09 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-17 15:08 . 2008-07-17 15:08 <DIR> d-------- C:\Deckard
2008-07-17 14:38 . 2008-07-17 14:38 <DIR> d-------- C:\WINDOWS\Sun
2008-07-17 14:38 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-17 14:37 . 2008-07-17 14:38 <DIR> d-------- C:\Program Files\Java
2008-07-17 14:36 . 2008-07-17 14:36 <DIR> d-------- C:\Program Files\Common Files\Java
2008-07-17 11:34 . 2008-07-17 11:34 <DIR> d-------- C:\Program Files\Lavasoft
2008-07-17 11:34 . 2008-07-17 11:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-17 11:33 . 2008-07-18 11:37 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-17 11:23 . 2008-07-17 11:23 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-07-17 11:23 . 2008-07-18 12:18 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-16 14:12 . 2008-06-13 12:05 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-07-16 14:12 . 2008-05-08 15:02 203,136 --------- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-07-16 12:51 . 2008-07-16 12:51 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-07-16 12:51 . 2008-07-16 12:51 <DIR> d-------- C:\WINDOWS\system32\en
2008-07-16 12:51 . 2008-07-16 12:51 <DIR> d-------- C:\WINDOWS\system32\bits
2008-07-16 12:51 . 2008-07-16 12:51 <DIR> d-------- C:\WINDOWS\l2schemas
2008-07-16 12:47 . 2008-07-16 12:52 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-07-14 12:16 . 2008-07-16 12:27 <DIR> d-------- C:\Program Files\a-squared Free
2008-07-11 13:02 . 2008-07-11 13:02 <DIR> d-------- C:\WINDOWS\system32\1033
2008-07-10 15:57 . 2008-04-14 01:12 774,144 --------- C:\WINDOWS\system32\dllcache\setup_wm.exe
2008-07-10 15:56 . 2008-04-14 01:12 1,306,624 --------- C:\WINDOWS\system32\msxml6.dll
2008-07-10 15:55 . 2008-04-14 01:10 844,314 --------- C:\WINDOWS\system32\dllcache\msdxm.ocx
2008-07-10 15:54 . 2008-04-14 01:12 695,808 --------- C:\WINDOWS\system32\dllcache\drmv2clt.dll
2008-07-10 14:39 . 2008-07-17 10:01 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-07-09 12:08 . 2008-07-10 15:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-07-07 15:50 . 2008-07-17 13:08 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-07 15:50 . 2008-07-18 13:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-07 15:38 . 2008-07-07 15:38 <DIR> d-------- C:\HJT
2008-07-07 15:21 . 2008-07-07 15:21 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-30 16:20 . 2008-06-30 16:20 <DIR> d-------- C:\Documents and Settings\mira\Application Data\InterVideo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:46 245,248 ------w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:46 147,968 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:51 361,600 ------w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:40 138,496 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 11:08 225,856 ------w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 11:05 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-05 08:47 --------- d-----w C:\Documents and Settings\mira\Application Data\Apple Computer
2008-06-02 16:54 --------- d-----w C:\Program Files\QuickTime
2008-06-02 16:53 --------- d-----w C:\Program Files\Apple Software Update
2008-06-02 16:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-02 16:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-05-16 10:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-09 10:53 90,112 ----a-w C:\WINDOWS\system32\wshext.dll
2008-05-09 10:53 90,112 ------w C:\WINDOWS\system32\dllcache\wshext.dll
2008-05-09 10:53 512,000 ------w C:\WINDOWS\system32\dllcache\jscript.dll
2008-05-09 10:53 430,080 ----a-w C:\WINDOWS\system32\vbscript.dll
2008-05-09 10:53 430,080 ------w C:\WINDOWS\system32\dllcache\vbscript.dll
2008-05-09 10:53 180,224 ----a-w C:\WINDOWS\system32\scrobj.dll
2008-05-09 10:53 180,224 ------w C:\WINDOWS\system32\dllcache\scrobj.dll
2008-05-09 10:53 172,032 ----a-w C:\WINDOWS\system32\scrrun.dll
2008-05-09 10:53 172,032 ------w C:\WINDOWS\system32\dllcache\scrrun.dll
2008-05-08 11:24 155,648 ----a-w C:\WINDOWS\system32\wscript.exe
2008-05-08 11:24 155,648 ------w C:\WINDOWS\system32\dllcache\wscript.exe
2008-05-07 09:07 135,168 ----a-w C:\WINDOWS\system32\cscript.exe
2008-05-07 09:07 135,168 ------w C:\WINDOWS\system32\dllcache\cscript.exe
2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:12 1,288,192 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-23 21:16 3,591,680 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2004-03-15 17:51 114,688 ----a-w C:\Program Files\internet explorer\plugins\LV71ActiveXControl.dll
2003-05-01 09:36 114,688 ----a-w C:\Program Files\internet explorer\plugins\LV7ActiveXControl.dll
2005-10-12 16:04 131,072 ----a-w C:\Program Files\internet explorer\plugins\LV80ActiveXControl.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ibmmessages"="C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" [2004-07-22 11:01 442368]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 01:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dbservices"="scm -Silent 1 -Action 1 -Service mssqlserver" [X]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-07-30 20:03 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-07-30 19:59 118784]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2004-02-05 03:39 897024]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2005-03-04 02:10 94208]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2003-12-25 11:04 208896]
"UC_Start"="C:\Program Files\IBM\Updater\\ucstartup.exe" [2004-06-26 00:39 36864]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 10:01 110592]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-09-02 10:05 127035]
"ibmmessages"="C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe" [2004-07-22 11:01 442368]
"IBMPRC"="C:\IBMTOOLS\UTILS\ibmprc.exe" [2004-03-19 21:12 90112]
"QCTRAY"="C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE" [2005-03-18 12:07 745472]
"QCWLICON"="C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2005-03-18 12:07 86016]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2004-07-29 10:37 110592]
"BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [2004-07-29 10:37 20480]
"BMMMONWND"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2004-07-29 10:37 395776]
"niDevMon"="C:\Program Files\National Instruments\NI-DAQ\HWConfig\nidevmon.exe" [2005-10-06 12:49 263168]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2007-02-22 21:50 112216]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 12:27 136768]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 15:46 172032]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"S3TRAY2"="S3Tray2.exe" [2001-10-12 08:32 69632 C:\WINDOWS\system32\S3Tray2.exe]
"TrackPointSrv"="tp4serv.exe" [2003-11-13 12:12 94208 C:\WINDOWS\system32\tp4serv.exe]
"TP4EX"="tp4ex.exe" [2002-09-04 10:05 53248 C:\WINDOWS\system32\TP4EX.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 01:12 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-10-25 06:29:43 24576]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
2005-03-18 12:07 262144 C:\WINDOWS\system32\QConGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2004-08-13 05:11 24576 C:\WINDOWS\system32\tphklock.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"C:\\Program Files\\IBM\\Updater\\jre\\bin\\java.exe"=
"C:\\Program Files\\IBM\\Updater\\jre\\bin\\javaw.exe"=
"C:\\Program Files\\National Instruments\\LabVIEW 7.1\\LabVIEW.exe"=
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\National Instruments\\MAX\\NIMax.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\National Instruments\\VI Logger\\VILogger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

R0 NIPALK;NIPALK;C:\WINDOWS\system32\drivers\nipalk.sys [2005-09-22 22:12]
R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2005-03-18 12:07]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\drivers\IBMBLDID.SYS [2005-03-18 12:07]
R1 TPPWR;TPPWR;C:\WINDOWS\system32\drivers\Tppwr.sys [2004-07-29 10:37]
R2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys [2004-07-26 11:00]
R2 ibmfilter;ibmfilter;C:\WINDOWS\system32\drivers\ibmfilter.sys [2004-09-24 02:39]
R2 lvalarmk;lvalarmk;C:\WINDOWS\system32\drivers\lvalarmk.dll [2005-07-27 09:58]
R2 mxssvr;NI Configuration Manager;C:\Program Files\National Instruments\MAX\nimxs.exe [2005-10-03 23:52]
R2 niarbk;niarbk;C:\WINDOWS\system32\drivers\niarbk.dll [2005-10-13 10:29]
R2 nibffrk;nibffrk;C:\WINDOWS\system32\drivers\nibffrk.dll [2005-10-13 10:29]
R2 NICitadel5Service;National Instruments Citadel;C:\WINDOWS\system32\nicitdl5.exe [2005-10-14 01:58]
R2 Nidaq32k;Nidaq32k;C:\WINDOWS\system32\drivers\Nidaq32k.sys [2005-10-13 11:17]
R2 nidimk;nidimk;C:\WINDOWS\system32\drivers\nidimk.dll [2005-09-28 22:14]
R2 nidmmk;NI DMM and Data Logger Kernel Driver;C:\WINDOWS\system32\drivers\nidmmk.dll [2005-10-13 11:18]
R2 nidmxfk;nidmxfk;C:\WINDOWS\system32\drivers\nidmxfk.dll [2005-10-13 08:27]
R2 niemrk;niemrk;C:\WINDOWS\system32\drivers\niemrk.dll [2005-10-07 01:19]
R2 nifslk;nifslk;C:\WINDOWS\system32\drivers\nifslk.dll [2005-10-06 12:32]
R2 nimdsk;nimdsk;C:\WINDOWS\system32\drivers\nimdsk.dll [2005-10-13 10:30]
R2 nimxpk;nimxpk;C:\WINDOWS\system32\drivers\nimxpk.dll [2005-10-06 13:31]
R2 nipxirmk;nipxirmk;C:\WINDOWS\system32\drivers\nipxirmk.dll [2005-09-21 12:30]
R2 nistck;nistck;C:\WINDOWS\system32\drivers\nistck.dll [2005-10-13 10:30]
R2 niswdk;niswdk;C:\WINDOWS\system32\drivers\niswdk.dll [2005-10-08 02:08]
R2 NITaggerService;National Instruments Variable Engine;C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe [2005-10-11 16:13]
R2 usb6xxxk;usb6xxxk;C:\WINDOWS\system32\drivers\usb6xxxk.dll [2005-10-07 01:06]
R3 kcanv;Kvaser Virtual CAN Driver;C:\WINDOWS\system32\drivers\kcanv.sys [2005-11-09 13:52]
R3 kcanx;Kvaser LAPcan Family Driver;C:\WINDOWS\system32\drivers\kcanx.sys [2005-11-09 13:52]
R3 nicdrk;nicdrk;C:\WINDOWS\system32\drivers\nicdrk.dll [2005-10-06 12:56]
R3 nimdbgk;nimdbgk;C:\WINDOWS\system32\drivers\nimdbgk.dll [2005-09-28 21:07]
R3 nimru2k;nimru2k;C:\WINDOWS\system32\drivers\nimru2k.dll [2005-09-28 22:54]
R3 nimsdrk;nimsdrk;C:\WINDOWS\system32\drivers\nimsdrk.dll [2005-10-06 13:19]
R3 nimstsk;nimstsk;C:\WINDOWS\system32\drivers\nimstsk.dll [2005-10-06 13:25]
R3 nimxdfk;nimxdfk;C:\WINDOWS\system32\drivers\nimxdfk.dll [2005-09-28 21:52]
R3 niorbk;niorbk;C:\WINDOWS\system32\drivers\niorbk.dll [2005-10-06 17:22]
R3 niscdk;niscdk;C:\WINDOWS\system32\drivers\niscdk.dll [2005-10-06 13:07]
R3 Tp4Track;IBM PS/2 TrackPoint Driver;C:\WINDOWS\system32\DRIVERS\tp4track.sys [2003-11-13 12:12]
S3 nidsark;nidsark;C:\WINDOWS\system32\drivers\nidsark.dll [2005-10-06 13:14]
S3 niesrk;niesrk;C:\WINDOWS\system32\drivers\niesrk.dll [2005-10-07 01:19]
S3 nimslk;nimslk;C:\WINDOWS\system32\drivers\nimslk.dll [2005-10-06 02:00]
S3 nimsrlk;nimsrlk;C:\WINDOWS\system32\drivers\nimsrlk.dll [2005-10-06 02:00]
S3 nipalusb;NI-PAL USB Driver;C:\WINDOWS\system32\DRIVERS\nipalusb.sys [2005-09-22 22:13]
S3 nisdigk;nisdigk;C:\WINDOWS\system32\drivers\nisdigk.dll [2005-10-07 01:06]
S3 nisftk;nisftk;C:\WINDOWS\system32\drivers\nisftk.dll [2005-10-06 12:48]
S3 nispdk;nispdk;C:\WINDOWS\system32\drivers\nispdk.dll [2005-10-06 13:07]
S3 nissrk;nissrk;C:\WINDOWS\system32\drivers\nissrk.dll [2005-10-07 01:20]
S3 nistc2k;nistc2k;C:\WINDOWS\system32\drivers\nistc2k.dll [2005-10-06 13:03]
S3 nistcrk;nistcrk;C:\WINDOWS\system32\drivers\nistcrk.dll [2005-10-10 21:07]
S3 nitiork;nitiork;C:\WINDOWS\system32\drivers\nitiork.dll [2005-10-07 01:54]
S3 niwfrk;niwfrk;C:\WINDOWS\system32\drivers\niwfrk.dll [2005-10-07 01:20]
S3 nixsrk;nixsrk;C:\WINDOWS\system32\drivers\nixsrk.dll [2005-10-07 01:20]
S3 QCNDISIF;QCNDISIF;C:\WINDOWS\system32\drivers\qcndisif.SYS [2005-03-18 12:07]
S3 VisionUsb;ATI VISION USB Driver;C:\WINDOWS\system32\Drivers\vsnusb.sys [2007-09-25 10:48]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{23707361-8703-11dc-89fd-000ae43a325b}]
\Shell\AutoRun\command - F:\USBNB.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{737b7345-a70e-11dc-8a19-000ae43a325b}]
\Shell\AutoRun\command - E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a586c856-a7ce-11dc-8a1a-000ae43a325b}]
\Shell\Auto\command - nlopfuwja.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL nlopfuwja.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - NIPALK
.
Contents of the 'Scheduled Tasks' folder
"2008-06-02 16:53:21 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-12 16:17:44 C:\WINDOWS\Tasks\BMMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\BMMTASK.EXE
"2005-11-17 15:35:55 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-23 11:43:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tphklock.dll
.
Completion time: 2008-07-23 11:46:04
ComboFix-quarantined-files.txt 2008-07-23 10:46:00
ComboFix2.txt 2008-07-22 09:22:01

Pre-Run: 36,475,662,336 bytes free
Post-Run: 36,495,560,704 bytes free

239 --- E O F --- 2008-07-17 09:12:49


----------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:48:25, on 23/07/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\National Instruments\MAX\nimxs.exe
C:\WINDOWS\system32\nicitdl5.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\nipalsm.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\tp4serv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\National Instruments\NI-DAQ\HWConfig\nidevmon.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\fixit.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lboro.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [QCTRAY] C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [dbservices] scm -Silent 1 -Action 1 -Service mssqlserver
O4 - HKLM\..\Run: [niDevMon] C:\Program Files\National Instruments\NI-DAQ\HWConfig\nidevmon.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jd...ows-i586-jc.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: NI Configuration Manager (mxssvr) - National Instruments Corporation - C:\Program Files\National Instruments\MAX\nimxs.exe
O23 - Service: National Instruments Citadel (NICitadel5Service) - National Instruments, Inc. - C:\WINDOWS\system32\nicitdl5.exe
O23 - Service: nidevldu - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NILM License Manager (NILM License manager) - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: nipxirmu - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: National Instruments Variable Engine (NITaggerService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

--
End of file - 10195 bytes

#8 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:08:53 AM

Posted 23 July 2008 - 07:44 AM

Hi s_tup_auto,


Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a586c856-a7ce-11dc-8a1a-000ae43a325b}]


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
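The CFScript above deletes one cached autorun key under MountPoints2 by hand. The following is an added example, not code from SifuMike, ComboFix or anyone in this thread, that shows how a helper could pick that key out of a ComboFix "Reg Loading Points" section automatically: it parses the MountPoints2 entries, flags the ones whose cached command uses a shell verb other than AutoRun, launches through rundll32 ShellExec_RunDLL, or names an executable with no path at all (the three traits visible in the log posted earlier), and emits the same "Registry::" delete block. The sample input is constructed from the MountPoints2 lines in this thread; the flagging heuristics are this example's own assumptions, not rules ComboFix applies.

```python
import re

# Constructed sample input: the MountPoints2 portion of a ComboFix
# "Reg Loading Points" section, copied in shape from the log in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{23707361-8703-11dc-89fd-000ae43a325b}]
\Shell\AutoRun\command - F:\USBNB.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a586c856-a7ce-11dc-8a1a-000ae43a325b}]
\Shell\Auto\command - nlopfuwja.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL nlopfuwja.exe
"""

# A registry key header whose path runs through MountPoints2
KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]*\\mountpoints2\\[^\]]+)\]$", re.IGNORECASE)
# A cached autorun command line as ComboFix prints it: \Shell\<verb>\command - <cmd>
CMD_RE = re.compile(r"^\\Shell\\(?P<verb>[^\\]+)\\command - (?P<cmd>.+)$", re.IGNORECASE)


def parse_mountpoints(text):
    """Return [(key, verb, command), ...] for every cached command under MountPoints2."""
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            continue
        if line.startswith("["):
            current = None  # some other key: stop attributing lines to MountPoints2
            continue
        m = CMD_RE.match(line)
        if m and current:
            entries.append((current, m.group("verb"), m.group("cmd")))
    return entries


def first_token(cmd):
    """The program a command line starts with (quoted or first whitespace-separated word)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def has_full_path(token):
    """True for drive-letter or UNC paths; bare file names return False."""
    return re.match(r"^[A-Za-z]:\\", token) is not None or token.startswith("\\\\")


def reasons_for(verb, cmd):
    """Heuristic flags (assumptions of this example) for one cached autorun command."""
    reasons = []
    if verb.lower() != "autorun":
        reasons.append(f"non-standard shell verb '{verb}'")
    if "shellexec_rundll" in cmd.lower():
        reasons.append("launches via rundll32 ShellExec_RunDLL")
        target = cmd.split()[-1]  # the real payload is the last argument, not rundll32
    else:
        target = first_token(cmd)
    if not has_full_path(target):
        reasons.append(f"executable '{target}' named without any path (autorun-style, relative to the drive)")
    return reasons


def suspicious_keys(text):
    """Map each MountPoints2 key to the reasons its cached commands look suspicious."""
    found = {}
    for key, verb, cmd in parse_mountpoints(text):
        for r in reasons_for(verb, cmd):
            found.setdefault(key, []).append(f"{verb}: {r}")
    return found


def cfscript_for(keys):
    """Build a CFScript 'Registry::' block; [-KEY] is the .reg-file syntax for deleting a key."""
    return "\n".join(["Registry::"] + [f"[-{k}]" for k in keys]) + "\n"


if __name__ == "__main__":
    flagged = suspicious_keys(SAMPLE_LOG)
    for key, why in flagged.items():
        print(key)
        for w in why:
            print("   -", w)
    print(cfscript_for(flagged))
```

Run against the constructed sample, only the `{a586c856-...}` key is flagged (four reasons across its two commands) and the generated block is the same one-line Registry:: script given above; the two keys that launch `LaunchU3.exe` and `USBNB.exe` by full drive path pass, which is why a reviewer still reads the output rather than deleting every MountPoints2 key a scan lists.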

#9 s_tup_auto

s_tup_auto
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:04:53 PM

Posted 23 July 2008 - 11:13 AM

Hi There,

Logs as requested,

Cheers

S

---------------------------


ComboFix 08-07-21.2 - mira 2008-07-23 17:04:44.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.252 [GMT 1:00]
Running from: C:\Documents and Settings\mira\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\mira\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-06-23 to 2008-07-23 )))))))))))))))))))))))))))))))
.

2008-07-23 13:50 . 2008-04-14 01:12 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-07-18 13:36 . 2008-07-18 13:36 <DIR> d-------- C:\Program Files\CCleaner
2008-07-18 11:38 . 2008-07-18 11:38 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-07-18 11:38 . 2008-07-18 11:38 <DIR> d-------- C:\Documents and Settings\mira\Application Data\SUPERAntiSpyware.com
2008-07-18 11:38 . 2008-07-18 11:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-17 16:09 . 2008-07-17 16:09 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-17 16:09 . 2008-07-17 16:09 <DIR> d-------- C:\Documents and Settings\mira\Application Data\Malwarebytes
2008-07-17 16:09 . 2008-07-17 16:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-17 16:09 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-17 16:09 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-17 15:08 . 2008-07-17 15:08 <DIR> d-------- C:\Deckard
2008-07-17 14:38 . 2008-07-17 14:38 <DIR> d-------- C:\WINDOWS\Sun
2008-07-17 14:38 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-17 14:37 . 2008-07-17 14:38 <DIR> d-------- C:\Program Files\Java
2008-07-17 14:36 . 2008-07-17 14:36 <DIR> d-------- C:\Program Files\Common Files\Java
2008-07-17 11:34 . 2008-07-17 11:34 <DIR> d-------- C:\Program Files\Lavasoft
2008-07-17 11:34 . 2008-07-17 11:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-17 11:33 . 2008-07-18 11:37 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-17 11:23 . 2008-07-17 11:23 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-07-17 11:23 . 2008-07-18 12:18 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-16 14:12 . 2008-06-13 12:05 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-07-16 14:12 . 2008-05-08 15:02 203,136 --------- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-07-16 12:51 . 2008-07-16 12:51 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-07-16 12:51 . 2008-07-16 12:51 <DIR> d-------- C:\WINDOWS\system32\en
2008-07-16 12:51 . 2008-07-16 12:51 <DIR> d-------- C:\WINDOWS\system32\bits
2008-07-16 12:51 . 2008-07-16 12:51 <DIR> d-------- C:\WINDOWS\l2schemas
2008-07-16 12:47 . 2008-07-16 12:52 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-07-14 12:16 . 2008-07-16 12:27 <DIR> d-------- C:\Program Files\a-squared Free
2008-07-11 13:02 . 2008-07-11 13:02 <DIR> d-------- C:\WINDOWS\system32\1033
2008-07-10 15:57 . 2008-04-14 01:12 774,144 --------- C:\WINDOWS\system32\dllcache\setup_wm.exe
2008-07-10 15:56 . 2008-04-14 01:12 1,306,624 --------- C:\WINDOWS\system32\msxml6.dll
2008-07-10 15:55 . 2008-04-14 01:10 844,314 --------- C:\WINDOWS\system32\dllcache\msdxm.ocx
2008-07-10 15:54 . 2008-04-14 01:12 695,808 --------- C:\WINDOWS\system32\dllcache\drmv2clt.dll
2008-07-10 14:39 . 2008-07-17 10:01 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-07-09 12:08 . 2008-07-10 15:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-07-07 15:50 . 2008-07-17 13:08 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-07 15:50 . 2008-07-18 13:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-07 15:38 . 2008-07-07 15:38 <DIR> d-------- C:\HJT
2008-07-07 15:21 . 2008-07-07 15:21 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-30 16:20 . 2008-06-30 16:20 <DIR> d-------- C:\Documents and Settings\mira\Application Data\InterVideo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:46 245,248 ------w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:46 147,968 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:51 361,600 ------w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:40 138,496 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 11:08 225,856 ------w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 11:05 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-05 08:47 --------- d-----w C:\Documents and Settings\mira\Application Data\Apple Computer
2008-06-02 16:54 --------- d-----w C:\Program Files\QuickTime
2008-06-02 16:53 --------- d-----w C:\Program Files\Apple Software Update
2008-06-02 16:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-02 16:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-05-16 10:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-09 10:53 90,112 ----a-w C:\WINDOWS\system32\wshext.dll
2008-05-09 10:53 90,112 ------w C:\WINDOWS\system32\dllcache\wshext.dll
2008-05-09 10:53 512,000 ------w C:\WINDOWS\system32\dllcache\jscript.dll
2008-05-09 10:53 430,080 ----a-w C:\WINDOWS\system32\vbscript.dll
2008-05-09 10:53 430,080 ------w C:\WINDOWS\system32\dllcache\vbscript.dll
2008-05-09 10:53 180,224 ----a-w C:\WINDOWS\system32\scrobj.dll
2008-05-09 10:53 180,224 ------w C:\WINDOWS\system32\dllcache\scrobj.dll
2008-05-09 10:53 172,032 ----a-w C:\WINDOWS\system32\scrrun.dll
2008-05-09 10:53 172,032 ------w C:\WINDOWS\system32\dllcache\scrrun.dll
2008-05-08 11:24 155,648 ----a-w C:\WINDOWS\system32\wscript.exe
2008-05-08 11:24 155,648 ------w C:\WINDOWS\system32\dllcache\wscript.exe
2008-05-07 09:07 135,168 ----a-w C:\WINDOWS\system32\cscript.exe
2008-05-07 09:07 135,168 ------w C:\WINDOWS\system32\dllcache\cscript.exe
2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:12 1,288,192 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-23 21:16 3,591,680 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2004-03-15 17:51 114,688 ----a-w C:\Program Files\internet explorer\plugins\LV71ActiveXControl.dll
2003-05-01 09:36 114,688 ----a-w C:\Program Files\internet explorer\plugins\LV7ActiveXControl.dll
2005-10-12 16:04 131,072 ----a-w C:\Program Files\internet explorer\plugins\LV80ActiveXControl.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ibmmessages"="C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" [2004-07-22 11:01 442368]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 01:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dbservices"="scm -Silent 1 -Action 1 -Service mssqlserver" [X]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-07-30 20:03 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-07-30 19:59 118784]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2004-02-05 03:39 897024]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2005-03-04 02:10 94208]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2003-12-25 11:04 208896]
"UC_Start"="C:\Program Files\IBM\Updater\\ucstartup.exe" [2004-06-26 00:39 36864]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 10:01 110592]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-09-02 10:05 127035]
"ibmmessages"="C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe" [2004-07-22 11:01 442368]
"IBMPRC"="C:\IBMTOOLS\UTILS\ibmprc.exe" [2004-03-19 21:12 90112]
"QCTRAY"="C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE" [2005-03-18 12:07 745472]
"QCWLICON"="C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2005-03-18 12:07 86016]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2004-07-29 10:37 110592]
"BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [2004-07-29 10:37 20480]
"BMMMONWND"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2004-07-29 10:37 395776]
"niDevMon"="C:\Program Files\National Instruments\NI-DAQ\HWConfig\nidevmon.exe" [2005-10-06 12:49 263168]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2007-02-22 21:50 112216]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 12:27 136768]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 15:46 172032]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"S3TRAY2"="S3Tray2.exe" [2001-10-12 08:32 69632 C:\WINDOWS\system32\S3Tray2.exe]
"TrackPointSrv"="tp4serv.exe" [2003-11-13 12:12 94208 C:\WINDOWS\system32\tp4serv.exe]
"TP4EX"="tp4ex.exe" [2002-09-04 10:05 53248 C:\WINDOWS\system32\TP4EX.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 01:12 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-10-25 06:29:43 24576]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
2005-03-18 12:07 262144 C:\WINDOWS\system32\QConGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2004-08-13 05:11 24576 C:\WINDOWS\system32\tphklock.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"C:\\Program Files\\IBM\\Updater\\jre\\bin\\java.exe"=
"C:\\Program Files\\IBM\\Updater\\jre\\bin\\javaw.exe"=
"C:\\Program Files\\National Instruments\\LabVIEW 7.1\\LabVIEW.exe"=
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\National Instruments\\MAX\\NIMax.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\National Instruments\\VI Logger\\VILogger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

R0 NIPALK;NIPALK;C:\WINDOWS\system32\drivers\nipalk.sys [2005-09-22 22:12]
R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2005-03-18 12:07]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\drivers\IBMBLDID.SYS [2005-03-18 12:07]
R1 TPPWR;TPPWR;C:\WINDOWS\system32\drivers\Tppwr.sys [2004-07-29 10:37]
R2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys [2004-07-26 11:00]
R2 ibmfilter;ibmfilter;C:\WINDOWS\system32\drivers\ibmfilter.sys [2004-09-24 02:39]
R2 lvalarmk;lvalarmk;C:\WINDOWS\system32\drivers\lvalarmk.dll [2005-07-27 09:58]
R2 mxssvr;NI Configuration Manager;C:\Program Files\National Instruments\MAX\nimxs.exe [2005-10-03 23:52]
R2 niarbk;niarbk;C:\WINDOWS\system32\drivers\niarbk.dll [2005-10-13 10:29]
R2 nibffrk;nibffrk;C:\WINDOWS\system32\drivers\nibffrk.dll [2005-10-13 10:29]
R2 NICitadel5Service;National Instruments Citadel;C:\WINDOWS\system32\nicitdl5.exe [2005-10-14 01:58]
R2 Nidaq32k;Nidaq32k;C:\WINDOWS\system32\drivers\Nidaq32k.sys [2005-10-13 11:17]
R2 nidimk;nidimk;C:\WINDOWS\system32\drivers\nidimk.dll [2005-09-28 22:14]
R2 nidmmk;NI DMM and Data Logger Kernel Driver;C:\WINDOWS\system32\drivers\nidmmk.dll [2005-10-13 11:18]
R2 nidmxfk;nidmxfk;C:\WINDOWS\system32\drivers\nidmxfk.dll [2005-10-13 08:27]
R2 niemrk;niemrk;C:\WINDOWS\system32\drivers\niemrk.dll [2005-10-07 01:19]
R2 nifslk;nifslk;C:\WINDOWS\system32\drivers\nifslk.dll [2005-10-06 12:32]
R2 nimdsk;nimdsk;C:\WINDOWS\system32\drivers\nimdsk.dll [2005-10-13 10:30]
R2 nimxpk;nimxpk;C:\WINDOWS\system32\drivers\nimxpk.dll [2005-10-06 13:31]
R2 nipxirmk;nipxirmk;C:\WINDOWS\system32\drivers\nipxirmk.dll [2005-09-21 12:30]
R2 nistck;nistck;C:\WINDOWS\system32\drivers\nistck.dll [2005-10-13 10:30]
R2 niswdk;niswdk;C:\WINDOWS\system32\drivers\niswdk.dll [2005-10-08 02:08]
R2 NITaggerService;National Instruments Variable Engine;C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe [2005-10-11 16:13]
R2 usb6xxxk;usb6xxxk;C:\WINDOWS\system32\drivers\usb6xxxk.dll [2005-10-07 01:06]
R3 kcanv;Kvaser Virtual CAN Driver;C:\WINDOWS\system32\drivers\kcanv.sys [2005-11-09 13:52]
R3 kcanx;Kvaser LAPcan Family Driver;C:\WINDOWS\system32\drivers\kcanx.sys [2005-11-09 13:52]
R3 nicdrk;nicdrk;C:\WINDOWS\system32\drivers\nicdrk.dll [2005-10-06 12:56]
R3 nimdbgk;nimdbgk;C:\WINDOWS\system32\drivers\nimdbgk.dll [2005-09-28 21:07]
R3 nimru2k;nimru2k;C:\WINDOWS\system32\drivers\nimru2k.dll [2005-09-28 22:54]
R3 nimsdrk;nimsdrk;C:\WINDOWS\system32\drivers\nimsdrk.dll [2005-10-06 13:19]
R3 nimstsk;nimstsk;C:\WINDOWS\system32\drivers\nimstsk.dll [2005-10-06 13:25]
R3 nimxdfk;nimxdfk;C:\WINDOWS\system32\drivers\nimxdfk.dll [2005-09-28 21:52]
R3 niorbk;niorbk;C:\WINDOWS\system32\drivers\niorbk.dll [2005-10-06 17:22]
R3 niscdk;niscdk;C:\WINDOWS\system32\drivers\niscdk.dll [2005-10-06 13:07]
R3 Tp4Track;IBM PS/2 TrackPoint Driver;C:\WINDOWS\system32\DRIVERS\tp4track.sys [2003-11-13 12:12]
S3 nidsark;nidsark;C:\WINDOWS\system32\drivers\nidsark.dll [2005-10-06 13:14]
S3 niesrk;niesrk;C:\WINDOWS\system32\drivers\niesrk.dll [2005-10-07 01:19]
S3 nimslk;nimslk;C:\WINDOWS\system32\drivers\nimslk.dll [2005-10-06 02:00]
S3 nimsrlk;nimsrlk;C:\WINDOWS\system32\drivers\nimsrlk.dll [2005-10-06 02:00]
S3 nipalusb;NI-PAL USB Driver;C:\WINDOWS\system32\DRIVERS\nipalusb.sys [2005-09-22 22:13]
S3 nisdigk;nisdigk;C:\WINDOWS\system32\drivers\nisdigk.dll [2005-10-07 01:06]
S3 nisftk;nisftk;C:\WINDOWS\system32\drivers\nisftk.dll [2005-10-06 12:48]
S3 nispdk;nispdk;C:\WINDOWS\system32\drivers\nispdk.dll [2005-10-06 13:07]
S3 nissrk;nissrk;C:\WINDOWS\system32\drivers\nissrk.dll [2005-10-07 01:20]
S3 nistc2k;nistc2k;C:\WINDOWS\system32\drivers\nistc2k.dll [2005-10-06 13:03]
S3 nistcrk;nistcrk;C:\WINDOWS\system32\drivers\nistcrk.dll [2005-10-10 21:07]
S3 nitiork;nitiork;C:\WINDOWS\system32\drivers\nitiork.dll [2005-10-07 01:54]
S3 niwfrk;niwfrk;C:\WINDOWS\system32\drivers\niwfrk.dll [2005-10-07 01:20]
S3 nixsrk;nixsrk;C:\WINDOWS\system32\drivers\nixsrk.dll [2005-10-07 01:20]
S3 QCNDISIF;QCNDISIF;C:\WINDOWS\system32\drivers\qcndisif.SYS [2005-03-18 12:07]
S3 VisionUsb;ATI VISION USB Driver;C:\WINDOWS\system32\Drivers\vsnusb.sys [2007-09-25 10:48]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{23707361-8703-11dc-89fd-000ae43a325b}]
\Shell\AutoRun\command - F:\USBNB.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{737b7345-a70e-11dc-8a19-000ae43a325b}]
\Shell\AutoRun\command - E:\LaunchU3.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - NIPALK
.
Contents of the 'Scheduled Tasks' folder
"2008-06-02 16:53:21 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-12 16:17:44 C:\WINDOWS\Tasks\BMMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\BMMTASK.EXE
"2005-11-17 15:35:55 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-23 17:07:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tphklock.dll
.
Completion time: 2008-07-23 17:09:41
ComboFix-quarantined-files.txt 2008-07-23 16:09:38
ComboFix2.txt 2008-07-23 10:46:05
ComboFix3.txt 2008-07-22 09:22:01

Pre-Run: 36,486,942,720 bytes free
Post-Run: 36,468,453,376 bytes free

234 --- E O F --- 2008-07-17 09:12:49


-----------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:10:44, on 23/07/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\National Instruments\MAX\nimxs.exe
C:\WINDOWS\system32\nicitdl5.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\nipalsm.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\tp4serv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\National Instruments\NI-DAQ\HWConfig\nidevmon.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\fixit.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lboro.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [QCTRAY] C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [dbservices] scm -Silent 1 -Action 1 -Service mssqlserver
O4 - HKLM\..\Run: [niDevMon] C:\Program Files\National Instruments\NI-DAQ\HWConfig\nidevmon.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jd...ows-i586-jc.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: NI Configuration Manager (mxssvr) - National Instruments Corporation - C:\Program Files\National Instruments\MAX\nimxs.exe
O23 - Service: National Instruments Citadel (NICitadel5Service) - National Instruments, Inc. - C:\WINDOWS\system32\nicitdl5.exe
O23 - Service: nidevldu - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NILM License Manager (NILM License manager) - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: nipxirmu - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: National Instruments Variable Engine (NITaggerService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

--
End of file - 10195 bytes

#10 SifuMike
  • malware expert
  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 23 July 2008 - 02:07 PM

Hi s_tup_auto,

Your log looks clean! :thumbsup: Good job on the cleanup!


Uninstall ComboFix, go to Start > Run & type in ComboFix /u
Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete any of its related folders and files (Qoobox, VundoFix Backups, Avenger, Deckard, _OTMoveIt), reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Please read and follow 'How did I get infected?, With steps so it does not happen again!'
as well as
'How to prevent Malware' by miekiemoes


If you want to improve speed/system performance after malware removal, take a look here
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 s_tup_auto
  • Topic Starter
  • Members
  • 6 posts

Posted 24 July 2008 - 05:25 AM

Thanks SifuMike,

PC seems to be back to normal...!

Good to have help like this available online. I'll definitely be more careful about downloading codecs from now on.


Cheers

S

#12 SifuMike
  • malware expert
  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 24 July 2008 - 08:26 AM

Hope your computer continues to run smoothly. :thumbsup:

#13 SifuMike
  • malware expert
  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 02 August 2008 - 03:01 PM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.