Trojan.agent Infection


This topic is locked
19 replies to this topic

#1 keetso


Posted 12 September 2008 - 12:38 PM

Hello.

I was recently infected with a trojan that continuously (every 15 seconds or so) delivered a pop up box telling me that I was infected with a myriad of (non-existent) viruses. After finding this fine page, I downloaded and ran Malwarebytes' Anti-Malware program which seems to have eliminated the annoying popups.

However, I'm now regularly receiving the following message:

Windows Security Alert
Warning: Your current Antivirus protection is not effective
Your system is currently sending private information and documents to a remote computer.
One of these processes (xsearch.dll) has just sent the following information
- windows/system32

After working with "quietman7" in the "Am I Infected? What Do I Do?" forum, I was advised by him to submit a HijackThis log.


Please help as I'm at my wit's end as to what to do next.

Thanks in advance!


-----------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:30, on 2008-09-12
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\Program Files\RIM Secure VPN Solution\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINDOWS\system32\CBA\pds.exe
C:\WINDOWS\system32\userinit.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\Program Files\iPass\iPassConnect Corporate\iPassPeriodicUpdateService.exe
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
C:\Program Files\LANDesk\LDClient\policy.client.invoker.exe
C:\Program Files\LANDesk\LDClient\amtmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\LANDesk\LDClient\softmon.exe
C:\PROGRA~1\LANDesk\LDClient\collector.exe
C:\PROGRA~1\LANDesk\LDClient\LDregwatch.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\PROGRA~1\LANDesk\LDClient\rcgui.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\userinit.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMLCHK.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\iPass\iPassConnect Corporate\iPassPeriodicUpdateApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://insiderim/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [LPMailChecker] C:\PROGRA~1\THINKV~1\PrdCtr\LPMLCHK.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.bbse-is
O15 - Trusted Zone: http://*.bbse-is
O15 - Trusted Zone: *.beta.bbse-is
O15 - Trusted Zone: http://*.beta.bbse-is
O15 - Trusted Zone: *.eval.bbse-is
O15 - Trusted Zone: http://*.eval.bbse-is
O15 - Trusted Zone: *.evna
O15 - Trusted Zone: *.evna01
O15 - Trusted Zone: http://*.evna01
O15 - Trusted Zone: *.evna02
O15 - Trusted Zone: http://*.evna02
O15 - Trusted Zone: *.evna03
O15 - Trusted Zone: http://*.evna03
O15 - Trusted Zone: *.evna04
O15 - Trusted Zone: http://*.evna04
O15 - Trusted Zone: *.evna05
O15 - Trusted Zone: http://*.evna05
O15 - Trusted Zone: *.evs98ykf
O15 - Trusted Zone: http://*.insiderim
O15 - Trusted Zone: http://*.insite
O15 - Trusted Zone: http://*.intranet
O15 - Trusted Zone: *.mantis.bbse-is
O15 - Trusted Zone: http://*.mantis.bbse-is
O15 - Trusted Zone: *.pstimport
O15 - Trusted Zone: http://bbse-is.rim.net
O15 - Trusted Zone: http://beta.bbse-is.rim.net
O15 - Trusted Zone: http://epm.rim.net
O15 - Trusted Zone: http://epmqa.rim.net
O15 - Trusted Zone: http://epmqars.rim.net
O15 - Trusted Zone: http://epmrs.rim.net
O15 - Trusted Zone: http://eval.bbse-is.rim.net
O15 - Trusted Zone: evna.rim.net
O15 - Trusted Zone: http://insiderim.rim.net
O15 - Trusted Zone: http://insite.rim.net
O15 - Trusted Zone: http://intranet.rim.net
O15 - Trusted Zone: http://mantis.bbse-is.rim.net
O15 - Trusted Zone: http://otasl.support.bbse-is.rim.net
O15 - Trusted Zone: http://portal.rim.net
O15 - Trusted Zone: otasl.support.bbse-is
O15 - Trusted Zone: http://otasl.support.bbse-is
O15 - Trusted Zone: *.bbse-is (HKLM)
O15 - Trusted Zone: http://*.bbse-is (HKLM)
O15 - Trusted Zone: *.beta.bbse-is (HKLM)
O15 - Trusted Zone: http://*.beta.bbse-is (HKLM)
O15 - Trusted Zone: *.eval.bbse-is (HKLM)
O15 - Trusted Zone: http://*.eval.bbse-is (HKLM)
O15 - Trusted Zone: *.evna (HKLM)
O15 - Trusted Zone: *.evna01 (HKLM)
O15 - Trusted Zone: *.evna02 (HKLM)
O15 - Trusted Zone: *.evna03 (HKLM)
O15 - Trusted Zone: *.evna04 (HKLM)
O15 - Trusted Zone: *.evna05 (HKLM)
O15 - Trusted Zone: *.evs98ykf (HKLM)
O15 - Trusted Zone: http://*.insiderim (HKLM)
O15 - Trusted Zone: http://*.insite (HKLM)
O15 - Trusted Zone: http://*.intranet (HKLM)
O15 - Trusted Zone: *.mantis.bbse-is (HKLM)
O15 - Trusted Zone: http://*.mantis.bbse-is (HKLM)
O15 - Trusted Zone: *.pstimport (HKLM)
O15 - Trusted Zone: http://bbse-is.rim.net (HKLM)
O15 - Trusted Zone: http://beta.bbse-is.rim.net (HKLM)
O15 - Trusted Zone: http://epm.rim.net (HKLM)
O15 - Trusted Zone: http://epmqa.rim.net (HKLM)
O15 - Trusted Zone: http://epmqars.rim.net (HKLM)
O15 - Trusted Zone: http://epmrs.rim.net (HKLM)
O15 - Trusted Zone: http://eval.bbse-is.rim.net (HKLM)
O15 - Trusted Zone: evna.rim.net (HKLM)
O15 - Trusted Zone: http://insiderim.rim.net (HKLM)
O15 - Trusted Zone: http://insite.rim.net (HKLM)
O15 - Trusted Zone: http://intranet.rim.net (HKLM)
O15 - Trusted Zone: http://mantis.bbse-is.rim.net (HKLM)
O15 - Trusted Zone: http://otasl.support.bbse-is.rim.net (HKLM)
O15 - Trusted Zone: http://portal.rim.net (HKLM)
O15 - Trusted Zone: otasl.support.bbse-is (HKLM)
O15 - Trusted Zone: http://otasl.support.bbse-is (HKLM)
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - http://www-307.ibm.com/pc/support/acpir.cab
O16 - DPF: {4788DE0A-3552-49EA-AC8C-233DA52523B9} (AxLoaderPassword Class) - http://www.blackberry.com/devicesoftware/AxLoader.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...wlscbase370.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1192157923875
O16 - DPF: {6F0892F7-0D44-41C3-BF07-7599873FAA04} (Crystal ActiveX Report Viewer Control 11.5) - http://wrp11ykf/crystalreportviewers115/Ac...tiveXViewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = rim.net
O17 - HKLM\Software\..\Telephony: DomainName = rim.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = rim.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = rim.net
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = rim.net
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: LANDesk® Management Agent (CBA8) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\Shared Files\residentagent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Research In Motion VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\RIM Secure VPN Solution\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: Intel Local Scheduler Service - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\tmcsvc.exe
O23 - Service: iPassConnectEngine - iPass, Inc. - C:\Program Files\iPass\iPassConnect Corporate\iPassConnectEngine.exe
O23 - Service: iPassPeriodicUpdateApp - iPass, Inc. - C:\Program Files\iPass\iPassConnect Corporate\iPassPeriodicUpdateApp.exe
O23 - Service: iPassPeriodicUpdateService - iPass, Inc. - C:\Program Files\iPass\iPassConnect Corporate\iPassPeriodicUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LANDesk Remote Control Service (ISSUSER) - LANDesk Software, Ltd. - C:\PROGRA~1\LANDesk\LDClient\issuser.exe
O23 - Service: LANDesk Policy Invoker - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\policy.client.invoker.exe
O23 - Service: LANDesk® Out-of-Band Monitor Service - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\amtmon.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Power Manager DBC Service - Unknown owner - C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: LANDesk® Software Monitoring Service (Softmon) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\softmon.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: tvtnetwk - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe

--
End of file - 20870 bytes
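As an added example (not from the original post, and not part of the HijackThis tool itself), a small Python helper that parses lines in the HijackThis v2 format shown above and surfaces the entry types a log reviewer usually checks first: unresolved startup shortcuts, wildcard Trusted Zone entries, Winlogon Notify DLLs that are missing on disk, and services with no recognised vendor. The sample lines are constructed to mirror the shapes of entries in the log, and the function and flag names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample input: a few lines in the HijackThis v2.0.2 format seen in the
# log above (R1, O2, O4, O15, O20, O23). The values are illustrative, not a real scan.
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://insiderim/
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Global Startup: VPN Client.lnk = ?
O15 - Trusted Zone: http://*.intranet
O15 - Trusted Zone: *.pstimport (HKLM)
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Every HijackThis item starts with a section code (R0-R3, F0-F3, O1-O24) and " - ".
SECTION_RE = re.compile(r"^([RF]\d|O\d{1,2}) - (.*)$")
# O23 lines read "Service: <display name> - <vendor or 'Unknown owner'> - <image path>".
SERVICE_RE = re.compile(r"^Service: (.+?) - (.+?) - (.+)$")


@dataclass
class Entry:
    section: str
    detail: str
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line into an Entry, attaching review flags (flag names are my own)."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return None  # process-list, header and footer lines are not items
    section, detail = m.group(1), m.group(2)
    entry = Entry(section, detail)

    if section == "O4" and detail.endswith("= ?"):
        # HijackThis could not resolve the shortcut target; a reviewer locates it by hand.
        entry.flags.append("startup-target-unresolved")
    elif section == "O15" and detail.startswith("Trusted Zone: "):
        zone = detail[len("Trusted Zone: "):].replace(" (HKLM)", "")
        if "*" in zone:
            # A wildcard extends IE's Trusted Zone to every host under that suffix.
            entry.flags.append("trusted-zone-wildcard")
    elif section == "O20" and detail.endswith("(file missing)"):
        # A Winlogon Notify package is registered but its DLL is absent on disk.
        entry.flags.append("winlogon-notify-file-missing")
    elif section == "O23":
        sm = SERVICE_RE.match(detail)
        if sm and sm.group(2) == "Unknown owner":
            # The service binary carries no recognised vendor; verify the image path.
            entry.flags.append("service-unknown-owner")
    return entry


def parse_log(text: str) -> List[Entry]:
    """Return all parsed items in file order, ignoring non-item lines."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def flagged(text: str) -> List[Tuple[str, str, List[str]]]:
    """Only the items that picked up at least one review flag."""
    return [(e.section, e.detail, e.flags) for e in parse_log(text) if e.flags]


def section_counts(text: str) -> Dict[str, int]:
    """Items per section, e.g. to notice an unusually long O15 Trusted Zone list."""
    counts: Dict[str, int] = {}
    for e in parse_log(text):
        counts[e.section] = counts.get(e.section, 0) + 1
    return counts


if __name__ == "__main__":
    for section, detail, flags in flagged(SAMPLE_LOG):
        print(f"{section:<4} {', '.join(flags):<30} {detail}")
    print(section_counts(SAMPLE_LOG))
```

A flag only means "look at this entry"; whether a flagged item is legitimate (as corporate VPN shortcuts or vendor-less services often are) is still the reviewer's call.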


#2 Billy O'Neal

  • Malware Response Team

Posted 19 September 2008 - 07:26 PM

Hello, keetso.
:thumbsup: to BleepingComputer.com

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)

I want to apologise that it has taken so long to get back to you. We on the HJT Team are working as fast as possible to get your log answered.

If you would still like help, please post a new HijackThis log below, as things may have changed on your system.

If you do not still need help, please let me know, so that I can move on to other users who still need help.

Please take note of the following:
  • While a HJT Team member is working with you, please refrain from making any changes to your computer.
  • Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Please reply using the Posted Image button in the lower left hand corner of your screen.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave, and if there is no contact for that amount of time I will have to assume you have "vanished" :).
Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#3 keetso

  • Topic Starter

Posted 22 September 2008 - 08:02 AM

Hi Billy.

Thanks for taking the time to help me clean my computer of this very annoying malware.

Here's a current HijackThis log as requested.

--------------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:56:05, on 9/22/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\Program Files\RIM Secure VPN Solution\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINDOWS\system32\CBA\pds.exe
C:\WINDOWS\system32\userinit.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\Program Files\iPass\iPassConnect Corporate\iPassPeriodicUpdateService.exe
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
C:\Program Files\LANDesk\LDClient\policy.client.invoker.exe
C:\Program Files\LANDesk\LDClient\amtmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\LANDesk\LDClient\softmon.exe
C:\PROGRA~1\LANDesk\LDClient\collector.exe
C:\PROGRA~1\LANDesk\LDClient\LDregwatch.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\PROGRA~1\LANDesk\LDClient\rcgui.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
c:\program files\lenovo\system update\suservice.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\iPass\iPassConnect Corporate\iPassPeriodicUpdateApp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\userinit.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\WINDOWS\system32\userinit.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMLCHK.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [LPMailChecker] C:\PROGRA~1\THINKV~1\PrdCtr\LPMLCHK.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.bbse-is
O15 - Trusted Zone: http://*.bbse-is
O15 - Trusted Zone: *.beta.bbse-is
O15 - Trusted Zone: http://*.beta.bbse-is
O15 - Trusted Zone: *.eval.bbse-is
O15 - Trusted Zone: http://*.eval.bbse-is
O15 - Trusted Zone: *.evna
O15 - Trusted Zone: *.evna01
O15 - Trusted Zone: *.evna02
O15 - Trusted Zone: *.evna03
O15 - Trusted Zone: *.evna04
O15 - Trusted Zone: *.evna05
O15 - Trusted Zone: *.evs98ykf
O15 - Trusted Zone: http://*.insiderim
O15 - Trusted Zone: http://*.insite
O15 - Trusted Zone: http://*.intranet
O15 - Trusted Zone: *.mantis.bbse-is
O15 - Trusted Zone: http://*.mantis.bbse-is
O15 - Trusted Zone: *.pstimport
O15 - Trusted Zone: http://bbse-is.rim.net
O15 - Trusted Zone: http://beta.bbse-is.rim.net
O15 - Trusted Zone: http://epm.rim.net
O15 - Trusted Zone: http://epmqa.rim.net
O15 - Trusted Zone: http://epmqars.rim.net
O15 - Trusted Zone: http://epmrs.rim.net
O15 - Trusted Zone: http://eval.bbse-is.rim.net
O15 - Trusted Zone: evna.rim.net
O15 - Trusted Zone: http://insiderim.rim.net
O15 - Trusted Zone: http://insite.rim.net
O15 - Trusted Zone: http://intranet.rim.net
O15 - Trusted Zone: http://mantis.bbse-is.rim.net
O15 - Trusted Zone: http://otasl.support.bbse-is.rim.net
O15 - Trusted Zone: http://portal.rim.net
O15 - Trusted Zone: otasl.support.bbse-is
O15 - Trusted Zone: http://otasl.support.bbse-is
O15 - Trusted Zone: *.bbse-is (HKLM)
O15 - Trusted Zone: http://*.bbse-is (HKLM)
O15 - Trusted Zone: *.beta.bbse-is (HKLM)
O15 - Trusted Zone: http://*.beta.bbse-is (HKLM)
O15 - Trusted Zone: *.eval.bbse-is (HKLM)
O15 - Trusted Zone: http://*.eval.bbse-is (HKLM)
O15 - Trusted Zone: *.evna (HKLM)
O15 - Trusted Zone: *.evna01 (HKLM)
O15 - Trusted Zone: *.evna02 (HKLM)
O15 - Trusted Zone: *.evna03 (HKLM)
O15 - Trusted Zone: *.evna04 (HKLM)
O15 - Trusted Zone: *.evna05 (HKLM)
O15 - Trusted Zone: *.evs98ykf (HKLM)
O15 - Trusted Zone: http://*.insiderim (HKLM)
O15 - Trusted Zone: http://*.insite (HKLM)
O15 - Trusted Zone: http://*.intranet (HKLM)
O15 - Trusted Zone: *.mantis.bbse-is (HKLM)
O15 - Trusted Zone: http://*.mantis.bbse-is (HKLM)
O15 - Trusted Zone: *.pstimport (HKLM)
O15 - Trusted Zone: http://bbse-is.rim.net (HKLM)
O15 - Trusted Zone: http://beta.bbse-is.rim.net (HKLM)
O15 - Trusted Zone: http://epm.rim.net (HKLM)
O15 - Trusted Zone: http://epmqa.rim.net (HKLM)
O15 - Trusted Zone: http://epmqars.rim.net (HKLM)
O15 - Trusted Zone: http://epmrs.rim.net (HKLM)
O15 - Trusted Zone: http://eval.bbse-is.rim.net (HKLM)
O15 - Trusted Zone: evna.rim.net (HKLM)
O15 - Trusted Zone: http://insiderim.rim.net (HKLM)
O15 - Trusted Zone: http://insite.rim.net (HKLM)
O15 - Trusted Zone: http://intranet.rim.net (HKLM)
O15 - Trusted Zone: http://mantis.bbse-is.rim.net (HKLM)
O15 - Trusted Zone: http://otasl.support.bbse-is.rim.net (HKLM)
O15 - Trusted Zone: http://portal.rim.net (HKLM)
O15 - Trusted Zone: otasl.support.bbse-is (HKLM)
O15 - Trusted Zone: http://otasl.support.bbse-is (HKLM)
O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - http://www-307.ibm.com/pc/support/acpir.cab
O16 - DPF: {4788DE0A-3552-49EA-AC8C-233DA52523B9} (AxLoaderPassword Class) - http://www.blackberry.com/devicesoftware/AxLoader.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...wlscbase370.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1192157923875
O16 - DPF: {6F0892F7-0D44-41C3-BF07-7599873FAA04} (Crystal ActiveX Report Viewer Control 11.5) - http://wrp11ykf/crystalreportviewers115/Ac...tiveXViewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = rim.net
O17 - HKLM\Software\..\Telephony: DomainName = rim.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = rim.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = rim.net
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = rim.net
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: LANDesk® Management Agent (CBA8) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\Shared Files\residentagent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Research In Motion VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\RIM Secure VPN Solution\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: Intel Local Scheduler Service - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\tmcsvc.exe
O23 - Service: iPassConnectEngine - iPass, Inc. - C:\Program Files\iPass\iPassConnect Corporate\iPassConnectEngine.exe
O23 - Service: iPassPeriodicUpdateApp - iPass, Inc. - C:\Program Files\iPass\iPassConnect Corporate\iPassPeriodicUpdateApp.exe
O23 - Service: iPassPeriodicUpdateService - iPass, Inc. - C:\Program Files\iPass\iPassConnect Corporate\iPassPeriodicUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LANDesk Remote Control Service (ISSUSER) - LANDesk Software, Ltd. - C:\PROGRA~1\LANDesk\LDClient\issuser.exe
O23 - Service: LANDesk Policy Invoker - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\policy.client.invoker.exe
O23 - Service: LANDesk® Out-of-Band Monitor Service - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\amtmon.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Power Manager DBC Service - Unknown owner - C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: LANDesk® Software Monitoring Service (Softmon) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\softmon.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: tvtnetwk - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe

--
End of file - 20644 bytes

#4 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:08:49 PM

Posted 22 September 2008 - 05:07 PM

Hello, keetso.
We need to run ComboFix. In your next reply, please include the following:
  • ComboFix.txt

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#5 keetso

keetso
  • Topic Starter

  • Members
  • 20 posts
  • Local time:11:49 PM

Posted 23 September 2008 - 08:42 AM

Hi Billy.

Here's the ComboFix log as requested.

Thanks!

--------


ComboFix 08-09-20.05 - msarazen 2008-09-23 9:20:15.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2344 [GMT -4:00]
Running from: C:\Documents and Settings\msarazen.RIMNET\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\_000005_.tmp.dll

.
((((((((((((((((((((((((( Files Created from 2008-08-23 to 2008-09-23 )))))))))))))))))))))))))))))))
.

2008-09-19 11:19 . 2008-09-19 11:20 256 --a------ C:\Documents and Settings\msarazen.RIMNET\pool.bin
2008-09-19 11:12 . 2008-09-19 11:12 <DIR> d-------- C:\Documents and Settings\msarazen.RIMNET\Application Data\Research In Motion
2008-09-17 13:21 . 2008-09-17 13:21 <DIR> d-------- C:\Documents and Settings\msarazen.RIMNET\Application Data\Windows Search
2008-09-17 07:44 . 2008-09-17 07:44 <DIR> d-------- C:\c9f0872de8e019e3cad1
2008-09-17 07:40 . 2008-07-18 22:09 25,800 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-09-16 14:49 . 2008-09-16 14:49 <DIR> d-------- C:\Documents and Settings\msarazen.RIMNET\Application Data\SUPERAntiSpyware.com
2008-09-16 14:35 . 2008-09-16 14:35 <DIR> d-------- C:\Documents and Settings\msarazen.RIMNET\Application Data\Malwarebytes
2008-09-16 14:32 . 2008-09-16 14:32 <DIR> d-------- C:\Documents and Settings\msarazen.RIMNET\Application Data\Lenovo
2008-09-16 14:31 . 2008-09-16 14:31 <DIR> d-------- C:\Documents and Settings\msarazen.RIMNET\Application Data\Intel
2008-09-16 14:27 . 2007-10-11 22:58 <DIR> d---s---- C:\Documents and Settings\msarazen.RIMNET\UserData
2008-09-16 14:27 . 2007-10-15 23:13 <DIR> d-------- C:\Documents and Settings\msarazen.RIMNET\Application Data\Lavasoft
2008-09-16 14:27 . 2008-09-19 11:25 <DIR> d-------- C:\Documents and Settings\msarazen.RIMNET\Application Data\Blackberry Desktop
2008-09-16 14:27 . 2007-10-30 16:52 <DIR> d-------- C:\Documents and Settings\msarazen.RIMNET\Application Data\AR System
2008-09-16 14:27 . 2008-02-27 11:34 <DIR> d-------- C:\Documents and Settings\msarazen.RIMNET\Application Data\Apple Computer
2008-09-16 14:27 . 2008-09-19 11:19 <DIR> d-------- C:\Documents and Settings\msarazen.RIMNET
2008-09-16 14:12 . 2008-09-16 14:18 <DIR> d-------- C:\Documents and Settings\TEMP
2008-09-16 09:46 . 2008-09-17 13:28 6,090 --a------ C:\WINDOWS\system32\tmp.reg
2008-09-12 15:36 . 2008-09-12 15:36 <DIR> d-------- C:\rsit
2008-09-12 13:19 . 2008-09-12 13:19 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-12 13:13 . 2008-09-12 13:19 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-09-12 10:49 . 2008-09-17 13:35 <DIR> d-------- C:\Program Files\Panda Security
2008-09-12 09:23 . 2008-09-12 10:42 <DIR> d-------- C:\Documents and Settings\msarazen\.housecall6.6
2008-09-11 12:03 . 2008-09-11 12:03 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-09-11 12:03 . 2008-09-11 12:03 <DIR> d-------- C:\Documents and Settings\msarazen\Application Data\SUPERAntiSpyware.com
2008-09-11 12:03 . 2008-09-11 12:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-09-11 12:02 . 2008-09-11 12:02 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-11 11:30 . 2008-09-11 11:31 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-11 11:30 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-11 11:30 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-10 09:59 . 2008-09-10 09:59 <DIR> d-------- C:\Program Files\Windows Defender
2008-09-09 14:22 . 2008-09-09 14:22 <DIR> d--h----- C:\WINDOWS\PIF
2008-09-09 10:58 . 2008-09-09 10:58 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Windows Desktop Search
2008-09-09 10:57 . 2008-09-09 10:57 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lenovo
2008-09-09 10:57 . 2008-09-09 10:57 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2008-09-08 08:56 . 2008-09-08 08:56 <DIR> d-------- C:\Documents and Settings\msarazen\Application Data\Windows Search
2008-09-08 08:25 . 2008-09-08 08:25 <DIR> d-------- C:\Documents and Settings\msarazen\Application Data\Windows Desktop Search
2008-09-08 08:24 . 2008-09-10 10:54 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-09-08 08:24 . 2008-09-08 08:24 <DIR> d-------- C:\Program Files\Windows Desktop Search
2008-09-08 08:24 . 2008-03-07 13:02 192,000 -----c--- C:\WINDOWS\system32\dllcache\offfilt.dll
2008-09-08 08:24 . 2008-03-07 13:02 98,304 -----c--- C:\WINDOWS\system32\dllcache\nlhtml.dll
2008-09-08 08:24 . 2008-03-07 13:02 29,696 -----c--- C:\WINDOWS\system32\dllcache\mimefilt.dll
2008-09-08 08:21 . 2008-07-22 10:45 1,214,526 -----c--- C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-09-08 08:21 . 2008-07-22 10:45 790,846 -----c--- C:\WINDOWS\system32\dllcache\apph_sp.sdb
2008-09-08 08:21 . 2008-07-22 10:45 9,696 -----c--- C:\WINDOWS\system32\dllcache\drvmain.sdb
2008-09-05 11:05 . 2008-09-05 11:05 <DIR> d-------- C:\Documents and Settings\msarazen\Application Data\Malwarebytes
2008-09-05 11:05 . 2008-09-05 11:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-05 09:23 . 2008-09-16 14:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\rwbihmxy
2008-09-05 09:17 . 2008-09-05 12:16 <DIR> d-------- C:\Documents and Settings\msarazen\Application Data\CyberScrub
2008-09-05 09:17 . 2007-02-07 12:08 84 --a------ C:\WINDOWS\csact.ini
2008-08-29 09:47 . 2008-05-01 10:33 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-29 09:46 . 2008-04-11 15:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-27 10:33 . 2008-08-27 10:33 <DIR> d-------- C:\Program Files\Apple Software Update

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-23 13:29 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-09-22 13:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\vulScan
2008-09-17 16:45 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-17 16:45 --------- d-----w C:\Program Files\SpywareBlaster
2008-09-07 14:58 --------- d-----w C:\Program Files\Steam
2008-09-01 14:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-08-29 13:31 --------- d-----w C:\Program Files\Java
2008-08-26 17:44 --------- d-----w C:\Program Files\DivX
2008-08-20 16:29 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-16 00:12 4,224 ----a-w C:\WINDOWS\system32\drivers\IBMBLDID.sys
2008-08-16 00:12 11,520 ----a-w C:\WINDOWS\system32\drivers\ANC.sys
2008-08-14 13:35 --------- d-----w C:\Program Files\iTunes
2008-08-14 13:34 --------- d-----w C:\Program Files\iPod
2008-08-14 13:33 --------- d-----w C:\Program Files\Bonjour
2008-08-14 13:07 --------- d-----w C:\Program Files\Common Files\DVDVideoSoft
2008-08-11 16:19 --------- d-----w C:\Program Files\DVDVideoSoft
2008-08-09 14:18 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Avaya
2008-08-06 12:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-06 12:48 --------- d-----w C:\Program Files\ThinkPad
2008-08-06 12:48 --------- d-----w C:\Program Files\NetWaiting
2008-08-06 12:48 --------- d-----w C:\Program Files\Digital Line Detect
2008-08-06 12:48 --------- d-----w C:\Documents and Settings\msarazen\Application Data\InstallShield
2008-07-30 17:53 --------- d-----w C:\Documents and Settings\msarazen\Application Data\LimeWire
2008-07-30 17:01 --------- d-----w C:\Program Files\Elecard
2008-07-30 17:01 --------- d-----w C:\Program Files\Common Files\Elecard
2008-07-30 13:57 --------- d-----w C:\Program Files\Common Files\Deterministic Networks
2008-07-29 05:43 4,442 ------w C:\WINDOWS\system32\drivers\TPPWRIF.SYS
2008-07-29 05:43 16,384 ------w C:\WINDOWS\PWMBTHLP.EXE
2008-07-23 00:32 32,000 ----a-w C:\WINDOWS\system32\drivers\usbaapl.sys
2008-02-11 13:57 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-12-02 01:50 22,328 ----a-w C:\Documents and Settings\msarazen\Application Data\PnkBstrK.sys
.

------- Sigcheck -------

2004-08-04 00:56 24576 39b1ffb03c2296323832acbae50d2aff C:\WINDOWS\$NtServicePackUninstall$\userinit.exe
2008-04-13 20:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 C:\WINDOWS\ServicePackFiles\i386\userinit.exe
2008-09-05 09:23 57344 b5bfcf3c4dfe120d2bb0f9736a17c065 C:\WINDOWS\system32\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2007-08-10 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-08-10 512000]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2008-06-05 242976]
"LPManager"="C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe" [2008-06-09 165208]
"PWRMGRTR"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2008-07-29 331776]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2008-07-29 208896]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-03-21 13524992]
"TPFNF7"="C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2007-04-10 58416]
"TPHOTKEY"="C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe" [2008-03-24 68464]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2007-01-09 868352]
"ACWLIcon"="C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2008-08-15 143360]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2007-03-14 125632]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2006-02-02 122940]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"TVT Scheduler Proxy"="C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-31 185896]
"LPMailChecker"="C:\PROGRA~1\THINKV~1\PrdCtr\LPMLCHK.exe" [2008-06-09 124248]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2007-12-11 1044480]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 413696]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-03-21 86016]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 C:\WINDOWS\system32\bthprops.cpl]
"TpShocks"="TpShocks.exe" [2008-06-06 C:\WINDOWS\system32\TpShocks.exe]
"nwiz"="nwiz.exe" [2008-03-21 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2008-08-06 50688]
VPN Client.lnk - C:\WINDOWS\Installer\{D25122BC-A60E-4663-B602-B01718F12044}\Icon3E5562ED7.ico [2008-07-30 6144]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-08-14 15:54 89600 C:\WINDOWS\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 16:37 34344 C:\Program Files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2008-03-17 16:02 34080 C:\Program Files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2008-08-15 21:37 32768 C:\Program Files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli ACGina psqlpwd

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
backup=C:\WINDOWS\pss\Windows Search.lnkCommon Startup
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\aplmsg
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StrApl
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysShApp
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webcomapi

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="0x00000000"
"UpdatesDisableNotify"="0x00000000"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\cba\\pds.exe"=
"C:\\WINDOWS\\system32\\msgsys.exe"=
"C:\\Program Files\\LANDesk\\LDClient\\issuser.exe"=
"C:\\Program Files\\LANDesk\\LDClient\\tmcsvc.exe"=
"C:\\Program Files\\Steam\\steamapps\\keetso\\half-life\\hl.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"46819:UDP"= 46819:UDP:Limewire

R0 Shockprf;Shockprf;C:\WINDOWS\system32\DRIVERS\Apsx86.sys [2008-05-14 114728]
R0 TPDIGIMN;TPDIGIMN;C:\WINDOWS\system32\DRIVERS\ApsHM86.sys [2008-05-14 19496]
R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2008-08-15 11520]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\Drivers\IBMBLDID.sys [2008-08-15 4224]
R1 TPPWRIF;TPPWRIF;C:\WINDOWS\system32\drivers\Tppwrif.sys [2008-07-29 4442]
R2 CBA8;LANDesk® Management Agent;C:\Program Files\LANDesk\Shared Files\residentagent.exe [2007-01-09 122880]
R2 LANDesk Policy Invoker;LANDesk Policy Invoker;C:\Program Files\LANDesk\LDClient\policy.client.invoker.exe [2008-03-11 118784]
R2 LANDesk® Out-of-Band Monitor Service;LANDesk® Out-of-Band Monitor Service;C:\Program Files\LANDesk\LDClient\amtmon.exe [2007-11-30 983040]
R2 Power Manager DBC Service;Power Manager DBC Service;C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE [2008-07-29 94208]
R2 smihlp;SMI Helper Driver (smihlp);C:\Program Files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [2007-08-14 10896]
R2 Softmon;LANDesk® Software Monitoring Service;C:\Program Files\LANDesk\LDClient\softmon.exe [2007-12-06 331776]
R2 TVT Backup Protection Service;TVT Backup Protection Service;C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe [2007-07-11 569344]
R3 ldmirror;ldmirror;C:\WINDOWS\system32\DRIVERS\ldmirror.sys [2005-07-01 3328]
R3 LenovoRd;LenovoRd;C:\WINDOWS\system32\Drivers\LenovoRd.sys [2007-06-08 81280]
R3 mirrorflt;Mirror Filter Driver for Uninstall;C:\WINDOWS\system32\DRIVERS\mirrorflt.sys [2005-07-01 3712]
R3 TVTI2C;Lenovo SM bus driver;C:\WINDOWS\system32\DRIVERS\Tvti2c.sys [2007-05-22 30336]
S3 ldblank;Screen Blanking driver for Remote Control;C:\WINDOWS\system32\DRIVERS\ldblank.sys [2005-07-01 11904]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{28438b1a-7cc6-11dc-a08d-001c26f7a8a6}]
\Shell\AutoRun\command - explorer.exe /n,/e,\

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8aa80540-7bb0-11dc-adca-001c26f7a8a6}]
\Shell\AutoRun\command - explorer.exe /n,/e,\

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9b4c6528-7ce4-11dc-9ab6-001c26f7a8a6}]
\Shell\AutoRun\command - explorer.exe /n,/e,\

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f0985e7f-786a-11dc-bf53-b902aff43a34}]
\Shell\AutoRun\command - explorer.exe /n,/e,\
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-CfgChk - C:\WINDOWS\system32\jsnwzmtk.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\msarazen.RIMNET\Application Data\Mozilla\Firefox\Profiles\lkw06drs.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://google.com
FF -: plugin - C:\Program Files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-23 09:30:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\CSGina.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\nview.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ibmpmsvc.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\scardsvr.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\RIM Secure VPN Solution\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINDOWS\system32\cba\pds.exe
C:\WINDOWS\system32\userinit.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\Program Files\iPass\iPassConnect Corporate\iPassPeriodicUpdateService.exe
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\PROGRA~1\LANDesk\LDClient\collector.exe
C:\PROGRA~1\LANDesk\LDClient\LDRegWatch.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\system32\TPHDEXLG.exe
C:\WINDOWS\system32\TpKmpSvc.exe
C:\PROGRA~1\LANDesk\LDClient\rcgui.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\WINDOWS\system32\searchindexer.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Lenovo\System Update\SUService.exe
C:\WINDOWS\system32\userinit.exe
C:\Program Files\iPass\iPassConnect Corporate\iPassPeriodicUpdateApp.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lenovo\ZOOM\TpScrex.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\ComboFix\pv.cfexe
.
**************************************************************************
.
Completion time: 2008-09-23 9:33:40 - machine was rebooted [msarazen]
ComboFix-quarantined-files.txt 2008-09-23 13:33:36

Pre-Run: 1,664,516,096 bytes free
Post-Run: 1,581,957,120 bytes free

310 --- E O F --- 2007-11-08 18:35:58

#6 Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 23 September 2008 - 03:39 PM

Hello, keetso.

This is VERY important!! Please re-run with the above instructions.

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!


Ensure you install the recovery console. If it is not installed, then I will not be able to repair a core windows file.

Please reply with a new CF log with the recovery console installed :thumbsup:

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#7 keetso
  • Topic Starter
  • Members
  • 20 posts

Posted 24 September 2008 - 08:51 AM

Hi Billy.

I actually tried to install the Recovery Console by following the instructions to install it via ComboFix.
It obviously didn't work. I eventually had to remove Windows Service Pack 3 and it installed without issue.

Unfortunately I'm unable to paste the new CF log as it says that it's too long.

I've attached it instead.

Hope this isn't too much of a bother for you.

Keetso


#8 keetso
  • Topic Starter
  • Members
  • 20 posts

Posted 24 September 2008 - 01:23 PM

Hi Billy.

Just wanted to provide an update.

It seems that after uninstalling Windows SP 3 and re-running ComboFix (log is posted in my previous post), those annoying popups seem to have disappeared.

Previously, the following message would appear (along with an icon in my tool bar next to the system time) approximately 5-15 minutes after booting up:

WARNING: YOUR CURRENT ANTIVIRUS PROTECTION IS NOT EFFECTIVE!

Your system is currently sending private information and documents to a remote computer.
One of these processes (xsearch.dll) has just sent the following information:
- Windows/System32

Click here to download intrusion detection system


(Clicking on it (while not connected to the Internet) would take me to www.antispydeluxe.com)

-------------

Then, after another 5-15 minutes, this message would pop up:

ATTENTION!

Your computer could be disarranged and therefore vulnerable to information loss.

Line: 93
Char: 1
Error: Errors on files
Code: 0
URL: res://C:\Windows\System32\shdoclc.dll

Click here to repair potentially damaged files.


(Again, clicking on it would take you to www.antispydeluxe.com)

I'm not sure if uninstalling SP3 had anything to do with it but my computer has now been up and running for 4 1/2 hours with NO popups whatsoever and I thought I should let you know.

I haven't run anything else other than a Symantec AntiVirus scan which came up clean and will not without your guidance.

So far though, all *seems* to be running fine but I will defer to you and your expertise to run whatever additional scans, etc, to let me know when my computer is actually clean.

Cheers,

Keetso

#9 Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 24 September 2008 - 07:50 PM

Hello :thumbsup:

No problem with the attachment :) I like to keep the logs in open forum wherever possible for students here to learn from and other things... but if it must be attached then it must ;)

Hmm... it seems you ran it twice. Can you please post the contents of:
C:\Qoobox\ComboFix2.txt ?

Billy3

#10 keetso
  • Topic Starter
  • Members
  • 20 posts

Posted 25 September 2008 - 08:29 AM

Hi Billy.

Here you go.

I did run it twice. Once after trying to install the recovery console (which failed) and again after removing SP3 and successfully installing the recovery console.

The log below looks like the original one that was generated prior to installing the recovery console.

I can run it again if you require it.

Please also accept my apologies for my ignorance and myriad of questions about this. I'm not overly technically adept and am trying to follow your instructions to the letter.


C:\Qoobox\ComboFix2.txt posted below:

--------------------


ComboFix 08-09-20.05 - msarazen 2008-09-23 9:20:15.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2344 [GMT -4:00]
Running from: C:\Documents and Settings\msarazen.RIMNET\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\_000005_.tmp.dll

.
((((((((((((((((((((((((( Files Created from 2008-08-23 to 2008-09-23 )))))))))))))))))))))))))))))))
.

2008-09-19 11:19 . 2008-09-19 11:20 256 --a------ C:\Documents and Settings\msarazen.RIMNET\pool.bin
2008-09-19 11:12 . 2008-09-19 11:12 <DIR> d-------- C:\Documents and Settings\msarazen.RIMNET\Application Data\Research In Motion
2008-09-17 13:21 . 2008-09-17 13:21 <DIR> d-------- C:\Documents and Settings\msarazen.RIMNET\Application Data\Windows Search
2008-09-17 07:44 . 2008-09-17 07:44 <DIR> d-------- C:\c9f0872de8e019e3cad1
2008-09-17 07:40 . 2008-07-18 22:09 25,800 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-09-16 14:49 . 2008-09-16 14:49 <DIR> d-------- C:\Documents and Settings\msarazen.RIMNET\Application Data\SUPERAntiSpyware.com
2008-09-16 14:35 . 2008-09-16 14:35 <DIR> d-------- C:\Documents and Settings\msarazen.RIMNET\Application Data\Malwarebytes
2008-09-16 14:32 . 2008-09-16 14:32 <DIR> d-------- C:\Documents and Settings\msarazen.RIMNET\Application Data\Lenovo
2008-09-16 14:31 . 2008-09-16 14:31 <DIR> d-------- C:\Documents and Settings\msarazen.RIMNET\Application Data\Intel
2008-09-16 14:27 . 2007-10-11 22:58 <DIR> d---s---- C:\Documents and Settings\msarazen.RIMNET\UserData
2008-09-16 14:27 . 2007-10-15 23:13 <DIR> d-------- C:\Documents and Settings\msarazen.RIMNET\Application Data\Lavasoft
2008-09-16 14:27 . 2008-09-19 11:25 <DIR> d-------- C:\Documents and Settings\msarazen.RIMNET\Application Data\Blackberry Desktop
2008-09-16 14:27 . 2007-10-30 16:52 <DIR> d-------- C:\Documents and Settings\msarazen.RIMNET\Application Data\AR System
2008-09-16 14:27 . 2008-02-27 11:34 <DIR> d-------- C:\Documents and Settings\msarazen.RIMNET\Application Data\Apple Computer
2008-09-16 14:27 . 2008-09-19 11:19 <DIR> d-------- C:\Documents and Settings\msarazen.RIMNET
2008-09-16 14:12 . 2008-09-16 14:18 <DIR> d-------- C:\Documents and Settings\TEMP
2008-09-16 09:46 . 2008-09-17 13:28 6,090 --a------ C:\WINDOWS\system32\tmp.reg
2008-09-12 15:36 . 2008-09-12 15:36 <DIR> d-------- C:\rsit
2008-09-12 13:19 . 2008-09-12 13:19 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-12 13:13 . 2008-09-12 13:19 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-09-12 10:49 . 2008-09-17 13:35 <DIR> d-------- C:\Program Files\Panda Security
2008-09-12 09:23 . 2008-09-12 10:42 <DIR> d-------- C:\Documents and Settings\msarazen\.housecall6.6
2008-09-11 12:03 . 2008-09-11 12:03 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-09-11 12:03 . 2008-09-11 12:03 <DIR> d-------- C:\Documents and Settings\msarazen\Application Data\SUPERAntiSpyware.com
2008-09-11 12:03 . 2008-09-11 12:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-09-11 12:02 . 2008-09-11 12:02 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-11 11:30 . 2008-09-11 11:31 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-11 11:30 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-11 11:30 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-10 09:59 . 2008-09-10 09:59 <DIR> d-------- C:\Program Files\Windows Defender
2008-09-09 14:22 . 2008-09-09 14:22 <DIR> d--h----- C:\WINDOWS\PIF
2008-09-09 10:58 . 2008-09-09 10:58 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Windows Desktop Search
2008-09-09 10:57 . 2008-09-09 10:57 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lenovo
2008-09-09 10:57 . 2008-09-09 10:57 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2008-09-08 08:56 . 2008-09-08 08:56 <DIR> d-------- C:\Documents and Settings\msarazen\Application Data\Windows Search
2008-09-08 08:25 . 2008-09-08 08:25 <DIR> d-------- C:\Documents and Settings\msarazen\Application Data\Windows Desktop Search
2008-09-08 08:24 . 2008-09-10 10:54 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-09-08 08:24 . 2008-09-08 08:24 <DIR> d-------- C:\Program Files\Windows Desktop Search
2008-09-08 08:24 . 2008-03-07 13:02 192,000 -----c--- C:\WINDOWS\system32\dllcache\offfilt.dll
2008-09-08 08:24 . 2008-03-07 13:02 98,304 -----c--- C:\WINDOWS\system32\dllcache\nlhtml.dll
2008-09-08 08:24 . 2008-03-07 13:02 29,696 -----c--- C:\WINDOWS\system32\dllcache\mimefilt.dll
2008-09-08 08:21 . 2008-07-22 10:45 1,214,526 -----c--- C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-09-08 08:21 . 2008-07-22 10:45 790,846 -----c--- C:\WINDOWS\system32\dllcache\apph_sp.sdb
2008-09-08 08:21 . 2008-07-22 10:45 9,696 -----c--- C:\WINDOWS\system32\dllcache\drvmain.sdb
2008-09-05 11:05 . 2008-09-05 11:05 <DIR> d-------- C:\Documents and Settings\msarazen\Application Data\Malwarebytes
2008-09-05 11:05 . 2008-09-05 11:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-05 09:23 . 2008-09-16 14:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\rwbihmxy
2008-09-05 09:17 . 2008-09-05 12:16 <DIR> d-------- C:\Documents and Settings\msarazen\Application Data\CyberScrub
2008-09-05 09:17 . 2007-02-07 12:08 84 --a------ C:\WINDOWS\csact.ini
2008-08-29 09:47 . 2008-05-01 10:33 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-29 09:46 . 2008-04-11 15:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-27 10:33 . 2008-08-27 10:33 <DIR> d-------- C:\Program Files\Apple Software Update

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-23 13:29 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-09-22 13:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\vulScan
2008-09-17 16:45 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-17 16:45 --------- d-----w C:\Program Files\SpywareBlaster
2008-09-07 14:58 --------- d-----w C:\Program Files\Steam
2008-09-01 14:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-08-29 13:31 --------- d-----w C:\Program Files\Java
2008-08-26 17:44 --------- d-----w C:\Program Files\DivX
2008-08-20 16:29 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-16 00:12 4,224 ----a-w C:\WINDOWS\system32\drivers\IBMBLDID.sys
2008-08-16 00:12 11,520 ----a-w C:\WINDOWS\system32\drivers\ANC.sys
2008-08-14 13:35 --------- d-----w C:\Program Files\iTunes
2008-08-14 13:34 --------- d-----w C:\Program Files\iPod
2008-08-14 13:33 --------- d-----w C:\Program Files\Bonjour
2008-08-14 13:07 --------- d-----w C:\Program Files\Common Files\DVDVideoSoft
2008-08-11 16:19 --------- d-----w C:\Program Files\DVDVideoSoft
2008-08-09 14:18 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Avaya
2008-08-06 12:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-06 12:48 --------- d-----w C:\Program Files\ThinkPad
2008-08-06 12:48 --------- d-----w C:\Program Files\NetWaiting
2008-08-06 12:48 --------- d-----w C:\Program Files\Digital Line Detect
2008-08-06 12:48 --------- d-----w C:\Documents and Settings\msarazen\Application Data\InstallShield
2008-07-30 17:53 --------- d-----w C:\Documents and Settings\msarazen\Application Data\LimeWire
2008-07-30 17:01 --------- d-----w C:\Program Files\Elecard
2008-07-30 17:01 --------- d-----w C:\Program Files\Common Files\Elecard
2008-07-30 13:57 --------- d-----w C:\Program Files\Common Files\Deterministic Networks
2008-07-29 05:43 4,442 ------w C:\WINDOWS\system32\drivers\TPPWRIF.SYS
2008-07-29 05:43 16,384 ------w C:\WINDOWS\PWMBTHLP.EXE
2008-07-23 00:32 32,000 ----a-w C:\WINDOWS\system32\drivers\usbaapl.sys
2008-02-11 13:57 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-12-02 01:50 22,328 ----a-w C:\Documents and Settings\msarazen\Application Data\PnkBstrK.sys
.

------- Sigcheck -------

2004-08-04 00:56 24576 39b1ffb03c2296323832acbae50d2aff C:\WINDOWS\$NtServicePackUninstall$\userinit.exe
2008-04-13 20:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 C:\WINDOWS\ServicePackFiles\i386\userinit.exe
2008-09-05 09:23 57344 b5bfcf3c4dfe120d2bb0f9736a17c065 C:\WINDOWS\system32\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2007-08-10 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-08-10 512000]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2008-06-05 242976]
"LPManager"="C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe" [2008-06-09 165208]
"PWRMGRTR"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2008-07-29 331776]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2008-07-29 208896]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-03-21 13524992]
"TPFNF7"="C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2007-04-10 58416]
"TPHOTKEY"="C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe" [2008-03-24 68464]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2007-01-09 868352]
"ACWLIcon"="C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2008-08-15 143360]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2007-03-14 125632]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2006-02-02 122940]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"TVT Scheduler Proxy"="C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-31 185896]
"LPMailChecker"="C:\PROGRA~1\THINKV~1\PrdCtr\LPMLCHK.exe" [2008-06-09 124248]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2007-12-11 1044480]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 413696]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-03-21 86016]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 C:\WINDOWS\system32\bthprops.cpl]
"TpShocks"="TpShocks.exe" [2008-06-06 C:\WINDOWS\system32\TpShocks.exe]
"nwiz"="nwiz.exe" [2008-03-21 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2008-08-06 50688]
VPN Client.lnk - C:\WINDOWS\Installer\{D25122BC-A60E-4663-B602-B01718F12044}\Icon3E5562ED7.ico [2008-07-30 6144]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-08-14 15:54 89600 C:\WINDOWS\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 16:37 34344 C:\Program Files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2008-03-17 16:02 34080 C:\Program Files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2008-08-15 21:37 32768 C:\Program Files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli ACGina psqlpwd

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
backup=C:\WINDOWS\pss\Windows Search.lnkCommon Startup
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\aplmsg
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StrApl
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysShApp
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webcomapi

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="0x00000000"
"UpdatesDisableNotify"="0x00000000"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\cba\\pds.exe"=
"C:\\WINDOWS\\system32\\msgsys.exe"=
"C:\\Program Files\\LANDesk\\LDClient\\issuser.exe"=
"C:\\Program Files\\LANDesk\\LDClient\\tmcsvc.exe"=
"C:\\Program Files\\Steam\\steamapps\\keetso\\half-life\\hl.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"46819:UDP"= 46819:UDP:Limewire

R0 Shockprf;Shockprf;C:\WINDOWS\system32\DRIVERS\Apsx86.sys [2008-05-14 114728]
R0 TPDIGIMN;TPDIGIMN;C:\WINDOWS\system32\DRIVERS\ApsHM86.sys [2008-05-14 19496]
R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2008-08-15 11520]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\Drivers\IBMBLDID.sys [2008-08-15 4224]
R1 TPPWRIF;TPPWRIF;C:\WINDOWS\system32\drivers\Tppwrif.sys [2008-07-29 4442]
R2 CBA8;LANDesk® Management Agent;C:\Program Files\LANDesk\Shared Files\residentagent.exe [2007-01-09 122880]
R2 LANDesk Policy Invoker;LANDesk Policy Invoker;C:\Program Files\LANDesk\LDClient\policy.client.invoker.exe [2008-03-11 118784]
R2 LANDesk® Out-of-Band Monitor Service;LANDesk® Out-of-Band Monitor Service;C:\Program Files\LANDesk\LDClient\amtmon.exe [2007-11-30 983040]
R2 Power Manager DBC Service;Power Manager DBC Service;C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE [2008-07-29 94208]
R2 smihlp;SMI Helper Driver (smihlp);C:\Program Files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [2007-08-14 10896]
R2 Softmon;LANDesk® Software Monitoring Service;C:\Program Files\LANDesk\LDClient\softmon.exe [2007-12-06 331776]
R2 TVT Backup Protection Service;TVT Backup Protection Service;C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe [2007-07-11 569344]
R3 ldmirror;ldmirror;C:\WINDOWS\system32\DRIVERS\ldmirror.sys [2005-07-01 3328]
R3 LenovoRd;LenovoRd;C:\WINDOWS\system32\Drivers\LenovoRd.sys [2007-06-08 81280]
R3 mirrorflt;Mirror Filter Driver for Uninstall;C:\WINDOWS\system32\DRIVERS\mirrorflt.sys [2005-07-01 3712]
R3 TVTI2C;Lenovo SM bus driver;C:\WINDOWS\system32\DRIVERS\Tvti2c.sys [2007-05-22 30336]
S3 ldblank;Screen Blanking driver for Remote Control;C:\WINDOWS\system32\DRIVERS\ldblank.sys [2005-07-01 11904]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{28438b1a-7cc6-11dc-a08d-001c26f7a8a6}]
\Shell\AutoRun\command - explorer.exe /n,/e,\

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8aa80540-7bb0-11dc-adca-001c26f7a8a6}]
\Shell\AutoRun\command - explorer.exe /n,/e,\

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9b4c6528-7ce4-11dc-9ab6-001c26f7a8a6}]
\Shell\AutoRun\command - explorer.exe /n,/e,\

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f0985e7f-786a-11dc-bf53-b902aff43a34}]
\Shell\AutoRun\command - explorer.exe /n,/e,\
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-CfgChk - C:\WINDOWS\system32\jsnwzmtk.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\msarazen.RIMNET\Application Data\Mozilla\Firefox\Profiles\lkw06drs.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://google.com
FF -: plugin - C:\Program Files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-23 09:30:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\CSGina.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\nview.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ibmpmsvc.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\scardsvr.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\RIM Secure VPN Solution\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINDOWS\system32\cba\pds.exe
C:\WINDOWS\system32\userinit.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\Program Files\iPass\iPassConnect Corporate\iPassPeriodicUpdateService.exe
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\PROGRA~1\LANDesk\LDClient\collector.exe
C:\PROGRA~1\LANDesk\LDClient\LDRegWatch.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\system32\TPHDEXLG.exe
C:\WINDOWS\system32\TpKmpSvc.exe
C:\PROGRA~1\LANDesk\LDClient\rcgui.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\WINDOWS\system32\searchindexer.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Lenovo\System Update\SUService.exe
C:\WINDOWS\system32\userinit.exe
C:\Program Files\iPass\iPassConnect Corporate\iPassPeriodicUpdateApp.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lenovo\ZOOM\TpScrex.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\ComboFix\pv.cfexe
.
**************************************************************************
.
Completion time: 2008-09-23 9:33:40 - machine was rebooted [msarazen]
ComboFix-quarantined-files.txt 2008-09-23 13:33:36

Pre-Run: 1,664,516,096 bytes free
Post-Run: 1,581,957,120 bytes free

310 --- E O F --- 2007-11-08 18:35:58

#11 Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 25 September 2008 - 03:52 PM

Hello, keetso.
We need to re-run ComboFix with some additional directives.
  • Please disable any running anti-virus programs.

    If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:
    FMove::
    C:\WINDOWS\ServicePackFiles\i386\userinit.exe | C:\WINDOWS\system32\userinit.exe
  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Please copy and paste that report here.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Please do an online scan with Kaspersky WebScanner.
  • Please visit the Kaspersky Online Scanner website.
    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
In your next reply, please include the following:
  • ComboFix.txt
  • Kaspersky's Log
  • A New HiJack This log

Billy3
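The Sigcheck section of the log above is what the FMove directive acts on: the live C:\WINDOWS\system32\userinit.exe carries a different MD5 and size from the pristine service-pack copies, so ComboFix is told to overwrite it with the ServicePackFiles original. As an added example (not code from this thread or from ComboFix), the Python below parses that section and flags any system32 binary whose hash matches none of its reference copies; the names parse_sigcheck, find_tampered and md5_of_file are my own, and the reference-directory list is an assumption about where Windows XP keeps pristine copies.

```python
import hashlib
import re
from collections import defaultdict
from typing import Dict, List

# Sigcheck lines as ComboFix prints them; this block is copied from the log
# posted above (the three userinit.exe copies).
SIGCHECK_SAMPLE = r"""
------- Sigcheck -------

2004-08-04 00:56 24576 39b1ffb03c2296323832acbae50d2aff C:\WINDOWS\$NtServicePackUninstall$\userinit.exe
2008-04-13 20:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 C:\WINDOWS\ServicePackFiles\i386\userinit.exe
2008-09-05 09:23 57344 b5bfcf3c4dfe120d2bb0f9736a17c065 C:\WINDOWS\system32\userinit.exe
.
"""

# One Sigcheck record: "date time size md5 path"
_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(\d+)\s+([0-9a-fA-F]{32})\s+(.+?)\s*$"
)

# Assumed set of directories in which Windows keeps pristine copies of core
# binaries; anything else (in practice system32 itself) is treated as the live copy.
_REFERENCE_DIRS = ("\\servicepackfiles\\", "\\dllcache\\", "\\$ntservicepackuninstall$\\")


def parse_sigcheck(text: str) -> List[Dict[str, object]]:
    """Return one record per Sigcheck line; the header, '.' and blank lines are skipped."""
    records = []
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue
        stamp, size, md5, path = m.groups()
        records.append({
            "stamp": stamp,                                # ISO-like, so string order == time order
            "size": int(size),
            "md5": md5.lower(),
            "path": path,
            "name": path.rsplit("\\", 1)[-1].lower(),      # group copies by file name
        })
    return records


def _is_reference(path: str) -> bool:
    low = path.lower()
    return any(d in low for d in _REFERENCE_DIRS)


def find_tampered(records: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Flag each live binary whose MD5 matches none of its reference copies.

    A mismatch alone is not proof of infection (a hotfix can replace the live
    file without touching ServicePackFiles), but a live copy that is far larger
    than every pristine copy and timestamped on the day the symptoms began is
    the classic sign of a patched core file, which is why ComboFix prints the section.
    """
    by_name = defaultdict(list)
    for rec in records:
        by_name[rec["name"]].append(rec)

    findings = []
    for name, recs in by_name.items():
        refs = [r for r in recs if _is_reference(r["path"])]
        live = [r for r in recs if not _is_reference(r["path"])]
        if not refs or not live:
            continue                                        # nothing to compare against
        ref_hashes = {r["md5"] for r in refs}
        newest_ref = max(refs, key=lambda r: r["stamp"])    # the installed service pack's copy
        for cur in live:
            if cur["md5"] in ref_hashes:
                continue                                    # live copy is a known-good build
            findings.append({
                "name": name,
                "live_path": cur["path"],
                "live_md5": cur["md5"],
                "live_size": cur["size"],
                "expected_md5": newest_ref["md5"],
                "restore_from": newest_ref["path"],
                "size_delta": cur["size"] - newest_ref["size"],
            })
    return findings


def md5_of_file(path: str, chunk: int = 1 << 16) -> str:
    """MD5 of a file on disk, to re-check a live binary after it has been restored."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


if __name__ == "__main__":
    for f in find_tampered(parse_sigcheck(SIGCHECK_SAMPLE)):
        print(f"{f['name']}: live {f['live_md5']} ({f['live_size']} bytes) does not match "
              f"reference {f['expected_md5']}; restore from {f['restore_from']}")
```

On the sample above the script reports userinit.exe, with the ServicePackFiles\i386 copy as the restore source, which is exactly the pair named in the FMove line.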

#12 Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 29 September 2008 - 02:50 PM

Hello, keetso.
Are you still here?

Billy3

#13 keetso

keetso
  • Topic Starter

  • Members
  • 20 posts
  • Local time:11:49 PM

Posted 01 October 2008 - 08:02 AM

Hi Billy.

Sorry for the delay in replying as I was involved in an accident
and am now recovering from surgery.

I will run the requested scans and post the logs hopefully by the eod today.

Thanks again for your help and patience.

K

#14 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:08:49 PM

Posted 01 October 2008 - 08:39 PM

Alrighty :thumbsup:

Billy3

#15 keetso

keetso
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:11:49 PM

Posted 02 October 2008 - 10:53 AM

Hi Billy.

Here're the logs as requested.

Thanks!

K



ComboFix

ComboFix 08-09-30.03 - msarazen 2008-10-01 9:24:22.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2164 [GMT -4:00]
Running from: C:\Documents and Settings\msarazen.RIMNET\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-09-01 to 2008-10-01 )))))))))))))))))))))))))))))))
.

2008-09-29 12:16 . 2008-09-29 12:16 <DIR> d-------- C:\Documents and Settings\msarazen.RIMNET\Saved Games
2008-09-29 12:15 . 2008-09-29 12:15 <DIR> d-------- C:\Documents and Settings\msarazen.RIMNET\Application Data\iWin
2008-09-24 14:38 . 2008-06-18 22:03 110,592 --a------ C:\WINDOWS\system32\ICFConfig-v4.exe
2008-09-19 11:19 . 2008-09-19 11:20 256 --a------ C:\Documents and Settings\msarazen.RIMNET\pool.bin
2008-09-19 11:12 . 2008-09-19 11:12 <DIR> d-------- C:\Documents and Settings\msarazen.RIMNET\Application Data\Research In Motion
2008-09-17 13:21 . 2008-09-17 13:21 <DIR> d-------- C:\Documents and Settings\msarazen.RIMNET\Application Data\Windows Search
2008-09-17 07:44 . 2008-09-17 07:44 <DIR> d-------- C:\c9f0872de8e019e3cad1
2008-09-17 07:40 . 2008-07-18 22:09 25,800 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-09-16 14:49 . 2008-09-16 14:49 <DIR> d-------- C:\Documents and Settings\msarazen.RIMNET\Application Data\SUPERAntiSpyware.com
2008-09-16 14:35 . 2008-09-16 14:35 <DIR> d-------- C:\Documents and Settings\msarazen.RIMNET\Application Data\Malwarebytes
2008-09-16 14:32 . 2008-09-16 14:32 <DIR> d-------- C:\Documents and Settings\msarazen.RIMNET\Application Data\Lenovo
2008-09-16 14:31 . 2008-09-16 14:31 <DIR> d-------- C:\Documents and Settings\msarazen.RIMNET\Application Data\Intel
2008-09-16 14:27 . 2007-10-11 22:58 <DIR> d---s---- C:\Documents and Settings\msarazen.RIMNET\UserData
2008-09-16 14:27 . 2007-10-15 23:13 <DIR> d-------- C:\Documents and Settings\msarazen.RIMNET\Application Data\Lavasoft
2008-09-16 14:27 . 2008-09-19 11:25 <DIR> d-------- C:\Documents and Settings\msarazen.RIMNET\Application Data\Blackberry Desktop
2008-09-16 14:27 . 2007-10-30 16:52 <DIR> d-------- C:\Documents and Settings\msarazen.RIMNET\Application Data\AR System
2008-09-16 14:27 . 2008-02-27 11:34 <DIR> d-------- C:\Documents and Settings\msarazen.RIMNET\Application Data\Apple Computer
2008-09-16 14:27 . 2008-09-29 12:16 <DIR> d-------- C:\Documents and Settings\msarazen.RIMNET
2008-09-16 14:12 . 2008-09-16 14:18 <DIR> d-------- C:\Documents and Settings\TEMP
2008-09-16 09:46 . 2008-09-17 13:28 6,090 --a------ C:\WINDOWS\system32\tmp.reg
2008-09-12 15:36 . 2008-09-12 15:36 <DIR> d-------- C:\rsit
2008-09-12 13:19 . 2008-09-12 13:19 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-12 13:13 . 2008-09-12 13:19 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-09-12 10:49 . 2008-09-17 13:35 <DIR> d-------- C:\Program Files\Panda Security
2008-09-12 09:23 . 2008-09-12 10:42 <DIR> d-------- C:\Documents and Settings\msarazen\.housecall6.6
2008-09-11 12:03 . 2008-09-11 12:03 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-09-11 12:03 . 2008-09-11 12:03 <DIR> d-------- C:\Documents and Settings\msarazen\Application Data\SUPERAntiSpyware.com
2008-09-11 12:03 . 2008-09-11 12:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-09-11 12:02 . 2008-09-11 12:02 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-11 11:30 . 2008-09-11 11:31 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-11 11:30 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-11 11:30 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-10 09:59 . 2008-09-10 09:59 <DIR> d-------- C:\Program Files\Windows Defender
2008-09-09 14:22 . 2008-09-09 14:22 <DIR> d--h----- C:\WINDOWS\PIF
2008-09-09 10:58 . 2008-09-09 10:58 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Windows Desktop Search
2008-09-09 10:57 . 2008-09-09 10:57 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lenovo
2008-09-09 10:57 . 2008-09-09 10:57 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2008-09-08 08:56 . 2008-09-08 08:56 <DIR> d-------- C:\Documents and Settings\msarazen\Application Data\Windows Search
2008-09-08 08:25 . 2008-09-08 08:25 <DIR> d-------- C:\Documents and Settings\msarazen\Application Data\Windows Desktop Search
2008-09-08 08:24 . 2008-09-10 10:54 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-09-08 08:24 . 2008-09-08 08:24 <DIR> d-------- C:\Program Files\Windows Desktop Search
2008-09-08 08:24 . 2004-08-04 00:56 120,832 --a------ C:\WINDOWS\system32\dllcache\offfilt.dll
2008-09-08 08:24 . 2004-08-04 00:56 103,936 --a------ C:\WINDOWS\system32\dllcache\nlhtml.dll
2008-09-08 08:24 . 2001-08-23 08:00 18,944 --a------ C:\WINDOWS\system32\dllcache\mimefilt.dll
2008-09-08 08:21 . 2006-10-04 10:06 1,197,294 --a------ C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-09-08 08:21 . 2006-10-04 10:06 764,868 --a------ C:\WINDOWS\system32\dllcache\apph_sp.sdb
2008-09-08 08:21 . 2004-08-04 01:02 9,424 --a------ C:\WINDOWS\system32\dllcache\drvmain.sdb
2008-09-05 11:05 . 2008-09-05 11:05 <DIR> d-------- C:\Documents and Settings\msarazen\Application Data\Malwarebytes
2008-09-05 11:05 . 2008-09-05 11:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-05 09:23 . 2008-09-16 14:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\rwbihmxy
2008-09-05 09:17 . 2008-09-05 12:16 <DIR> d-------- C:\Documents and Settings\msarazen\Application Data\CyberScrub
2008-09-05 09:17 . 2007-02-07 12:08 84 --a------ C:\WINDOWS\csact.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-01 13:29 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-09-30 19:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\vulScan
2008-09-17 16:45 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-17 16:45 --------- d-----w C:\Program Files\SpywareBlaster
2008-09-07 14:58 --------- d-----w C:\Program Files\Steam
2008-09-01 14:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-08-29 13:31 --------- d-----w C:\Program Files\Java
2008-08-27 14:33 --------- d-----w C:\Program Files\Apple Software Update
2008-08-26 17:44 --------- d-----w C:\Program Files\DivX
2008-08-20 16:29 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-16 00:12 4,224 ----a-w C:\WINDOWS\system32\drivers\IBMBLDID.sys
2008-08-16 00:12 11,520 ----a-w C:\WINDOWS\system32\drivers\ANC.sys
2008-08-14 13:35 --------- d-----w C:\Program Files\iTunes
2008-08-14 13:34 --------- d-----w C:\Program Files\iPod
2008-08-14 13:33 --------- d-----w C:\Program Files\Bonjour
2008-08-14 13:07 --------- d-----w C:\Program Files\Common Files\DVDVideoSoft
2008-08-11 16:19 --------- d-----w C:\Program Files\DVDVideoSoft
2008-08-09 14:18 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Avaya
2008-08-06 12:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-06 12:48 --------- d-----w C:\Program Files\ThinkPad
2008-08-06 12:48 --------- d-----w C:\Program Files\NetWaiting
2008-08-06 12:48 --------- d-----w C:\Program Files\Digital Line Detect
2008-08-06 12:48 --------- d-----w C:\Documents and Settings\msarazen\Application Data\InstallShield
2008-07-29 05:43 16,384 ------w C:\WINDOWS\PWMBTHLP.EXE
2008-02-11 13:57 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-12-02 01:50 22,328 ----a-w C:\Documents and Settings\msarazen\Application Data\PnkBstrK.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2005-02-22 1611488]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2007-08-10 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-08-10 512000]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2008-06-05 242976]
"LPManager"="C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe" [2008-06-09 165208]
"PWRMGRTR"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2008-07-29 331776]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2008-07-29 208896]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-03-21 13524992]
"TPFNF7"="C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2007-04-10 58416]
"TPHOTKEY"="C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe" [2008-03-24 68464]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2007-01-09 868352]
"ACWLIcon"="C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2008-08-15 143360]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2007-03-14 125632]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2006-02-02 122940]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"TVT Scheduler Proxy"="C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-31 185896]
"LPMailChecker"="C:\PROGRA~1\THINKV~1\PrdCtr\LPMLCHK.exe" [2008-06-09 124248]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2007-12-11 1044480]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 413696]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-03-21 86016]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 C:\WINDOWS\system32\bthprops.cpl]
"TpShocks"="TpShocks.exe" [2008-06-06 C:\WINDOWS\system32\TpShocks.exe]
"nwiz"="nwiz.exe" [2008-03-21 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2008-08-06 50688]
VPN Client.lnk - C:\WINDOWS\Installer\{D25122BC-A60E-4663-B602-B01718F12044}\Icon3E5562ED7.ico [2008-07-30 6144]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-08-14 15:54 89600 C:\WINDOWS\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 16:37 34344 C:\Program Files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2008-03-17 16:02 34080 C:\Program Files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2008-08-15 21:37 32768 C:\Program Files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ ACGina psqlpwd scecli

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
backup=C:\WINDOWS\pss\Windows Search.lnkCommon Startup
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\aplmsg
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StrApl
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysShApp
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webcomapi

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="0x00000000"
"UpdatesDisableNotify"="0x00000000"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\cba\\pds.exe"= C:\\WINDOWS\\system32\\CBA\\pds.exe
"C:\\WINDOWS\\system32\\msgsys.exe"=
"C:\\Program Files\\LANDesk\\LDClient\\issuser.exe"=
"C:\\Program Files\\LANDesk\\LDClient\\tmcsvc.exe"=
"C:\\Program Files\\Steam\\steamapps\\keetso\\half-life\\hl.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\system32\\msgsys.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"46819:UDP"= 46819:UDP:Limewire
"137:UDP"= 137:UDP:@xpsp2res.dll,-22001
"138:UDP"= 138:UDP:@xpsp2res.dll,-22002
"139:TCP"= 139:TCP:@xpsp2res.dll,-22004
"445:TCP"= 445:TCP:@xpsp2res.dll,-22005
"67:TCP"= 67:TCP:LANDesk® PXE TCP Port
"67:UDP"= 67:UDP:LANDesk® PXE UDP Port
"9535:TCP"= 9535:TCP:LANDesk® Remote Control Agent TCP Port
"9535:UDP"= 9535:UDP:LANDesk® Remote Control Agent UDP Port

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 Shockprf;Shockprf;C:\WINDOWS\system32\DRIVERS\Apsx86.sys [2008-05-14 114728]
R0 TPDIGIMN;TPDIGIMN;C:\WINDOWS\system32\DRIVERS\ApsHM86.sys [2008-05-14 19496]
R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2008-08-15 11520]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\Drivers\IBMBLDID.sys [2008-08-15 4224]
R1 TPPWRIF;TPPWRIF;C:\WINDOWS\system32\drivers\Tppwrif.sys [2008-07-29 4442]
R2 CBA8;LANDesk® Management Agent;C:\Program Files\LANDesk\Shared Files\residentagent.exe [2007-01-09 122880]
R2 LANDesk Policy Invoker;LANDesk Policy Invoker;C:\Program Files\LANDesk\LDClient\policy.client.invoker.exe [2008-03-11 118784]
R2 LANDesk® Out-of-Band Monitor Service;LANDesk® Out-of-Band Monitor Service;C:\Program Files\LANDesk\LDClient\amtmon.exe [2007-11-30 983040]
R2 Power Manager DBC Service;Power Manager DBC Service;C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE [2008-07-29 94208]
R2 smihlp;SMI Helper Driver (smihlp);C:\Program Files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [2007-08-14 10896]
R2 Softmon;LANDesk® Software Monitoring Service;C:\Program Files\LANDesk\LDClient\softmon.exe [2007-12-06 331776]
R2 TVT Backup Protection Service;TVT Backup Protection Service;C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe [2007-07-11 569344]
R3 ldmirror;ldmirror;C:\WINDOWS\system32\DRIVERS\ldmirror.sys [2005-07-01 3328]
R3 LenovoRd;LenovoRd;C:\WINDOWS\system32\Drivers\LenovoRd.sys [2007-06-08 81280]
R3 mirrorflt;Mirror Filter Driver for Uninstall;C:\WINDOWS\system32\DRIVERS\mirrorflt.sys [2005-07-01 3712]
R3 TVTI2C;Lenovo SM bus driver;C:\WINDOWS\system32\DRIVERS\Tvti2c.sys [2007-05-22 30336]
S3 ldblank;Screen Blanking driver for Remote Control;C:\WINDOWS\system32\DRIVERS\ldblank.sys [2005-07-01 11904]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{28438b1a-7cc6-11dc-a08d-001c26f7a8a6}]
\Shell\AutoRun\command - explorer.exe /n,/e,\

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8aa80540-7bb0-11dc-adca-001c26f7a8a6}]
\Shell\AutoRun\command - explorer.exe /n,/e,\

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9b4c6528-7ce4-11dc-9ab6-001c26f7a8a6}]
\Shell\AutoRun\command - explorer.exe /n,/e,\

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f0985e7f-786a-11dc-bf53-b902aff43a34}]
\Shell\AutoRun\command - explorer.exe /n,/e,\
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\msarazen.RIMNET\Application Data\Mozilla\Firefox\Profiles\lkw06drs.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://google.com
FF -: plugin - C:\Program Files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-01 09:29:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\CSGina.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\nview.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ibmpmsvc.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\scardsvr.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\RIM Secure VPN Solution\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINDOWS\system32\cba\pds.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\Program Files\iPass\iPassConnect Corporate\iPassPeriodicUpdateService.exe
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\PROGRA~1\LANDesk\LDClient\collector.exe
C:\PROGRA~1\LANDesk\LDClient\LDRegWatch.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\system32\TPHDEXLG.exe
C:\PROGRA~1\LANDesk\LDClient\rcgui.exe
C:\WINDOWS\system32\TpKmpSvc.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\WINDOWS\system32\searchindexer.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Lenovo\System Update\SUService.exe
C:\Program Files\iPass\iPassConnect Corporate\iPassPeriodicUpdateApp.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\ZOOM\TpScrex.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-10-01 9:32:50 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-01 13:32:44
ComboFix2.txt 2008-09-24 13:40:41

Pre-Run: 1,910,050,816 bytes free
Post-Run: 1,857,269,760 bytes free

301 --- E O F --- 2007-11-08 18:35:58


Kaspersky

KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, October 2, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, October 01, 2008 20:22:57
Records in database: 1280928


Scan settings
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area: My Computer
C:\

Scan statistics
Files scanned: 72929
Threat name: 2
Infected objects: 5
Suspicious objects: 0
Duration of the scan: 05:36:44

File name | Threat name | Threats count
C:\Documents and Settings\msarazen\.housecall6.6\Quarantine\userinit.exe.bac_a05892 | Infected: not-a-virus:FraudTool.Win32.Agent.bw | 1
C:\Documents and Settings\msarazen\Desktop\SmitfraudFix\Reboot.exe | Infected: not-a-virus:RiskTool.Win32.Reboot.f | 1
C:\Documents and Settings\msarazen\Desktop\SmitfraudFix.exe | Infected: not-a-virus:RiskTool.Win32.Reboot.f | 1
C:\Documents and Settings\msarazen.RIMNET\Desktop\SmitfraudFix\Reboot.exe | Infected: not-a-virus:RiskTool.Win32.Reboot.f | 1
C:\Documents and Settings\msarazen.RIMNET\Desktop\SmitfraudFix.exe | Infected: not-a-virus:RiskTool.Win32.Reboot.f | 1

The selected area was scanned.

HiJackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:41, on 2008-10-02
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\Program Files\RIM Secure VPN Solution\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\Program Files\iPass\iPassConnect Corporate\iPassPeriodicUpdateService.exe
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
C:\Program Files\LANDesk\LDClient\policy.client.invoker.exe
C:\Program Files\LANDesk\LDClient\amtmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\LANDesk\LDClient\collector.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\LANDesk\LDClient\softmon.exe
C:\PROGRA~1\LANDesk\LDClient\LDregwatch.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\PROGRA~1\LANDesk\LDClient\rcgui.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\iPass\iPassConnect Corporate\iPassPeriodicUpdateApp.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMLCHK.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [LPMailChecker] C:\PROGRA~1\THINKV~1\PrdCtr\LPMLCHK.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.bbse-is
O15 - Trusted Zone: http://*.bbse-is
O15 - Trusted Zone: *.beta.bbse-is
O15 - Trusted Zone: http://*.beta.bbse-is
O15 - Trusted Zone: *.eval.bbse-is
O15 - Trusted Zone: http://*.eval.bbse-is
O15 - Trusted Zone: *.evna
O15 - Trusted Zone: *.evna01
O15 - Trusted Zone: *.evna02
O15 - Trusted Zone: *.evna03
O15 - Trusted Zone: *.evna04
O15 - Trusted Zone: *.evna05
O15 - Trusted Zone: *.evs98ykf
O15 - Trusted Zone: http://*.insiderim
O15 - Trusted Zone: http://*.insite
O15 - Trusted Zone: http://*.intranet
O15 - Trusted Zone: *.mantis.bbse-is
O15 - Trusted Zone: http://*.mantis.bbse-is
O15 - Trusted Zone: *.pstimport
O15 - Trusted Zone: http://bbse-is.rim.net
O15 - Trusted Zone: http://beta.bbse-is.rim.net
O15 - Trusted Zone: http://epm.rim.net
O15 - Trusted Zone: http://epmqa.rim.net
O15 - Trusted Zone: http://epmqars.rim.net
O15 - Trusted Zone: http://epmrs.rim.net
O15 - Trusted Zone: http://eval.bbse-is.rim.net
O15 - Trusted Zone: evna.rim.net
O15 - Trusted Zone: http://insiderim.rim.net
O15 - Trusted Zone: http://insite.rim.net
O15 - Trusted Zone: http://intranet.rim.net
O15 - Trusted Zone: http://mantis.bbse-is.rim.net
O15 - Trusted Zone: http://otasl.support.bbse-is.rim.net
O15 - Trusted Zone: http://portal.rim.net
O15 - Trusted Zone: otasl.support.bbse-is
O15 - Trusted Zone: http://otasl.support.bbse-is
O15 - Trusted Zone: http://*.bbse-is (HKLM)
O15 - Trusted Zone: http://*.beta.bbse-is (HKLM)
O15 - Trusted Zone: http://*.eval.bbse-is (HKLM)
O15 - Trusted Zone: *.evna (HKLM)
O15 - Trusted Zone: *.evna01 (HKLM)
O15 - Trusted Zone: *.evna02 (HKLM)
O15 - Trusted Zone: *.evna03 (HKLM)
O15 - Trusted Zone: *.evna04 (HKLM)
O15 - Trusted Zone: *.evna05 (HKLM)
O15 - Trusted Zone: *.evs98ykf (HKLM)
O15 - Trusted Zone: http://*.insiderim (HKLM)
O15 - Trusted Zone: http://*.insite (HKLM)
O15 - Trusted Zone: http://*.intranet (HKLM)
O15 - Trusted Zone: http://*.mantis.bbse-is (HKLM)
O15 - Trusted Zone: http://bbse-is.rim.net (HKLM)
O15 - Trusted Zone: http://beta.bbse-is.rim.net (HKLM)
O15 - Trusted Zone: http://epm.rim.net (HKLM)
O15 - Trusted Zone: http://epmqa.rim.net (HKLM)
O15 - Trusted Zone: http://epmqars.rim.net (HKLM)
O15 - Trusted Zone: http://epmrs.rim.net (HKLM)
O15 - Trusted Zone: http://eval.bbse-is.rim.net (HKLM)
O15 - Trusted Zone: evna.rim.net (HKLM)
O15 - Trusted Zone: http://insiderim.rim.net (HKLM)
O15 - Trusted Zone: http://insite.rim.net (HKLM)
O15 - Trusted Zone: http://intranet.rim.net (HKLM)
O15 - Trusted Zone: http://mantis.bbse-is.rim.net (HKLM)
O15 - Trusted Zone: http://otasl.support.bbse-is.rim.net (HKLM)
O15 - Trusted Zone: http://portal.rim.net (HKLM)
O15 - Trusted Zone: http://otasl.support.bbse-is (HKLM)
O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - http://www-307.ibm.com/pc/support/acpir.cab
O16 - DPF: {4788DE0A-3552-49EA-AC8C-233DA52523B9} (AxLoaderPassword Class) - http://www.blackberry.com/devicesoftware/AxLoader.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...wlscbase370.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1222269573687
O16 - DPF: {6F0892F7-0D44-41C3-BF07-7599873FAA04} (Crystal ActiveX Report Viewer Control 11.5) - http://wrp11ykf/crystalreportviewers115/Ac...tiveXViewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = rim.net
O17 - HKLM\Software\..\Telephony: DomainName = rim.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = rim.net
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: LANDesk® Management Agent (CBA8) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\Shared Files\residentagent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Research In Motion VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\RIM Secure VPN Solution\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: Intel Local Scheduler Service - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\tmcsvc.exe
O23 - Service: iPassConnectEngine - iPass, Inc. - C:\Program Files\iPass\iPassConnect Corporate\iPassConnectEngine.exe
O23 - Service: iPassPeriodicUpdateApp - iPass, Inc. - C:\Program Files\iPass\iPassConnect Corporate\iPassPeriodicUpdateApp.exe
O23 - Service: iPassPeriodicUpdateService - iPass, Inc. - C:\Program Files\iPass\iPassConnect Corporate\iPassPeriodicUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LANDesk Remote Control Service (ISSUSER) - LANDesk Software, Ltd. - C:\PROGRA~1\LANDesk\LDClient\issuser.exe
O23 - Service: LANDesk Policy Invoker - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\policy.client.invoker.exe
O23 - Service: LANDesk® Out-of-Band Monitor Service - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\amtmon.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Power Manager DBC Service - Unknown owner - C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: LANDesk® Software Monitoring Service (Softmon) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\softmon.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: tvtnetwk - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe

--
End of file - 19869 bytes



