Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

win32.sdbot.add - did I get rid of it?


  • This topic is locked This topic is locked
6 replies to this topic

#1 Igmupaka

Igmupaka

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:01:48 AM

Posted 03 December 2008 - 10:20 AM

Hi...my laptop was not starting up properly yesterday - took forever. This is a very new computer with no previous issues, so I was concerned and ran SbyBot, which found the win32.sdbot.add backdoor. I removed it with Spybot, ran a full Symantec scan and a full OneCare scan, which came up clean. But when I reran SbyBot it said win32.sdbot.add was still on my machine. I have run a Hijack This scan and was hoping I could get confirmation of whether or not I really did resolve the problem. Thanks so much...here's the log (and I'm working with a Lenovo ThinkPad SL500 with XP Pro, if that helps)...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:19:09 AM, on 12/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lenovo\ATK Hotkey\GFNEXSrv.exe
C:\Program Files\Lenovo\ATK Hotkey\LFKAS.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Lenovo\HOTKEY\LVOSDSVC.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Lenovo\LENOVO~2\LPMLCHK.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Lenovo\ATK Hotkey\LCONTROL.exe
C:\Program Files\Lenovo\ATK Hotkey\LFKA.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\system32\rundll32.exe
c:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\UpdateMonitor.exe
C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Lenovo\Client Security Solution\password_manager.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://remoteuser.westat.com/dana-na/auth/...ult/welcome.cgi
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lenovo.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.onlineregister.com/lenovo/?PAGE...mp;SRNM=L3E1531
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Password Manager Browser Helper Object - {BF468356-BB7E-42D7-9F15-4F3B9BCFCED2} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\LVOSDSVC.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe
O4 - HKLM\..\Run: [LPMailChecker] C:\PROGRA~1\Lenovo\LENOVO~2\LPMLCHK.exe
O4 - HKLM\..\Run: [LCONTROL] "C:\Program Files\Lenovo\ATK Hotkey\LCONTROL.exe"
O4 - HKLM\..\Run: [LFKA] "C:\Program Files\Lenovo\ATK Hotkey\LFKA.exe"
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus CX9400Fax Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICFA.EXE /FU "C:\WINDOWS\TEMP\E_SEE.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [Uniblue RegistryBooster2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: Lenovo Password Manager... - {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://remoteuser.westat.com/dana/download...wnloadCitrixCab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6662.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupControlXP Class) - https://remoteuser.westat.com/dana-cached/s...perSetupSP1.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: ATKGFNEX Service (ATKGFNEXSrv) - Unknown owner - C:\Program Files\Lenovo\ATK Hotkey\GFNEXSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel® Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: ThinkPad PM Service for SL Series (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Service of LFKA (LFKAS) - Unknown owner - C:\Program Files\Lenovo\ATK Hotkey\LFKAS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Power Manager DBC Service - Unknown owner - C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel® Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe (file missing)
O23 - Service: Intel® PROSet/Wireless WiFi Service (S24EventMonitor) - Intel® Corporation - C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: TVT Windows Update Monitor (TVT_UpdateMonitor) - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\UpdateMonitor.exe

--
End of file - 12056 bytes

BC AdBot (Login to Remove)

 


#2 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Members
  • 19,461 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:03:48 AM

Posted 15 December 2008 - 09:59 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below a staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 Igmupaka

Igmupaka
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:01:48 AM

Posted 17 December 2008 - 09:50 AM

Thanks for the response. I have not solved the problem, apparently. When I started my computer again this morning it was running super slow and I couldn't access the internet or my antivirus software. Also, so me desktop settings were not correct. So, here is the DDS lot and I've attached the other log as instructed. I'd really appreciate any help I can get on this. Thanks so much.


DDS (Version 1.1.0) - NTFSx86
Run by Denise St. Clair at 8:38:05.01 on Wed 12/17/2008
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2013.1286 [GMT -6:00]

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lenovo\ATK Hotkey\GFNEXSrv.exe
C:\Program Files\Lenovo\ATK Hotkey\LFKAS.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\UpdateMonitor.exe
C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\lenovo\system update\suservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Lenovo\HOTKEY\LVOSDSVC.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe
C:\PROGRA~1\Lenovo\LENOVO~2\LPMLCHK.exe
C:\Program Files\Lenovo\ATK Hotkey\LCONTROL.exe
C:\Program Files\Lenovo\ATK Hotkey\LFKA.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lenovo\Client Security Solution\password_manager.exe
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Denise St. Clair\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = https://remoteuser.westat.com/dana-na/auth/...ult/welcome.cgi
mDefault_Page_URL = hxxp://lenovo.live.com
uInternet Connection Wizard,ShellNext = hxxp://www.onlineregister.com/lenovo/?PAGE=thx&LANG=EN&CTRY=United%20States&MODL=27466XU&PRNM=Lenovo&SRNM=L3E1531
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\program files\windows live toolbar\msntb.dll
BHO: {BF468356-BB7E-42D7-9F15-4F3B9BCFCED2} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\program files\windows live toolbar\msntb.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\program files\windows live toolbar\msntb.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [EPSON Stylus CX9400Fax Series] c:\windows\system32\spool\drivers\w32x86\3\e_faticfa.exe /fu "c:\windows\temp\E_SEE.tmp" /EF "HKCU"
uRun: [Uniblue RegistryBooster2] c:\program files\uniblue\registrybooster 2\RegistryBooster.exe /S
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TPFNF7] c:\program files\lenovo\npdirect\TPFNF7SP.exe /r
mRun: [TpShocks] TpShocks.exe
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\LVOSDSVC.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [LPManager] c:\progra~1\lenovo\lenovo~2\LPMGR.exe
mRun: [LPMailChecker] c:\progra~1\lenovo\lenovo~2\LPMLCHK.exe
mRun: [LCONTROL] "c:\program files\lenovo\atk hotkey\LCONTROL.exe"
mRun: [LFKA] "c:\program files\lenovo\atk hotkey\LFKA.exe"
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
mRun: [cssauth] "c:\program files\lenovo\client security solution\cssauth.exe" silent
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
StartupFolder: c:\docume~1\denise~1.cla\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Notify: ACNotify - ACNotify.dll
Notify: igfxcui - igfxdev.dll
Notify: psfus - c:\windows\system32\psqlpwd.dll
Notify: tpfnf2 - c:\program files\lenovo\hotkey\notifyf2.dll
Notify: tphotkey - c:\program files\lenovo\hotkey\tphklock.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
LSA: Notification Packages = scecli psqlpwd ACGina

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\denise~1.cla\applic~1\mozilla\firefox\profiles\exz0n82i.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglk
FF - plugin: c:\program files\mozilla firefox\plugins\nppopcaploader.dll

============= SERVICES / DRIVERS ===============

R0 Shockprf;Shockprf;c:\windows\system32\drivers\Apsx86.sys [2008-5-14 114728]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2008-5-14 19496]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.SYS [2008-9-19 11520]
R1 IBMTPCHK;IBMTPCHK;\??\c:\windows\system32\drivers\IBMBLDID.sys [2008-9-19 4224]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\Tppwrif.sys [2008-9-19 4442]
R1 tvtumon;tvtumon;c:\windows\system32\drivers\tvtumon.sys [2008-5-9 46144]
R2 ccEvtMgr;Symantec Event Manager;"c:\program files\common files\symantec shared\ccSvcHst.exe" /h ccCommon [2008-5-5 108392]
R2 ccSetMgr;Symantec Settings Manager;"c:\program files\common files\symantec shared\ccSvcHst.exe" /h ccCommon [2008-5-5 108392]
R2 LFKAS;Service of LFKA;c:\program files\lenovo\atk hotkey\LFKAS.exe [2008-9-19 208896]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\thinkpad\utilities\PWMDBSVC.EXE [2008-9-19 94208]
R2 smihlp;SMI Helper Driver (smihlp);\??\c:\program files\common files\thinkvantage fingerprint software\drivers\smihlp.sys [2008-6-24 12560]
R2 Symantec AntiVirus;Symantec Endpoint Protection;"c:\program files\symantec\symantec endpoint protection\Rtvscan.exe" [2008-5-5 2234296]
R2 TVT Backup Protection Service;TVT Backup Protection Service;"c:\program files\lenovo\rescue and recovery\rrpservice.exe" [2008-5-14 520192]
R2 TVT_UpdateMonitor;TVT Windows Update Monitor;c:\program files\lenovo\rescue and recovery\UpdateMonitor.exe [2008-5-9 253952]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-10-18 99376]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2008-9-19 108032]
R3 NAVENG;NAVENG;\??\c:\progra~1\common~1\symant~1\virusd~1\20081216.022\NAVENG.SYS [2008-12-16 89104]
R3 NAVEX15;NAVEX15;\??\c:\progra~1\common~1\symant~1\virusd~1\20081216.022\NAVEX15.SYS [2008-12-16 876112]
S2 RoxLiveShare10;LiveShare P2P Server 10;"c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe" []
S2 SessionLauncher;SessionLauncher;c:\docume~1\admini~1\locals~1\temp\dx9\SessionLauncher.exe []
S3 COH_Mon;COH_Mon;\??\c:\windows\system32\drivers\COH_Mon.sys [2008-5-5 23888]

=============== Created Last 30 ================

2008-12-07 04:35 <DIR> --d--r-- c:\docume~1\denise~1.cla\applic~1\Brother
2008-12-07 04:33 426 a------- c:\windows\BRWMARK.INI
2008-12-07 04:33 34 a------- c:\windows\system32\BD2070N.DAT
2008-12-07 04:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Drivers HeadQuarters
2008-12-03 08:56 <DIR> --d----- c:\program files\Trend Micro
2008-12-02 21:43 577,024 a------- c:\windows\system32\dllcache\user32.dll
2008-12-02 21:41 <DIR> --d----- c:\windows\ERUNT
2008-12-02 21:40 <DIR> --d----- C:\SDFix
2008-12-02 19:24 <DIR> --d----- c:\program files\Exterminate It!
2008-12-02 18:33 <DIR> --d----- c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-12-02 18:33 <DIR> --d----- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-12-02 18:33 <DIR> --d----- c:\program files\SDHelper (Spybot - Search & Destroy)
2008-12-02 18:33 <DIR> --d----- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-12-02 18:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-12-02 18:28 <DIR> --d----- c:\program files\Spybot - Search & Destroy

==================== Find3M ====================

2008-10-18 20:18 0 ----h--- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-10-18 20:18 0 ----h--- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2008-10-18 09:25 123,952 -------- c:\windows\system32\drivers\SYMEVENT.SYS
2008-10-18 09:25 60,800 -------- c:\windows\system32\S32EVNT1.DLL
2008-10-18 09:25 10,563 -------- c:\windows\system32\drivers\SYMEVENT.CAT
2008-10-18 09:25 805 -------- c:\windows\system32\drivers\SYMEVENT.INF
2008-10-18 09:05 50 -------- c:\windows\system32\drivers\LENOVO_2746_6XU.MRK
2008-09-25 01:47 16,384 -------- c:\windows\PWMBTHLP.EXE

============= FINISH: 8:38:21.87 ===============

Attached Files



#4 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,635 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:03:48 AM

Posted 17 December 2008 - 12:14 PM

Hi, Igmupaka :thumbsup:

Welcome.

Posted Image Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediatly.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • Install the Recovery Console upon request.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#5 Igmupaka

Igmupaka
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:01:48 AM

Posted 17 December 2008 - 10:35 PM

Thanks so much for the help so far...here are the logs you requested...

Malwarebytes' Anti-Malware 1.31
Database version: 1512
Windows 5.1.2600 Service Pack 2

12/17/2008 8:42:18 PM
mbam-log-2008-12-17 (20-42-18).txt

Scan type: Quick Scan
Objects scanned: 57675
Time elapsed: 4 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

ComboFix 08-12-17.01 - Denise St. Clair 2008-12-17 20:47:11.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2013.1297 [GMT -6:00]
Running from: c:\documents and settings\Denise St. Clair\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-11-18 to 2008-12-18 )))))))))))))))))))))))))))))))
.

2008-12-17 20:24 . 2008-12-17 20:24 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-17 20:24 . 2008-12-17 20:24 <DIR> d-------- c:\documents and settings\Denise St. Clair\Application Data\Malwarebytes
2008-12-17 20:24 . 2008-12-17 20:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-17 20:24 . 2008-12-03 19:59 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-17 20:24 . 2008-12-03 19:59 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-07 04:35 . 2008-12-07 04:35 <DIR> dr------- c:\documents and settings\Denise St. Clair\Application Data\Brother
2008-12-07 04:33 . 2008-12-07 04:40 426 --a------ c:\windows\BRWMARK.INI
2008-12-07 04:33 . 2008-12-07 04:33 34 --a------ c:\windows\system32\BD2070N.DAT
2008-12-07 04:22 . 2008-12-07 04:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2008-12-03 08:56 . 2008-12-03 08:56 <DIR> d-------- c:\program files\Trend Micro
2008-12-02 22:10 . 2008-12-17 09:02 <DIR> d-------- c:\program files\Windows Live Safety Center
2008-12-02 21:43 . 2008-12-02 21:43 577,024 --a------ c:\windows\system32\dllcache\user32.dll
2008-12-02 21:41 . 2008-12-02 21:42 <DIR> d-------- c:\windows\ERUNT
2008-12-02 21:40 . 2008-12-02 21:51 <DIR> d-------- C:\SDFix
2008-12-02 19:24 . 2008-12-02 21:29 <DIR> d-------- c:\program files\Exterminate It!
2008-12-02 18:33 . 2008-12-02 18:33 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-12-02 18:33 . 2008-12-02 18:33 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2008-12-02 18:33 . 2008-12-02 18:33 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-12-02 18:33 . 2008-12-02 18:33 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-12-02 18:28 . 2008-12-03 08:50 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-02 18:28 . 2008-12-03 08:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-17 14:42 --------- d-----w c:\documents and settings\Denise St. Clair\Application Data\U3
2008-12-08 06:09 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-07 10:23 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-20 23:03 --------- d-----w c:\program files\Lenovo
2008-11-20 23:03 --------- d-----w c:\program files\Common Files\Lenovo
2008-11-09 22:05 --------- d-----w c:\program files\Common Files\Adobe
2008-11-01 00:50 --------- d-----w c:\program files\PopCap Games
2008-11-01 00:50 --------- d-----w c:\documents and settings\All Users\Application Data\PopCap
2008-10-24 20:11 --------- d-----w c:\program files\Microsoft Office Communicator
2008-10-24 20:02 --------- d-----w c:\program files\MSBuild
2008-10-24 20:02 --------- d-----w c:\program files\Microsoft Works
2008-10-24 19:59 --------- d-----w c:\program files\Microsoft Visual Studio 8
2008-10-19 02:18 0 ---h--w c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-10-19 02:18 0 ---h--w c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2008-10-19 02:17 --------- d-----w c:\program files\Microsoft IntelliPoint
2008-10-19 01:37 --------- d-----w c:\documents and settings\NetworkService\Application Data\Avaya
2008-10-18 23:05 --------- d-----w c:\program files\ThinkVantage
2008-10-18 23:02 --------- d-----w c:\documents and settings\All Users\Application Data\Roxio
2008-10-18 22:59 --------- d-----w c:\program files\Windows Live Toolbar
2008-10-18 22:51 --------- d-----w c:\documents and settings\All Users\Application Data\WinZip
2008-10-18 22:33 --------- d-----w c:\program files\Common Files\ArcSoft
2008-10-18 22:33 --------- d-----w c:\program files\ArcSoft
2008-10-18 22:11 --------- d-----w c:\program files\Uniblue
2008-10-18 22:11 --------- d-----w c:\documents and settings\Denise St. Clair\Application Data\Uniblue
2008-10-18 22:08 --------- d-----w c:\program files\Shockwave.com
2008-10-18 22:08 --------- d-----w c:\program files\Batch Mp3 Wav Converter
2008-10-18 19:19 --------- d-----w c:\program files\Windows Media Connect 2
2008-10-18 18:44 --------- d-----w c:\documents and settings\Denise St. Clair\Application Data\Lenovo
2008-10-18 18:44 --------- d-----w c:\documents and settings\All Users\Application Data\Lenovo
2008-10-18 18:44 --------- d-----w c:\documents and settings\Administrator\Application Data\Lenovo
2008-10-18 15:32 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-10-18 15:25 805 ------w c:\windows\system32\drivers\SYMEVENT.INF
2008-10-18 15:25 60,800 ------w c:\windows\system32\S32EVNT1.DLL
2008-10-18 15:25 123,952 ------w c:\windows\system32\drivers\SYMEVENT.SYS
2008-10-18 15:25 10,563 ------w c:\windows\system32\drivers\SYMEVENT.CAT
2008-10-18 15:25 --------- d-----w c:\program files\Symantec
2008-10-18 15:25 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-10-18 15:12 --------- d-----w c:\documents and settings\Denise St. Clair\Application Data\Leadertech
2008-10-18 15:11 --------- d-----w c:\windows\system32\config\systemprofile\Application Data\Avaya
2008-10-18 15:05 50 ------w c:\windows\system32\drivers\LENOVO_2746_6XU.MRK
2008-10-18 08:19 --------- d-----w c:\documents and settings\Denise St. Clair\Application Data\ICAClient
2008-10-18 08:18 --------- d-----w c:\documents and settings\Denise St. Clair\Application Data\Juniper Networks
2008-10-18 08:17 --------- d-----w c:\program files\Citrix
2008-10-18 08:10 --------- d-----w c:\documents and settings\All Users\Application Data\Juniper Networks
2008-10-18 08:08 --------- d-----w c:\program files\Microsoft.NET
2008-10-18 08:07 --------- d-----w c:\program files\Microsoft SQL Server
2008-10-18 07:27 --------- d-----w c:\documents and settings\Denise St. Clair\Application Data\ArcSoft
2008-10-18 06:52 --------- d-----w c:\documents and settings\All Users\Application Data\PopCap Games
2008-10-18 06:47 --------- d-----w c:\program files\SPSS
2008-10-18 06:41 --------- d-----w c:\program files\epson
2008-10-18 06:41 --------- d-----w c:\program files\ABBYY FineReader 6.0 Sprint
2008-10-18 06:40 --------- d-----w c:\documents and settings\All Users\Application Data\ArcSoft
2008-10-18 06:38 --------- d-----w c:\documents and settings\All Users\Application Data\EPSON
2008-10-18 06:29 --------- d-----w c:\documents and settings\Denise St. Clair\Application Data\SAS
2008-10-18 06:20 --------- d-----w c:\program files\SAS
2008-10-18 05:24 --------- d-----w c:\program files\PCDR5
2008-10-18 04:59 --------- d-----w c:\documents and settings\All Users\Application Data\Sonic
2008-10-18 04:52 --------- d-----w c:\documents and settings\Denise St. Clair\Application Data\Windows Search
2008-09-25 07:47 16,384 ------w c:\windows\PWMBTHLP.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"EPSON Stylus CX9400Fax Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATICFA.EXE" [2007-03-23 182272]
"Uniblue RegistryBooster2"="c:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2007-05-16 1856544]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2008-04-10 122880]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-10 524288]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2008-07-30 60192]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\LVOSDSVC.exe" [2008-03-23 64368]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2008-06-04 242976]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-04 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-04 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-04 141848]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-05-14 487424]
"LPManager"="c:\progra~1\Lenovo\LENOVO~2\LPMGR.exe" [2008-06-08 165208]
"LPMailChecker"="c:\progra~1\Lenovo\LENOVO~2\LPMLCHK.exe" [2008-06-08 124248]
"LCONTROL"="c:\program files\Lenovo\ATK Hotkey\LCONTROL.exe" [2008-03-19 77824]
"LFKA"="c:\program files\Lenovo\ATK Hotkey\LFKA.exe" [2008-04-15 315392]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2008-09-25 331776]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2008-09-25 208896]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2008-08-15 425984]
"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2008-06-13 3073336]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-05-05 115560]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"TpShocks"="TpShocks.exe" [2008-06-06 c:\windows\system32\TpShocks.exe]

c:\documents and settings\Denise St. Clair\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2008-06-24 18:31 95496 c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 01:37 34344 c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2008-03-17 01:02 34080 c:\program files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2008-08-15 20:37 32768 c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd ACGina

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\Program Files\\SAS\\SAS 9.1\\sas.exe"=
"c:\\Documents and Settings\\Denise St. Clair\\Application Data\\Juniper Networks\\Juniper Citrix Services Client\\dsCitrixProxy.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
"c:\\Documents and Settings\\Denise St. Clair\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

R0 Shockprf;Shockprf;c:\windows\system32\DRIVERS\Apsx86.sys [2008-05-14 114728]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\DRIVERS\ApsHM86.sys [2008-05-14 19496]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.SYS [2008-09-19 11520]
R1 IBMTPCHK;IBMTPCHK;\??\c:\windows\system32\Drivers\IBMBLDID.sys [2008-09-19 4224]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\Tppwrif.sys [2008-09-19 4442]
R1 tvtumon;tvtumon;c:\windows\system32\DRIVERS\tvtumon.sys [2008-05-09 46144]
R2 LFKAS;Service of LFKA;c:\program files\Lenovo\ATK Hotkey\LFKAS.exe [2008-09-19 208896]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.EXE [2008-09-19 94208]
R2 smihlp;SMI Helper Driver (smihlp);\??\c:\program files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [2008-06-24 12560]
R2 TVT Backup Protection Service;TVT Backup Protection Service;"c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe" [2008-05-14 520192]
R2 TVT_UpdateMonitor;TVT Windows Update Monitor;c:\program files\Lenovo\Rescue and Recovery\UpdateMonitor.exe [2008-05-09 253952]
R3 COH_Mon;COH_Mon;\??\c:\windows\system32\Drivers\COH_Mon.sys [2008-05-05 23888]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-10-18 99376]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2008-09-19 108032]
S2 RoxLiveShare10;LiveShare P2P Server 10;"c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe" []
S2 SessionLauncher;SessionLauncher;c:\docume~1\ADMINI~1\LOCALS~1\Temp\DX9\SessionLauncher.exe []
.
Contents of the 'Scheduled Tasks' folder

2008-12-18 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 16:54]

2008-10-19 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2008-06-10 11:56]

2008-12-18 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2008-09-25 01:47]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-Symantec Antvirus


.
------- Supplementary Scan -------
.
uStart Page = https://remoteuser.westat.com/dana-na/auth/...ult/welcome.cgi
mDefault_Page_URL = hxxp://lenovo.live.com
uInternet Connection Wizard,ShellNext = hxxp://www.onlineregister.com/lenovo/?PAGE=thx&LANG=EN&CTRY=United%20States&MODL=27466XU&PRNM=Lenovo&SRNM=L3E1531
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - c:\program files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
FF - ProfilePath - c:\documents and settings\Denise St. Clair\Application Data\Mozilla\Firefox\Profiles\exz0n82i.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglk
FF - plugin: c:\program files\Mozilla Firefox\plugins\nppopcaploader.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-17 20:55:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(984)
c:\windows\system32\vrlogon.dll
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infql2.dll
c:\program files\ThinkVantage Fingerprint Software\homepass.dll
c:\program files\ThinkVantage Fingerprint Software\bio.dll
c:\program files\ThinkVantage Fingerprint Software\qlbase.dll
c:\program files\ThinkVantage Fingerprint Software\ps2css.dll
c:\program files\ThinkVantage Fingerprint Software\pscssint.dll
c:\program files\ThinkVantage Fingerprint Software\vti.dll
c:\program files\Lenovo\HOTKEY\tphklock.dll

- - - - - - - > 'lsass.exe'(1040)
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infql2.dll
c:\program files\ThinkPad\ConnectUtilities\ACGina.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACON.dll
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgr.dll
c:\program files\ThinkPad\ConnectUtilities\AcCryptHlpr.dll
c:\program files\ThinkPad\ConnectUtilities\ACTurinSupport.dll
c:\program files\ThinkPad\ConnectUtilities\AcSmBiosHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcAdaptersInfo.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Intel\WiFi\bin\S24EvMon.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Lenovo\ATK Hotkey\GFNEXSrv.exe
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\system32\TPHDEXLG.exe
c:\program files\Lenovo\Rescue and Recovery\rrservice.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\Lenovo\System Update\SUService.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\windows\system32\wscntfy.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\ZOOM\TpScrex.exe
c:\windows\system32\rundll32.exe
c:\program files\Lenovo\Client Security Solution\password_manager.exe
.
**************************************************************************
.
Completion time: 2008-12-17 20:58:16 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-18 02:58:12

Pre-Run: 94,189,060,096 bytes free
Post-Run: 94,114,279,424 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

285

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:30:57 PM, on 12/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lenovo\ATK Hotkey\GFNEXSrv.exe
C:\Program Files\Lenovo\ATK Hotkey\LFKAS.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\UpdateMonitor.exe
C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Lenovo\HOTKEY\LVOSDSVC.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe
C:\PROGRA~1\Lenovo\LENOVO~2\LPMLCHK.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\Lenovo\ATK Hotkey\LCONTROL.exe
C:\Program Files\Lenovo\ATK Hotkey\LFKA.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
C:\Program Files\Lenovo\Client Security Solution\password_manager.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Common Files\Symantec Shared\COH\coh32.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://remoteuser.westat.com/dana-na/auth/...ult/welcome.cgi
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lenovo.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.onlineregister.com/lenovo/?PAGE...mp;SRNM=L3E1531
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Password Manager Browser Helper Object - {BF468356-BB7E-42D7-9F15-4F3B9BCFCED2} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\LVOSDSVC.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe
O4 - HKLM\..\Run: [LPMailChecker] C:\PROGRA~1\Lenovo\LENOVO~2\LPMLCHK.exe
O4 - HKLM\..\Run: [LCONTROL] "C:\Program Files\Lenovo\ATK Hotkey\LCONTROL.exe"
O4 - HKLM\..\Run: [LFKA] "C:\Program Files\Lenovo\ATK Hotkey\LFKA.exe"
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus CX9400Fax Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICFA.EXE /FU "C:\WINDOWS\TEMP\E_SEE.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [Uniblue RegistryBooster2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: Lenovo Password Manager... - {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://remoteuser.westat.com/dana/download...wnloadCitrixCab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6662.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupControlXP Class) - https://remoteuser.westat.com/dana-cached/s...perSetupSP1.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: ATKGFNEX Service (ATKGFNEXSrv) - Unknown owner - C:\Program Files\Lenovo\ATK Hotkey\GFNEXSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel® Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: ThinkPad PM Service for SL Series (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Service of LFKA (LFKAS) - Unknown owner - C:\Program Files\Lenovo\ATK Hotkey\LFKAS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Power Manager DBC Service - Unknown owner - C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel® Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe (file missing)
O23 - Service: Intel® PROSet/Wireless WiFi Service (S24EventMonitor) - Intel® Corporation - C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: TVT Windows Update Monitor (TVT_UpdateMonitor) - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\UpdateMonitor.exe

--
End of file - 12053 bytes

#6 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,635 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:03:48 AM

Posted 17 December 2008 - 11:10 PM

These logs show no sign of infection. Lets take a deeper look:

Download OTScanit2.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanit2 on your desktop. OTScanit2 can be detected as malware by your firewall and Ativirus. Chose Ignore on any warning alert.
  • Close any open browsers.
  • Open the OTScanit2 folder and double-click on OTScanit2.exe to start the program.
  • Leave all settings as they appear as default, except for the following:
  • Under Drivers, select "All".
  • Under Rootkit Search, select Yes
  • Under additional Scan select the following:
    • Reg - ControlSets
    • Reg - Disabled MS Config Items
    • Reg - File Associations
    • Reg - Security Center Settings
    • Reg - Tcpip Persistent Routes
    • EVNT - Event Viewer entries
  • Now click the Run Scan button on the toolbar.
  • The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Save that notepad file
Use the Reply button and attach the notepad file here (Do not copy and paste in a reply, rather attach it to it).

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#7 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,635 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:03:48 AM

Posted 25 December 2008 - 08:09 PM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users