
Infected with Adware_virtumundo


  • This topic is locked
16 replies to this topic

#1 Siglerbe

  • Members
  • 9 posts

Posted 08 December 2008 - 07:56 PM

I was receiving random pop-ups through Firefox. I did a system scan on Trend Micro HouseCall and it told me that I was infected with Adware_virtumundo. I tried to remove it through Trend Micro and it came back. Then I tried using ComboFix and then VundoFix. Both programs ran and deleted some files and said that they cleared it, but obviously missed something because I am still receiving the pop-ups. I re-ran Trend Micro HouseCall to get the file name to manually remove it from my registry, but it now shows that there is no virus according to Trend Micro. Below are my logs as directed.

Logfile of random's system information tool 1.04 (written by random/random)
Run by Ben at 2008-12-08 15:01:02
Microsoft Windows XP Professional Service Pack 3
System drive C: has 23 GB (26%) free of 90 GB
Total RAM: 1022 MB (47% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:01:04 PM, on 12/8/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Lenovo\System Update\SUService.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ben\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Ben.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wvmls.fnismls.com/Paragon/Login.asp?
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: (no name) - {683AA398-4828-4164-991A-539DA6A75AFF} - C:\WINDOWS\system32\efcBtRJD.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\vtULEvvs.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: {e5d630c0-9055-c64a-51c4-ab8b41ea418a} - {a814ae14-b8ba-4c15-a46c-55090c036d5e} - C:\WINDOWS\system32\sqmvjz.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O13 - DefaultPrefix:
O15 - Trusted Zone: *.fnismls.com
O15 - Trusted Zone: *.getmedianow.com
O15 - Trusted Zone: *.live.com
O15 - Trusted Zone: *.showingtime.com
O15 - Trusted Zone: *.sitexdata.com
O15 - Trusted Zone: *.spellchecker.net
O15 - Trusted Zone: *.transactionpoint.com
O15 - Trusted Zone: *.trpoint.com
O15 - Trusted Zone: http://*.turbotax.com
O15 - Trusted Zone: *.virtualearth.net
O16 - DPF: {0854D220-A90A-466D-BC02-6683183802B7} (PrintPreview Class) - http://wvmls.fnismls.com/Paragon/Codebase/...rintControl.cab
O16 - DPF: {10DE6CF7-3E36-445B-985D-07603082B36B} (FormLoader.Loader) - https://forms.orefonline.com/OLF/Runtime/FormLoader_OREF.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {76E5AF9D-2B3E-4FEB-A31F-A9E63A27FA29} - https://www.ibm.com/pc/support/access/aslib...ntent/AcpIR.cab
O16 - DPF: {F375116A-793C-11D2-BFE1-444553540001} (First American Res MapActiveX Control) - http://www.realquest.com/mapviewer/mapviewer.cab
O20 - AppInit_DLLs: jbtlbr.dll zimjho.dll sqmvjz.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: vtULEvvs - C:\WINDOWS\SYSTEM32\vtULEvvs.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\ProShowGold\ScsiAccess.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - C:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

--
End of file - 7892 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\PMTask.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{683AA398-4828-4164-991A-539DA6A75AFF}]
C:\WINDOWS\system32\efcBtRJD.dll [2008-12-08 302592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
C:\WINDOWS\system32\vtULEvvs.dll [2008-12-07 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll [2007-09-25 501136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a814ae14-b8ba-4c15-a46c-55090c036d5e}]
C:\WINDOWS\system32\sqmvjz.dll [2008-12-08 129024]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"=C:\Program Files\Synaptics\SynTP\SynTPLpr.exe [2006-02-14 110592]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2006-02-14 512000]
"WinampAgent"=C:\Program Files\Winamp\winampa.exe [2006-11-21 35328]
"EZEJMNAP"=C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe [2007-04-27 243248]
"PWRMGRTR"=rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL []
"BLOG"=rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL []
"LPManager"=C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe [2007-03-23 120368]
"ACWLIcon"=C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe [2007-05-17 126976]
"TP4EX"=C:\WINDOWS\system32\tp4ex.exe [2005-10-17 65536]
"AwaySch"=C:\Program Files\Lenovo\AwayTask\AwaySch.EXE [2006-11-07 91688]
"TPFNF7"=C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe [2007-04-10 58416]
"SoundMAXPnP"=C:\Program Files\Analog Devices\Core\smax4pnp.exe [2005-05-20 925696]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe [2007-09-25 132496]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]
"BluetoothAuthenticationAgent"=C:\WINDOWS\system32\bthprops.cpl [2008-04-13 110592]
"TVT Scheduler Proxy"=C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe [2008-03-04 487424]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="jbtlbr.dll zimjho.dll sqmvjz.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ACNotify]
C:\Program Files\ThinkPad\ConnectUtilities\ACNotify.dll [2007-05-17 32768]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2007-04-05 114688]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\vtULEvvs]
C:\WINDOWS\system32\vtULEvvs.dll [2008-12-07 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"=C:\WINDOWS\system32\vtULEvvs.dll [2008-12-07 34816]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
C:\WINDOWS\system32\efcBtRJD
"notification packages"=scecli
ACGina

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDrives"=0
"NoDriveAutoRun"=67108863

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDrives"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\WINDOWS\system32\mmc.exe"="C:\WINDOWS\system32\mmc.exe:*:Enabled:Microsoft Management Console"
"C:\Games\Quake 2\quake2.exe"="C:\Games\Quake 2\quake2.exe:*:Enabled:quake2"
"C:\Program Files\Hamachi\hamachi.exe"="C:\Program Files\Hamachi\hamachi.exe:*:Enabled:Hamachi"
"C:\Program Files\TurboTax\Home & Business 2007\32bit\ttax.exe"="C:\Program Files\TurboTax\Home & Business 2007\32bit\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\Program Files\TurboTax\Home & Business 2007\32bit\updatemgr.exe"="C:\Program Files\TurboTax\Home & Business 2007\32bit\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2e15f02c-b4fd-11dc-acd1-001a6b69360e}]
shell\AutoRun\command - E:\Launch.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{30ccb841-22ff-11dc-888a-806d6172696f}]
shell\AutoRun\command - D:\setup.exe


======List of files/folders created in the last 1 months======

2008-12-08 15:01:02 ----D---- C:\rsit
2008-12-08 14:24:37 ----D---- C:\Program Files\Trend Micro
2008-12-08 01:01:21 ----SH---- C:\WINDOWS\system32\moauwuad.ini
2008-12-08 01:01:15 ----A---- C:\WINDOWS\system32\dauwuaom.dll
2008-12-08 00:59:13 ----A---- C:\WINDOWS\system32\sqmvjz.dll
2008-12-08 00:59:10 ----A---- C:\WINDOWS\system32\piyyocgx.dll
2008-12-08 00:58:14 ----ASH---- C:\WINDOWS\system32\DJRtBcfe.ini2
2008-12-08 00:58:13 ----ASH---- C:\WINDOWS\system32\DJRtBcfe.ini
2008-12-08 00:58:06 ----A---- C:\WINDOWS\system32\efcBtRJD.dll
2008-12-08 00:18:50 ----SHD---- C:\RECYCLER
2008-12-08 00:18:33 ----D---- C:\WINDOWS\temp
2008-12-07 23:44:14 ----RASHD---- C:\cmdcons
2008-12-07 23:42:45 ----A---- C:\WINDOWS\zip.exe
2008-12-07 23:42:45 ----A---- C:\WINDOWS\VFIND.exe
2008-12-07 23:42:45 ----A---- C:\WINDOWS\SWXCACLS.exe
2008-12-07 23:42:45 ----A---- C:\WINDOWS\SWSC.exe
2008-12-07 23:42:45 ----A---- C:\WINDOWS\SWREG.exe
2008-12-07 23:42:45 ----A---- C:\WINDOWS\sed.exe
2008-12-07 23:42:45 ----A---- C:\WINDOWS\NIRCMD.exe
2008-12-07 23:42:45 ----A---- C:\WINDOWS\grep.exe
2008-12-07 23:42:45 ----A---- C:\WINDOWS\fdsv.exe
2008-12-07 23:42:36 ----D---- C:\WINDOWS\ERDNT
2008-12-07 13:00:41 ----A---- C:\WINDOWS\system32\4baa8761-.txt
2008-12-07 12:55:03 ----A---- C:\WINDOWS\system32\vtULEvvs.dll
2008-12-01 10:16:20 ----D---- C:\Program Files\Common Files\Lenovo
2008-12-01 10:16:02 ----SHD---- C:\Config.Msi
2008-11-11 18:30:35 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2008-11-11 18:30:30 ----HDC---- C:\WINDOWS\$NtUninstallKB954459$
2008-11-11 18:30:23 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$

======List of files/folders modified in the last 1 months======

2008-12-08 14:27:12 ----RD---- C:\Program Files
2008-12-08 14:27:06 ----D---- C:\WINDOWS\system32\CatRoot2
2008-12-08 14:19:42 ----D---- C:\Program Files\Mozilla Firefox
2008-12-08 14:17:03 ----A---- C:\WINDOWS\system32\PROCDB.INI
2008-12-08 14:16:50 ----D---- C:\WINDOWS\system32
2008-12-08 14:16:50 ----A---- C:\WINDOWS\system32\IPSCtrl.INI
2008-12-08 14:15:29 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-12-08 14:15:02 ----D---- C:\WINDOWS\system32\drivers
2008-12-08 14:15:01 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2008-12-08 13:25:02 ----AC---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-12-08 12:02:05 ----HDC---- C:\WINDOWS\$NtUninstallKB902400$
2008-12-08 12:02:05 ----D---- C:\WINDOWS
2008-12-08 11:12:59 ----D---- C:\WINDOWS\system32\Restore
2008-12-08 00:16:20 ----N---- C:\WINDOWS\system.ini
2008-12-08 00:14:09 ----D---- C:\WINDOWS\system32\config
2008-12-08 00:13:00 ----D---- C:\WINDOWS\AppPatch
2008-12-08 00:13:00 ----D---- C:\Program Files\Common Files
2008-12-07 23:46:04 ----SD---- C:\WINDOWS\Tasks
2008-12-07 23:44:19 ----RASH---- C:\boot.ini
2008-12-07 23:42:28 ----D---- C:\WINDOWS\Prefetch
2008-12-07 23:13:46 ----D---- C:\Program Files\Internet Explorer
2008-12-07 21:40:21 ----SD---- C:\WINDOWS\Downloaded Program Files
2008-12-01 10:17:01 ----SHD---- C:\WINDOWS\Installer
2008-12-01 10:16:20 ----D---- C:\Program Files\Lenovo
2008-11-24 21:32:55 ----D---- C:\Games
2008-11-11 20:32:16 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-11-11 18:30:37 ----HD---- C:\WINDOWS\inf
2008-11-11 18:30:35 ----HD---- C:\WINDOWS\$hf_mig$
2008-11-11 18:30:33 ----A---- C:\WINDOWS\imsins.BAK
2008-11-11 18:29:52 ----D---- C:\WINDOWS\WinSxS

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 ANC;ANC; C:\WINDOWS\System32\drivers\ANC.SYS [2005-11-08 11520]
R1 IBMTPCHK;IBMTPCHK; \??\C:\WINDOWS\system32\Drivers\IBMBLDID.sys []
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 Smapint;Smapint; C:\WINDOWS\System32\drivers\Smapint.sys [2006-10-02 14848]
R1 TDSMAPI;TDSMAPI; C:\WINDOWS\System32\drivers\TDSMAPI.SYS [2006-10-02 9343]
R1 TPPWRIF;TPPWRIF; C:\WINDOWS\System32\drivers\Tppwrif.sys [2007-04-13 4442]
R1 TSMAPIP;TSMAPIP; C:\WINDOWS\System32\drivers\TSMAPIP.SYS [2007-04-10 12848]
R2 irda;IrDA Protocol; C:\WINDOWS\System32\DRIVERS\irda.sys [2008-04-13 88192]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2006-06-19 12672]
R2 PROCDD;IPS Helper Driver; C:\WINDOWS\system32\DRIVERS\PROCDD.SYS [2006-11-06 12080]
R2 tmcomm;tmcomm; \??\C:\WINDOWS\system32\drivers\tmcomm.sys []
R3 ADIHdAudAddService;ADI UAA Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\ADIHdAud.sys [2006-06-20 178688]
R3 AEAudioService;AEAudio Service; C:\WINDOWS\system32\drivers\AEAudio.sys [2006-08-07 93952]
R3 AR5211;Atheros Wireless Network Adapter Service; C:\WINDOWS\system32\DRIVERS\ar5211.sys [2007-04-05 546112]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2007-04-05 1989120]
R3 BthEnum;Bluetooth Enumerator Service; C:\WINDOWS\system32\DRIVERS\BthEnum.sys [2008-04-13 17024]
R3 BTHUSB;Bluetooth Radio USB Driver; C:\WINDOWS\System32\Drivers\BTHUSB.sys [2008-04-13 18944]
R3 CmBatt;Microsoft AC Adapter Driver; C:\WINDOWS\System32\DRIVERS\CmBatt.sys [2008-04-13 13952]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HSF_DPV;HSF_DPV; C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys [2006-12-22 988800]
R3 HSFHWAZL;HSFHWAZL; C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys [2006-12-22 209664]
R3 IBMPMDRV;IBMPMDRV; C:\WINDOWS\system32\DRIVERS\ibmpmdrv.sys [2007-02-27 21040]
R3 NSCIRDA;NSC Infrared Device Driver; C:\WINDOWS\System32\DRIVERS\nscirda.sys [2008-04-13 28672]
R3 psadd;Lenovo Parties Service Access Device Driver; C:\WINDOWS\system32\DRIVERS\psadd.sys [2007-02-18 21376]
R3 Rasirda;WAN Miniport (IrDA); C:\WINDOWS\System32\DRIVERS\rasirda.sys [2001-08-17 19584]
R3 RFCOMM;Bluetooth Device (RFCOMM Protocol TDI); C:\WINDOWS\system32\DRIVERS\rfcomm.sys [2008-04-13 59136]
R3 swmx01;Sierra Wireless USB MUX Driver (#01); C:\WINDOWS\system32\DRIVERS\swmx01.sys [2005-11-18 58624]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2006-02-14 177664]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2006-12-22 730112]
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
S3 BthPan;Bluetooth Device (Personal Area Network); C:\WINDOWS\system32\DRIVERS\bthpan.sys [2008-04-13 101120]
S3 BTHPORT;Bluetooth Port Driver; C:\WINDOWS\System32\Drivers\BTHport.sys [2008-06-13 272128]
S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
S3 e1express;Intel® PRO/1000 PCI Express Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e1e5132.sys [2007-01-12 246680]
S3 hamachi;Hamachi Network Interface; C:\WINDOWS\system32\DRIVERS\hamachi.sys [2008-11-05 25280]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 SWNC5E01;Sierra Wireless MUX NDIS Driver (#01); C:\WINDOWS\system32\DRIVERS\SWNC5E01.sys [2005-08-05 73600]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WpdUsb;WpdUsb; C:\WINDOWS\System32\Drivers\wpdusb.sys [2005-01-28 18944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 sr;System Restore Filter Driver; C:\WINDOWS\System32\DRIVERS\sr.sys [2008-04-13 73472]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AcPrfMgrSvc;Ac Profile Manager Service; C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe [2007-05-17 65536]
R2 AcSvc;Access Connections Main Service; C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe [2007-05-17 184320]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2007-04-05 454656]
R2 BthServ;Bluetooth Support Service; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
R2 IBMPMSVC;ThinkPad PM Service; C:\WINDOWS\system32\ibmpmsvc.exe [2007-02-27 36400]
R2 IPSSVC;IPS Core Service; C:\WINDOWS\system32\IPSSVC.EXE [2007-01-30 108080]
R2 Irmon;Infrared Monitor; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
R2 ScsiAccess;ScsiAccess; C:\Program Files\ProShowGold\ScsiAccess.exe [2007-11-22 181312]
R2 SUService;System Update; C:\Program Files\Lenovo\System Update\SUService.exe [2008-10-20 28672]
R2 ThinkVantage Registry Monitor Service;ThinkVantage Registry Monitor Service; C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe [2007-09-26 644408]
R2 TVT Scheduler;TVT Scheduler; C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe [2008-03-04 1122304]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-04-13 33632]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-04-13 68952]
S3 getPlus® Helper;getPlus® Helper; C:\Program Files\NOS\bin\getPlus_HelperSvc.exe [2008-08-29 33752]

-----------------EOF-----------------
info.txt logfile of random's system information tool 1.04 2008-12-08 15:01:06

======Uninstall list======

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Access Help-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C6FA39A7-26B1-480A-BC74-6D17531AC222}\setup.exe" -l0x9 UNINSTALL
Ad-aware 6 Personal-->C:\PROGRA~1\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\AD-AWA~1\INSTALL.LOG
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Flash Player 9 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Reader 7.1.0-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A71000000002}
Adobe Shockwave Player-->C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
AnswerWorks 4.0 Runtime - English-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7DD9A065-2C86-4A9F-A5FF-796EC1B99DCA}\setup.exe" -l0x9 -removeonly
ATI Display Driver-->rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Blaze Media Pro-->"C:\Documents and Settings\All Users\Application Data\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}\setup_blazemp.exe" REMOVE=TRUE MODIFY=FALSE
FileZilla Client 3.0.5.2-->C:\Program Files\FileZilla FTP Client\uninstall.exe
Google Earth-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
Help Center-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{986F64DC-FF15-449D-998F-EE3BCEC6666A}\setup.exe" -l0x9 -AddRemove
High Definition Audio Driver Package - KB888111-->"C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Intel® PRO Network Connections Drivers-->Prounstl.exe
Java™ 6 Update 2-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ SE Runtime Environment 6 Update 1-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
LimeWire 4.12.14-->"C:\Program Files\LimeWire\uninstall.exe"
Maintenance Manager-->Rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\AWAYTASK.INF
Microsoft .NET Framework 2.0-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
Microsoft Office XP Professional with FrontPage-->MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft Silverlight-->MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Mozilla Firefox (3.0.4)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
Nero 6 Demo-->C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
PC-Doctor 5 for Windows-->C:\Program Files\PCDR5\uninst.exe
Photodex Presenter-->C:\Program Files\Photodex Presenter\uninst.exe
Presentation Director-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{65706020-7B6F-41F2-8047-FC69579E386A}\SETUP.EXE" -l0x9 -AddRemove
Productivity Center Supplement for ThinkPad-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D728E945-256D-4477-B377-6BBA693714AC}\setup.exe" -l0x9 -AddRemove
ProShow Gold-->C:\Program Files\ProShowGold\proshow.exe . -u
Security Update for Microsoft .NET Framework 2.0 (KB928365)-->C:\WINDOWS\system32\msiexec.exe /promptrestart /uninstall {8056AC9E-49C5-4375-9ADE-B2F862C9DF51} /package {7131646D-CD3C-40F4-97B9-CD9E4E6262EF}
Security Update for Windows Media Player 9 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950759)-->"C:\WINDOWS\$NtUninstallKB950759$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953838)-->"C:\WINDOWS\$NtUninstallKB953838$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956390)-->"C:\WINDOWS\$NtUninstallKB956390$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Sierra Wireless MC5720 Package for Access Connections-->MsiExec.exe /X{7DA0C101-5C7C-40C9-A485-68E12780232C}
SoundMAX-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe" -l0x9 -removeonly
System Update-->MsiExec.exe /X{8675339C-128C-44DD-83BF-0A5D6ABD8297}
ThinkPad Configuration-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FC081D4D-DF1B-4CF1-B530-027E4118D846}\setup.exe" -l0x9 -AddRemove
ThinkPad EasyEject Utility -->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1297C681-92D7-40EF-93BF-03F66EC5105C}\SETUP.EXE" -l0x9 -AddRemove
ThinkPad Modem-->C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_10140588\UIU32m.exe -U -ITkp0588k.inf
ThinkPad Power Management Driver-->RunDll32.exe tpinspm.dll,Uninstall
ThinkPad Power Manager-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A0E64EBA-8BF0-49FB-90C0-BB3D781A2016}\SETUP.EXE" -l0x9 -AddRemove
ThinkPad UltraNav Driver-->rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
ThinkPad UltraNav Utility-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{17CBC505-D1AE-459D-B445-3D2000A85842}\setup.exe" -l0x9 UNINSTALL
ThinkPad UltraNav Wizard-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{82512BC9-BD5D-4C50-BE4D-B98E7DF78687}\SETUP.EXE" -l0x9 UNINSTALL
ThinkVantage Access Connections-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7EB114D8-207F-45AE-BABD-1669715F2630}\setup.exe" -l0x9 anything
ThinkVantage Productivity Center-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CF5737AF-8550-4546-A69B-0EA9EF5A9B55}\setup.exe" -l0x9 -AddRemove
TrackPoint Accessibility Features-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EA664480-3844-11D5-8C25-444553540000}\SETUP.EXE"
TurboTax Home & Business 2007-->C:\Program Files\TurboTax\Home & Business 2007\TaxUnst.EXE "C:\Program Files\TurboTax\Home & Business 2007\Uninstall.log" -NoGui
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
VZAccess Manager for Lenovo-->MsiExec.exe /X{2C1FB355-49F4-4911-929D-AE97C2DCEDBB}
WebEx-->C:\PROGRA~1\MOZILL~1\plugins\atcliun.exe
Winamp (remove only)-->"C:\Program Files\Winamp\UninstWA.exe"
Windows Essentials Media Codec Pack 1.0-->C:\Program Files\Essentials Codec Pack\uninst.exe
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\Program Files\ThinkPad\Utilities;C:\Program Files\ThinkPad\ConnectUtilities;C:\Program Files\Common Files\Lenovo
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 6, GenuineIntel
"PROCESSOR_REVISION"=0f06
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"FP_NO_HOST_CHECK"=NO
"TPCCommon"=C:\PROGRA~1\THINKV~1\PrdCtr
"TVT"=C:\Program Files\Lenovo

-----------------EOF-----------------

KASPERSKY ONLINE SCANNER 7 REPORT
Monday, December 8, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, December 08, 2008 20:42:14
Records in database: 1444573
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
C:\
D:\
Scan statistics
Files scanned 73700
Threat name 2
Infected objects 7
Suspicious objects 0
Duration of the scan 01:08:34

File name Threat name Threats count
C:\WINDOWS\system32\vtULEvvs.dll/C:\WINDOWS\system32\vtULEvvs.dll Infected: Trojan-Downloader.Win32.Agent.atga 4
C:\Documents and Settings\Ben\.housecall6.6\Quarantine\apstpldr.dll[1].htm.bac_a03500 Infected: Trojan.Win32.Agent.asus 1
C:\Documents and Settings\Ben\.housecall6.6\Quarantine\wvUNdExY.dll.bac_a03500 Infected: Trojan.Win32.Agent.asus 1
C:\WINDOWS\system32\vtULEvvs.dll Infected: Trojan-Downloader.Win32.Agent.atga 1
The selected area was scanned.


#2 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • Local time:06:12 PM

Posted 13 December 2008 - 06:09 AM

Hello, my name is fenzodahl512 and welcome to BC.. Please do the following...


Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

If ComboFix asked you to install Recovery Console, please do so.. It will be in your best interest..

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DO NOT mouseclick combofix's window while it's running. That may cause it to stall.




NEXT


Please download GMER and unzip it to your Desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run, click Copy and paste the results into Notepad >> save it and attach it in this thread.


Post these logs in your next reply..

1. ComboFix
2. A fresh HijackThis log
3. Attach GMER report


Regards
fenzodahl512

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 Siglerbe

Siglerbe
  • Topic Starter

  • Members
  • 9 posts
  • Local time:02:12 AM

Posted 13 December 2008 - 02:19 PM

Thank you very much. Here are the logs below. Also, since my first post, I have been receiving a pop up telling me that I have another Trojan virus called Trojan.Zlob.G. I have done some research, and it is an advertisement to get you to buy their fake virus software. However, it is also affecting my computer and no longer allowing me on the internet. I have found a program that will supposedly remove it from my computer, but I did not want to do anything that might interfere with what we are doing. But I felt that you should know about the additional infection. Here are the logs in order. Thanks, Ben

ComboFix 08-12-12.05 - Ben 2008-12-13 10:42:40.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.620 [GMT -8:00]
Running from: E:\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Ben\LOCALS~1\Temp\tmp2.tmp
c:\windows\system32\cviyjfwv.dll
c:\windows\system32\dauwuaom.dll
c:\windows\system32\DJRtBcfe.ini
c:\windows\system32\DJRtBcfe.ini2
c:\windows\system32\dpvagspk.ini
c:\windows\system32\efcBtRJD.dll
c:\windows\system32\ggfcoy.dll
c:\windows\system32\hwrbgfxf.dll
c:\windows\system32\moauwuad.ini
c:\windows\system32\orhwwnwt.ini
c:\windows\system32\paapic.dll
c:\windows\system32\piyyocgx.dll
c:\windows\system32\sqmvjz.dll
c:\windows\system32\twnwwhro.dll
c:\windows\system32\vtULEvvs.dll

.
((((((((((((((((((((((((( Files Created from 2008-11-13 to 2008-12-13 )))))))))))))))))))))))))))))))
.

2008-12-08 15:01 . 2008-12-08 15:01 <DIR> d-------- C:\rsit
2008-12-08 14:24 . 2008-12-08 14:24 <DIR> d-------- c:\program files\Trend Micro
2008-12-07 23:13 . 2007-12-27 18:50 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys
2008-12-01 10:16 . 2008-12-01 10:16 <DIR> d-------- c:\program files\Common Files\Lenovo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-11 00:08 --------- d-----w c:\program files\Ad-aware 6
2008-12-08 22:15 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-01 18:16 --------- d-----w c:\program files\Lenovo
2008-11-06 07:03 --------- d-----w c:\documents and settings\Ben\Application Data\Hamachi
2008-11-06 06:36 25,280 ----a-w c:\windows\system32\drivers\hamachi.sys
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2007-11-07 23:31 17,536 ----a-w c:\documents and settings\Ben\Application Data\GDIPFONTCACHEV1.DAT
2007-11-01 17:18 56,912 ----a-w c:\documents and settings\Ben\g2mdlhlpx.exe
2007-09-27 03:46 19,104 ----a-w c:\program files\mozilla firefox\plugins\atgpcdec.dll
2007-09-27 03:46 105,632 ----a-w c:\program files\mozilla firefox\plugins\atgpcext.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinDNN"="c:\documents and settings\Ben\Application Data\Google\klnxv19819115.exe" [2008-12-10 123392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 512000]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2006-11-21 35328]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-04-27 243248]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2007-04-13 196608]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2007-04-13 208896]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2007-03-23 120368]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-05-17 126976]
"AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-11-07 91688]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2007-04-10 58416]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"TP4EX"="tp4ex.exe" [2005-10-17 c:\windows\system32\TP4EX.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 c:\windows\system32\bthprops.cpl]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2007-05-17 10:41 32768 c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=jbtlbr.dll zimjho.dll ggfcoy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli ACGina

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Games\\Quake 2\\quake2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 ANC;ANC;c:\windows\system32\drivers\ANC.SYS [2007-06-25 11520]
R1 IBMTPCHK;IBMTPCHK;\??\c:\windows\system32\Drivers\IBMBLDID.sys [2007-06-25 4224]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\Tppwrif.sys [2007-06-25 4442]
R3 swmx01;Sierra Wireless USB MUX Driver (#01);c:\windows\system32\DRIVERS\swmx01.sys [2005-11-18 58624]
S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-09-23 33752]
S3 SWNC5E01;Sierra Wireless MUX NDIS Driver (#01);c:\windows\system32\DRIVERS\SWNC5E01.sys [2005-08-05 73600]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2e15f02c-b4fd-11dc-acd1-001a6b69360e}]
\Shell\AutoRun\command - E:\Launch.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{30ccb841-22ff-11dc-888a-806d6172696f}]
\Shell\AutoRun\command - D:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-13 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2007-04-13 00:15]
.
- - - - ORPHANS REMOVED - - - -

BHO-{5d5bd854-6f2f-446b-acbf-d73e502c0d7c} - c:\windows\system32\ggfcoy.dll
BHO-{F97DC910-7C81-4508-92D5-F4CA1CA892BF} - c:\windows\system32\efcBtRJD.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://wvmls.fnismls.com/Paragon/Login.asp?
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: *.fnismls.com
Trusted Zone: *.getmedianow.com
Trusted Zone: *.live.com
Trusted Zone: *.showingtime.com
Trusted Zone: *.sitexdata.com
Trusted Zone: *.spellchecker.net
Trusted Zone: *.transactionpoint.com
Trusted Zone: *.trpoint.com
Trusted Zone: *.virtualearth.net

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

c:\windows\Downloaded Program Files\FNISPrintControl.DLL - O16 -: {0854D220-A90A-466D-BC02-6683183802B7}
hxxp://wvmls.fnismls.com/Paragon/Codebase/FNISPrintControl.cab

c:\windows\Downloaded Program Files\FormLoader.dll - O16 -: {10DE6CF7-3E36-445B-985D-07603082B36B}
hxxps://forms.orefonline.com/OLF/Runtime/FormLoader_OREF.CAB
c:\windows\Downloaded Program Files\FormLoader.INF

c:\windows\Downloaded Program Files\mapviewer.ocx - O16 -: {F375116A-793C-11D2-BFE1-444553540001}
hxxp://www.realquest.com/mapviewer/mapviewer.cab
FF - ProfilePath - c:\documents and settings\Ben\Application Data\Mozilla\Firefox\Profiles\mutu2s84.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%3Fui%3Dhtml%26zy%3Dl&ltmpl=default&ltmplcache=2&hl=en
FF - plugin: c:\documents and settings\Ben\Application Data\Mozilla\Firefox\Profiles\mutu2s84.default\extensions\{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\Ben\Application Data\Mozilla\plugins\npPxPlay.dll
FF - plugin: c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.30523.8\npctrl.1.0.30401.0.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.30523.8\npctrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np_gp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npActiveGS.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-13 10:50:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(596)
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(652)
c:\program files\ThinkPad\ConnectUtilities\ACGina.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACON.dll
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgr.dll
c:\program files\ThinkPad\ConnectUtilities\AcCryptHlpr.dll
c:\program files\ThinkPad\ConnectUtilities\ACTurinSupport.dll
c:\program files\ThinkPad\ConnectUtilities\AcSmBiosHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcAdaptersInfo.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\IPSSVC.EXE
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\ProShowGold\scsiaccess.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Lenovo\System Update\SUService.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-12-13 10:52:20 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-13 18:52:18

Pre-Run: 24,478,769,152 bytes free
Post-Run: 24,579,104,768 bytes free

193 --- E O F --- 2008-11-12 02:31:43

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:58:13 AM, on 12/13/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\System Update\SUService.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wvmls.fnismls.com/Paragon/Login.asp?
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O13 - DefaultPrefix:
O15 - Trusted Zone: *.fnismls.com
O15 - Trusted Zone: *.getmedianow.com
O15 - Trusted Zone: *.live.com
O15 - Trusted Zone: *.showingtime.com
O15 - Trusted Zone: *.sitexdata.com
O15 - Trusted Zone: *.spellchecker.net
O15 - Trusted Zone: *.transactionpoint.com
O15 - Trusted Zone: *.trpoint.com
O15 - Trusted Zone: http://*.turbotax.com
O15 - Trusted Zone: *.virtualearth.net
O16 - DPF: {0854D220-A90A-466D-BC02-6683183802B7} (PrintPreview Class) - http://wvmls.fnismls.com/Paragon/Codebase/...rintControl.cab
O16 - DPF: {10DE6CF7-3E36-445B-985D-07603082B36B} (FormLoader.Loader) - https://forms.orefonline.com/OLF/Runtime/FormLoader_OREF.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {76E5AF9D-2B3E-4FEB-A31F-A9E63A27FA29} - https://www.ibm.com/pc/support/access/aslib...ntent/AcpIR.cab
O16 - DPF: {F375116A-793C-11D2-BFE1-444553540001} (First American Res MapActiveX Control) - http://www.realquest.com/mapviewer/mapviewer.cab
O20 - AppInit_DLLs: jbtlbr.dll zimjho.dll ggfcoy.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\ProShowGold\ScsiAccess.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - C:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

--
End of file - 7471 bytes

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-12-13 11:12:17
Windows 5.1.2600 Service Pack 3


---- Kernel code sections - GMER 1.0.14 ----

? Combo-Fix.sys The system cannot find the file specified. !
? C:\ComboFix\catchme.sys The system cannot find the path specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.14 ----

.text C:\WINDOWS\system32\notepad.exe[436] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00D29180 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\WINDOWS\system32\notepad.exe[436] ntdll.dll!NtQuerySystemInformation 7C90D910 5 Bytes JMP 00D2B000 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\WINDOWS\system32\notepad.exe[436] ws2_32.dll!send 71AB4C27 5 Bytes JMP 00D29340 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\WINDOWS\system32\notepad.exe[436] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00D296E8 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\WINDOWS\system32\notepad.exe[436] ws2_32.dll!recv 71AB676F 5 Bytes JMP 00D298D0 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\Documents and Settings\Ben\Desktop\gmer\gmer.exe[1272] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 010D9180 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\Documents and Settings\Ben\Desktop\gmer\gmer.exe[1272] ntdll.dll!NtQuerySystemInformation 7C90D910 5 Bytes JMP 010DB000 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\Documents and Settings\Ben\Desktop\gmer\gmer.exe[1272] ws2_32.dll!send 71AB4C27 5 Bytes JMP 010D9340 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\Documents and Settings\Ben\Desktop\gmer\gmer.exe[1272] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 010D96E8 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\Documents and Settings\Ben\Desktop\gmer\gmer.exe[1272] ws2_32.dll!recv 71AB676F 5 Bytes JMP 010D98D0 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\Documents and Settings\Ben\Application Data\Google\klnxv19819115.exe[2100] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 003B9180 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\Documents and Settings\Ben\Application Data\Google\klnxv19819115.exe[2100] ntdll.dll!NtQuerySystemInformation 7C90D910 5 Bytes JMP 003BB000 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\Documents and Settings\Ben\Application Data\Google\klnxv19819115.exe[2100] ws2_32.dll!send 71AB4C27 5 Bytes JMP 003B9340 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\Documents and Settings\Ben\Application Data\Google\klnxv19819115.exe[2100] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 003B96E8 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\Documents and Settings\Ben\Application Data\Google\klnxv19819115.exe[2100] ws2_32.dll!recv 71AB676F 5 Bytes JMP 003B98D0 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[2324] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 01009180 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[2324] ntdll.dll!NtQuerySystemInformation 7C90D910 5 Bytes JMP 0100B000 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[2324] ws2_32.dll!send 71AB4C27 5 Bytes JMP 01009340 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[2324] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 010096E8 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[2324] ws2_32.dll!recv 71AB676F 5 Bytes JMP 010098D0 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2340] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 011B9180 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2340] ntdll.dll!NtQuerySystemInformation 7C90D910 5 Bytes JMP 011BB000 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2340] ws2_32.dll!send 71AB4C27 5 Bytes JMP 011B9340 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2340] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 011B96E8 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2340] ws2_32.dll!recv 71AB676F 5 Bytes JMP 011B98D0 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\WINDOWS\explorer.exe[2356] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 01B29180 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\WINDOWS\explorer.exe[2356] ntdll.dll!NtQuerySystemInformation 7C90D910 5 Bytes JMP 01B2B000 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\WINDOWS\explorer.exe[2356] ws2_32.dll!send 71AB4C27 5 Bytes JMP 01B29340 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\WINDOWS\explorer.exe[2356] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01B296E8 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\WINDOWS\explorer.exe[2356] ws2_32.dll!recv 71AB676F 5 Bytes JMP 01B298D0 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\Program Files\Winamp\winampa.exe[2416] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 003E9180 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\Program Files\Winamp\winampa.exe[2416] ntdll.dll!NtQuerySystemInformation 7C90D910 5 Bytes JMP 003EB000 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\Program Files\Winamp\winampa.exe[2416] ws2_32.dll!send 71AB4C27 5 Bytes JMP 003E9340 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\Program Files\Winamp\winampa.exe[2416] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 003E96E8 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\Program Files\Winamp\winampa.exe[2416] ws2_32.dll!recv 71AB676F 5 Bytes JMP 003E98D0 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe[2436] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 003D9180 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe[2436] ntdll.dll!NtQuerySystemInformation 7C90D910 5 Bytes JMP 003DB000 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe[2436] ws2_32.dll!send 71AB4C27 5 Bytes JMP 003D9340 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe[2436] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 003D96E8 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe[2436] ws2_32.dll!recv 71AB676F 5 Bytes JMP 003D98D0 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\WINDOWS\system32\rundll32.exe[2452] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00DD9180 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\WINDOWS\system32\rundll32.exe[2452] ntdll.dll!NtQuerySystemInformation 7C90D910 5 Bytes JMP 00DDB000 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\WINDOWS\system32\rundll32.exe[2452] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00DD9340 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\WINDOWS\system32\rundll32.exe[2452] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00DD96E8 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\WINDOWS\system32\rundll32.exe[2452] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00DD98D0 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe[2492] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 01909180 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe[2492] ntdll.dll!NtQuerySystemInformation 7C90D910 5 Bytes JMP 0190B000 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe[2492] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01909340 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe[2492] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 019096E8 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe[2492] WS2_32.dll!recv 71AB676F 5 Bytes JMP 019098D0 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe[2500] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00EA9180 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe[2500] ntdll.dll!NtQuerySystemInformation 7C90D910 5 Bytes JMP 00EAB000 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe[2500] ws2_32.dll!send 71AB4C27 5 Bytes JMP 00EA9340 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe[2500] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00EA96E8 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe[2500] ws2_32.dll!recv 71AB676F 5 Bytes JMP 00EA98D0 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\Program Files\Lenovo\AwayTask\AwaySch.EXE[2520] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 003E9180 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\Program Files\Lenovo\AwayTask\AwaySch.EXE[2520] ntdll.dll!NtQuerySystemInformation 7C90D910 5 Bytes JMP 003EB000 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\Program Files\Lenovo\AwayTask\AwaySch.EXE[2520] ws2_32.dll!send 71AB4C27 5 Bytes JMP 003E9340 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\Program Files\Lenovo\AwayTask\AwaySch.EXE[2520] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 003E96E8 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\Program Files\Lenovo\AwayTask\AwaySch.EXE[2520] ws2_32.dll!recv 71AB676F 5 Bytes JMP 003E98D0 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe[2532] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 003D9180 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe[2532] ntdll.dll!NtQuerySystemInformation 7C90D910 5 Bytes JMP 003DB000 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe[2532] ws2_32.dll!send 71AB4C27 5 Bytes JMP 003D9340 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe[2532] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 003D96E8 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe[2532] ws2_32.dll!recv 71AB676F 5 Bytes JMP 003D98D0 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[2580] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 011D9180 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[2580] ntdll.dll!NtQuerySystemInformation 7C90D910 5 Bytes JMP 011DB000 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[2580] ws2_32.dll!send 71AB4C27 5 Bytes JMP 011D9340 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[2580] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 011D96E8 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[2580] ws2_32.dll!recv 71AB676F 5 Bytes JMP 011D98D0 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\WINDOWS\system32\rundll32.exe[2684] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 009B9180 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\WINDOWS\system32\rundll32.exe[2684] ntdll.dll!NtQuerySystemInformation 7C90D910 5 Bytes JMP 009BB000 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\WINDOWS\system32\rundll32.exe[2684] ws2_32.dll!send 71AB4C27 5 Bytes JMP 009B9340 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\WINDOWS\system32\rundll32.exe[2684] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 009B96E8 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\WINDOWS\system32\rundll32.exe[2684] ws2_32.dll!recv 71AB676F 5 Bytes JMP 009B98D0 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\Program Files\Trend Micro\HijackThis\HijackThis.exe[2848] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 01AB9180 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\Program Files\Trend Micro\HijackThis\HijackThis.exe[2848] ntdll.dll!NtQuerySystemInformation 7C90D910 5 Bytes JMP 01ABB000 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\Program Files\Trend Micro\HijackThis\HijackThis.exe[2848] ws2_32.dll!send 71AB4C27 5 Bytes JMP 01AB9340 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\Program Files\Trend Micro\HijackThis\HijackThis.exe[2848] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01AB96E8 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\Program Files\Trend Micro\HijackThis\HijackThis.exe[2848] ws2_32.dll!recv 71AB676F 5 Bytes JMP 01AB98D0 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\WINDOWS\system32\wuauclt.exe[3000] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 01159180 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\WINDOWS\system32\wuauclt.exe[3000] ntdll.dll!NtQuerySystemInformation 7C90D910 5 Bytes JMP 0115B000 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\WINDOWS\system32\wuauclt.exe[3000] ws2_32.dll!send 71AB4C27 5 Bytes JMP 01159340 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\WINDOWS\system32\wuauclt.exe[3000] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 011596E8 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\WINDOWS\system32\wuauclt.exe[3000] ws2_32.dll!recv 71AB676F 5 Bytes JMP 011598D0 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\WINDOWS\system32\NOTEPAD.EXE[3156] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00D29180 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\WINDOWS\system32\NOTEPAD.EXE[3156] ntdll.dll!NtQuerySystemInformation 7C90D910 5 Bytes JMP 00D2B000 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\WINDOWS\system32\NOTEPAD.EXE[3156] ws2_32.dll!send 71AB4C27 5 Bytes JMP 00D29340 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\WINDOWS\system32\NOTEPAD.EXE[3156] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00D296E8 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\WINDOWS\system32\NOTEPAD.EXE[3156] ws2_32.dll!recv 71AB676F 5 Bytes JMP 00D298D0 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\WINDOWS\system32\wscntfy.exe[3832] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00AE9180 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\WINDOWS\system32\wscntfy.exe[3832] ntdll.dll!NtQuerySystemInformation 7C90D910 5 Bytes JMP 00AEB000 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\WINDOWS\system32\wscntfy.exe[3832] ws2_32.dll!send 71AB4C27 5 Bytes JMP 00AE9340 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\WINDOWS\system32\wscntfy.exe[3832] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00AE96E8 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\WINDOWS\system32\wscntfy.exe[3832] ws2_32.dll!recv 71AB676F 5 Bytes JMP 00AE98D0 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll

---- Devices - GMER 1.0.14 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 mouclass.sys (Mouse Class Driver/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\BTHUSB \Device\00000094 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \Driver\BTHUSB \Device\00000094 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)

---- Processes - GMER 1.0.14 ----

Process C:\Documents and Settings\Ben\Application Data\Google\klnxv19819115.exe (*** hidden *** ) 2100

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00197ef507ec
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\00197ef507ec
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\run@WinDNN "C:\Documents and Settings\Ben\Application Data\Google\klnxv19819115.exe" 2

---- EOF - GMER 1.0.14 ----

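The GMER "Code sections" block above is the signature of a user-mode rootkit: a single DLL under the user's Application Data folder has patched NtEnumerateValueKey, NtQuerySystemInformation and the Winsock send/recv/WSARecv entry points in every listed process, HijackThis.exe included, which is how a Run value and a process can stay out of sight of tools run on the box. As an added example that is not from the thread or from GMER, the Python below parses such lines, groups them by the DLL owning the jump target and flags the pattern; sample lines are copied from the log above, plus one constructed benign line (ExampleAV\hook.dll, a made-up path) for contrast.

```python
"""Triage of GMER 'Code sections' inline-hook lines (added example; not part of
the thread or of GMER itself). Groups hook lines by the DLL that owns the JMP
target and flags a DLL that lives in a user-writable profile folder and hooks
the same API set across many processes, as dfxovl.dll does in the log above."""
import re
from dataclasses import dataclass, field

# One GMER code-section line:
#   .text <process>[<pid>] <module>!<export> <addr> 5 Bytes JMP <target> <dll>
HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<export>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+Bytes\s+JMP\s+"
    r"(?P<target>[0-9A-Fa-f]+)\s+(?P<dll>.+?)\s*$"
)

# Per-user, user-writable folders; a DLL hooking every process from here is a red flag.
USER_WRITABLE_MARKERS = (
    "\\documents and settings\\",
    "\\application data\\",
    "\\local settings\\",
    "\\temp\\",
)

# Lines copied from the GMER log in the thread; the last line (ExampleAV) is constructed.
SAMPLE_LOG = r"""
.text C:\WINDOWS\explorer.exe[2356] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 01B29180 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\WINDOWS\explorer.exe[2356] ntdll.dll!NtQuerySystemInformation 7C90D910 5 Bytes JMP 01B2B000 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\WINDOWS\explorer.exe[2356] ws2_32.dll!send 71AB4C27 5 Bytes JMP 01B29340 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\WINDOWS\system32\rundll32.exe[2452] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00DD98D0 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\Program Files\Trend Micro\HijackThis\HijackThis.exe[2848] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 01AB9180 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\WINDOWS\system32\wscntfy.exe[3832] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00AE96E8 C:\Documents and Settings\Ben\Application Data\Google\dfxovl.dll
.text C:\WINDOWS\explorer.exe[2356] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 10001000 C:\Program Files\ExampleAV\hook.dll
""".strip().splitlines()


@dataclass
class HookingDll:
    path: str
    processes: set = field(default_factory=set)  # "<process>[<pid>]" strings
    exports: set = field(default_factory=set)    # "module!export", lower-cased

    @property
    def user_writable(self) -> bool:
        low = self.path.lower()
        return any(m in low for m in USER_WRITABLE_MARKERS)

    @property
    def hides_registry(self) -> bool:
        # NtEnumerateValueKey is what regedit and HijackThis use to list Run values.
        return "ntdll.dll!ntenumeratevaluekey" in self.exports

    @property
    def hides_processes(self) -> bool:
        # NtQuerySystemInformation backs Task Manager's process list.
        return "ntdll.dll!ntquerysysteminformation" in self.exports

    @property
    def taps_network(self) -> bool:
        return any(e.startswith("ws2_32.dll!") for e in self.exports)


def parse_hooks(lines):
    """Group GMER inline-hook lines by the DLL that owns the jump target."""
    dlls = {}
    for line in lines:
        m = HOOK_RE.match(line.strip())
        if not m:
            continue  # not a code-section hook line
        entry = dlls.setdefault(m["dll"].lower(), HookingDll(path=m["dll"]))
        entry.processes.add(f"{m['process']}[{m['pid']}]")
        entry.exports.add(f"{m['module']}!{m['export']}".lower())
    return dlls


def triage(dlls, min_processes=3):
    """Return [(dll_path, [reasons])] for every DLL that deserves a second look."""
    findings = []
    for d in dlls.values():
        reasons = []
        if d.user_writable:
            reasons.append("loaded from a user-writable profile folder")
        if d.hides_registry:
            reasons.append("hooks NtEnumerateValueKey: can hide Run values from registry tools")
        if d.hides_processes:
            reasons.append("hooks NtQuerySystemInformation: can hide processes from Task Manager")
        if d.taps_network:
            reasons.append("hooks ws2_32 send/recv/WSARecv: can read or rewrite web traffic")
        if len(d.processes) >= min_processes:
            reasons.append(f"injected into {len(d.processes)} processes")
        if reasons:
            findings.append((d.path, reasons))
    return findings


def analyze(lines, min_processes=3):
    return triage(parse_hooks(lines), min_processes)


if __name__ == "__main__":
    for path, reasons in analyze(SAMPLE_LOG):
        print(path)
        for r in reasons:
            print("  -", r)
```

On the sample, only dfxovl.dll is reported (all five reasons); the constructed ExampleAV hook in a single process from Program Files is not.
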
#4 fenzodahl512

Posted 13 December 2008 - 03:14 PM

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Folder::
c:\documents and settings\Ben\Application Data\Google

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinDNN"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

5. Please download Malwarebytes' Anti-Malware from HERE or HERE

Note: If you already have Malwarebytes' Anti-Malware, just run and update it. Then do a "Perform Full Scan".

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • Malwarebytes'.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#5 Siglerbe (Topic Starter)

Posted 13 December 2008 - 06:19 PM

I followed all steps as described, EXCEPT I was unable to update Malwarebytes' before scanning my computer because one of the viruses is not allowing my computer to access the internet. I think it is the Trojan.Zlob.G virus. I am doing the other downloads and posting on here via my wife's laptop. Here are the logs as requested.

- Ben

ComboFix 08-12-12.05 - Ben 2008-12-13 14:08:35.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.613 [GMT -8:00]
Running from: E:\ComboFix.exe
Command switches used :: c:\documents and settings\Ben\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Ben\Application Data\Google
c:\documents and settings\Ben\Application Data\Google\dfxovl.dll
c:\documents and settings\Ben\Application Data\Google\GoogleEarth\myplaces.backup.kml
c:\documents and settings\Ben\Application Data\Google\GoogleEarth\myplaces.kml
c:\documents and settings\Ben\Application Data\Google\GoogleEarth\myplaces.kml.tmp
c:\documents and settings\Ben\Application Data\Google\klnxv19819115.exe
c:\documents and settings\Ben\Application Data\Google\T-Scan\n.gif
c:\documents and settings\Ben\Application Data\Google\T-Scan\t.gif
c:\documents and settings\Ben\Application Data\Google\T-Scan\y.gif

.
((((((((((((((((((((((((( Files Created from 2008-11-13 to 2008-12-13 )))))))))))))))))))))))))))))))
.

2008-12-13 11:03 . 2008-12-13 11:03 250 --a------ c:\windows\gmer.ini
2008-12-08 15:01 . 2008-12-08 15:01 <DIR> d-------- C:\rsit
2008-12-08 14:24 . 2008-12-08 14:24 <DIR> d-------- c:\program files\Trend Micro
2008-12-07 23:13 . 2007-12-27 18:50 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys
2008-12-01 10:16 . 2008-12-01 10:16 <DIR> d-------- c:\program files\Common Files\Lenovo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-11 00:08 --------- d-----w c:\program files\Ad-aware 6
2008-12-08 22:15 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-01 18:16 --------- d-----w c:\program files\Lenovo
2008-11-06 07:03 --------- d-----w c:\documents and settings\Ben\Application Data\Hamachi
2008-11-06 06:36 25,280 ----a-w c:\windows\system32\drivers\hamachi.sys
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2007-11-07 23:31 17,536 ----a-w c:\documents and settings\Ben\Application Data\GDIPFONTCACHEV1.DAT
2007-11-01 17:18 56,912 ----a-w c:\documents and settings\Ben\g2mdlhlpx.exe
2007-09-27 03:46 19,104 ----a-w c:\program files\mozilla firefox\plugins\atgpcdec.dll
2007-09-27 03:46 105,632 ----a-w c:\program files\mozilla firefox\plugins\atgpcext.dll
.

((((((((((((((((((((((((((((( snapshot@2008-12-13_10.52.01.75 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-13 19:02:59 884,736 ----a-w c:\windows\gmer.dll
+ 2008-04-18 05:13:02 811,008 ----a-w c:\windows\gmer.exe
+ 2008-12-13 19:02:59 85,969 ----a-w c:\windows\system32\drivers\gmer.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 512000]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2006-11-21 35328]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-04-27 243248]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2007-04-13 196608]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2007-04-13 208896]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2007-03-23 120368]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-05-17 126976]
"AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-11-07 91688]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2007-04-10 58416]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"TP4EX"="tp4ex.exe" [2005-10-17 c:\windows\system32\TP4EX.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 c:\windows\system32\bthprops.cpl]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2007-05-17 10:41 32768 c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli ACGina

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Games\\Quake 2\\quake2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 ANC;ANC;c:\windows\system32\drivers\ANC.SYS [2007-06-25 11520]
R1 IBMTPCHK;IBMTPCHK;\??\c:\windows\system32\Drivers\IBMBLDID.sys [2007-06-25 4224]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\Tppwrif.sys [2007-06-25 4442]
R3 swmx01;Sierra Wireless USB MUX Driver (#01);c:\windows\system32\DRIVERS\swmx01.sys [2005-11-18 58624]
S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-09-23 33752]
S3 SWNC5E01;Sierra Wireless MUX NDIS Driver (#01);c:\windows\system32\DRIVERS\SWNC5E01.sys [2005-08-05 73600]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2e15f02c-b4fd-11dc-acd1-001a6b69360e}]
\Shell\AutoRun\command - E:\Launch.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{30ccb841-22ff-11dc-888a-806d6172696f}]
\Shell\AutoRun\command - D:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-13 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2007-04-13 00:15]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://wvmls.fnismls.com/Paragon/Login.asp?
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: *.fnismls.com
Trusted Zone: *.getmedianow.com
Trusted Zone: *.live.com
Trusted Zone: *.showingtime.com
Trusted Zone: *.sitexdata.com
Trusted Zone: *.spellchecker.net
Trusted Zone: *.transactionpoint.com
Trusted Zone: *.trpoint.com
Trusted Zone: *.virtualearth.net

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

c:\windows\Downloaded Program Files\FNISPrintControl.DLL - O16 -: {0854D220-A90A-466D-BC02-6683183802B7}
hxxp://wvmls.fnismls.com/Paragon/Codebase/FNISPrintControl.cab

c:\windows\Downloaded Program Files\FormLoader.dll - O16 -: {10DE6CF7-3E36-445B-985D-07603082B36B}
hxxps://forms.orefonline.com/OLF/Runtime/FormLoader_OREF.CAB
c:\windows\Downloaded Program Files\FormLoader.INF

c:\windows\Downloaded Program Files\mapviewer.ocx - O16 -: {F375116A-793C-11D2-BFE1-444553540001}
hxxp://www.realquest.com/mapviewer/mapviewer.cab
FF - ProfilePath - c:\documents and settings\Ben\Application Data\Mozilla\Firefox\Profiles\mutu2s84.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%3Fui%3Dhtml%26zy%3Dl&ltmpl=default&ltmplcache=2&hl=en
FF - plugin: c:\documents and settings\Ben\Application Data\Mozilla\Firefox\Profiles\mutu2s84.default\extensions\{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\Ben\Application Data\Mozilla\plugins\npPxPlay.dll
FF - plugin: c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.30523.8\npctrl.1.0.30401.0.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.30523.8\npctrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np_gp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npActiveGS.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-13 14:11:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(596)
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(652)
c:\program files\ThinkPad\ConnectUtilities\ACGina.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACON.dll
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgr.dll
c:\program files\ThinkPad\ConnectUtilities\AcCryptHlpr.dll
c:\program files\ThinkPad\ConnectUtilities\ACTurinSupport.dll
c:\program files\ThinkPad\ConnectUtilities\AcSmBiosHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcAdaptersInfo.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\IPSSVC.EXE
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\ProShowGold\scsiaccess.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\windows\system32\wdfmgr.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\Lenovo\System Update\SUService.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-12-13 14:13:45 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-13 22:13:43
ComboFix2.txt 2008-12-13 18:52:21

Pre-Run: 24,565,022,720 bytes free
Post-Run: 24,551,936,000 bytes free

188 --- E O F --- 2008-11-12 02:31:43

Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 5.1.2600 Service Pack 3

12/13/2008 3:12:00 PM
mbam-log-2008-12-13 (15-12-00).txt

Scan type: Full Scan (C:\|)
Objects scanned: 117223
Time elapsed: 46 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\cviyjfwv.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ggfcoy.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\hwrbgfxf.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\paapic.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\piyyocgx.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\sqmvjz.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{066593CC-5CA6-4277-9551-B6BD17653227}\RP2\A0000009.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{066593CC-5CA6-4277-9551-B6BD17653227}\RP2\A0000013.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{066593CC-5CA6-4277-9551-B6BD17653227}\RP2\A0000014.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{066593CC-5CA6-4277-9551-B6BD17653227}\RP2\A0000017.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{066593CC-5CA6-4277-9551-B6BD17653227}\RP2\A0000018.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{066593CC-5CA6-4277-9551-B6BD17653227}\RP2\A0000019.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

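Eleven of the twelve file hits in the Malwarebytes log above sit either in ComboFix's own quarantine (C:\Qoobox) or in a System Restore point, i.e. inert copies of material already removed, and the only item that was live on the running system is the HKCU instkey key. As an added example, not part of the thread or of MBAM, the Python below parses that log format and sorts each hit by where it was found; sample lines are copied from the log above, plus one constructed "live" line (a made-up path) used only to exercise that branch.

```python
"""Classify Malwarebytes' Anti-Malware log detections by where they were found
(added example; not part of the thread or of MBAM). Every detection line has
the form '<item> (<family>) -> <action>'. Hits inside ComboFix's quarantine or
inside a System Restore point are inert copies of already-removed malware, so
they are not evidence of an active infection; registry and 'live' items are."""
import re

DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")
# Section headers such as 'Files Infected:' (the summary lines carry a count and do not match).
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")

# Lines copied from the MBAM log in the thread.
SAMPLE_MBAM = r"""
Registry Keys Infected: 1
Files Infected: 12

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\cviyjfwv.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ggfcoy.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{066593CC-5CA6-4277-9551-B6BD17653227}\RP2\A0000009.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{066593CC-5CA6-4277-9551-B6BD17653227}\RP2\A0000013.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
""".strip().splitlines()

# Constructed line (made-up path) showing what a hit on a live system file looks like.
CONSTRUCTED_LIVE_LINE = (
    r"C:\WINDOWS\system32\constructed_example.dll (Trojan.Vundo) -> Quarantined and deleted successfully."
)


def classify_location(item: str) -> str:
    """Where a detected item lived: registry, combofix-quarantine, restore-point or live."""
    low = item.lower()
    if low.startswith("hk"):
        return "registry"
    if "\\qoobox\\quarantine\\" in low:
        return "combofix-quarantine"
    if "\\system volume information\\_restore" in low:
        return "restore-point"
    return "live"


def parse_mbam(lines):
    """Return one dict per detection: section, item, family, action, location."""
    section = None
    results = []
    for raw in lines:
        line = raw.strip()
        m_sec = SECTION_RE.match(line)
        if m_sec:
            section = m_sec["section"]
            continue
        m = DETECTION_RE.match(line)
        if m and section:
            results.append({
                "section": section,
                "item": m["item"],
                "family": m["family"],
                "action": m["action"],
                "location": classify_location(m["item"]),
            })
    return results


def summarize(detections):
    """Count detections per location."""
    counts = {}
    for d in detections:
        counts[d["location"]] = counts.get(d["location"], 0) + 1
    return counts


def still_active(detections):
    """Detections that point at something live on the running system."""
    return [d for d in detections if d["location"] in ("registry", "live")]


if __name__ == "__main__":
    dets = parse_mbam(SAMPLE_MBAM)
    print(summarize(dets))
    for d in still_active(dets):
        print("live:", d["item"])
```
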
#6 fenzodahl512

Posted 13 December 2008 - 11:24 PM

We Need to Verify your DNS Configuration
  • Please download DNSCheck and save it to your desktop.
  • Double click the DNSCheck icon on your desktop.
  • Follow the on-screen instructions. When done, a log will open, and be saved to the desktop.
  • Please copy and paste that log in your next reply.

#7 Siglerbe (Topic Starter)

Posted 14 December 2008 - 01:32 PM

Here you go.

Thanks Again,

Ben

DNSCheck v.0.8.15
Checking No-Exist Redirector
Fake name: urlnautqehkmybfhwsyk.com
Fails to forward resolve. -- OK!
Checking site: google.com
DNSAPI and NSLOOKUP are in agreement. -- OK!
209.85.171.100: resolves to cg-in-f100.google.com -- OK!
72.14.205.100: resolves to qb-in-f100.google.com -- OK!
74.125.45.100: resolves to yx-in-f100.google.com -- OK!
Checking site: yahoo.com
DNSAPI and NSLOOKUP are in agreement. -- OK!
206.190.60.37: resolves to w2.rc.vip.re4.yahoo.com -- OK!
68.180.206.184: resolves to w2.rc.vip.sp1.yahoo.com -- OK!
Checking site: bleepingcomputer.com
DNSAPI and NSLOOKUP are in agreement. -- OK!
208.43.87.2: resolves to www.bleepingcomputer.com -- OK!
Checking site: geekstogo.com
DNSAPI and NSLOOKUP are in agreement. -- OK!
208.43.44.138: resolves to geek15.geekstogo.com -- OK!
Checking site: malwarebytes.org
DNSAPI and NSLOOKUP are in agreement. -- OK!
69.162.79.74: resolves to alpha.malwarebytes.org -- OK!

#8 fenzodahl512

Posted 15 December 2008 - 02:51 AM

Please download WinsockXPFix from HERE.
  • Double-click on WinsockXPFix and click on Fix
It will ask you to restart your computer in an attempt to fix the internet connection. Please do so.


Now, can you connect to the internet?

#9 Siglerbe (Topic Starter)

Posted 15 December 2008 - 02:05 PM

Yes,

Everything seems to be fixed and operating properly. Thank you very much for your time and assistance.

- Ben

#10 Siglerbe (Topic Starter)

Posted 15 December 2008 - 02:34 PM

Nope, sorry. As soon as I posted that last reply, I got a pop-up again, just like when everything started last time. It is a lot better, but not quite gone. I am able to use my internet, and the only sign that I am still infected is that the pop-up just came up again. Would you like me to re-scan my computer?

- Ben

#11 fenzodahl512

Posted 15 December 2008 - 10:11 PM

Post me a fresh RSIT log please, and also a screenshot of the pop-up.

#12 Siglerbe (Topic Starter)

Posted 16 December 2008 - 01:06 PM

I am sorry, I am not sure if this was the log that you wanted. Also, I will get you a screenshot next time it occurs. I will describe it, though: it simply opened a new window in Firefox and took me to the Online DEX website.

- Ben

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:03:35 AM, on 12/16/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Lenovo\System Update\SUService.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wvmls.fnismls.com/Paragon/Login.asp?
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O13 - DefaultPrefix:
O15 - Trusted Zone: *.fnismls.com
O15 - Trusted Zone: *.getmedianow.com
O15 - Trusted Zone: *.live.com
O15 - Trusted Zone: *.showingtime.com
O15 - Trusted Zone: *.sitexdata.com
O15 - Trusted Zone: *.spellchecker.net
O15 - Trusted Zone: *.transactionpoint.com
O15 - Trusted Zone: *.trpoint.com
O15 - Trusted Zone: http://*.turbotax.com
O15 - Trusted Zone: *.virtualearth.net
O16 - DPF: {0854D220-A90A-466D-BC02-6683183802B7} (PrintPreview Class) - http://wvmls.fnismls.com/Paragon/Codebase/...rintControl.cab
O16 - DPF: {10DE6CF7-3E36-445B-985D-07603082B36B} (FormLoader.Loader) - https://forms.orefonline.com/OLF/Runtime/FormLoader_OREF.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {76E5AF9D-2B3E-4FEB-A31F-A9E63A27FA29} - https://www.ibm.com/pc/support/access/aslib...ntent/AcpIR.cab
O16 - DPF: {F375116A-793C-11D2-BFE1-444553540001} (First American Res MapActiveX Control) - http://www.realquest.com/mapviewer/mapviewer.cab
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\ProShowGold\ScsiAccess.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - C:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

--
End of file - 7555 bytes

#13 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts

Posted 17 December 2008 - 11:34 PM

Fix these via HijackThis if you didn't set them yourself in IE's trusted zones..

O15 - Trusted Zone: *.fnismls.com
O15 - Trusted Zone: *.getmedianow.com
O15 - Trusted Zone: *.live.com
O15 - Trusted Zone: *.showingtime.com
O15 - Trusted Zone: *.sitexdata.com
O15 - Trusted Zone: *.spellchecker.net
O15 - Trusted Zone: *.transactionpoint.com
O15 - Trusted Zone: *.trpoint.com
O15 - Trusted Zone: http://*.turbotax.com
O15 - Trusted Zone: *.virtualearth.net

NEXT

Please download RSIT by random/random and save it to your Desktop.
  • Double click on RSIT.exe to run RSIT
  • Before you click "Continue", make sure you change the List files/folders created or modified in the last 3 months
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt and info.txt in your next reply.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
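As an added example (not code from this thread, from HijackThis or from its author), here is a small Python parser that pulls out of a HijackThis 2.0.2 log, in the format posted above, the entries a helper reviews first: O15 Trusted Zone additions (the lines asked to be fixed in this post), O16 ActiveX downloads, O4 autostart entries that give no full path, and O20 Winlogon Notify entries whose file is missing. Trusted Zone entries matter because IE applies its lowest security settings to those domains, so an entry the user did not add is worth removing. The regular expressions are an assumption about the log layout, not an official HijackThis grammar, and the sample log is constructed from lines of the kind seen in this thread.

```python
"""Extract review-worthy entries from a HijackThis 2.0.2 log.

Added example, not part of the BleepingComputer thread or of HijackThis.
The regexes below are assumptions about the log format shown in the thread.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in HijackThis 2.0.2 layout (same line shapes as the thread).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:03:35 AM, on 12/16/2008

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O15 - Trusted Zone: *.spellchecker.net
O15 - Trusted Zone: http://*.turbotax.com
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
"""

# Every HijackThis entry starts with a section code (R0, O4, O15, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.+)$")
CLSID = r"\{[0-9A-Fa-f-]{36}\}"
SECTION_RES = {
    "O2": re.compile(rf"^BHO: (?P<name>.+?) - (?P<clsid>{CLSID}) - (?P<path>.+)$"),
    "O4": re.compile(r"^(?P<key>HK[A-Z]+\\\.\.\\Run(?:Once)?): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$"),
    "O15": re.compile(r"^Trusted Zone: (?P<domain>\S+)$"),
    "O16": re.compile(rf"^DPF: (?P<clsid>{CLSID})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$"),
}
# An autostart command that begins with a drive letter (optionally via rundll32)
# is fully qualified; anything else is resolved through the PATH search order.
QUALIFIED_CMD_RE = re.compile(r"^(?:rundll32(?:\.exe)?\s+)?[A-Za-z]:\\")


@dataclass
class Entry:
    code: str
    body: str
    fields: dict = field(default_factory=dict)


def parse_hjt(text):
    """Return one Entry per HijackThis line, with parsed fields where a sub-regex applies."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, blank or footer line
        code, body = m.group("code"), m.group("body")
        fields = {}
        sub = SECTION_RES.get(code)
        if sub and (sm := sub.match(body)):
            fields = {k: v for k, v in sm.groupdict().items() if v is not None}
        entries.append(Entry(code, body, fields))
    return entries


def trusted_domains(entries):
    """Domains added to IE's Trusted Zone (O15 lines), in log order."""
    return [e.fields["domain"] for e in entries if e.code == "O15" and "domain" in e.fields]


def review(entries):
    """(tag, detail) pairs for the entries a helper checks before anything else."""
    findings = []
    for e in entries:
        if e.code == "O15" and "domain" in e.fields:
            findings.append(("trusted-zone", e.fields["domain"]))
        elif e.code == "O16" and "clsid" in e.fields:
            findings.append(("activex-download", f"{e.fields['clsid']} from {e.fields['url']}"))
        elif e.code == "O4" and "cmd" in e.fields:
            cmd = e.fields["cmd"].strip('"')
            if not QUALIFIED_CMD_RE.match(cmd):
                findings.append(("unqualified-autostart", f"{e.fields['name']}: {cmd}"))
        elif e.code == "O20" and "(file missing)" in e.body:
            findings.append(("orphaned-notify", e.body))
    return findings


if __name__ == "__main__":
    for tag, detail in review(parse_hjt(SAMPLE_LOG)):
        print(f"{tag:22} {detail}")
```

Run against a real log, every `trusted-zone` line is a domain to confirm with the machine's owner, and every `unqualified-autostart` line is a Run value whose target the log cannot actually locate.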


#14 Siglerbe

Siglerbe
  • Topic Starter

  • Members
  • 9 posts

Posted 20 December 2008 - 06:28 PM

I fixed the items that you told me to in HijackThis, and downloaded and ran the program as instructed, but I was only given one log file. I ran it a second time and still only received one. Here it is.

- Ben

Logfile of random's system information tool 1.05 (written by random/random)
Run by Ben at 2008-12-20 15:25:55
Microsoft Windows XP Professional Service Pack 3
System drive C: has 23 GB (26%) free of 90 GB
Total RAM: 1022 MB (50% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:25:56 PM, on 12/20/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Lenovo\System Update\SUService.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Ben\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Ben.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wvmls.fnismls.com/Paragon/Login.asp?
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O13 - DefaultPrefix:
O16 - DPF: {0854D220-A90A-466D-BC02-6683183802B7} (PrintPreview Class) - http://wvmls.fnismls.com/Paragon/Codebase/...rintControl.cab
O16 - DPF: {10DE6CF7-3E36-445B-985D-07603082B36B} (FormLoader.Loader) - https://forms.orefonline.com/OLF/Runtime/FormLoader_OREF.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {76E5AF9D-2B3E-4FEB-A31F-A9E63A27FA29} - https://www.ibm.com/pc/support/access/aslib...ntent/AcpIR.cab
O16 - DPF: {F375116A-793C-11D2-BFE1-444553540001} (First American Res MapActiveX Control) - http://www.realquest.com/mapviewer/mapviewer.cab
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\ProShowGold\ScsiAccess.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - C:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

--
End of file - 7211 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\PMTask.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll [2007-09-25 501136]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"=C:\Program Files\Synaptics\SynTP\SynTPLpr.exe [2006-02-14 110592]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2006-02-14 512000]
"WinampAgent"=C:\Program Files\Winamp\winampa.exe [2006-11-21 35328]
"EZEJMNAP"=C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe [2007-04-27 243248]
"PWRMGRTR"=rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL []
"BLOG"=rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL []
"LPManager"=C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe [2007-03-23 120368]
"ACWLIcon"=C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe [2007-05-17 126976]
"TP4EX"=C:\WINDOWS\system32\tp4ex.exe [2005-10-17 65536]
"AwaySch"=C:\Program Files\Lenovo\AwayTask\AwaySch.EXE [2006-11-07 91688]
"TPFNF7"=C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe [2007-04-10 58416]
"SoundMAXPnP"=C:\Program Files\Analog Devices\Core\smax4pnp.exe [2005-05-20 925696]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe [2007-09-25 132496]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]
"BluetoothAuthenticationAgent"=C:\WINDOWS\system32\bthprops.cpl [2008-04-13 110592]
"TVT Scheduler Proxy"=C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe [2008-03-04 487424]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes' Anti-Malware"=C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe [2008-12-03 399504]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ACNotify]
C:\Program Files\ThinkPad\ConnectUtilities\ACNotify.dll [2007-05-17 32768]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2007-04-05 114688]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli
ACGina

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDrives"=0
"NoDriveAutoRun"=67108863

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDrives"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\WINDOWS\system32\mmc.exe"="C:\WINDOWS\system32\mmc.exe:*:Enabled:Microsoft Management Console"
"C:\Games\Quake 2\quake2.exe"="C:\Games\Quake 2\quake2.exe:*:Enabled:quake2"
"C:\Program Files\TurboTax\Home & Business 2007\32bit\ttax.exe"="C:\Program Files\TurboTax\Home & Business 2007\32bit\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\Program Files\TurboTax\Home & Business 2007\32bit\updatemgr.exe"="C:\Program Files\TurboTax\Home & Business 2007\32bit\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2e15f02c-b4fd-11dc-acd1-001a6b69360e}]
shell\AutoRun\command - E:\Launch.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{30ccb841-22ff-11dc-888a-806d6172696f}]
shell\AutoRun\command - D:\setup.exe


======List of files/folders created in the last 3 months======

2008-12-14 10:30:23 ----SHD---- C:\RECYCLER
2008-12-13 14:18:12 ----D---- C:\Documents and Settings\Ben\Application Data\Malwarebytes
2008-12-13 14:18:07 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-12-13 14:18:07 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-12-13 14:13:48 ----D---- C:\WINDOWS\temp
2008-12-13 14:13:46 ----A---- C:\ComboFix.txt
2008-12-13 11:03:00 ----A---- C:\WINDOWS\gmer.ini
2008-12-13 11:02:59 ----A---- C:\WINDOWS\gmer_uninstall.cmd
2008-12-13 11:02:59 ----A---- C:\WINDOWS\gmer.exe
2008-12-13 11:02:59 ----A---- C:\WINDOWS\gmer.dll
2008-12-13 10:40:58 ----D---- C:\Qoobox
2008-12-08 15:01:02 ----D---- C:\rsit
2008-12-08 14:24:37 ----D---- C:\Program Files\Trend Micro
2008-12-07 23:44:14 ----RASHD---- C:\cmdcons
2008-12-07 23:42:45 ----A---- C:\WINDOWS\zip.exe
2008-12-07 23:42:45 ----A---- C:\WINDOWS\VFIND.exe
2008-12-07 23:42:45 ----A---- C:\WINDOWS\SWXCACLS.exe
2008-12-07 23:42:45 ----A---- C:\WINDOWS\SWSC.exe
2008-12-07 23:42:45 ----A---- C:\WINDOWS\SWREG.exe
2008-12-07 23:42:45 ----A---- C:\WINDOWS\sed.exe
2008-12-07 23:42:45 ----A---- C:\WINDOWS\NIRCMD.exe
2008-12-07 23:42:45 ----A---- C:\WINDOWS\grep.exe
2008-12-07 23:42:45 ----A---- C:\WINDOWS\fdsv.exe
2008-12-07 23:42:36 ----D---- C:\WINDOWS\ERDNT
2008-12-07 13:00:41 ----A---- C:\WINDOWS\system32\4baa8761-.txt
2008-12-01 10:16:20 ----D---- C:\Program Files\Common Files\Lenovo
2008-12-01 10:16:02 ----SHD---- C:\Config.Msi
2008-11-11 18:30:35 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2008-11-11 18:30:30 ----HDC---- C:\WINDOWS\$NtUninstallKB954459$
2008-11-11 18:30:23 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
2008-10-23 09:39:07 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2008-10-15 14:58:24 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2008-10-15 14:58:20 ----HDC---- C:\WINDOWS\$NtUninstallKB956391$
2008-10-15 14:58:15 ----HDC---- C:\WINDOWS\$NtUninstallKB957095$
2008-10-15 14:58:11 ----HDC---- C:\WINDOWS\$NtUninstallKB954211$
2008-10-15 14:58:04 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$
2008-10-15 14:56:57 ----HDC---- C:\WINDOWS\$NtUninstallKB956390$
2008-09-30 16:43:34 ----A---- C:\WINDOWS\system32\msxml4.dll
2008-09-23 14:46:00 ----D---- C:\Program Files\NOS
2008-09-23 14:46:00 ----D---- C:\Documents and Settings\All Users\Application Data\NOS

======List of files/folders modified in the last 3 months======

2008-12-20 15:00:18 ----D---- C:\Program Files\Mozilla Firefox
2008-12-14 14:07:20 ----D---- C:\WINDOWS\Prefetch
2008-12-13 14:18:10 ----D---- C:\WINDOWS\system32\drivers
2008-12-13 14:18:07 ----RD---- C:\Program Files
2008-12-13 14:13:49 ----D---- C:\WINDOWS\system32
2008-12-13 14:13:48 ----D---- C:\WINDOWS
2008-12-13 14:13:12 ----D---- C:\WINDOWS\system32\CatRoot2
2008-12-13 14:11:33 ----A---- C:\WINDOWS\system.ini
2008-12-13 14:11:15 ----A---- C:\WINDOWS\system32\PROCDB.INI
2008-12-13 14:11:06 ----A---- C:\WINDOWS\system32\IPSCtrl.INI
2008-12-13 14:09:32 ----D---- C:\WINDOWS\system32\config
2008-12-13 14:09:06 ----D---- C:\WINDOWS\AppPatch
2008-12-13 14:09:06 ----D---- C:\Program Files\Common Files
2008-12-13 14:08:25 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-12-13 10:41:07 ----SHD---- C:\System Volume Information
2008-12-13 10:41:07 ----D---- C:\WINDOWS\system32\Restore
2008-12-13 10:36:59 ----HD---- C:\WINDOWS\inf
2008-12-10 16:08:15 ----D---- C:\Program Files\Ad-aware 6
2008-12-08 14:15:01 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2008-12-08 13:25:02 ----AC---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-12-08 12:02:05 ----HDC---- C:\WINDOWS\$NtUninstallKB902400$
2008-12-07 23:46:04 ----SD---- C:\WINDOWS\Tasks
2008-12-07 23:44:19 ----RASH---- C:\boot.ini
2008-12-07 23:13:46 ----D---- C:\Program Files\Internet Explorer
2008-12-07 21:40:21 ----SD---- C:\WINDOWS\Downloaded Program Files
2008-12-01 10:17:01 ----SHD---- C:\WINDOWS\Installer
2008-12-01 10:16:20 ----D---- C:\Program Files\Lenovo
2008-11-24 21:32:55 ----D---- C:\Games
2008-11-11 20:32:16 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-11-11 18:30:35 ----HD---- C:\WINDOWS\$hf_mig$
2008-11-11 18:30:33 ----A---- C:\WINDOWS\imsins.BAK
2008-11-11 18:29:52 ----D---- C:\WINDOWS\WinSxS
2008-11-05 23:03:11 ----D---- C:\Documents and Settings\Ben\Application Data\Hamachi
2008-11-04 09:33:53 ----D---- C:\WINDOWS\Help
2008-11-03 16:10:25 ----A---- C:\WINDOWS\system32\MRT.exe
2008-10-28 11:42:33 ----D---- C:\WINDOWS\network diagnostic
2008-10-16 14:13:40 ----A---- C:\WINDOWS\system32\wuweb.dll
2008-10-16 14:13:40 ----A---- C:\WINDOWS\system32\wuaueng.dll
2008-10-16 14:12:22 ----A---- C:\WINDOWS\system32\wucltui.dll
2008-10-16 14:12:20 ----A---- C:\WINDOWS\system32\wuapi.dll
2008-10-16 14:09:44 ----A---- C:\WINDOWS\system32\wups2.dll
2008-10-16 14:09:44 ----A---- C:\WINDOWS\system32\wuauclt.exe
2008-10-16 14:09:44 ----A---- C:\WINDOWS\system32\cdm.dll
2008-10-16 14:09:40 ----A---- C:\WINDOWS\system32\wucltui.dll.mui
2008-10-16 14:08:58 ----A---- C:\WINDOWS\system32\wups.dll
2008-10-16 14:07:44 ----A---- C:\WINDOWS\system32\wuapi.dll.mui
2008-10-16 14:07:14 ----A---- C:\WINDOWS\system32\wuaueng.dll.mui
2008-10-15 08:34:24 ----A---- C:\WINDOWS\system32\netapi32.dll
2008-09-29 16:00:46 ----SD---- C:\Documents and Settings\Ben\Application Data\Microsoft

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 ANC;ANC; C:\WINDOWS\System32\drivers\ANC.SYS [2005-11-08 11520]
R1 IBMTPCHK;IBMTPCHK; \??\C:\WINDOWS\system32\Drivers\IBMBLDID.sys []
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 Smapint;Smapint; C:\WINDOWS\System32\drivers\Smapint.sys [2006-10-02 14848]
R1 TDSMAPI;TDSMAPI; C:\WINDOWS\System32\drivers\TDSMAPI.SYS [2006-10-02 9343]
R1 TPPWRIF;TPPWRIF; C:\WINDOWS\System32\drivers\Tppwrif.sys [2007-04-13 4442]
R1 TSMAPIP;TSMAPIP; C:\WINDOWS\System32\drivers\TSMAPIP.SYS [2007-04-10 12848]
R2 irda;IrDA Protocol; C:\WINDOWS\System32\DRIVERS\irda.sys [2008-04-13 88192]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2006-06-19 12672]
R2 PROCDD;IPS Helper Driver; C:\WINDOWS\system32\DRIVERS\PROCDD.SYS [2006-11-06 12080]
R2 tmcomm;tmcomm; \??\C:\WINDOWS\system32\drivers\tmcomm.sys []
R3 ADIHdAudAddService;ADI UAA Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\ADIHdAud.sys [2006-06-20 178688]
R3 AEAudioService;AEAudio Service; C:\WINDOWS\system32\drivers\AEAudio.sys [2006-08-07 93952]
R3 AR5211;Atheros Wireless Network Adapter Service; C:\WINDOWS\system32\DRIVERS\ar5211.sys [2007-04-05 546112]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2007-04-05 1989120]
R3 BthEnum;Bluetooth Enumerator Service; C:\WINDOWS\system32\DRIVERS\BthEnum.sys [2008-04-13 17024]
R3 BTHUSB;Bluetooth Radio USB Driver; C:\WINDOWS\System32\Drivers\BTHUSB.sys [2008-04-13 18944]
R3 CmBatt;Microsoft AC Adapter Driver; C:\WINDOWS\System32\DRIVERS\CmBatt.sys [2008-04-13 13952]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HSF_DPV;HSF_DPV; C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys [2006-12-22 988800]
R3 HSFHWAZL;HSFHWAZL; C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys [2006-12-22 209664]
R3 IBMPMDRV;IBMPMDRV; C:\WINDOWS\system32\DRIVERS\ibmpmdrv.sys [2007-02-27 21040]
R3 NSCIRDA;NSC Infrared Device Driver; C:\WINDOWS\System32\DRIVERS\nscirda.sys [2008-04-13 28672]
R3 psadd;Lenovo Parties Service Access Device Driver; C:\WINDOWS\system32\DRIVERS\psadd.sys [2007-02-18 21376]
R3 Rasirda;WAN Miniport (IrDA); C:\WINDOWS\System32\DRIVERS\rasirda.sys [2001-08-17 19584]
R3 RFCOMM;Bluetooth Device (RFCOMM Protocol TDI); C:\WINDOWS\system32\DRIVERS\rfcomm.sys [2008-04-13 59136]
R3 swmx01;Sierra Wireless USB MUX Driver (#01); C:\WINDOWS\system32\DRIVERS\swmx01.sys [2005-11-18 58624]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2006-02-14 177664]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2006-12-22 730112]
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
S3 BthPan;Bluetooth Device (Personal Area Network); C:\WINDOWS\system32\DRIVERS\bthpan.sys [2008-04-13 101120]
S3 BTHPORT;Bluetooth Port Driver; C:\WINDOWS\System32\Drivers\BTHport.sys [2008-06-13 272128]
S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
S3 e1express;Intel® PRO/1000 PCI Express Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e1e5132.sys [2007-01-12 246680]
S3 gmer;gmer; C:\WINDOWS\System32\DRIVERS\gmer.sys [2008-12-13 85969]
S3 hamachi;Hamachi Network Interface; C:\WINDOWS\system32\DRIVERS\hamachi.sys [2008-11-05 25280]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 SWNC5E01;Sierra Wireless MUX NDIS Driver (#01); C:\WINDOWS\system32\DRIVERS\SWNC5E01.sys [2005-08-05 73600]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WpdUsb;WpdUsb; C:\WINDOWS\System32\Drivers\wpdusb.sys [2005-01-28 18944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AcPrfMgrSvc;Ac Profile Manager Service; C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe [2007-05-17 65536]
R2 AcSvc;Access Connections Main Service; C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe [2007-05-17 184320]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2007-04-05 454656]
R2 BthServ;Bluetooth Support Service; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
R2 IBMPMSVC;ThinkPad PM Service; C:\WINDOWS\system32\ibmpmsvc.exe [2007-02-27 36400]
R2 IPSSVC;IPS Core Service; C:\WINDOWS\system32\IPSSVC.EXE [2007-01-30 108080]
R2 Irmon;Infrared Monitor; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
R2 ScsiAccess;ScsiAccess; C:\Program Files\ProShowGold\ScsiAccess.exe [2007-11-22 181312]
R2 SUService;System Update; C:\Program Files\Lenovo\System Update\SUService.exe [2008-10-20 28672]
R2 ThinkVantage Registry Monitor Service;ThinkVantage Registry Monitor Service; C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe [2007-09-26 644408]
R2 TVT Scheduler;TVT Scheduler; C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe [2008-03-04 1122304]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-04-13 33632]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-04-13 68952]
S3 getPlus® Helper;getPlus® Helper; C:\Program Files\NOS\bin\getPlus_HelperSvc.exe [2008-08-29 33752]

-----------------EOF-----------------

#15 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts

Posted 20 December 2008 - 11:50 PM

Looks very good.. How is the computer now?.. Let's do an online scan to make sure we get them all :thumbsup:



Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
