Cannot find iexplore.exe


  • This topic is locked
11 replies to this topic

#1 thedoodle

  • Members
  • 14 posts

Posted 15 January 2009 - 03:39 PM

Hi there,

I've been trawling through some P2P sites and downloading various movies and programs etc., and I think I've picked up a bit of a bug. Now, whenever I try to open Internet Explorer I get the following message:

C:\Program Files\Internet Explorer\iexplore.exe

Windows cannot find 'C:\Program Files\Internet Explorer\iexplore.exe'. Make sure you typed the name correctly, and then try again. To search for a file, click the start button, and then click search.

I'm pretty sure that it relates to a key generator that I ran for some software, as my other new laptop now has the same problem after using the key generator on that too (Question - can I post this here too, or should I start another topic?).

Thanks in advance for any help - much appreciated!

TD

****************************

DDS (Ver_09-01-07.01) - NTFSx86
Run by Kieren at 20:23:17.42 on 15/01/2009
Internet Explorer: 8.0.6001.18241
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.65 [GMT 0:00]

AV: Norton 360 *On-access scanning enabled* (Updated)
FW: Norton 360 *enabled*

============== Running Processes ===============

C:\Program Files\Common Files\Virtual Token\vtserver.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
svchost.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\IBM\Security\uvmserv.exe
C:\WINDOWS\System32\ibmsmbus.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\IBM\Security\certtool.exe
C:\Program Files\IBM\Password Manager\pwmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Kieren\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
C:\Documents and Settings\Kieren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Kieren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Kieren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Kieren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Kieren\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
C:\Documents and Settings\Kieren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Kieren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Kieren\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: D: {0efb4554-d1fd-3397-ad33-00af4fc2f245} - c:\windows\system32\xwr24215.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.2.8.7.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.6\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar3.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.0.1225.9868\swg.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: NoExplorer - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
BHO: EWPP - No File
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.6\CoIEPlg.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ibmmessages] c:\program files\ibm\messages by ibm\ibmmessages.exe
uRun: [Google Update] "c:\documents and settings\kieren\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [S3TRAY2] S3Tray2.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [TpShocks] TpShocks.exe
mRun: [TPHOTKEY] c:\progra~1\thinkpad\pkgmgr\hotkey\TPHKMGR.exe
mRun: [ControlCenter] "c:\program files\ibm fingerprint software\ctlcntr.exe" /startup
mRun: [TP4EX] tp4ex.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [UC_Start] c:\program files\ibm\updater\\ucstartup.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ibmmessages] c:\program files\ibm\messages by ibm\\ibmmessages.exe
mRun: [IBMPRC] c:\ibmtools\utils\ibmprc.exe
mRun: [QCWLICON] c:\program files\thinkpad\connectutilities\QCWLICON.EXE
mRun: [BMMGAG] RunDll32 c:\progra~1\thinkpad\utilit~1\pwrmonit.dll,StartPwrMonitor
mRun: [BMMLREF] c:\program files\thinkpad\utilities\BMMLREF.EXE
mRun: [BMMMONWND] rundll32.exe c:\progra~1\thinkpad\utilit~1\BatInfEx.dll,BMMAutonomicMonitor
mRun: [ISS_Certtool] c:\program files\ibm\security\certtool.exe
mRun: [IBM_PWMGR] c:\program files\ibm\password manager\pwmgr.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [Camera Detector] c:\progra~1\acdsys~1\devdet~1\DEVDET~1.EXE -autorun
mRun: [PCSuiteTrayApplication] c:\program files\nokia\nokia pc suite 6\LaunchApplication.exe -startup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton 360\osCheck.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [CTCheck] c:\program files\creative\creative zen\zen media explorer\CTCheck.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: &Clean Traces - c:\program files\dap\privacy package\dapcleanerie.htm
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: &Download with &DAP - c:\program files\dap\dapextie.htm
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Download &all with DAP - c:\program files\dap\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.2.8.7.dll/206
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: microsoft.com\office
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: psfus - c:\program files\ibm fingerprint software\psfus.dll
Notify: QConGina - QConGina.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli pwdmon

============= SERVICES / DRIVERS ===============

R0 GENERICSMB;IBM - Generic SMB Device Controller;c:\windows\system32\drivers\smbgen.sys [2005-3-15 10240]
R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [2005-2-2 59520]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2005-2-2 11520]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.SYS [2005-2-2 2432]
R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [2005-2-2 4608]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [2005-2-2 16384]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-10-9 99376]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090115.004\NAVENG.SYS [2009-1-15 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090115.004\NAVEX15.SYS [2009-1-15 876112]
R3 SMBusDH;IBM - SMB Hub Controller;c:\windows\system32\drivers\smbusdh.sys [2005-3-15 11648]
R3 SMBusHC;SMBus Host Controller;c:\windows\system32\drivers\smbushc.sys [2005-3-15 29696]
R4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
R4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
R4 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [2004-9-24 64256]
R4 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
R4 smi2;smi2;c:\windows\system32\drivers\smi2.sys [2005-3-15 3968]
R4 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2005-12-22 1245064]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-13 23888]
S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [2005-2-2 12288]

=============== Created Last 30 ================

2009-01-14 21:55 25,992 a------- c:\windows\system32\pgdfgsvc.exe
2009-01-14 21:55 1,936 a------- c:\windows\system32\drivers\PAGEDFRG.SYS
2009-01-14 03:01 <DIR> --d----- c:\windows\ie8updates
2009-01-13 22:06 <DIR> --d----- c:\program files\SpywareBlaster
2009-01-12 22:43 <DIR> a-dshr-- C:\cmdcons
2009-01-12 22:37 161,792 a------- c:\windows\SWREG.exe
2009-01-12 22:37 98,816 a------- c:\windows\sed.exe
2009-01-12 22:11 116,224 a------- c:\windows\system32\dllcache\xrxwiadr.dll
2009-01-12 22:11 23,040 a------- c:\windows\system32\dllcache\xrxwbtmp.dll
2009-01-12 22:11 27,648 a------- c:\windows\system32\dllcache\xrxftplt.exe
2009-01-12 22:11 18,944 a------- c:\windows\system32\dllcache\xrxscnui.dll
2009-01-12 22:11 4,608 a------- c:\windows\system32\dllcache\xrxflnch.exe
2009-01-12 22:10 99,865 a------- c:\windows\system32\dllcache\xlog.exe
2009-01-12 22:10 28,288 a------- c:\windows\system32\dllcache\xjis.nls
2009-01-12 22:10 16,970 a------- c:\windows\system32\dllcache\xem336n5.sys
2009-01-12 22:10 19,455 a------- c:\windows\system32\dllcache\wvchntxx.sys
2009-01-12 22:10 12,063 a------- c:\windows\system32\dllcache\wsiintxx.sys
2009-01-12 22:08 12,415 a------- c:\windows\system32\dllcache\wadv01nt.sys
2009-01-12 22:07 149,376 a------- c:\windows\system32\dllcache\tffsport.sys
2009-01-12 22:06 31,744 a------- c:\windows\system32\dllcache\smb6w.dll
2009-01-12 22:05 245,632 a------- c:\windows\system32\dllcache\s3savmx.dll
2009-01-12 22:04 7,168 a------- c:\windows\system32\dllcache\pnrmc.sys
2009-01-12 22:03 61,696 a------- c:\windows\system32\dllcache\ohci1394.sys
2009-01-12 22:03 198,144 a------- c:\windows\system32\dllcache\nv3.sys
2009-01-12 22:03 123,776 a------- c:\windows\system32\dllcache\nv3.dll
2009-01-12 22:03 51,552 a------- c:\windows\system32\dllcache\ntgrip.sys
2009-01-12 22:03 38,912 a------- c:\windows\system32\dllcache\EXCH_ntfsdrv.dll
2009-01-12 22:03 9,344 a------- c:\windows\system32\dllcache\ntapm.sys
2009-01-12 22:03 7,552 a------- c:\windows\system32\dllcache\nsmmc.sys
2009-01-12 22:03 87,040 a------- c:\windows\system32\dllcache\nm6wdm.sys
2009-01-12 22:03 126,080 a------- c:\windows\system32\dllcache\nm5a2wdm.sys
2009-01-12 22:01 49,024 a------- c:\windows\system32\dllcache\mstape.sys
2009-01-12 22:01 12,416 a------- c:\windows\system32\dllcache\msriffwv.sys
2009-01-12 22:01 2,944 a------- c:\windows\system32\dllcache\msmpu401.sys
2009-01-12 22:01 1,875,968 a------- c:\windows\system32\dllcache\msir3jp.lex
2009-01-12 22:01 98,304 a------- c:\windows\system32\dllcache\msir3jp.dll
2009-01-12 21:59 70,730 a------- c:\windows\system32\dllcache\lne100tx.sys
2009-01-12 21:58 102,463 a------- c:\windows\system32\dllcache\imepadsm.dll
2009-01-12 21:57 7,680 a------- c:\windows\system32\dllcache\ftpctrs2.dll
2009-01-12 21:56 236,060 a------- c:\windows\system32\dllcache\ditrace.exe
2009-01-12 21:55 13,312 a------- c:\windows\system32\dllcache\chglogon.exe
2009-01-12 21:54 162,850 a------- c:\windows\system32\dllcache\c_10001.nls
2009-01-12 21:53 24,576 a------- c:\windows\system32\dllcache\agcgauge.ax
2009-01-12 21:52 19,968 a------- c:\windows\system32\dllcache\inetsloc.dll
2009-01-12 21:52 7,680 a------- c:\windows\system32\dllcache\inetmgr.exe
2009-01-12 21:52 169,984 a------- c:\windows\system32\dllcache\iisui.dll
2009-01-12 21:52 14,336 a------- c:\windows\system32\dllcache\iisreset.exe
2009-01-12 21:52 5,632 a------- c:\windows\system32\dllcache\iisrstap.dll
2009-01-12 21:52 6,144 a------- c:\windows\system32\dllcache\ftpsapi2.dll
2009-01-12 21:52 94,720 a------- c:\windows\system32\dllcache\certmap.ocx
2009-01-12 19:44 <DIR> -cd-h--- c:\windows\ie8
2009-01-11 15:57 41,122,888 a------- c:\windows\system32\xa76217595.exe
2009-01-11 15:57 41,122,888 a------- c:\windows\system32\xa76214100.exe
2009-01-11 15:53 172,032 a------- c:\windows\system32\xwr24215.dll
2009-01-11 15:53 172,032 a------- c:\windows\system32\wr24215.dll
2009-01-11 15:53 41,122,888 a------- c:\windows\system32\xa75965021.exe
2009-01-11 15:53 41,122,888 a------- c:\windows\system32\xa75960275.exe
2009-01-10 18:38 32,592 a------- c:\windows\system32\msonpmon.dll
2009-01-10 18:28 <DIR> --d----- c:\windows\SHELLNEW
2008-12-25 16:14 3,532 a------- C:\drmHeader.bin
2008-12-25 12:32 647,872 -------- c:\windows\system32\Mscomct2.ocx
2008-12-25 12:32 53,248 -------- c:\windows\Ctregrun.exe
2008-12-25 12:32 417,792 a------- c:\windows\system32\awrdscdc.ax
2008-12-25 12:32 24,576 -------- c:\windows\system32\msxml3a.dll
2008-12-25 12:31 <DIR> --d----- c:\program files\Audible
2008-12-25 12:27 25,088 -------- c:\windows\system32\CTSVCCTL.EXE
2008-12-25 12:27 44,032 -------- c:\windows\system32\CTSVCCDA.EXE
2008-12-25 12:26 <DIR> --d----- c:\program files\common files\Creative
2008-12-25 12:26 <DIR> --d-h--- c:\program files\Creative Installation Information
2008-12-25 12:26 <DIR> --d----- c:\program files\Creative
2008-12-20 19:35 9,464 -------- c:\windows\system32\drivers\cdralw2k.sys
2008-12-20 19:35 9,336 -------- c:\windows\system32\drivers\cdr4_xp.sys
2008-12-20 19:35 129,784 -------- c:\windows\system32\pxafs.dll
2008-12-20 19:34 <DIR> --d----- c:\program files\DivX
2008-12-18 21:26 <DIR> --d----- c:\program files\Amazon

==================== Find3M ====================

2009-01-09 09:02 10,635 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-09 09:02 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-01-09 09:02 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-09 09:02 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2008-12-14 13:59 5,699,584 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-14 13:26 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-11 10:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-11 10:57 333,952 a------- c:\windows\system32\dllcache\srv.sys
2008-11-21 21:47 524,288 a------- c:\windows\system32\DivXsm.exe
2008-11-21 21:47 3,596,288 a------- c:\windows\system32\qt-dx331.dll
2008-11-21 21:47 120,056 -------- c:\windows\system32\pxcpyi64.exe
2008-11-21 21:47 118,520 -------- c:\windows\system32\pxinsi64.exe
2008-11-21 21:47 43,528 -------- c:\windows\system32\drivers\pxhelp20.sys
2008-11-21 21:46 1,044,480 a------- c:\windows\system32\libdivx.dll
2008-11-21 21:46 200,704 a------- c:\windows\system32\ssldivx.dll
2008-11-21 21:44 161,096 a------- c:\windows\system32\DivXCodecVersionChecker.exe
2008-11-21 21:44 12,288 a------- c:\windows\system32\DivXWMPExtType.dll
2008-11-18 21:19 38,008 a------- c:\docume~1\kieren\applic~1\GDIPFONTCACHEV1.DAT
2008-11-15 23:16 171,334 a------- c:\windows\pchealth\helpctr\config\cache\Professional_32_1033.dat
2008-10-24 11:21 455,296 a------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 12:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 12:36 286,720 a------- c:\windows\system32\dllcache\gdi32.dll
2008-03-16 12:52 32 ac------ c:\docume~1\alluse~1\applic~1\ezsid.dat
2008-08-30 16:53 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008083020080831\index.dat

============= FINISH: 20:24:54.94 ===============
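The DDS log above contains the entries a malware-response helper would zero in on first: a BHO named only "D" that loads c:\windows\system32\xwr24215.dll, a pair of 172,032-byte DLLs (xwr24215.dll and wr24215.dll) and four 41,122,888-byte executables with random-looking names, all dropped straight into system32 within minutes of each other on 2009-01-11. The Python below is an added example, not code from this thread, from DDS or from ComboFix: it parses DDS-style "BHO:" and "Created Last 30" lines and flags those patterns. The sample lines are constructed from the poster's log (the Java entry is retyped with "(tm)" to keep it plain ASCII); the random-name regex, the system32-root check and the same-size cluster rule are this example's own heuristics, not a signature for any particular malware, and a hit means "look closer", not "confirmed malicious".

```python
"""Triage heuristics for DDS-style log lines.

Added example, not code from this thread, DDS or ComboFix. Reads "BHO:"
lines from the Pseudo HJT Report and "Created Last 30" file lines, and
flags unnamed BHOs loading DLLs from system32, random-looking file names
in system32, and clusters of identically sized files in one directory.
"""
import re
from collections import defaultdict

# Constructed sample in the shape of a DDS log, copied from the lines posted
# above (the Java entry is retyped with "(tm)" to keep the sample ASCII).
SAMPLE_LOG = r"""
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: D: {0efb4554-d1fd-3397-ad33-00af4fc2f245} - c:\windows\system32\xwr24215.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
2009-01-14 21:55 25,992 a------- c:\windows\system32\pgdfgsvc.exe
2009-01-14 03:01 <DIR> --d----- c:\windows\ie8updates
2009-01-11 15:57 41,122,888 a------- c:\windows\system32\xa76217595.exe
2009-01-11 15:57 41,122,888 a------- c:\windows\system32\xa76214100.exe
2009-01-11 15:53 172,032 a------- c:\windows\system32\xwr24215.dll
2009-01-11 15:53 172,032 a------- c:\windows\system32\wr24215.dll
2009-01-11 15:53 41,122,888 a------- c:\windows\system32\xa75965021.exe
2009-01-11 15:53 41,122,888 a------- c:\windows\system32\xa75960275.exe
2009-01-10 18:38 32,592 a------- c:\windows\system32\msonpmon.dll
"""

# Assumption: one to three letters followed by four or more digits looks
# machine-generated (xwr24215.dll, xa76217595.exe); real system files such as
# msonpmon.dll or pgdfgsvc.exe do not match.
RANDOM_NAME = re.compile(r"^[a-z]{1,3}\d{4,}\.(?:dll|exe|sys)$", re.I)
BHO_LINE = re.compile(
    r"^BHO: (?:(?P<name>.*?): )?\{(?P<clsid>[0-9a-f-]{36})\} - (?P<path>.+)$", re.I)
# "<DIR>" entries fail the numeric size group and are skipped on purpose.
FILE_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) (?P<size>[\d,]+) "
    r"(?P<attrs>[a-z-]{8}) (?P<path>.+)$", re.I)


def in_system32_root(path):
    """True when the file sits directly in \\windows\\system32, not a subfolder."""
    parent = path.lower().rpartition("\\")[0]
    return parent.endswith("\\windows\\system32")


def parse_bho(line):
    m = BHO_LINE.match(line)
    if not m:
        return None
    return {"name": (m.group("name") or "").strip(),
            "clsid": m.group("clsid"), "path": m.group("path").strip()}


def parse_file(line):
    m = FILE_LINE.match(line)
    if not m:
        return None
    return {"when": m.group("date") + " " + m.group("time"),
            "size": int(m.group("size").replace(",", "")),
            "path": m.group("path").strip()}


def triage(log_text):
    """Return a list of finding dicts; each has a "kind" key plus details."""
    findings = []
    by_dir_and_size = defaultdict(list)
    for raw in log_text.splitlines():
        line = raw.strip()
        bho = parse_bho(line)
        if bho:
            fname = bho["path"].rpartition("\\")[2]
            unnamed = len(bho["name"]) <= 2          # "D", "", or similar
            odd_dll = RANDOM_NAME.match(fname) is not None
            if (bho["path"].lower() != "no file" and in_system32_root(bho["path"])
                    and (unnamed or odd_dll)):
                findings.append({"kind": "suspicious_bho", "path": bho["path"],
                                 "name": bho["name"] or "(none)"})
            continue
        entry = parse_file(line)
        if entry:
            parent, _, fname = entry["path"].rpartition("\\")
            if in_system32_root(entry["path"]) and RANDOM_NAME.match(fname):
                findings.append({"kind": "random_name_in_system32",
                                 "path": entry["path"], "when": entry["when"]})
            by_dir_and_size[(parent.lower(), entry["size"])].append(entry["path"])
    # Two or more files of exactly the same size in one directory are worth
    # inspecting together (hash them; same size under different names often
    # means the same payload copied several times).
    for (_, size), paths in by_dir_and_size.items():
        if len(paths) >= 2:
            findings.append({"kind": "same_size_cluster", "size": size,
                             "paths": sorted(paths)})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run against the sample it reports the "D" BHO, the six random-named files and two size clusters (four files at 41,122,888 bytes, two at 172,032), while pgdfgsvc.exe and msonpmon.dll pass untouched. Paste a real DDS log into SAMPLE_LOG (or read it from a file) to triage another machine; the ComboFix format below uses a different line layout and would need its own regex.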

#2 PropagandaPanda

  • Malware Response Team
  • 10,433 posts

Posted 26 January 2009 - 06:17 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page if you are unsure how.

To disable Norton Antivirus:
  • Right click on the Norton icon beside your clock and select Disable Auto-Protect.
  • Select a disabled duration of 5 hours to ensure that it will not interfere with this fix.
  • Click OK to apply the settings.
When done properly, you should receive a pop-up warning saying that protection was disabled. The Norton icon should now change appearance to show that protection is disabled.

Download and Run ComboFix
If you have already run ComboFix, delete your copy and download a new one. If the computer in question is unable to download ComboFix, transfer it using a removable media (CDs, flash drive).

Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see a prompt. Choose YES.
  • When the Recovery Console has been installed, you will see another prompt. Choose YES.
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

In your next reply include:
-the ComboFix log
-a new HijackThis or DDS log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda

#3 thedoodle

  • Topic Starter
  • Members
  • 14 posts

Posted 27 January 2009 - 05:48 PM

Hey PP - thanks for your help.

Combofix log below, and I'll post the HJT log following.

TD

ComboFix 09-01-21.04 - 2009-01-27 22:17:46.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.97 [GMT 0:00]
Running from: c:\documents and settings\Kieren\My Documents\Downloads\ComboFix.exe
AV: Norton 360 *On-access scanning disabled* (Updated)
FW: Norton 360 *disabled*
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-12-27 to 2009-01-27 )))))))))))))))))))))))))))))))
.

2009-01-23 17:33 . 2009-01-23 17:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-01-19 11:50 . 2009-01-19 11:50 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-01-14 21:55 . 2009-01-14 21:55 25,992 --a------ c:\windows\system32\pgdfgsvc.exe
2009-01-14 21:55 . 2009-01-14 21:55 1,936 --a------ c:\windows\system32\drivers\PAGEDFRG.SYS
2009-01-14 03:01 . 2009-01-14 03:01 <DIR> d-------- c:\windows\ie8updates
2009-01-13 22:07 . 2009-01-13 22:15 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-01-13 22:06 . 2009-01-13 22:06 <DIR> d-------- c:\program files\SpywareBlaster
2009-01-12 22:11 . 2008-04-14 01:12 116,224 --a------ c:\windows\system32\dllcache\xrxwiadr.dll
2009-01-12 22:11 . 2001-08-17 22:37 27,648 --a------ c:\windows\system32\dllcache\xrxftplt.exe
2009-01-12 22:11 . 2001-08-17 22:36 23,040 --a------ c:\windows\system32\dllcache\xrxwbtmp.dll
2009-01-12 22:11 . 2008-04-14 01:12 18,944 --a------ c:\windows\system32\dllcache\xrxscnui.dll
2009-01-12 22:11 . 2001-08-17 22:37 4,608 --a------ c:\windows\system32\dllcache\xrxflnch.exe
2009-01-12 22:10 . 2001-08-17 22:37 99,865 --a------ c:\windows\system32\dllcache\xlog.exe
2009-01-12 22:10 . 2001-08-18 10:00 28,288 --a------ c:\windows\system32\dllcache\xjis.nls
2009-01-12 22:10 . 2004-08-03 22:29 19,455 --a------ c:\windows\system32\dllcache\wvchntxx.sys
2009-01-12 22:10 . 2001-08-17 12:11 16,970 --a------ c:\windows\system32\dllcache\xem336n5.sys
2009-01-12 22:10 . 2004-08-03 22:29 12,063 --a------ c:\windows\system32\dllcache\wsiintxx.sys
2009-01-12 22:08 . 2001-08-17 13:28 794,654 --a------ c:\windows\system32\dllcache\usr1801.sys
2009-01-12 22:07 . 2001-08-17 12:18 285,760 --a------ c:\windows\system32\dllcache\stlnata.sys
2009-01-12 22:06 . 2001-08-17 22:36 495,616 --a------ c:\windows\system32\dllcache\sblfx.dll
2009-01-12 22:05 . 2001-08-17 13:28 899,146 --a------ c:\windows\system32\dllcache\r2mdkxga.sys
2009-01-12 22:04 . 2001-08-17 14:05 351,616 --a------ c:\windows\system32\dllcache\ovcodek2.sys
2009-01-12 22:03 . 2001-08-17 12:50 198,144 --a------ c:\windows\system32\dllcache\nv3.sys
2009-01-12 22:03 . 2001-08-17 12:20 126,080 --a------ c:\windows\system32\dllcache\nm5a2wdm.sys
2009-01-12 22:03 . 2001-08-17 22:36 123,776 --a------ c:\windows\system32\dllcache\nv3.dll
2009-01-12 22:03 . 2001-08-17 12:20 87,040 --a------ c:\windows\system32\dllcache\nm6wdm.sys
2009-01-12 22:03 . 2008-04-13 19:46 61,696 --a------ c:\windows\system32\dllcache\ohci1394.sys
2009-01-12 22:03 . 2001-08-17 12:49 51,552 --a------ c:\windows\system32\dllcache\ntgrip.sys
2009-01-12 22:03 . 2001-08-17 22:36 38,912 --a------ c:\windows\system32\dllcache\EXCH_ntfsdrv.dll
2009-01-12 22:03 . 2001-08-17 13:47 9,344 --a------ c:\windows\system32\dllcache\ntapm.sys
2009-01-12 22:03 . 2001-08-17 13:53 7,552 --a------ c:\windows\system32\dllcache\nsmmc.sys
2009-01-12 22:01 . 2001-08-18 10:00 1,875,968 --a------ c:\windows\system32\dllcache\msir3jp.lex
2009-01-12 22:01 . 2001-08-18 10:00 98,304 --a------ c:\windows\system32\dllcache\msir3jp.dll
2009-01-12 22:01 . 2008-04-13 19:46 49,024 --a------ c:\windows\system32\dllcache\mstape.sys
2009-01-12 22:01 . 2001-08-17 13:48 12,416 --a------ c:\windows\system32\dllcache\msriffwv.sys
2009-01-12 22:01 . 2001-08-17 14:00 2,944 --a------ c:\windows\system32\dllcache\msmpu401.sys
2009-01-12 21:59 . 2001-08-18 10:00 1,158,818 --a------ c:\windows\system32\dllcache\korwbrkr.lex
2009-01-12 21:58 . 2001-08-18 10:00 10,129,408 --a------ c:\windows\system32\dllcache\hwxkor.dll
2009-01-12 21:57 . 2001-08-17 12:14 952,007 --a------ c:\windows\system32\dllcache\diwan.sys
2009-01-12 21:56 . 2001-08-18 10:00 1,677,824 --a------ c:\windows\system32\dllcache\chsbrkr.dll
2009-01-12 21:55 . 2001-08-17 13:28 714,698 --a------ c:\windows\system32\dllcache\cbmdmkxx.sys
2009-01-12 21:54 . 2001-08-17 13:28 871,388 --a------ c:\windows\system32\dllcache\bcmdm.sys
2009-01-12 21:53 . 2001-08-17 13:28 762,780 --a------ c:\windows\system32\dllcache\3cwmcru.sys
2009-01-12 21:52 . 2001-08-18 10:00 169,984 --a------ c:\windows\system32\dllcache\iisui.dll
2009-01-12 21:52 . 2001-08-18 10:00 94,720 --a------ c:\windows\system32\dllcache\certmap.ocx
2009-01-12 21:52 . 2001-08-18 10:00 19,968 --a------ c:\windows\system32\dllcache\inetsloc.dll
2009-01-12 21:52 . 2001-08-18 10:00 14,336 --a------ c:\windows\system32\dllcache\iisreset.exe
2009-01-12 21:52 . 2001-08-18 10:00 7,680 --a------ c:\windows\system32\dllcache\inetmgr.exe
2009-01-12 21:52 . 2001-08-18 10:00 6,144 --a------ c:\windows\system32\dllcache\ftpsapi2.dll
2009-01-12 21:52 . 2001-08-18 10:00 5,632 --a------ c:\windows\system32\dllcache\iisrstap.dll
2009-01-12 19:44 . 2009-01-12 19:46 <DIR> d--h-c--- c:\windows\ie8
2009-01-11 15:57 . 2009-01-11 15:57 41,122,888 --a------ c:\windows\system32\xa76217595.exe
2009-01-11 15:57 . 2009-01-11 15:57 41,122,888 --a------ c:\windows\system32\xa76214100.exe
2009-01-11 15:53 . 2009-01-11 15:53 41,122,888 --a------ c:\windows\system32\xa75965021.exe
2009-01-11 15:53 . 2009-01-11 15:53 41,122,888 --a------ c:\windows\system32\xa75960275.exe
2009-01-11 15:53 . 2009-01-11 15:53 172,032 --a------ c:\windows\system32\xwr24215.dll
2009-01-11 15:53 . 2009-01-11 15:53 172,032 --a------ c:\windows\system32\wr24215.dll
2009-01-10 18:38 . 2006-10-26 19:56 32,592 --a------ c:\windows\system32\msonpmon.dll
2009-01-10 18:35 . 2009-01-10 18:35 <DIR> d-------- c:\program files\Microsoft Works
2009-01-10 18:33 . 2009-01-10 18:33 <DIR> d-------- c:\program files\Microsoft.NET
2009-01-10 18:28 . 2009-01-10 18:30 <DIR> d-------- c:\windows\SHELLNEW
2009-01-10 18:23 . 2009-01-10 18:23 <DIR> dr-h----- C:\MSOCache
2009-01-10 18:23 . 2009-01-23 08:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-27 22:35 --------- d-----w c:\documents and settings\Kieren\Application Data\skypePM
2009-01-27 22:34 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-27 22:31 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-27 22:30 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-27 22:21 --------- d-----w c:\documents and settings\Kieren\Application Data\Skype
2009-01-25 14:29 --------- d-----w c:\program files\BitComet
2009-01-19 11:48 --------- d-----w c:\program files\Common Files\Adobe
2009-01-09 09:03 --------- d-----w c:\program files\Symantec
2009-01-09 09:02 806 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-01-09 09:02 124,464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-09 09:02 10,635 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-02 12:35 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-25 16:14 3,532 ----a-w C:\drmHeader.bin
2008-12-25 14:54 --------- d-----w c:\documents and settings\Kieren\Application Data\Creative
2008-12-25 12:45 --------- d-----w c:\documents and settings\All Users\Application Data\Creative
2008-12-25 12:32 --------- d-----w c:\program files\Creative
2008-12-25 12:32 --------- d-----w c:\program files\Audible
2008-12-25 12:28 --------- d--h--w c:\program files\Creative Installation Information
2008-12-25 12:26 --------- d-----w c:\program files\Common Files\Creative
2008-12-21 15:25 --------- d-----w c:\documents and settings\Kieren\Application Data\DivX
2008-12-20 19:35 --------- d-----w c:\program files\DivX
2008-12-18 21:29 --------- d-----w c:\documents and settings\Kieren\Application Data\Amazon
2008-12-18 21:26 --------- d-----w c:\program files\Amazon
2008-12-18 11:07 --------- d-----w c:\program files\QuickTime
2008-12-18 11:06 --------- d-----w c:\program files\Common Files\Apple
2008-12-18 11:01 --------- d-----w c:\program files\Apple Software Update
2008-12-14 13:26 --------- d-----w c:\program files\Java
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-11-27 20:06 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-11-18 21:19 38,008 ----a-w c:\documents and settings\Kieren\Application Data\GDIPFONTCACHEV1.DAT
2008-03-16 12:52 32 -c--a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2008-08-30 16:53 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008083020080831\index.dat
.

((((((((((((((((((((((((((((( snapshot@2009-01-12_22.58.21.58 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-22 03:09:32 5,699,584 -c----w c:\windows\ie8updates\KB960714-IE8\mshtml.dll
+ 2008-07-09 07:38:25 231,288 -c----w c:\windows\ie8updates\KB960714-IE8\spuninst\spuninst.exe
+ 2008-07-09 07:38:37 382,840 -c----w c:\windows\ie8updates\KB960714-IE8\spuninst\updspapi.dll
+ 2007-12-12 15:06:42 295,606 ----a-r c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe
+ 2008-11-15 23:16:34 171,334 ----a-w c:\windows\PCHealth\HelpCtr\Config\Cache\Professional_32_1033.dat
+ 2008-11-15 23:16:34 171,334 -c--a-w c:\windows\PCHealth\HelpCtr\Config\Cache\Professional_32_1033.dat.bak
- 2008-08-22 03:09:32 5,699,584 ----a-w c:\windows\system32\dllcache\mshtml.dll
+ 2008-12-14 13:59:44 5,699,584 ----a-w c:\windows\system32\dllcache\mshtml.dll
- 2008-09-08 10:41:42 333,824 ----a-w c:\windows\system32\dllcache\srv.sys
+ 2008-12-11 10:57:09 333,952 ----a-w c:\windows\system32\dllcache\srv.sys
- 2008-12-09 15:24:38 17,593,280 ----a-w c:\windows\system32\MRT.exe
+ 2009-01-10 01:35:28 20,853,704 ----a-w c:\windows\system32\MRT.exe
- 2008-08-22 03:09:32 5,699,584 ----a-w c:\windows\system32\mshtml.dll
+ 2008-12-14 13:59:44 5,699,584 ----a-w c:\windows\system32\mshtml.dll
+ 2009-01-27 22:31:17 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_238.dat
+ 2009-01-27 22:31:45 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_86c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0EFB4554-D1FD-3397-AD33-00AF4FC2F245}]
2009-01-11 15:53 172032 --a------ c:\windows\system32\xwr24215.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded]
@="{4433A54A-1AC8-432F-90FC-85F045CF383C}"
[HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}]
2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending]
@="{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}"
[HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}]
2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected]
@="{476D0EA3-80F9-48B5-B70B-05E677C9C148}"
[HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}]
2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-08 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"ibmmessages"="c:\program files\IBM\Messages By IBM\ibmmessages.exe" [2004-07-22 442368]
"Google Update"="c:\documents and settings\Kieren\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-11-06 133104]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2007-07-17 868352]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-06-16 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-06-16 512000]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2004-02-05 897024]
"TPHOTKEY"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2004-08-18 94208]
"ControlCenter"="c:\program files\IBM fingerprint software\ctlcntr.exe" [2004-09-25 284254]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2003-12-25 208896]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"UC_Start"="c:\program files\IBM\Updater\\ucstartup.exe" [2004-07-15 36864]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-09-02 127035]
"ibmmessages"="c:\program files\IBM\Messages By IBM\\ibmmessages.exe" [2004-07-22 442368]
"IBMPRC"="c:\ibmtools\UTILS\ibmprc.exe" [2004-03-19 90112]
"QCWLICON"="c:\program files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2004-08-18 81920]
"BMMGAG"="c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2004-07-29 110592]
"BMMLREF"="c:\program files\ThinkPad\Utilities\BMMLREF.EXE" [2004-07-29 20480]
"BMMMONWND"="c:\progra~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2004-07-29 395776]
"ISS_Certtool"="c:\program files\IBM\Security\certtool.exe" [2004-11-11 86016]
"IBM_PWMGR"="c:\program files\IBM\Password Manager\pwmgr.exe" [2004-11-11 327680]
"Camera Detector"="c:\progra~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE" [2003-06-17 208896]
"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 271360]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-14 136600]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-06-02 267048]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"CTCheck"="c:\program files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe" [2007-11-06 397312]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"S3TRAY2"="S3Tray2.exe" [2001-10-12 c:\windows\system32\S3Tray2.exe]
"TpShocks"="TpShocks.exe" [2004-03-27 c:\windows\system32\TpShocks.exe]
"TP4EX"="tp4ex.exe" [2002-09-04 c:\windows\system32\TP4EX.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 c:\windows\system32\bthprops.cpl]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-02-02 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2004-09-25 00:15 108636 c:\program files\IBM fingerprint software\psfus.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
2004-08-18 11:30 258048 c:\windows\system32\QConGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\iexplore.exe]
"Debugger"=c:\windows\system32\klomp.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli pwdmon

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\IBM\\Updater\\jre\\bin\\java.exe"=
"c:\\Program Files\\IBM\\Updater\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\IBM\\Updater\\ucsmb.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Documents and Settings\\Kieren\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Kieren\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"27244:TCP"= 27244:TCP:BitComet 27244 TCP
"27244:UDP"= 27244:UDP:BitComet 27244 UDP

R0 GENERICSMB;IBM - Generic SMB Device Controller;c:\windows\system32\drivers\smbgen.sys [2005-03-15 10240]
R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [2005-02-02 59520]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2005-02-02 11520]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.SYS [2005-02-02 2432]
R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [2005-02-02 4608]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [2005-02-02 16384]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-10-09 99376]
R3 SMBusDH;IBM - SMB Hub Controller;c:\windows\system32\drivers\smbusdh.sys [2005-03-15 11648]
R3 SMBusHC;SMBus Host Controller;c:\windows\system32\drivers\smbushc.sys [2005-03-15 29696]
R4 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [2004-09-24 64256]
R4 smi2;smi2;c:\windows\system32\drivers\smi2.sys [2005-03-15 3968]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-01-13 23888]
S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [2005-02-02 12288]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
*Deregistered* - Irmon
*Deregistered* - JavaQuickStarterService
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LiveUpdate Notice
*Deregistered* - LmHosts
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - PolicyAgent
*Deregistered* - ProtectedStorage
*Deregistered* - QCONSVC
*Deregistered* - RasMan
*Deregistered* - RegSrvc
*Deregistered* - RemoteRegistry
*Deregistered* - RpcSs
*Deregistered* - S24EventMonitor
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - ServiceLayer
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - srservice
*Deregistered* - SSDPSRV
*Deregistered* - stisvc
*Deregistered* - Symantec Core LC
*Deregistered* - TapiSrv
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TpKmpSVC
*Deregistered* - TrkWks
*Deregistered* - vtserver
*Deregistered* - W32Time
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WudfSvc
*Deregistered* - WZCSVC
.
Contents of the 'Scheduled Tasks' folder

2009-01-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-01-27 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2009-01-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-496120868-51030831-1257078025-1005.job
- c:\documents and settings\Kieren\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-06 22:16]

2009-01-27 c:\windows\Tasks\User_Feed_Synchronization-{6633B427-A95F-4583-8B81-86FFE8D5EE9C}.job
- c:\windows\system32\msfeedssync.exe [2008-08-22 03:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = <local>
IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: microsoft.com\office
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-27 22:32:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1292)
c:\windows\system32\vrlogon.dll
c:\program files\IBM fingerprint software\ExtVapi.dll
c:\program files\Common Files\Virtual Token\psutil.dll
c:\program files\Common Files\Virtual Token\resmgr.dll
c:\program files\Common Files\Virtual Token\Remote.dll
c:\program files\Common Files\Virtual Token\passport.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\IBM fingerprint software\psfus.dll
c:\program files\Common Files\Virtual Token\config.dll
c:\program files\Common Files\Virtual Token\LocPass.dll
c:\program files\Common Files\Virtual Token\SBioPass.dll
c:\program files\Common Files\Virtual Token\psdlg.dll

- - - - - - - > 'lsass.exe'(1348)
c:\windows\system32\pwdmon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Virtual Token\vtserver.exe
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\S24EvMon.exe
c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
c:\program files\IBM\Security\uvmserv.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ibmsmbus.exe
c:\program files\IBM\Security\TssCore.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\QCONSVC.EXE
c:\windows\system32\RegSrvc.exe
c:\windows\system32\TpKmpSvc.exe
c:\program files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
c:\program files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE
c:\program files\PC Connectivity Solution\ServiceLayer.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2009-01-27 22:41:51 - machine was rebooted [Kieren]
ComboFix-quarantined-files.txt 2009-01-27 22:41:44
ComboFix2.txt 2009-01-12 23:00:30

Pre-Run: 9,723,908,096 bytes free
Post-Run: 9,862,361,088 bytes free

372 --- E O F --- 2009-01-14 07:37:10
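
An added note and worked example, not part of thedoodle's posts nor of the ComboFix or DDS output above. The "Reg Loading Points" section of the ComboFix log is where the symptom in the first post is explained: the key `...\windows nt\currentversion\image file execution options\iexplore.exe` carries a `Debugger` value of `c:\windows\system32\klomp.exe`. Windows honours that value on every launch of iexplore.exe by starting the named debugger with iexplore.exe as its argument; if the debugger file does not exist, the launch fails and Explorer reports that it cannot find iexplore.exe even though the real file is untouched. Whether klomp.exe is still on disk is not shown in this log. The same section contains three more items worth checking: a BHO DLL (`xwr24215.dll`) sitting directly in system32 rather than under Program Files; `pwdmon` added to the LSA Notification Packages, which makes lsass.exe load `pwdmon.dll` (confirmed further down in the lsass.exe DLL list) and hand it every password change, a hook that vendor password-sync tools also use, so it has to be attributed to a known product before it is trusted; and Security Center monitoring and the Windows Firewall switched off, which third-party suites such as Norton 360 often do themselves, so those are review items rather than proof of compromise. The Python below parses such a section and reports those indicators. The sample text is constructed after the log excerpt above, and the severity labels are this example's own, not ComboFix's.

```python
"""Triage a ComboFix 'Reg Loading Points' section for the persistence and
defence-evasion indicators seen in this thread.

Added example; not part of ComboFix, DDS or the poster's logs.  The sample
text is constructed after the log excerpt in the thread (klomp.exe,
xwr24215.dll and pwdmon are the names that appear there).
"""
import re
from dataclasses import dataclass

# Windows XP ships exactly one LSA notification package (scecli).  Any other
# entry is a DLL that lsass.exe loads and hands every password change to.
DEFAULT_LSA_PACKAGES = {"scecli"}

@dataclass(frozen=True)
class Finding:
    kind: str      # indicator class
    detail: str    # what was seen
    severity: str  # "high": hijack/credential exposure; "review": vendors often set this

_HDR_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_IFEO_RE = re.compile(r"image file execution options\\(?P<exe>[^\\]+)$", re.I)
_BHO_RE = re.compile(r"browser helper objects\\(?P<clsid>\{[0-9a-f-]+\})$", re.I)
_PATH_RE = re.compile(r"(?P<path>[a-z]:\\.+)$", re.I)  # path column of a file line
_SYSTEM32_FILE_RE = re.compile(r"[a-z]:\\windows\\system32\\[^\\]+", re.I)

def _leaf(key: str) -> str:
    """Last component of a registry key path."""
    return key.rsplit("\\", 1)[-1]

def parse_findings(text: str) -> list[Finding]:
    """Walk the section line by line, remembering the current [key] header."""
    findings: list[Finding] = []
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        hdr = _HDR_RE.match(line)
        if hdr:
            key = hdr.group("key")
            continue
        if not line:
            continue
        # IFEO Debugger: Windows starts the named program instead of <exe> on
        # every launch; a missing debugger file yields "Windows cannot find".
        ifeo = _IFEO_RE.search(key)
        if ifeo and line.lower().startswith('"debugger"='):
            debugger = line.split("=", 1)[1].strip().strip('"')
            findings.append(Finding("ifeo_debugger", f"{ifeo.group('exe')} -> {debugger}", "high"))
            continue
        # LSA Notification Packages beyond the OS default.
        if key.lower().endswith("\\control\\lsa") and line.startswith("Notification Packages"):
            packages = set(line.partition("REG_MULTI_SZ")[2].split())
            for extra in sorted(packages - DEFAULT_LSA_PACKAGES):
                findings.append(Finding("lsa_notification_package", f"{extra}.dll loaded by lsass.exe", "high"))
            continue
        # Security Center notification/monitoring flags or Windows Firewall turned off.
        if "security center" in key.lower() and line.endswith("=dword:00000001"):
            value_name = line.split("=", 1)[0].strip('"')
            findings.append(Finding("security_center_disabled", f"{_leaf(key)}: {value_name}", "review"))
            continue
        if "firewallpolicy" in key.lower() and line.lower().startswith('"enablefirewall"=') and "0 (0x0)" in line:
            findings.append(Finding("windows_firewall_off", _leaf(key), "review"))
            continue
        # Heuristic: a BHO whose DLL sits directly in system32.  Legitimate BHOs
        # almost always live under Program Files.
        bho = _BHO_RE.search(key)
        if bho:
            path = _PATH_RE.search(line)
            if path and _SYSTEM32_FILE_RE.fullmatch(path.group("path")):
                findings.append(Finding("bho_in_system32", f"{bho.group('clsid')} -> {path.group('path')}", "high"))
    return findings

# Constructed sample modelled on the ComboFix excerpt in the thread.
SAMPLE_REG_LOADING_POINTS = r"""
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0EFB4554-D1FD-3397-AD33-00AF4FC2F245}]
2009-01-11 15:53 172032 --a------ c:\windows\system32\xwr24215.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\iexplore.exe]
"Debugger"=c:\windows\system32\klomp.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli pwdmon

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

if __name__ == "__main__":
    for f in parse_findings(SAMPLE_REG_LOADING_POINTS):
        print(f"[{f.severity:6}] {f.kind}: {f.detail}")
```

Run against the sample, the script reports the IFEO hijack, the extra LSA package and the system32 BHO as high, and the Security Center and firewall flags as review items. The ordinary `Run` entry is ignored, which is the point: the value of a triage pass like this is separating the handful of entries that explain a symptom or expose credentials from the dozens of vendor autostarts that fill the rest of the log.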

#4 thedoodle (Topic Starter)

Posted 27 January 2009 - 05:52 PM

DDS (Ver_09-01-19.01) - NTFSx86
Run by at 22:49:14.04 on 27/01/2009
Internet Explorer: 8.0.6001.18241
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.93 [GMT 0:00]

AV: Norton 360 *On-access scanning disabled* (Updated)
FW: Norton 360 *disabled*

============== Running Processes ===============

C:\Program Files\Common Files\Virtual Token\vtserver.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
svchost.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\IBM\Security\uvmserv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\ibmsmbus.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\IBM\Security\certtool.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\IBM\Password Manager\pwmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Documents and Settings\Kieren\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Kieren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Kieren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Kieren\My Documents\Downloads\dds (1).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: D: {0efb4554-d1fd-3397-ad33-00af4fc2f245} - c:\windows\system32\xwr24215.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.3.1.15.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.6\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar3.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.0.1225.9868\swg.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: NoExplorer - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
BHO: EWPP - No File
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.6\CoIEPlg.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ibmmessages] c:\program files\ibm\messages by ibm\ibmmessages.exe
uRun: [Google Update] "c:\documents and settings\kieren\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [S3TRAY2] S3Tray2.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [TpShocks] TpShocks.exe
mRun: [TPHOTKEY] c:\progra~1\thinkpad\pkgmgr\hotkey\TPHKMGR.exe
mRun: [ControlCenter] "c:\program files\ibm fingerprint software\ctlcntr.exe" /startup
mRun: [TP4EX] tp4ex.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [UC_Start] c:\program files\ibm\updater\\ucstartup.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ibmmessages] c:\program files\ibm\messages by ibm\\ibmmessages.exe
mRun: [IBMPRC] c:\ibmtools\utils\ibmprc.exe
mRun: [QCWLICON] c:\program files\thinkpad\connectutilities\QCWLICON.EXE
mRun: [BMMGAG] RunDll32 c:\progra~1\thinkpad\utilit~1\pwrmonit.dll,StartPwrMonitor
mRun: [BMMLREF] c:\program files\thinkpad\utilities\BMMLREF.EXE
mRun: [BMMMONWND] rundll32.exe c:\progra~1\thinkpad\utilit~1\BatInfEx.dll,BMMAutonomicMonitor
mRun: [ISS_Certtool] c:\program files\ibm\security\certtool.exe
mRun: [IBM_PWMGR] c:\program files\ibm\password manager\pwmgr.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [Camera Detector] c:\progra~1\acdsys~1\devdet~1\DEVDET~1.EXE -autorun
mRun: [PCSuiteTrayApplication] c:\program files\nokia\nokia pc suite 6\LaunchApplication.exe -startup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton 360\osCheck.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [CTCheck] c:\program files\creative\creative zen\zen media explorer\CTCheck.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: &Clean Traces - c:\program files\dap\privacy package\dapcleanerie.htm
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: &Download with &DAP - c:\program files\dap\dapextie.htm
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Download &all with DAP - c:\program files\dap\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.3.1.15.dll/206
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: microsoft.com\office
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} - hxxp://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} - hxxp://www.symantec.com/techsupp/activedata/nprdtinf.cab
DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} - hxxp://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
DPF: {483EB14D-AF1C-4951-81B0-4E2B41829FF6} - hxxps://www.select2perform.eu/cabs/QOLCheck.ocx
DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} - hxxp://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {6F750202-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {74FFE28D-2378-11D5-990C-006094235084} - hxxp://www-307.ibm.com/pc/support/IbmEgath.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} - hxxp://zone.msn.com/bingame/zpagames/zpa_txhe.cab79352.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {C45B1500-7B63-47C2-AB25-C28CB46AFDEE} - hxxp://sib1.od2.com/common/musicmanager/installation/MusicManagerPlugin.CAB
DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4.1/jinstall-141-win.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - hxxp://zone.msn.com/binframework/v10/StProxy.cab55579.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: psfus - c:\program files\ibm fingerprint software\psfus.dll
Notify: QConGina - QConGina.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli pwdmon

============= SERVICES / DRIVERS ===============

R0 GENERICSMB;IBM - Generic SMB Device Controller;c:\windows\system32\drivers\smbgen.sys [2005-3-15 10240]
R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [2005-2-2 59520]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2005-2-2 11520]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.SYS [2005-2-2 2432]
R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [2005-2-2 4608]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [2005-2-2 16384]
R3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-13 23888]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-10-9 99376]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090127.004\NAVENG.SYS [2009-1-27 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090127.004\NAVEX15.SYS [2009-1-27 876112]
R3 SMBusDH;IBM - SMB Hub Controller;c:\windows\system32\drivers\smbusdh.sys [2005-3-15 11648]
R3 SMBusHC;SMBus Host Controller;c:\windows\system32\drivers\smbushc.sys [2005-3-15 29696]
R4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
R4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
R4 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [2004-9-24 64256]
R4 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
R4 smi2;smi2;c:\windows\system32\drivers\smi2.sys [2005-3-15 3968]
R4 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2005-12-22 1245064]
S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [2005-2-2 12288]

=============== Created Last 30 ================

2009-01-14 21:55 25,992 a------- c:\windows\system32\pgdfgsvc.exe
2009-01-14 21:55 1,936 a------- c:\windows\system32\drivers\PAGEDFRG.SYS
2009-01-14 03:01 <DIR> --d----- c:\windows\ie8updates
2009-01-13 22:06 <DIR> --d----- c:\program files\SpywareBlaster
2009-01-12 22:43 <DIR> a-dshr-- C:\cmdcons
2009-01-12 22:37 161,792 a------- c:\windows\SWREG.exe
2009-01-12 22:37 98,816 a------- c:\windows\sed.exe
2009-01-12 22:11 116,224 a------- c:\windows\system32\dllcache\xrxwiadr.dll
2009-01-12 22:11 23,040 a------- c:\windows\system32\dllcache\xrxwbtmp.dll
2009-01-12 22:11 27,648 a------- c:\windows\system32\dllcache\xrxftplt.exe
2009-01-12 22:11 18,944 a------- c:\windows\system32\dllcache\xrxscnui.dll
2009-01-12 22:11 4,608 a------- c:\windows\system32\dllcache\xrxflnch.exe
2009-01-12 22:10 99,865 a------- c:\windows\system32\dllcache\xlog.exe
2009-01-12 22:10 28,288 a------- c:\windows\system32\dllcache\xjis.nls
2009-01-12 22:10 16,970 a------- c:\windows\system32\dllcache\xem336n5.sys
2009-01-12 22:10 19,455 a------- c:\windows\system32\dllcache\wvchntxx.sys
2009-01-12 22:10 12,063 a------- c:\windows\system32\dllcache\wsiintxx.sys
2009-01-12 22:08 12,415 a------- c:\windows\system32\dllcache\wadv01nt.sys
2009-01-12 22:07 149,376 a------- c:\windows\system32\dllcache\tffsport.sys
2009-01-12 22:06 31,744 a------- c:\windows\system32\dllcache\smb6w.dll
2009-01-12 22:05 245,632 a------- c:\windows\system32\dllcache\s3savmx.dll
2009-01-12 22:04 7,168 a------- c:\windows\system32\dllcache\pnrmc.sys
2009-01-12 22:03 61,696 a------- c:\windows\system32\dllcache\ohci1394.sys
2009-01-12 22:03 198,144 a------- c:\windows\system32\dllcache\nv3.sys
2009-01-12 22:03 123,776 a------- c:\windows\system32\dllcache\nv3.dll
2009-01-12 22:03 51,552 a------- c:\windows\system32\dllcache\ntgrip.sys
2009-01-12 22:03 38,912 a------- c:\windows\system32\dllcache\EXCH_ntfsdrv.dll
2009-01-12 22:03 9,344 a------- c:\windows\system32\dllcache\ntapm.sys
2009-01-12 22:03 7,552 a------- c:\windows\system32\dllcache\nsmmc.sys
2009-01-12 22:03 87,040 a------- c:\windows\system32\dllcache\nm6wdm.sys
2009-01-12 22:03 126,080 a------- c:\windows\system32\dllcache\nm5a2wdm.sys
2009-01-12 22:01 49,024 a------- c:\windows\system32\dllcache\mstape.sys
2009-01-12 22:01 12,416 a------- c:\windows\system32\dllcache\msriffwv.sys
2009-01-12 22:01 2,944 a------- c:\windows\system32\dllcache\msmpu401.sys
2009-01-12 22:01 1,875,968 a------- c:\windows\system32\dllcache\msir3jp.lex
2009-01-12 22:01 98,304 a------- c:\windows\system32\dllcache\msir3jp.dll
2009-01-12 21:59 70,730 a------- c:\windows\system32\dllcache\lne100tx.sys
2009-01-12 21:58 102,463 a------- c:\windows\system32\dllcache\imepadsm.dll
2009-01-12 21:57 7,680 a------- c:\windows\system32\dllcache\ftpctrs2.dll
2009-01-12 21:56 236,060 a------- c:\windows\system32\dllcache\ditrace.exe
2009-01-12 21:55 13,312 a------- c:\windows\system32\dllcache\chglogon.exe
2009-01-12 21:54 162,850 a------- c:\windows\system32\dllcache\c_10001.nls
2009-01-12 21:53 24,576 a------- c:\windows\system32\dllcache\agcgauge.ax
2009-01-12 21:52 19,968 a------- c:\windows\system32\dllcache\inetsloc.dll
2009-01-12 21:52 7,680 a------- c:\windows\system32\dllcache\inetmgr.exe
2009-01-12 21:52 169,984 a------- c:\windows\system32\dllcache\iisui.dll
2009-01-12 21:52 14,336 a------- c:\windows\system32\dllcache\iisreset.exe
2009-01-12 21:52 5,632 a------- c:\windows\system32\dllcache\iisrstap.dll
2009-01-12 21:52 6,144 a------- c:\windows\system32\dllcache\ftpsapi2.dll
2009-01-12 21:52 94,720 a------- c:\windows\system32\dllcache\certmap.ocx
2009-01-12 19:44 <DIR> -cd-h--- c:\windows\ie8
2009-01-11 15:57 41,122,888 a------- c:\windows\system32\xa76217595.exe
2009-01-11 15:57 41,122,888 a------- c:\windows\system32\xa76214100.exe
2009-01-11 15:53 172,032 a------- c:\windows\system32\xwr24215.dll
2009-01-11 15:53 172,032 a------- c:\windows\system32\wr24215.dll
2009-01-11 15:53 41,122,888 a------- c:\windows\system32\xa75965021.exe
2009-01-11 15:53 41,122,888 a------- c:\windows\system32\xa75960275.exe
2009-01-10 18:38 32,592 a------- c:\windows\system32\msonpmon.dll
2009-01-10 18:28 <DIR> --d----- c:\windows\SHELLNEW

==================== Find3M ====================

2009-01-09 09:02 10,635 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-09 09:02 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-01-09 09:02 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-09 09:02 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2008-12-25 16:14 3,532 a------- C:\drmHeader.bin
2008-12-14 13:59 5,699,584 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-14 13:26 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-11 10:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-11 10:57 333,952 a------- c:\windows\system32\dllcache\srv.sys
2008-11-21 21:47 524,288 a------- c:\windows\system32\DivXsm.exe
2008-11-21 21:47 3,596,288 a------- c:\windows\system32\qt-dx331.dll
2008-11-21 21:47 129,784 -------- c:\windows\system32\pxafs.dll
2008-11-21 21:47 120,056 -------- c:\windows\system32\pxcpyi64.exe
2008-11-21 21:47 118,520 -------- c:\windows\system32\pxinsi64.exe
2008-11-21 21:46 1,044,480 a------- c:\windows\system32\libdivx.dll
2008-11-21 21:46 200,704 a------- c:\windows\system32\ssldivx.dll
2008-11-21 21:44 161,096 a------- c:\windows\system32\DivXCodecVersionChecker.exe
2008-11-21 21:44 12,288 a------- c:\windows\system32\DivXWMPExtType.dll
2008-11-18 21:19 38,008 a------- c:\docume~1\kieren\applic~1\GDIPFONTCACHEV1.DAT
2008-11-15 23:16 171,334 a------- c:\windows\pchealth\helpctr\config\cache\Professional_32_1033.dat
2008-03-16 12:52 32 ac------ c:\docume~1\alluse~1\applic~1\ezsid.dat
2008-08-30 16:53 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008083020080831\index.dat

============= FINISH: 22:49:53.29 ===============


#5 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 27 January 2009 - 08:08 PM

Hello.

Run ComboFix with CFScript
We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    http://www.bleepingcomputer.com/forums/t/195444/cannot-find-iexploreexe/
    
    File::
    c:\windows\system32\xa76217595.exe
    c:\windows\system32\xa76214100.exe
    c:\windows\system32\xa75965021.exe
    c:\windows\system32\xa75960275.exe
    c:\windows\system32\xwr24215.dll
    c:\windows\system32\klomp.exe
    
    Collect::
    c:\windows\system32\wr24215.dll
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0EFB4554-D1FD-3397-AD33-00AF4FC2F245}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\iexplore.exe]
  • Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    [image]
  • Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

At the end of its run ComboFix will attempt to upload some files. Please make sure you are connected to the Internet before clicking "OK".

Download and run MalwareBytes Anti-Malware
If you already have MBAM installed, simply update and run a quick scan.

Please download the Malwarebytes Anti-Malware setup file and save it to your desktop.
alternate download link 1
alternate download link 2

Refer to the steps given here on installing Malwarebytes, running the scan, and saving the log file (not on using FileAssassin).
  • If you have trouble updating, try the other mirror download site.
  • Should the computer in question not be able to update using the normal method, download the update file from here, using another machine if needed. Simply double-click the file to install the updates.
  • If Malwarebytes asks to reboot to remove certain items, do so right away.
Please include the scan logfile in your next reply.

Please post back with:
-the ComboFix log
-the Malwarebytes scan log

Give me an update on the symptoms.

With Regards,
The Panda

Edited by PropagandaPanda, 27 January 2009 - 08:09 PM.
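For readers who want to check their own machine for the two kinds of entry the CFScript above deletes (an Image File Execution Options subkey for iexplore.exe and a Browser Helper Object), here is a read-only PowerShell audit. It is an added example, not part of this thread or of ComboFix; it assumes an elevated PowerShell session on 32-bit Windows and reports only, deleting nothing.

```powershell
# Added example, not from the thread or from ComboFix: a read-only audit of the
# two registry locations the CFScript above removes entries from. It reports and
# never deletes. Assumes an elevated PowerShell session; the paths are the
# 32-bit ones (on 64-bit Windows the Wow6432Node equivalents deserve the same check).

# Return the program part of a command line such as '"C:\x\y.exe" -arg' or 'y.exe -arg'.
function Get-CommandTarget {
    param([string]$CommandLine)
    $cmd = $CommandLine.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    return ($cmd -split '\s+')[0]
}

# Image File Execution Options: if a subkey named after an executable carries a
# "Debugger" value, Windows starts the program named in that value instead of the
# executable the user launched. A subkey for iexplore.exe is exactly the kind of
# entry the script above removes. On a machine not used for software development,
# any Debugger entry at all is worth a closer look.
function Get-IfeoDebuggerEntries {
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
        $debugger = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($debugger) {
            $target = [Environment]::ExpandEnvironmentVariables((Get-CommandTarget $debugger))
            [pscustomobject]@{
                Executable   = $_.PSChildName
                Debugger     = $debugger
                TargetExists = [bool](Test-Path -LiteralPath $target)
            }
        }
    }
}

# Browser Helper Objects: each subkey is a CLSID; the DLL Internet Explorer loads
# is the default value of that CLSID's InprocServer32 key. A BHO whose DLL is
# missing is the "(no file)" orphan ComboFix reports; a BHO whose DLL has an
# unfamiliar, random-looking name in system32 is the one to investigate.
function Get-BhoEntries {
    $bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    Get-ChildItem -Path $bho -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid  = $_.PSChildName
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll    = (Get-ItemProperty -Path $server -ErrorAction SilentlyContinue).'(default)'
        $path   = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll) } else { '' }
        [pscustomobject]@{
            CLSID     = $clsid
            Dll       = $dll
            DllExists = ($path -ne '' -and (Test-Path -LiteralPath $path))
        }
    }
}

Write-Host '== Image File Execution Options subkeys with a Debugger value =='
Get-IfeoDebuggerEntries | Format-Table -AutoSize

Write-Host '== Registered Browser Helper Objects =='
Get-BhoEntries | Format-Table -AutoSize
```

Compare the CLSIDs and DLL paths it prints against the Browser Helper Objects and O2/BHO lines of your own DDS log before acting on anything.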


#6 thedoodle
  • Topic Starter
  • Members
  • 14 posts

Posted 28 January 2009 - 04:54 PM

Hey there PP,

Logs below. After following the instructions above I can get back into IE now. Nothing appears to be not working any more.

Question - my other laptop started doing the same thing not long after the problem started on this machine - is fixing the problem on that machine as simple as following the same steps again?


Thanks again for your help with this - much appreciated.

TD



ComboFix 09-01-21.04 - 2009-01-28 19:32:41.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.177 [GMT 0:00]
Running from: c:\documents and settings\Kieren\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Kieren\Desktop\CFScript.txt
AV: Norton 360 *On-access scanning disabled* (Updated)
FW: Norton 360 *disabled*
* Created a new restore point

FILE ::
c:\windows\system32\klomp.exe
c:\windows\system32\xa75960275.exe
c:\windows\system32\xa75965021.exe
c:\windows\system32\xa76214100.exe
c:\windows\system32\xa76217595.exe
c:\windows\system32\xwr24215.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\wr24215.dll
c:\windows\system32\xa75960275.exe
c:\windows\system32\xa75965021.exe
c:\windows\system32\xa76214100.exe
c:\windows\system32\xa76217595.exe
c:\windows\system32\xwr24215.dll

.
((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-28 )))))))))))))))))))))))))))))))
.

2009-01-23 17:33 . 2009-01-23 17:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-01-19 11:50 . 2009-01-19 11:50 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-01-14 21:55 . 2009-01-14 21:55 25,992 --a------ c:\windows\system32\pgdfgsvc.exe
2009-01-14 21:55 . 2009-01-14 21:55 1,936 --a------ c:\windows\system32\drivers\PAGEDFRG.SYS
2009-01-14 03:01 . 2009-01-14 03:01 <DIR> d-------- c:\windows\ie8updates
2009-01-13 22:07 . 2009-01-13 22:15 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-01-13 22:06 . 2009-01-13 22:06 <DIR> d-------- c:\program files\SpywareBlaster
2009-01-12 22:11 . 2008-04-14 01:12 116,224 --a------ c:\windows\system32\dllcache\xrxwiadr.dll
2009-01-12 22:11 . 2001-08-17 22:37 27,648 --a------ c:\windows\system32\dllcache\xrxftplt.exe
2009-01-12 22:11 . 2001-08-17 22:36 23,040 --a------ c:\windows\system32\dllcache\xrxwbtmp.dll
2009-01-12 22:11 . 2008-04-14 01:12 18,944 --a------ c:\windows\system32\dllcache\xrxscnui.dll
2009-01-12 22:11 . 2001-08-17 22:37 4,608 --a------ c:\windows\system32\dllcache\xrxflnch.exe
2009-01-12 22:10 . 2001-08-17 22:37 99,865 --a------ c:\windows\system32\dllcache\xlog.exe
2009-01-12 22:10 . 2001-08-18 10:00 28,288 --a------ c:\windows\system32\dllcache\xjis.nls
2009-01-12 22:10 . 2004-08-03 22:29 19,455 --a------ c:\windows\system32\dllcache\wvchntxx.sys
2009-01-12 22:10 . 2001-08-17 12:11 16,970 --a------ c:\windows\system32\dllcache\xem336n5.sys
2009-01-12 22:10 . 2004-08-03 22:29 12,063 --a------ c:\windows\system32\dllcache\wsiintxx.sys
2009-01-12 22:08 . 2001-08-17 13:28 794,654 --a------ c:\windows\system32\dllcache\usr1801.sys
2009-01-12 22:07 . 2001-08-17 12:18 285,760 --a------ c:\windows\system32\dllcache\stlnata.sys
2009-01-12 22:06 . 2001-08-17 22:36 495,616 --a------ c:\windows\system32\dllcache\sblfx.dll
2009-01-12 22:05 . 2001-08-17 13:28 899,146 --a------ c:\windows\system32\dllcache\r2mdkxga.sys
2009-01-12 22:04 . 2001-08-17 14:05 351,616 --a------ c:\windows\system32\dllcache\ovcodek2.sys
2009-01-12 22:03 . 2001-08-17 12:50 198,144 --a------ c:\windows\system32\dllcache\nv3.sys
2009-01-12 22:03 . 2001-08-17 12:20 126,080 --a------ c:\windows\system32\dllcache\nm5a2wdm.sys
2009-01-12 22:03 . 2001-08-17 22:36 123,776 --a------ c:\windows\system32\dllcache\nv3.dll
2009-01-12 22:03 . 2001-08-17 12:20 87,040 --a------ c:\windows\system32\dllcache\nm6wdm.sys
2009-01-12 22:03 . 2008-04-13 19:46 61,696 --a------ c:\windows\system32\dllcache\ohci1394.sys
2009-01-12 22:03 . 2001-08-17 12:49 51,552 --a------ c:\windows\system32\dllcache\ntgrip.sys
2009-01-12 22:03 . 2001-08-17 22:36 38,912 --a------ c:\windows\system32\dllcache\EXCH_ntfsdrv.dll
2009-01-12 22:03 . 2001-08-17 13:47 9,344 --a------ c:\windows\system32\dllcache\ntapm.sys
2009-01-12 22:03 . 2001-08-17 13:53 7,552 --a------ c:\windows\system32\dllcache\nsmmc.sys
2009-01-12 22:01 . 2001-08-18 10:00 1,875,968 --a------ c:\windows\system32\dllcache\msir3jp.lex
2009-01-12 22:01 . 2001-08-18 10:00 98,304 --a------ c:\windows\system32\dllcache\msir3jp.dll
2009-01-12 22:01 . 2008-04-13 19:46 49,024 --a------ c:\windows\system32\dllcache\mstape.sys
2009-01-12 22:01 . 2001-08-17 13:48 12,416 --a------ c:\windows\system32\dllcache\msriffwv.sys
2009-01-12 22:01 . 2001-08-17 14:00 2,944 --a------ c:\windows\system32\dllcache\msmpu401.sys
2009-01-12 21:59 . 2001-08-18 10:00 1,158,818 --a------ c:\windows\system32\dllcache\korwbrkr.lex
2009-01-12 21:58 . 2001-08-18 10:00 10,129,408 --a------ c:\windows\system32\dllcache\hwxkor.dll
2009-01-12 21:57 . 2001-08-17 12:14 952,007 --a------ c:\windows\system32\dllcache\diwan.sys
2009-01-12 21:56 . 2001-08-18 10:00 1,677,824 --a------ c:\windows\system32\dllcache\chsbrkr.dll
2009-01-12 21:55 . 2001-08-17 13:28 714,698 --a------ c:\windows\system32\dllcache\cbmdmkxx.sys
2009-01-12 21:54 . 2001-08-17 13:28 871,388 --a------ c:\windows\system32\dllcache\bcmdm.sys
2009-01-12 21:53 . 2001-08-17 13:28 762,780 --a------ c:\windows\system32\dllcache\3cwmcru.sys
2009-01-12 21:52 . 2001-08-18 10:00 169,984 --a------ c:\windows\system32\dllcache\iisui.dll
2009-01-12 21:52 . 2001-08-18 10:00 94,720 --a------ c:\windows\system32\dllcache\certmap.ocx
2009-01-12 21:52 . 2001-08-18 10:00 19,968 --a------ c:\windows\system32\dllcache\inetsloc.dll
2009-01-12 21:52 . 2001-08-18 10:00 14,336 --a------ c:\windows\system32\dllcache\iisreset.exe
2009-01-12 21:52 . 2001-08-18 10:00 7,680 --a------ c:\windows\system32\dllcache\inetmgr.exe
2009-01-12 21:52 . 2001-08-18 10:00 6,144 --a------ c:\windows\system32\dllcache\ftpsapi2.dll
2009-01-12 21:52 . 2001-08-18 10:00 5,632 --a------ c:\windows\system32\dllcache\iisrstap.dll
2009-01-12 19:44 . 2009-01-12 19:46 <DIR> d--h-c--- c:\windows\ie8
2009-01-10 18:38 . 2006-10-26 19:56 32,592 --a------ c:\windows\system32\msonpmon.dll
2009-01-10 18:35 . 2009-01-10 18:35 <DIR> d-------- c:\program files\Microsoft Works
2009-01-10 18:33 . 2009-01-10 18:33 <DIR> d-------- c:\program files\Microsoft.NET
2009-01-10 18:28 . 2009-01-10 18:30 <DIR> d-------- c:\windows\SHELLNEW
2009-01-10 18:23 . 2009-01-10 18:23 <DIR> dr-h----- C:\MSOCache
2009-01-10 18:23 . 2009-01-23 08:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-28 19:41 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-28 19:34 --------- d-----w c:\documents and settings\Kieren\Application Data\Skype
2009-01-28 16:03 --------- d-----w c:\documents and settings\Kieren\Application Data\skypePM
2009-01-27 22:34 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-27 22:30 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-25 14:29 --------- d-----w c:\program files\BitComet
2009-01-19 11:48 --------- d-----w c:\program files\Common Files\Adobe
2009-01-09 09:03 --------- d-----w c:\program files\Symantec
2009-01-09 09:02 806 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-01-09 09:02 124,464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-09 09:02 10,635 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-02 12:35 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-25 16:14 3,532 ----a-w C:\drmHeader.bin
2008-12-25 14:54 --------- d-----w c:\documents and settings\Kieren\Application Data\Creative
2008-12-25 12:45 --------- d-----w c:\documents and settings\All Users\Application Data\Creative
2008-12-25 12:32 --------- d-----w c:\program files\Creative
2008-12-25 12:32 --------- d-----w c:\program files\Audible
2008-12-25 12:28 --------- d--h--w c:\program files\Creative Installation Information
2008-12-25 12:26 --------- d-----w c:\program files\Common Files\Creative
2008-12-21 15:25 --------- d-----w c:\documents and settings\Kieren\Application Data\DivX
2008-12-20 19:35 --------- d-----w c:\program files\DivX
2008-12-18 21:29 --------- d-----w c:\documents and settings\Kieren\Application Data\Amazon
2008-12-18 21:26 --------- d-----w c:\program files\Amazon
2008-12-18 11:07 --------- d-----w c:\program files\QuickTime
2008-12-18 11:06 --------- d-----w c:\program files\Common Files\Apple
2008-12-18 11:01 --------- d-----w c:\program files\Apple Software Update
2008-12-14 13:26 --------- d-----w c:\program files\Java
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-11-18 21:19 38,008 ----a-w c:\documents and settings\Kieren\Application Data\GDIPFONTCACHEV1.DAT
2008-03-16 12:52 32 -c--a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2008-08-30 16:53 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008083020080831\index.dat
.

((((((((((((((((((((((((((((( snapshot@2009-01-12_22.58.21.58 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-22 03:09:32 5,699,584 -c----w c:\windows\ie8updates\KB960714-IE8\mshtml.dll
+ 2008-07-09 07:38:25 231,288 -c----w c:\windows\ie8updates\KB960714-IE8\spuninst\spuninst.exe
+ 2008-07-09 07:38:37 382,840 -c----w c:\windows\ie8updates\KB960714-IE8\spuninst\updspapi.dll
+ 2007-12-12 15:06:42 295,606 ----a-r c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe
+ 2008-11-15 23:16:34 171,334 ----a-w c:\windows\PCHealth\HelpCtr\Config\Cache\Professional_32_1033.dat
+ 2008-11-15 23:16:34 171,334 -c--a-w c:\windows\PCHealth\HelpCtr\Config\Cache\Professional_32_1033.dat.bak
- 2008-08-22 03:09:32 5,699,584 ----a-w c:\windows\system32\dllcache\mshtml.dll
+ 2008-12-14 13:59:44 5,699,584 ----a-w c:\windows\system32\dllcache\mshtml.dll
- 2008-09-08 10:41:42 333,824 ----a-w c:\windows\system32\dllcache\srv.sys
+ 2008-12-11 10:57:09 333,952 ----a-w c:\windows\system32\dllcache\srv.sys
- 2008-12-09 15:24:38 17,593,280 ----a-w c:\windows\system32\MRT.exe
+ 2009-01-10 01:35:28 20,853,704 ----a-w c:\windows\system32\MRT.exe
- 2008-08-22 03:09:32 5,699,584 ----a-w c:\windows\system32\mshtml.dll
+ 2008-12-14 13:59:44 5,699,584 ----a-w c:\windows\system32\mshtml.dll
- 2009-01-12 22:51:18 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_250.dat
+ 2009-01-28 19:41:32 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_250.dat
+ 2009-01-28 19:41:50 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_6f4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded]
@="{4433A54A-1AC8-432F-90FC-85F045CF383C}"
[HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}]
2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending]
@="{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}"
[HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}]
2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected]
@="{476D0EA3-80F9-48B5-B70B-05E677C9C148}"
[HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}]
2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-08 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"ibmmessages"="c:\program files\IBM\Messages By IBM\ibmmessages.exe" [2004-07-22 442368]
"Google Update"="c:\documents and settings\Kieren\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-11-06 133104]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2007-07-17 868352]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-06-16 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-06-16 512000]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2004-02-05 897024]
"TPHOTKEY"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2004-08-18 94208]
"ControlCenter"="c:\program files\IBM fingerprint software\ctlcntr.exe" [2004-09-25 284254]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2003-12-25 208896]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"UC_Start"="c:\program files\IBM\Updater\\ucstartup.exe" [2004-07-15 36864]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-09-02 127035]
"ibmmessages"="c:\program files\IBM\Messages By IBM\\ibmmessages.exe" [2004-07-22 442368]
"IBMPRC"="c:\ibmtools\UTILS\ibmprc.exe" [2004-03-19 90112]
"QCWLICON"="c:\program files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2004-08-18 81920]
"BMMGAG"="c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2004-07-29 110592]
"BMMLREF"="c:\program files\ThinkPad\Utilities\BMMLREF.EXE" [2004-07-29 20480]
"BMMMONWND"="c:\progra~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2004-07-29 395776]
"ISS_Certtool"="c:\program files\IBM\Security\certtool.exe" [2004-11-11 86016]
"IBM_PWMGR"="c:\program files\IBM\Password Manager\pwmgr.exe" [2004-11-11 327680]
"Camera Detector"="c:\progra~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE" [2003-06-17 208896]
"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 271360]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-14 136600]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-06-02 267048]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"CTCheck"="c:\program files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe" [2007-11-06 397312]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"S3TRAY2"="S3Tray2.exe" [2001-10-12 c:\windows\system32\S3Tray2.exe]
"TpShocks"="TpShocks.exe" [2004-03-27 c:\windows\system32\TpShocks.exe]
"TP4EX"="tp4ex.exe" [2002-09-04 c:\windows\system32\TP4EX.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 c:\windows\system32\bthprops.cpl]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-02-02 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2004-09-25 00:15 108636 c:\program files\IBM fingerprint software\psfus.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
2004-08-18 11:30 258048 c:\windows\system32\QConGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli pwdmon

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\IBM\\Updater\\jre\\bin\\java.exe"=
"c:\\Program Files\\IBM\\Updater\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\IBM\\Updater\\ucsmb.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Documents and Settings\\Kieren\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Kieren\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"27244:TCP"= 27244:TCP:BitComet 27244 TCP
"27244:UDP"= 27244:UDP:BitComet 27244 UDP

R0 GENERICSMB;IBM - Generic SMB Device Controller;c:\windows\system32\drivers\smbgen.sys [2005-03-15 10240]
R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [2005-02-02 59520]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2005-02-02 11520]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.SYS [2005-02-02 2432]
R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [2005-02-02 4608]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [2005-02-02 16384]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-10-09 99376]
R3 SMBusDH;IBM - SMB Hub Controller;c:\windows\system32\drivers\smbusdh.sys [2005-03-15 11648]
R3 SMBusHC;SMBus Host Controller;c:\windows\system32\drivers\smbushc.sys [2005-03-15 29696]
R4 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [2004-09-24 64256]
R4 smi2;smi2;c:\windows\system32\drivers\smi2.sys [2005-03-15 3968]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-01-13 23888]
S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [2005-02-02 12288]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
*Deregistered* - Irmon
*Deregistered* - JavaQuickStarterService
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LiveUpdate Notice
*Deregistered* - LmHosts
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - PolicyAgent
*Deregistered* - ProtectedStorage
*Deregistered* - QCONSVC
*Deregistered* - RasMan
*Deregistered* - RegSrvc
*Deregistered* - RemoteRegistry
*Deregistered* - RpcSs
*Deregistered* - S24EventMonitor
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - ServiceLayer
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - srservice
*Deregistered* - SSDPSRV
*Deregistered* - stisvc
*Deregistered* - Symantec Core LC
*Deregistered* - TapiSrv
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TpKmpSVC
*Deregistered* - TrkWks
*Deregistered* - vtserver
*Deregistered* - W32Time
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WudfSvc
*Deregistered* - WZCSVC
.
Contents of the 'Scheduled Tasks' folder

2009-01-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-01-28 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2009-01-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-496120868-51030831-1257078025-1005.job
- c:\documents and settings\Kieren\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-06 22:16]

2009-01-28 c:\windows\Tasks\User_Feed_Synchronization-{6633B427-A95F-4583-8B81-86FFE8D5EE9C}.job
- c:\windows\system32\msfeedssync.exe [2008-08-22 03:05]
.
- - - - ORPHANS REMOVED - - - -

BHO-{0EFB4554-D1FD-3397-AD33-00AF4FC2F245} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = <local>
IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: microsoft.com\office
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-28 19:43:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1292)
c:\windows\system32\vrlogon.dll
c:\program files\IBM fingerprint software\ExtVapi.dll
c:\program files\Common Files\Virtual Token\psutil.dll
c:\program files\Common Files\Virtual Token\resmgr.dll
c:\program files\Common Files\Virtual Token\Remote.dll
c:\program files\Common Files\Virtual Token\passport.dll
c:\program files\Common Files\Virtual Token\psdlg.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\IBM fingerprint software\psfus.dll
c:\program files\Common Files\Virtual Token\config.dll
c:\program files\Common Files\Virtual Token\LocPass.dll
c:\program files\Common Files\Virtual Token\SBioPass.dll

- - - - - - - > 'lsass.exe'(1348)
c:\windows\system32\pwdmon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Virtual Token\vtserver.exe
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\S24EvMon.exe
c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
c:\program files\IBM\Security\uvmserv.exe
c:\windows\system32\ibmsmbus.exe
c:\program files\IBM\Security\TssCore.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\QCONSVC.EXE
c:\windows\system32\RegSrvc.exe
c:\windows\system32\TpKmpSvc.exe
c:\windows\system32\ati2evxx.exe
c:\program files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
c:\program files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE
c:\program files\PC Connectivity Solution\ServiceLayer.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2009-01-28 19:52:55 - machine was rebooted [Kieren]
ComboFix-quarantined-files.txt 2009-01-28 19:52:47
ComboFix2.txt 2009-01-27 22:41:54
ComboFix3.txt 2009-01-12 23:00:30

Pre-Run: 9,650,180,096 bytes free
Post-Run: 9,643,778,048 bytes free

382 --- E O F --- 2009-01-14 07:37:10



*********************

Malwarebytes' Anti-Malware 1.33
Database version: 1702
Windows 5.1.2600 Service Pack 3

28/01/2009 21:49:07
mbam-log-2009-01-28 (21-49-07).txt

Scan type: Quick Scan
Objects scanned: 60354
Time elapsed: 45 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

#7 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:41 PM

Posted 28 January 2009 - 05:54 PM

Hello.

Looks better.

Question - my other laptop started doing the same thing not long after the problem started on this machine - is fixing the problem on that machine as simple as following the same steps again ?

I would say no. ComboFix is not a tool intended for general disinfection.

What problems exactly please?
---
Let's get an online scan off and check for anything left.

F-Secure Online Scan
Please run F-Secure Online Scanner.
This scan is for Internet Explorer only.
  • It is suggested that you disable security programs and close any other windows during the scan. While your security is disabled, please refrain from surfing on other sites. Refer to this page if you are unsure how.
  • Go to F-Secure Online Scanner
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy the entire report in your next reply.
  • Be sure to re-enable any security programs.

Also take a fresh DDS log. Attach the Attach.exe file too.

With Regards,
The Panda

#8 thedoodle

thedoodle
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:03:41 AM

Posted 03 February 2009 - 05:49 PM

Thanks PP - log from the F Secure Below, followed by DDS log & attachment.


Re: my other laptop - the symptoms appear to be the same as I had for this machine. Try to open IE and it returns the message:

"Windows cannot find 'C:\Program Files\Internet Explorer\iexplore.exe'. Make sure you typed the name correctly, and then try again. To search for a file, click the start button, and then click search"

They both started behaving badly around the time I downloaded some P2P stuff a few weeks back, which made me think it was a similar problem.

Thanks again,

TD



Scanning Report
Tuesday, February 03, 2009 21:06:43 - 22:32:42
Computer name: IBM-0EFC54DED1F
Scanning type: Scan system for malware, rootkits
Target: C:\ F:\


--------------------------------------------------------------------------------

Result: 8 malware found
TrackingCookie.Adinterax (spyware)
System
TrackingCookie.Admeta (spyware)
System
TrackingCookie.Atdmt (spyware)
System
TrackingCookie.Emediate (spyware)
System
TrackingCookie.Webtrends (spyware)
System
Trojan.Win32.Agent (virus)
System
Trojan.Win32.Agent.awyk (virus)
C:\WINDOWS\SYSTEM32\QDBON.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP661\A0105346.DLL (Renamed & Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 45181
System: 4469
Not scanned: 11
Actions:
Disinfected: 0
Renamed: 1
Deleted: 0
None: 7
Submitted: 1
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCRST.DLL
C:\DOCUMENTS AND SETTINGS\KIEREN\APPLICATION DATA\SYMANTEC\NPMDATASTORE\CIMSTORE.XML
C:\DOCUMENTS AND SETTINGS\ALL USERS\DOCUMENTS\DESKTOP.INI
C:\DOCUMENTS AND SETTINGS\ALL USERS\DOCUMENTS\LATEST ADVENTURES..!.DOC

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure USS: 3.0.0
F-Secure Hydra: 3.6.8511, 2009-02-03
F-Secure AVP: 7.0.171, 2009-02-03
F-Secure Pegasus: 1.20.0, 1970-00-01
F-Secure Blacklight: 0.0.0
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use Advanced heuristics

****************

DDS (Ver_09-02-01.01) - NTFSx86
Run by Kieren at 22:42:12.97 on 03/02/2009
Internet Explorer: 8.0.6001.18241
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.28 [GMT 0:00]

AV: Norton 360 *On-access scanning enabled* (Updated)
FW: Norton 360 *enabled*

============== Running Processes ===============

C:\Program Files\Common Files\Virtual Token\vtserver.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
svchost.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\IBM\Security\uvmserv.exe
C:\WINDOWS\System32\ibmsmbus.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\IBM\Updater\jre\bin\javaw.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\IBM\Security\certtool.exe
C:\Program Files\IBM\Password Manager\pwmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Kieren\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FAMTCAE.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FARNCAE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Kieren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Kieren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Documents and Settings\Kieren\My Documents\Downloads\dds (2).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.3.1.15.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.6\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar3.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.0.1225.9868\swg.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: NoExplorer - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
BHO: EWPP - No File
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.6\CoIEPlg.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ibmmessages] c:\program files\ibm\messages by ibm\ibmmessages.exe
uRun: [Google Update] "c:\documents and settings\kieren\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [S3TRAY2] S3Tray2.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [TpShocks] TpShocks.exe
mRun: [TPHOTKEY] c:\progra~1\thinkpad\pkgmgr\hotkey\TPHKMGR.exe
mRun: [ControlCenter] "c:\program files\ibm fingerprint software\ctlcntr.exe" /startup
mRun: [TP4EX] tp4ex.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [UC_Start] c:\program files\ibm\updater\\ucstartup.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ibmmessages] c:\program files\ibm\messages by ibm\\ibmmessages.exe
mRun: [IBMPRC] c:\ibmtools\utils\ibmprc.exe
mRun: [QCWLICON] c:\program files\thinkpad\connectutilities\QCWLICON.EXE
mRun: [BMMGAG] RunDll32 c:\progra~1\thinkpad\utilit~1\pwrmonit.dll,StartPwrMonitor
mRun: [BMMLREF] c:\program files\thinkpad\utilities\BMMLREF.EXE
mRun: [BMMMONWND] rundll32.exe c:\progra~1\thinkpad\utilit~1\BatInfEx.dll,BMMAutonomicMonitor
mRun: [ISS_Certtool] c:\program files\ibm\security\certtool.exe
mRun: [IBM_PWMGR] c:\program files\ibm\password manager\pwmgr.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [Camera Detector] c:\progra~1\acdsys~1\devdet~1\DEVDET~1.EXE -autorun
mRun: [PCSuiteTrayApplication] c:\program files\nokia\nokia pc suite 6\LaunchApplication.exe -startup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton 360\osCheck.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [CTCheck] c:\program files\creative\creative zen\zen media explorer\CTCheck.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: &Clean Traces - c:\program files\dap\privacy package\dapcleanerie.htm
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: &Download with &DAP - c:\program files\dap\dapextie.htm
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Download &all with DAP - c:\program files\dap\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.3.1.15.dll/206
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: microsoft.com\office
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} - hxxp://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} - hxxp://www.symantec.com/techsupp/activedata/nprdtinf.cab
DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} - hxxp://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
DPF: {483EB14D-AF1C-4951-81B0-4E2B41829FF6} - hxxps://www.select2perform.eu/cabs/QOLCheck.ocx
DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} - hxxp://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {6F750202-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {74FFE28D-2378-11D5-990C-006094235084} - hxxp://www-307.ibm.com/pc/support/IbmEgath.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} - hxxp://zone.msn.com/bingame/zpagames/zpa_txhe.cab79352.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {C45B1500-7B63-47C2-AB25-C28CB46AFDEE} - hxxp://sib1.od2.com/common/musicmanager/installation/MusicManagerPlugin.CAB
DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4.1/jinstall-141-win.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - hxxp://zone.msn.com/binframework/v10/StProxy.cab55579.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: psfus - c:\program files\ibm fingerprint software\psfus.dll
Notify: QConGina - QConGina.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli pwdmon

============= SERVICES / DRIVERS ===============

R0 GENERICSMB;IBM - Generic SMB Device Controller;c:\windows\system32\drivers\smbgen.sys [2005-3-15 10240]
R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [2005-2-2 59520]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2005-2-2 11520]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.SYS [2005-2-2 2432]
R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [2005-2-2 4608]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [2005-2-2 16384]
R2 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [2004-9-24 64256]
R2 smi2;smi2;c:\windows\system32\drivers\smi2.sys [2005-3-15 3968]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-10-9 99376]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090203.003\NAVENG.SYS [2009-2-3 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090203.003\NAVEX15.SYS [2009-2-3 876112]
R3 SMBusDH;IBM - SMB Hub Controller;c:\windows\system32\drivers\smbusdh.sys [2005-3-15 11648]
R3 SMBusHC;SMBus Host Controller;c:\windows\system32\drivers\smbushc.sys [2005-3-15 29696]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-13 23888]
S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [2005-2-2 12288]

=============== Created Last 30 ================

2009-02-03 21:02 <DIR> --d----- C:\fsaua.data
2009-01-28 20:42 <DIR> --dsh--- c:\documents and settings\kieren\PrivacIE
2009-01-28 19:58 <DIR> --d----- c:\docume~1\kieren\applic~1\Malwarebytes
2009-01-28 19:57 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-28 19:57 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-28 19:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-28 19:57 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-14 21:55 25,992 a------- c:\windows\system32\pgdfgsvc.exe
2009-01-14 21:55 1,936 a------- c:\windows\system32\drivers\PAGEDFRG.SYS
2009-01-14 03:01 <DIR> --d----- c:\windows\ie8updates
2009-01-13 22:06 <DIR> --d----- c:\program files\SpywareBlaster
2009-01-12 22:43 <DIR> a-dshr-- C:\cmdcons
2009-01-12 22:37 161,792 a------- c:\windows\SWREG.exe
2009-01-12 22:37 98,816 a------- c:\windows\sed.exe
2009-01-12 22:11 116,224 a------- c:\windows\system32\dllcache\xrxwiadr.dll
2009-01-12 22:11 23,040 a------- c:\windows\system32\dllcache\xrxwbtmp.dll
2009-01-12 22:11 27,648 a------- c:\windows\system32\dllcache\xrxftplt.exe
2009-01-12 22:11 18,944 a------- c:\windows\system32\dllcache\xrxscnui.dll
2009-01-12 22:11 4,608 a------- c:\windows\system32\dllcache\xrxflnch.exe
2009-01-12 22:10 99,865 a------- c:\windows\system32\dllcache\xlog.exe
2009-01-12 22:10 28,288 a------- c:\windows\system32\dllcache\xjis.nls
2009-01-12 22:10 16,970 a------- c:\windows\system32\dllcache\xem336n5.sys
2009-01-12 22:10 19,455 a------- c:\windows\system32\dllcache\wvchntxx.sys
2009-01-12 22:10 12,063 a------- c:\windows\system32\dllcache\wsiintxx.sys
2009-01-12 22:08 12,415 a------- c:\windows\system32\dllcache\wadv01nt.sys
2009-01-12 22:07 149,376 a------- c:\windows\system32\dllcache\tffsport.sys
2009-01-12 22:06 31,744 a------- c:\windows\system32\dllcache\smb6w.dll
2009-01-12 22:05 245,632 a------- c:\windows\system32\dllcache\s3savmx.dll
2009-01-12 22:04 7,168 a------- c:\windows\system32\dllcache\pnrmc.sys
2009-01-12 22:03 61,696 a------- c:\windows\system32\dllcache\ohci1394.sys
2009-01-12 22:03 198,144 a------- c:\windows\system32\dllcache\nv3.sys
2009-01-12 22:03 123,776 a------- c:\windows\system32\dllcache\nv3.dll
2009-01-12 22:03 51,552 a------- c:\windows\system32\dllcache\ntgrip.sys
2009-01-12 22:03 38,912 a------- c:\windows\system32\dllcache\EXCH_ntfsdrv.dll
2009-01-12 22:03 9,344 a------- c:\windows\system32\dllcache\ntapm.sys
2009-01-12 22:03 7,552 a------- c:\windows\system32\dllcache\nsmmc.sys
2009-01-12 22:03 87,040 a------- c:\windows\system32\dllcache\nm6wdm.sys
2009-01-12 22:03 126,080 a------- c:\windows\system32\dllcache\nm5a2wdm.sys
2009-01-12 22:01 49,024 a------- c:\windows\system32\dllcache\mstape.sys
2009-01-12 22:01 12,416 a------- c:\windows\system32\dllcache\msriffwv.sys
2009-01-12 22:01 2,944 a------- c:\windows\system32\dllcache\msmpu401.sys
2009-01-12 22:01 1,875,968 a------- c:\windows\system32\dllcache\msir3jp.lex
2009-01-12 22:01 98,304 a------- c:\windows\system32\dllcache\msir3jp.dll
2009-01-12 21:59 70,730 a------- c:\windows\system32\dllcache\lne100tx.sys
2009-01-12 21:58 102,463 a------- c:\windows\system32\dllcache\imepadsm.dll
2009-01-12 21:57 7,680 a------- c:\windows\system32\dllcache\ftpctrs2.dll
2009-01-12 21:56 236,060 a------- c:\windows\system32\dllcache\ditrace.exe
2009-01-12 21:55 13,312 a------- c:\windows\system32\dllcache\chglogon.exe
2009-01-12 21:54 162,850 a------- c:\windows\system32\dllcache\c_10001.nls
2009-01-12 21:53 24,576 a------- c:\windows\system32\dllcache\agcgauge.ax
2009-01-12 21:52 19,968 a------- c:\windows\system32\dllcache\inetsloc.dll
2009-01-12 21:52 7,680 a------- c:\windows\system32\dllcache\inetmgr.exe
2009-01-12 21:52 169,984 a------- c:\windows\system32\dllcache\iisui.dll
2009-01-12 21:52 14,336 a------- c:\windows\system32\dllcache\iisreset.exe
2009-01-12 21:52 5,632 a------- c:\windows\system32\dllcache\iisrstap.dll
2009-01-12 21:52 6,144 a------- c:\windows\system32\dllcache\ftpsapi2.dll
2009-01-12 21:52 94,720 a------- c:\windows\system32\dllcache\certmap.ocx
2009-01-12 19:44 <DIR> -cd-h--- c:\windows\ie8
2009-01-10 18:38 32,592 a------- c:\windows\system32\msonpmon.dll
2009-01-10 18:28 <DIR> --d----- c:\windows\SHELLNEW

==================== Find3M ====================

2009-01-09 09:02 10,635 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-09 09:02 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-01-09 09:02 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-09 09:02 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2008-12-25 16:14 3,532 a------- C:\drmHeader.bin
2008-12-14 13:59 5,699,584 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-14 13:26 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-11 10:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-11 10:57 333,952 a------- c:\windows\system32\dllcache\srv.sys
2008-11-21 21:47 524,288 a------- c:\windows\system32\DivXsm.exe
2008-11-21 21:47 3,596,288 a------- c:\windows\system32\qt-dx331.dll
2008-11-21 21:47 129,784 -------- c:\windows\system32\pxafs.dll
2008-11-21 21:47 120,056 -------- c:\windows\system32\pxcpyi64.exe
2008-11-21 21:47 118,520 -------- c:\windows\system32\pxinsi64.exe
2008-11-21 21:46 1,044,480 a------- c:\windows\system32\libdivx.dll
2008-11-21 21:46 200,704 a------- c:\windows\system32\ssldivx.dll
2008-11-21 21:44 161,096 a------- c:\windows\system32\DivXCodecVersionChecker.exe
2008-11-21 21:44 12,288 a------- c:\windows\system32\DivXWMPExtType.dll
2008-11-18 21:19 38,008 a------- c:\docume~1\kieren\applic~1\GDIPFONTCACHEV1.DAT
2008-11-15 23:16 171,334 a------- c:\windows\pchealth\helpctr\config\cache\Professional_32_1033.dat
2008-03-16 12:52 32 ac------ c:\docume~1\alluse~1\applic~1\ezsid.dat
2008-08-30 16:53 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008083020080831\index.dat

============= FINISH: 22:43:44.20 ===============

#9 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:41 PM

Posted 03 February 2009 - 06:03 PM

Hello thedoodle.

I think I need to give you that speech on P2P programs.. :thumbsup:

Peer-to-Peer Programs Warning
These programs allow users to share files with each other, as the name suggests. In today's world cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further readings on this subject, via the included links, are as follows: File-Sharing, otherwise known as Peer To Peer and Risks of File-Sharing Technology.

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organizations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."
-----------------

Looks good. F-Secure just found some leftovers.

Unless there are any issues at the moment, we can wrap up.

Download and Run OTCleanIt
This program will remove the tools we have used.
  • Download OTCleanIt by OldTimer to your desktop.
  • Double click OTCleanIt.exe to start the program.
  • Click the big CleanUp! button.
  • When asked if you want to proceed with the cleanup process, click Yes. Restart your computer when prompted.
Delete the file after use, if it did not delete itself.

Set New System Restore Point
Now you should set a Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, tools cannot access it to delete these bad files, which sometimes can reinfect your system. Setting a new restore point after cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click System Restore.
  • Choose the radio button marked Create a Restore Point on the first screen then click Next. Give the Restore Point a name then click Create.
  • Then, click on Start > Run and type:
    cleanmgr
  • Click OK > More Options tab.
  • Click Clean Up in the System Restore section to remove all previous restore points except the newly created one.
Preventing Malware Infection in the Future
Please take some time to look at the following links, giving some advice and suggestions for preventing future infections. For general slowness problems that you may have, take a look at Slow Computer/browser? It May Not Be Malware. Read How to use the Startup Database to identify and disable unneeded processes and increase the amount of available resources.

Do you have any further questions or concerns?

With Regards,
The Panda
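The F-Secure report in the post above lists eight hits, two of them under the same trojan name: one at a live path under system32 and one inside an old restore point (the RP661 copy), which is the case the "Set New System Restore Point" step in this reply is about. Added example, not code from the thread or from F-Secure: a small Python parser for that report format that tags each finding by where it lives, checks the parsed total against the scanner's own "Result:" line, and pulls out two lists worth looking at before wrapping up: live files the scanner reported without acting on, and copies held inside restore points. The location labels, field names and function names are this example's own assumptions; the sample text is the findings block copied from the report above.

```python
"""Sort the findings in an F-Secure Online Scanner report by where they live.
Added example, not code from the thread or from F-Secure; the location labels
(cookie / system / restore_point / live_file) and field names are its own."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: the findings block of the report quoted in the thread.
SAMPLE_REPORT = r"""Result: 8 malware found
TrackingCookie.Adinterax (spyware)
System
TrackingCookie.Admeta (spyware)
System
TrackingCookie.Atdmt (spyware)
System
TrackingCookie.Emediate (spyware)
System
TrackingCookie.Webtrends (spyware)
System
Trojan.Win32.Agent (virus)
System
Trojan.Win32.Agent.awyk (virus)
C:\WINDOWS\SYSTEM32\QDBON.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP661\A0105346.DLL (Renamed & Submitted)

--------------------------------------------------------------------------------

Statistics
"""

RESULT_RE = re.compile(r"^Result: (?P<count>\d+) malware found$")
HEADER_RE = re.compile(r"^(?P<name>\S+) \((?P<kind>[a-z]+)\)$")
LOCATION_RE = re.compile(r"^(?P<path>.+?)(?: \((?P<action>[^()]+)\))?$")
# XP keeps restore-point copies under <drive>\System Volume Information\_restore{GUID}\RPnnn\
RESTORE_POINT_RE = re.compile(
    r"\\SYSTEM VOLUME INFORMATION\\_RESTORE\{[0-9A-F-]+\}\\RP\d+\\", re.IGNORECASE)

@dataclass(frozen=True)
class Detection:
    name: str      # scanner's detection name, e.g. Trojan.Win32.Agent.awyk
    kind: str      # scanner's category in parentheses, e.g. virus or spyware
    location: str  # file path, or the literal "System" when no path is reported
    action: str    # scanner's action on this item, or "None" (the report's own word)
    where: str     # cookie | system | restore_point | live_file

def classify(name, location):
    """Label a finding by where it lives; that decides what to do about it."""
    if name.startswith("TrackingCookie."):
        return "cookie"
    if location == "System":
        return "system"
    if RESTORE_POINT_RE.search(location):
        return "restore_point"
    return "live_file"

def parse_report(report):
    """One Detection per location line; raises if the scanner's own count disagrees."""
    detections, declared, current = [], None, None
    for raw in report.splitlines():
        line = raw.strip()
        if declared is None:                 # still above the "Result:" line
            m = RESULT_RE.match(line)
            if m:
                declared = int(m.group("count"))
            continue
        if not line:
            continue
        if line.startswith("----"):          # end of the results block
            break
        # A location is the word "System" or a Windows path; test for that first so
        # a path ending in "(...)" is never mistaken for a "Name (kind)" header.
        if line == "System" or "\\" in line:
            if current is None:
                raise ValueError("location before any detection header: " + line)
            m = LOCATION_RE.match(line)
            path, action = m.group("path"), m.group("action") or "None"
            detections.append(Detection(*current, path, action, classify(current[0], path)))
            continue
        m = HEADER_RE.match(line)
        if m is None:
            raise ValueError("unrecognised line in results block: " + line)
        current = (m.group("name"), m.group("kind"))
    if declared is not None and declared != len(detections):
        raise ValueError(f"scanner declared {declared} items, parsed {len(detections)}")
    return detections

def summarize(detections):
    """Findings per location class, e.g. {'cookie': 5, 'live_file': 1, ...}."""
    return dict(Counter(d.where for d in detections))

def needs_follow_up(detections):
    """Live files the scanner reported but did not touch: re-check these by hand."""
    return [d for d in detections if d.where == "live_file" and d.action == "None"]

def restore_point_copies(detections):
    """Copies inside old restore points; purging old points is what clears these."""
    return [d for d in detections if d.where == "restore_point"]
```

Run over the report above (`parse_report(SAMPLE_REPORT)`), it yields five cookies, one "System" hit, one restore-point copy (the item F-Secure renamed and submitted) and one live file under system32 that the scanner listed with no action. The last list is the one to re-check before closing a case; the restore-point list is what creating a fresh restore point and cleaning up the old ones, as described in this reply, takes care of.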

#10 thedoodle

thedoodle
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:03:41 AM

Posted 04 February 2009 - 03:05 AM

PP - thanks for your help... and lesson learnt on P2P!

Just two more questions:

1) should I start a new topic for the problems described for my other machine, or would it be reasonable to follow that above?

2) should I delete the files that were downloaded P2P as well?

Thanks again!

TD

#11 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:41 PM

Posted 04 February 2009 - 08:18 AM

Welcome :thumbsup: .

Please start a new topic.

I would suggest that you do delete those files.

With Regards,
The panda

#12 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:41 PM

Posted 11 February 2009 - 04:04 PM

Hello.

Since this issue appears to be resolved, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda
