Infected with Virtumonde (I think)


  • This topic is locked
10 replies to this topic

#1 blubbertubs


  • Members
  • 5 posts

Posted 26 January 2009 - 04:29 PM

Last night I got infected with Virtumonde and it's led to a few screwy things with my computer. First of all, I noticed new startup items in msconfig which were not there before, Automatic Updates was somehow turned off and I can't get it to turn back on. Also Firefox now randomly opens a random webpage in a new window. I tried cleaning with Spybot S&D; it found Virtumonde and cleaned it, but it comes back each time. Also Windows Explorer didn't start automatically when I rebooted and I had to start it myself. Thanks in advance for the help, it's greatly appreciated. Here's my DDS log:


DDS (Ver_09-01-19.01) - NTFSx86
Run by lindgc at 16:07:22.51 on Mon 01/26/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1327 [GMT -5:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\Program Files\Common Files\Virtual Token\vtserver.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\niSvcLoc.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\OrCAD\OrCAD_10.5_Demo\tools\bin\cdsNameServer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\lindgc.LINDGCT43P\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\lindgc.LINDGCT43P\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = ftp://lindgc@ftp.rpi.edu/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\opnlMddc.dll
BHO: {785523b1-f3d4-fe99-26c4-df5829e7dc37}: {73cd7e92-85fd-4c62-99ef-4d3f1b325587} - c:\windows\system32\swlril.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {e05e610d-95e4-4132-849c-7e75d49a719e} - c:\windows\system32\urqPjIyv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [IBM RecordNow!]
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [TpShocks] TpShocks.exe
mRun: [TPHOTKEY] c:\progra~1\thinkpad\pkgmgr\hotkey\TPHKMGR.exe
mRun: [ControlCenter] "c:\program files\ibm fingerprint software\ctlcntr.exe" /startup
mRun: [TP4EX] tp4ex.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [<NO NAME>]
mRun: [QCWLICON] c:\program files\thinkpad\connectutilities\QCWLICON.EXE
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [IBMPRC] c:\ibmtools\utils\ibmprc.exe
mRun: [EPSON Stylus C88 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIABA.EXE /P23 "EPSON Stylus C88 Series" /O6 "USB001" /M "Stylus C88"
mRun: [QCTray] c:\progra~1\thinkpad\connec~1\QCTray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\ibm\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\ibm\bluetooth software\btsendto_ie.htm
IE: {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - c:\program files\thinkpad\pkgmgr\\PkgMgr.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {15B782AF-55D8-11D1-B477-006097098764} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/authorware/awswaxd.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc2.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120724081296
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1121698630500
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4.2/jinstall-142-win.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - c:\windows\system32\BTXPPanel.dll
Notify: AfsLogon - afslogon.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: opnlMddc - opnlMddc.dll
Notify: psfus - c:\program files\ibm fingerprint software\psfus.dll
Notify: QConGina - QConGina.dll
Notify: tphotkey - tphklock.dll
AppInit_DLLs: swlril.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\opnlMddc.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\urqPjIyv
LSA: Notification Packages = scecli pwdmon

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\lindgc~1.lin\applic~1\mozilla\firefox\profiles\dfk2ez4k.default\
FF - prefs.js: browser.startup.homepage - hxxp://rpinfo.rpi.edu/
FF - plugin: c:\documents and settings\lindgc.lindgct43p\local settings\application data\google\update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 ANCSQ;ANCSQ;c:\windows\system32\drivers\ANCSQ.sys [2005-4-27 6912]
R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [2005-6-28 59776]
R0 TPDiskPM;TPDiskPM;c:\windows\system32\drivers\TPDiskPM.sys [2005-6-28 14208]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2005-6-28 11520]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.SYS [2005-6-28 2432]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-2-4 324232]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-2-4 53896]
R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [2005-6-28 4608]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [2005-6-28 4442]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090125.005\naveng.sys [2009-1-25 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090125.005\navex15.sys [2009-1-25 876112]
R3 TPInput;TPInput;c:\windows\system32\drivers\TPInput.sys [2005-6-28 6016]
R4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-4-8 185968]
R4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-4-8 161392]
R4 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [2005-4-27 63616]
R4 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2005-4-17 1706176]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-4-8 83568]
S3 CyUsb;Rensselaer IOBoard USB Driver;c:\windows\system32\drivers\IOBrdUSB.sys [2006-11-2 34304]
S3 NiViFWK;NI-VISA FireWire Driver;c:\windows\system32\drivers\NiViFWK.sys [2006-7-14 8704]
S3 NiViPciK;NI-VISA PCI Driver;c:\windows\system32\drivers\NiViPciK.sys [2006-7-14 48128]
S3 NiViPxiK;NI-VISA PXI Driver;c:\windows\system32\drivers\NiViPxiK.sys [2006-7-14 10752]
S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [2005-6-28 12288]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-4-17 124608]
S3 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-10-10 24652]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

============== File Associations ===============

scrfile="c:\program files\internet explorer\Iexplore.exe" %1

=============== Created Last 30 ================

2009-01-26 10:41 <DIR> --d----- c:\program files\Trend Micro
2009-01-25 23:23 72,704 a------- c:\windows\system32\qykxgbna.dll
2009-01-25 23:23 129,024 a------- c:\windows\system32\swlril.dll
2009-01-25 23:23 129,024 a------- c:\windows\system32\tgxornhm.dll
2009-01-25 23:22 410,246 a--sh--- c:\windows\system32\vyIjPqru.ini
2009-01-25 23:22 315,904 a------- c:\windows\system32\urqPjIyv.dll
2009-01-25 23:18 21,504 a--sh--- c:\windows\system32\autochk.dll
2009-01-25 23:18 21,504 a--sh--- c:\documents and settings\lindgc.lindgct43p\protect.dll
2009-01-25 23:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\CrucialSoft Ltd
2009-01-25 23:17 46,354 a------- c:\windows\system32\nnnlklLf.dll
2009-01-25 23:17 36,352 a------- c:\windows\system32\opnlMddc.dll

==================== Find3M ====================

2009-01-26 16:07 410,246 a--sh--- c:\windows\system32\vyIjPqru.ini2
2008-12-12 12:01 3,067,904 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 05:57 333,952 -------- c:\windows\system32\drivers\srv.sys
2008-12-11 05:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-12-06 09:59 188,416 a------- c:\windows\system32\ftdiunin.exe
2008-12-06 09:59 176,128 a------- c:\windows\system32\ftd2xx.dll
2008-12-06 09:59 106,496 a------- c:\windows\system32\ftbusui.dll
2008-12-06 09:59 102,400 a------- c:\windows\system32\FTLang.dll
2008-12-06 09:59 61,067 a------- c:\windows\system32\drivers\ftser2k.sys
2008-12-06 09:59 47,249 a------- c:\windows\system32\drivers\ftdibus.sys
2008-12-06 09:59 33,360 a------- c:\windows\system32\ftserui2.dll
2008-11-10 05:43 410,984 a------- c:\windows\system32\deploytk.dll
2007-12-15 21:21 349 a------- c:\program files\INSTALL.LOG
2003-12-18 11:33 20,102 a------- c:\program files\Readme.txt
2003-09-03 07:46 10,960 a------- c:\program files\EULA.txt

============= FINISH: 16:08:42.31 ===============


#2 miekiemoes


    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts

Posted 27 January 2009 - 04:53 AM

Hi,

Your system is severely infected. The problem with these infections nowadays is that they cause a lot of damage. Even if we clean the malware off your system, I can't guarantee that it will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.
Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible, since finding the right cause and solution would be like searching for a needle in a haystack.
So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL problems this malware already caused.

In light of this, it would be wise for you to back up any files and folders that you don't want to lose before we start. The reason I am telling you this is that when a system is so terribly infected and we try to clean it up manually, the damage that is already present may interfere with our removal attempts.

I see you have Viewpoint installed...
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 blubbertubs

  • Topic Starter

  • Members
  • 5 posts

Posted 27 January 2009 - 11:39 AM

Can't say this is the best news I've heard today, but I guess a clean wipe wouldn't be the worst thing in the world. Let's try to see how clean it can get, then evaluate that option. Since my first post I installed and ran Malwarebytes and removed the infections found, so here's the new DDS file. Automatic Updates has turned back on, and I haven't seen a random Firefox window open up. I'll install ComboFix and reply with the results later today when I get back home. Thanks for the help.


DDS (Ver_09-01-19.01) - NTFSx86
Run by lindgc at 11:17:06.90 on Tue 01/27/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1462 [GMT -5:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\Program Files\Common Files\Virtual Token\vtserver.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\niSvcLoc.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\lindgc.LINDGCT43P\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Pidgin\pidgin.exe
C:\Documents and Settings\lindgc.LINDGCT43P\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = ftp://lindgc@ftp.rpi.edu/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [IBM RecordNow!]
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [TpShocks] TpShocks.exe
mRun: [TPHOTKEY] c:\progra~1\thinkpad\pkgmgr\hotkey\TPHKMGR.exe
mRun: [ControlCenter] "c:\program files\ibm fingerprint software\ctlcntr.exe" /startup
mRun: [TP4EX] tp4ex.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [<NO NAME>]
mRun: [QCWLICON] c:\program files\thinkpad\connectutilities\QCWLICON.EXE
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [IBMPRC] c:\ibmtools\utils\ibmprc.exe
mRun: [EPSON Stylus C88 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIABA.EXE /P23 "EPSON Stylus C88 Series" /O6 "USB001" /M "Stylus C88"
mRun: [QCTray] c:\progra~1\thinkpad\connec~1\QCTray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\ibm\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\ibm\bluetooth software\btsendto_ie.htm
IE: {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - c:\program files\thinkpad\pkgmgr\\PkgMgr.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {15B782AF-55D8-11D1-B477-006097098764} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/authorware/awswaxd.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc2.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120724081296
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1121698630500
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4.2/jinstall-142-win.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - c:\windows\system32\BTXPPanel.dll
Notify: AfsLogon - afslogon.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: psfus - c:\program files\ibm fingerprint software\psfus.dll
Notify: QConGina - QConGina.dll
Notify: tphotkey - tphklock.dll
AppInit_DLLs: swlril.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
LSA: Notification Packages = scecli pwdmon

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\lindgc~1.lin\applic~1\mozilla\firefox\profiles\dfk2ez4k.default\
FF - prefs.js: browser.startup.homepage - hxxp://rpinfo.rpi.edu/
FF - plugin: c:\documents and settings\lindgc.lindgct43p\local settings\application data\google\update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 ANCSQ;ANCSQ;c:\windows\system32\drivers\ANCSQ.sys [2005-4-27 6912]
R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [2005-6-28 59776]
R0 TPDiskPM;TPDiskPM;c:\windows\system32\drivers\TPDiskPM.sys [2005-6-28 14208]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2005-6-28 11520]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.SYS [2005-6-28 2432]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-2-4 324232]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-2-4 53896]
R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [2005-6-28 4608]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [2005-6-28 4442]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090126.004\naveng.sys [2009-1-26 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090126.004\navex15.sys [2009-1-26 876112]
R3 TPInput;TPInput;c:\windows\system32\drivers\TPInput.sys [2005-6-28 6016]
R4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-4-8 185968]
R4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-4-8 161392]
R4 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [2005-4-27 63616]
R4 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2005-4-17 1706176]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-4-8 83568]
S3 CyUsb;Rensselaer IOBoard USB Driver;c:\windows\system32\drivers\IOBrdUSB.sys [2006-11-2 34304]
S3 NiViFWK;NI-VISA FireWire Driver;c:\windows\system32\drivers\NiViFWK.sys [2006-7-14 8704]
S3 NiViPciK;NI-VISA PCI Driver;c:\windows\system32\drivers\NiViPciK.sys [2006-7-14 48128]
S3 NiViPxiK;NI-VISA PXI Driver;c:\windows\system32\drivers\NiViPxiK.sys [2006-7-14 10752]
S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [2005-6-28 12288]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-4-17 124608]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================

2009-01-26 18:43 <DIR> --d----- c:\docume~1\lindgc~1.lin\applic~1\Malwarebytes
2009-01-26 18:43 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-26 18:43 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-26 18:43 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-26 18:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-26 10:41 <DIR> --d----- c:\program files\Trend Micro
2009-01-25 23:23 72,704 a------- c:\windows\system32\qykxgbna.dll
2009-01-25 23:18 21,504 a--sh--- c:\documents and settings\lindgc.lindgct43p\protect.dll

==================== Find3M ====================

2008-12-12 12:01 3,067,904 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 05:57 333,952 -------- c:\windows\system32\drivers\srv.sys
2008-12-11 05:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-12-06 09:59 188,416 a------- c:\windows\system32\ftdiunin.exe
2008-12-06 09:59 176,128 a------- c:\windows\system32\ftd2xx.dll
2008-12-06 09:59 106,496 a------- c:\windows\system32\ftbusui.dll
2008-12-06 09:59 102,400 a------- c:\windows\system32\FTLang.dll
2008-12-06 09:59 61,067 a------- c:\windows\system32\drivers\ftser2k.sys
2008-12-06 09:59 47,249 a------- c:\windows\system32\drivers\ftdibus.sys
2008-12-06 09:59 33,360 a------- c:\windows\system32\ftserui2.dll
2008-11-10 05:43 410,984 a------- c:\windows\system32\deploytk.dll
2007-12-15 21:21 349 a------- c:\program files\INSTALL.LOG
2003-12-18 11:33 20,102 a------- c:\program files\Readme.txt
2003-09-03 07:46 10,960 a------- c:\program files\EULA.txt

============= FINISH: 11:17:54.54 ===============
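The two DDS logs above differ in exactly the places a helper reads first: the random-named BHOs, the Winlogon Notify entry, the SEH entry and the LSA Authentication Packages line are gone after the Malwarebytes run, while AppInit_DLLs still names swlril.dll, a file written the night of the infection. The following script is an added example for this thread (it is not part of the original posts or of the DDS tool): it parses the load-point and "Created Last 30" sections of two DDS logs and reports which entries were removed and which persist while pointing at a freshly written DLL. The embedded excerpts are copied from the two logs posted above, trimmed to the relevant lines.

```python
"""Compare persistence load points between two DDS logs (added example)."""
import re

# Excerpts copied from the first DDS log in this thread (26 January).
LOG_BEFORE = r"""
============== Pseudo HJT Report ===============

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\opnlMddc.dll
BHO: {785523b1-f3d4-fe99-26c4-df5829e7dc37}: {73cd7e92-85fd-4c62-99ef-4d3f1b325587} - c:\windows\system32\swlril.dll
BHO: {e05e610d-95e4-4132-849c-7e75d49a719e} - c:\windows\system32\urqPjIyv.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: opnlMddc - opnlMddc.dll
AppInit_DLLs: swlril.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\opnlMddc.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\urqPjIyv
LSA: Notification Packages = scecli pwdmon

=============== Created Last 30 ================

2009-01-26 10:41 <DIR> --d----- c:\program files\Trend Micro
2009-01-25 23:23 72,704 a------- c:\windows\system32\qykxgbna.dll
2009-01-25 23:23 129,024 a------- c:\windows\system32\swlril.dll
2009-01-25 23:22 315,904 a------- c:\windows\system32\urqPjIyv.dll
2009-01-25 23:18 21,504 a--sh--- c:\documents and settings\lindgc.lindgct43p\protect.dll
2009-01-25 23:17 36,352 a------- c:\windows\system32\opnlMddc.dll

==================== Find3M ====================
"""

# Excerpts copied from the second DDS log (27 January, after Malwarebytes).
LOG_AFTER = r"""
============== Pseudo HJT Report ===============

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: swlril.dll
LSA: Notification Packages = scecli pwdmon

=============== Created Last 30 ================

2009-01-26 18:43 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-26 10:41 <DIR> --d----- c:\program files\Trend Micro
2009-01-25 23:23 72,704 a------- c:\windows\system32\qykxgbna.dll
2009-01-25 23:18 21,504 a--sh--- c:\documents and settings\lindgc.lindgct43p\protect.dll

==================== Find3M ====================
"""

# Load points reviewed first: a DLL named here is loaded into the browser,
# into every GUI process (AppInit_DLLs) or into winlogon/lsass itself.
WATCHED_PREFIXES = ("BHO:", "Notify:", "AppInit_DLLs:", "SEH:", "LSA:")
DLL_NAME = re.compile(r"([\w~]+\.dll)", re.IGNORECASE)
SECTION_HEADER = re.compile(r"^=+\s*(.+?)\s*=+$")   # "===== Name =====" lines


def sections(log):
    """Split a DDS log into {section name: [non-blank lines]}."""
    result, current = {}, None
    for line in log.splitlines():
        m = SECTION_HEADER.match(line)
        if m:
            current = m.group(1)
            result[current] = []
        elif current is not None and line.strip():
            result[current].append(line.strip())
    return result


def persistence_entries(log):
    """Load-point lines from the Pseudo HJT Report section, as a set."""
    hjt = sections(log).get("Pseudo HJT Report", [])
    return {line for line in hjt if line.startswith(WATCHED_PREFIXES)}


def dll_basenames(lines):
    """Lower-cased *.dll file names referenced anywhere in the given lines."""
    return {m.group(1).lower() for line in lines for m in DLL_NAME.finditer(line)}


def recent_dlls(log):
    """DLLs that DDS reports as created within the last 30 days."""
    return dll_basenames(sections(log).get("Created Last 30", []))


def compare(before, after):
    """Load points removed between the logs, and those present in both."""
    b, a = persistence_entries(before), persistence_entries(after)
    return {"removed": sorted(b - a), "persisting": sorted(a & b)}


def suspicious_persisting(before, after):
    """Persisting load points whose DLL was freshly written in either log.

    Vendor DLLs (Adobe, ATI) were installed long ago; a load point that
    survived cleaning and names a DLL dropped the night of the infection is
    the leftover that still needs attention."""
    recent = recent_dlls(before) | recent_dlls(after)
    return [line for line in compare(before, after)["persisting"]
            if dll_basenames([line]) & recent]


if __name__ == "__main__":
    result = compare(LOG_BEFORE, LOG_AFTER)
    for label in ("removed", "persisting"):
        print(f"{label}:", *result[label], sep="\n    ")
    print("persisting and recently written:",
          *suspicious_persisting(LOG_BEFORE, LOG_AFTER), sep="\n    ")
```

Run against the full logs rather than the excerpts, the same functions flag the identical leftover: the AppInit_DLLs entry for swlril.dll.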


#4 miekiemoes


    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts

Posted 27 January 2009 - 11:52 AM

Hi,

Can you follow the steps with Combofix and post the log in your next reply?

#5 blubbertubs

  • Topic Starter

  • Members
  • 5 posts

Posted 27 January 2009 - 09:46 PM

As requested, Combofix log:


ComboFix 09-01-21.04 - lindgc 2009-01-27 21:26:45.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1430 [GMT -5:00]
Running from: c:\documents and settings\lindgc.LINDGCT43P\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\INSTALL.LOG
c:\windows\IE4 Error Log.txt
c:\windows\system32\config.txt
c:\windows\system32\qykxgbna.dll
c:\windows\system32\windows.txt
c:\windows\wiaserviv.log

.
((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-28 )))))))))))))))))))))))))))))))
.

2009-01-26 18:43 . 2009-01-26 18:43 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-26 18:43 . 2009-01-26 18:43 <DIR> d-------- c:\documents and settings\lindgc.LINDGCT43P\Application Data\Malwarebytes
2009-01-26 18:43 . 2009-01-26 18:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-26 18:43 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-26 18:43 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-26 10:41 . 2009-01-26 10:41 <DIR> d-------- c:\program files\Trend Micro
2009-01-25 23:28 . 2009-01-25 23:28 21,504 --ahs---- c:\documents and settings\NetworkService\protect.dll
2009-01-25 23:18 . 2009-01-25 23:18 21,504 --ahs---- c:\documents and settings\lindgc.LINDGCT43P\protect.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-28 02:32 --------- d-----w c:\program files\Symantec AntiVirus
2009-01-28 02:16 --------- d-----w c:\documents and settings\lindgc.LINDGCT43P\Application Data\.purple
2009-01-27 23:16 --------- d-----w c:\program files\Mozilla Thunderbird
2009-01-27 16:41 --------- d-----w c:\documents and settings\lindgc.LINDGCT43P\Application Data\FileZilla
2009-01-27 14:30 --------- d-----w c:\program files\Viewpoint
2009-01-27 14:30 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-01-27 03:25 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-26 03:57 --------- d-----w c:\documents and settings\lindgc.LINDGCT43P\Application Data\uTorrent
2009-01-20 02:48 --------- d-----w c:\documents and settings\lindgc.LINDGCT43P\Application Data\gtk-2.0
2009-01-14 21:40 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-13 22:27 --------- d-----w c:\documents and settings\lindgc.LINDGCT43P\Application Data\dvdcss
2008-12-12 12:26 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-11 22:34 --------- d-----w c:\program files\Steam
2008-12-11 22:04 --------- d-----w c:\program files\SpeedFan
2008-12-11 22:00 --------- d-----w c:\program files\Lavalys
2008-12-11 10:57 333,952 ------w c:\windows\system32\drivers\srv.sys
2008-12-06 15:09 --------- d-----w c:\documents and settings\lindgc.LINDGCT43P\Application Data\Arduino
2008-12-06 14:59 61,067 ----a-w c:\windows\system32\drivers\ftser2k.sys
2008-12-06 14:59 47,249 ----a-w c:\windows\system32\drivers\ftdibus.sys
2008-12-03 16:05 --------- d-----w c:\program files\Java
2003-12-18 16:33 20,102 ----a-w c:\program files\Readme.txt
2003-09-03 12:46 10,960 ----a-w c:\program files\EULA.txt
2007-12-10 22:40 6,275,816 ----a-w c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll
2004-03-01 17:25 114,688 ----a-w c:\program files\internet explorer\plugins\ChimeShim.dll
2004-03-16 01:51 114,688 ------w c:\program files\internet explorer\plugins\LV71ActiveXControl.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-08 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-08 512000]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2004-02-04 897024]
"TPHOTKEY"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2005-04-04 94208]
"ControlCenter"="c:\program files\IBM fingerprint software\ctlcntr.exe" [2004-11-04 284766]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2005-03-23 217088]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-12-11 344064]
"QCWLICON"="c:\program files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2005-03-18 86016]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2005-04-14 139264]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-04-17 85184]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-19 127037]
"IBMPRC"="c:\ibmtools\UTILS\ibmprc.exe" [2005-04-27 90112]
"EPSON Stylus C88 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE" [2005-01-27 98304]
"QCTray"="c:\progra~1\ThinkPad\CONNEC~1\QCTray.exe" [2005-03-18 745472]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"TpShocks"="TpShocks.exe" [2005-04-05 c:\windows\system32\TpShocks.exe]
"TP4EX"="tp4ex.exe" [2004-11-12 c:\windows\system32\TP4EX.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2004-11-04 11:51 108636 c:\program files\IBM fingerprint software\psfus.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AfsLogon]
2004-10-18 13:51 66048 c:\windows\system32\afslogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
2005-03-18 05:07 262144 c:\windows\system32\QConGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2004-08-12 22:11 24576 c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=swlril.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli pwdmon

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BTTray.lnk
backup=c:\windows\pss\BTTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
backup=c:\windows\pss\VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^lindgc.LINDGCT43P^Start Menu^Programs^Startup^ChkDisk.dll]
path=c:\documents and settings\lindgc.LINDGCT43P\Start Menu\Programs\Startup\ChkDisk.dll
backup=c:\windows\pss\ChkDisk.dllStartup

[HKLM\~\startupfolder\C:^Documents and Settings^lindgc.LINDGCT43P^Start Menu^Programs^Startup^ChkDisk.lnk]
path=c:\documents and settings\lindgc.LINDGCT43P\Start Menu\Programs\Startup\ChkDisk.lnk
backup=c:\windows\pss\ChkDisk.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-05-11 02:06 40048 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cdloader]
--a------ 2008-07-22 11:45 50520 c:\documents and settings\lindgc.LINDGCT43P\Application Data\mjusbsp\cdloader2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-08-08 07:11 490952 c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-12-02 23:21 133104 c:\documents and settings\lindgc.LINDGCT43P\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ibmmessages]
--------- 2004-08-06 04:10 442368 c:\program files\IBM\Messages By IBM\ibmmessages.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 09:36 267048 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 22:37 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-12-11 15:04 1410296 c:\program files\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--------- 2003-08-19 00:01 110592 c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--------- 2006-10-18 19:05 204288 c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Maple 10\\jre\\bin\\maple.exe"=
"c:\\Program Files\\Maple 10\\jre\\bin\\java.exe"=
"c:\\Program Files\\National Instruments\\LabVIEW 7.1\\LabVIEW.exe"=
"c:\\Apps\\cygwin\\usr\\X11R6\\bin\\XWin.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\MATLAB7sp2\\bin\\win32\\MATLAB.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\e frontier\\Poser 7\\Poser.exe"=
"c:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\lindgc.LINDGCT43P\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Pidgin\\pidgin.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\bin\\cdsdoc.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\bin\\cdsinfo.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\bin\\cdsmps.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\bin\\cdsMsgServer.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\bin\\cdsNameServer.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\bin\\cdsRemshClient.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\bin\\cdsRunHidden.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\bin\\cdsUnzip.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\bin\\cdswhich.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\bin\\cdsZip.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\bin\\cds_root.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\bin\\clsAdminTool.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\bin\\clsbd.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\bin\\clu.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\bin\\dregprint.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\bin\\mpsinfo.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\bin\\nmp.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\bin\\nmppath.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\bin\\obServer.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\bin\\van.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\bin\\versionviewer.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\capture\\capture.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\capture\\comp16.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\capture\\pcadi.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\capture\\pspiceexplorersrvr.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\capture\\pstswp.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\capture\\regsvr32.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\capture\\sch2cap.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\capture\\SETBROWS.EXE"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\capture\\tutorial\\CAPTUTOR.EXE"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\cdsdoc\\bin\\cdsdocIndexer.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\cdsdoc\\bin\\obServer.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\dfII\\bin\\cdsservipc.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\dfII\\bin\\skill.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\dfII\\bin\\skill_g.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\fet\\bin\\mkdefcfg.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\fet\\bin\\versiontool.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\jre\\javaws-1_2_0_02-windows-i586-i.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\jre\\bin\\java.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\jre\\bin\\javaw.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\jre\\bin\\jpicpl32.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\jre\\bin\\keytool.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\jre\\bin\\kinit.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\jre\\bin\\klist.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\jre\\bin\\ktab.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\jre\\bin\\orbd.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\jre\\bin\\policytool.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\jre\\bin\\rmid.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\jre\\bin\\rmiregistry.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\jre\\bin\\servertool.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\jre\\bin\\tnameserv.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\layout\\fvupdateutil.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\layout\\gcdin.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\layout\\idfin.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\layout\\layout.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\layout\\libcat.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\layout\\lsession.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\layout\\maxascx.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\layout\\maxdxf.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\layout\\maxeco.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\layout\\maxfnetx.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\layout\\maxminx.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\layout\\maxorcad.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\layout\\maxp99x.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\layout\\maxpadx.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\layout\\maxpcadx.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\layout\\maxprotx.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\layout\\maxstrx.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\layout\\maxtangx.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\layout\\mfceco.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\layout\\padx.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\layout\\pcadx.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\layout\\pcb2max.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\layout\\prcat.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\layout\\protx.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\layout\\searchTool.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\layout\\setbrows.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\layout\\specin.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\layout\\strx.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\layout\\tangx.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\layout\\tomax.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\layout\\tospec.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\layout\\update90.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\layout\\sroute\\batch32.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\layout\\sroute\\sroute.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\layout\\tutorial\\laytutor.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\pcb\\bin\\specctra.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\pspice\\IndiceFileGeneration.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\pspice\\Magneticdesigner.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\pspice\\modeled.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\pspice\\MrkSrvr.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\pspice\\pspice.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\pspice\\pspiceaa.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\pspice\\pspiceexplorersrvr.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\pspice\\psp_cmd.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\pspice\\regsvr32.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\pspice\\simmgr.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\pspice\\simsrvr.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\pspice\\stmed.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\specctra\\bin\\specctra.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\verity\\bin\\cdsdocIndexer.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\verity\\_nti40\\bin\\merge.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\verity\\_nti40\\bin\\mkvdk.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\verity\\_nti40\\bin\\search.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\verity\\_nti40\\bin\\setup.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\verity\\_nti40\\bin\\v_uninst.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\verity\\_nti40\\filters\\callback.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\verity\\_nti40\\filters\\filter.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\verity\\_nti40\\filters\\htmlini.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\verity\\_nti40\\filters\\htmserv.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\verity\\_nti40\\filters\\index.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\verity\\_nti40\\filters\\jstree.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\verity\\_nti40\\filters\\jvtree.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\verity\\_nti40\\filters\\kvoop.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\verity\\_nti40\\filters\\regsvr32.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\verity\\_nti40\\filters\\summary.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\verity\\_nti40\\filters\\viewers\\amovie.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\specctra\\bin\\specctra.com"=
"c:\\Program Files\\UGS\\NX 5.0\\UGII\\ugraf.exe"=
"c:\\Documents and Settings\\lindgc.LINDGCT43P\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7001:UDP"= 7001:UDP:AFS CacheManager Callback (UDP)
"7001:TCP"= 7001:TCP:AFS CacheManager Callback (TCP)

R0 ANCSQ;ANCSQ;c:\windows\system32\drivers\ANCSQ.sys [2005-04-27 6912]
R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [2005-06-28 59776]
R0 TPDiskPM;TPDiskPM;c:\windows\system32\drivers\TPDiskPM.sys [2005-06-28 14208]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2005-06-28 11520]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.SYS [2005-06-28 2432]
R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [2005-06-28 4608]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [2005-06-28 4442]
R3 EraserUtilDrvI7;EraserUtilDrvI7;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI7.sys [2009-01-27 99376]
R3 TPInput;TPInput;c:\windows\system32\drivers\TPInput.sys [2005-06-28 6016]
R4 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [2005-04-27 63616]
S3 CyUsb;Rensselaer IOBoard USB Driver;c:\windows\system32\drivers\IOBrdUSB.sys [2006-11-02 34304]
S3 NiViFWK;NI-VISA FireWire Driver;c:\windows\system32\drivers\NiViFWK.sys [2006-07-14 8704]
S3 NiViPciK;NI-VISA PCI Driver;c:\windows\system32\drivers\NiViPciK.sys [2006-07-14 48128]
S3 NiViPxiK;NI-VISA PXI Driver;c:\windows\system32\drivers\NiViPxiK.sys [2006-07-14 10752]
S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [2005-06-28 12288]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2005-04-17 124608]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{54ec3bea-80ca-11dd-8565-000e9bd9afbb}]
\Shell\AutoRun\command - F:\autorun.exe
\Shell\phone\command - F:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6d0bc82e-3175-11dd-84f5-00016cca09f1}]
\Shell\AutoRun\command - f:\wd_windows_tools\WDEULA.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b8aa1477-7cf5-11dd-855f-000e9bd9afbb}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-01-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-53653465-3920333495-1810933541-1011.job
- c:\documents and settings\lindgc.LINDGCT43P\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-02 23:21]

2009-01-28 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2005-04-14 00:01]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-IBM RecordNow! - (no file)
MSConfigStartUp-a425dbd2 - c:\windows\system32\qykxgbna.dll
MSConfigStartUp-AAWTray - c:\program files\Lavasoft\Ad-Aware 2007\AAWTray.exe
MSConfigStartUp-autochk - c:\windows\system32\autochk.dll
MSConfigStartUp-DAEMON Tools - c:\program files\DAEMON Tools\daemon.exe
MSConfigStartUp-NBKeyScan - c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
MSConfigStartUp-NeroFilterCheck - c:\program files\Common Files\Nero\Lib\NeroCheck.exe


.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = ftp://lindgc@ftp.rpi.edu/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\IBM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\lindgc.LINDGCT43P\Application Data\Mozilla\Firefox\Profiles\dfk2ez4k.default\
FF - prefs.js: browser.startup.homepage - hxxp://rpinfo.rpi.edu/
FF - plugin: c:\documents and settings\lindgc.LINDGCT43P\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-27 21:34:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-53653465-3920333495-1810933541-1011\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{178882F1-10A9-5DF8-E309-4618A9B80520}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"oadgogejeokeimpgepbckolcafgiad"=hex:6a,61,65,6e,6d,68,68,65,6a,6c,62,70,61,6b,
61,70,70,6e,6e,6f,00,f5
"naffmmnchhejhmolmfifgdgiecel"=hex:6a,61,65,6e,67,69,66,62,6f,66,67,6d,65,65,
62,68,64,70,6c,6c,00,f5
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1536)
c:\windows\system32\vrlogon.dll
c:\program files\IBM fingerprint software\ExtVapi.dll
c:\program files\Common Files\Virtual Token\psutil.dll
c:\program files\Common Files\Virtual Token\resmgr.dll
c:\program files\Common Files\Virtual Token\Remote.dll
c:\program files\Common Files\Virtual Token\passport.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\IBM fingerprint software\psfus.dll
c:\windows\system32\tphklock.dll
c:\program files\Common Files\Virtual Token\config.dll
c:\program files\Common Files\Virtual Token\LocPass.dll
c:\program files\Common Files\Virtual Token\SBioPass.dll
c:\program files\Common Files\Virtual Token\psdlg.dll

- - - - - - - > 'lsass.exe'(1600)
c:\windows\system32\pwdmon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Virtual Token\vtserver.exe
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\IBM\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\dllhost.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\windows\system32\niSvcLoc.exe
c:\windows\system32\QCONSVC.EXE
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\TPHDEXLG.exe
c:\windows\system32\TpKmpSvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\ati2evxx.exe
c:\program files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
c:\program files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
c:\program files\ThinkPad\UltraNav Wizard\UNavTray.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-01-27 21:41:49 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-28 02:41:46

Pre-Run: 595,501,056 bytes free
Post-Run: 573,468,672 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect

404 --- E O F --- 2009-01-14 21:40:23

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:03:01 PM

Posted 28 January 2009 - 05:04 AM

Hi,

I see you have used MalwareBytes Antimalware in between as well - that's why the logs are a bit confusing now, because they don't make sense. Anyway, no worries... let's deal with the rest now...

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
c:\windows\pss\ChkDisk.lnkStartup
c:\windows\pss\ChkDisk.dllStartup
c:\documents and settings\NetworkService\protect.dll
c:\documents and settings\lindgc.LINDGCT43P\protect.dll
Regnull::
[HKEY_USERS\S-1-5-21-53653465-3920333495-1810933541-1011\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{178882F1-10A9-5DF8-E309-4618A9B80520}*]
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
[-HKLM\~\startupfolder\C:^Documents and Settings^lindgc.LINDGCT43P^Start Menu^Programs^Startup^ChkDisk.dll]
[-HKLM\~\startupfolder\C:^Documents and Settings^lindgc.LINDGCT43P^Start Menu^Programs^Startup^ChkDisk.lnk]


Save this as txt file CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
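To show how the entries in that CFScript follow from the ComboFix log above, here is an added Python triage script (not part of the thread and not ComboFix code). It parses a constructed excerpt of the posted log, flags the indicator classes the helper removed by hand (hidden+system .dll files dropped in profile roots, a startup-folder entry that is a .dll rather than a shortcut, a populated AppInit_DLLs value, and a locked Shell Extensions\Approved key holding hex-encoded values) and renders them in the File::/Regnull::/Registry:: layout; the section names and line formats it recognises are assumptions taken from this log's layout.

```python
"""Triage a ComboFix log for the persistence the thread's CFScript removes.

Added example (not part of the thread, not ComboFix code). Treat the output as
a draft for a human to review, never as something to run blindly.
"""
import re
from dataclasses import dataclass, field

# Constructed excerpt of the log posted in the thread (abridged to the
# sections the heuristics below inspect).
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-28 )))))))))))))))))))))))))))))))
.
2009-01-26 18:43 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-25 23:28 . 2009-01-25 23:28 21,504 --ahs---- c:\documents and settings\NetworkService\protect.dll
2009-01-25 23:18 . 2009-01-25 23:18 21,504 --ahs---- c:\documents and settings\lindgc.LINDGCT43P\protect.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=swlril.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BTTray.lnk
backup=c:\windows\pss\BTTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^lindgc.LINDGCT43P^Start Menu^Programs^Startup^ChkDisk.dll]
path=c:\documents and settings\lindgc.LINDGCT43P\Start Menu\Programs\Startup\ChkDisk.dll
backup=c:\windows\pss\ChkDisk.dllStartup
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-53653465-3920333495-1810933541-1011\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{178882F1-10A9-5DF8-E309-4618A9B80520}*]
@Allowed: (Read) (RestrictedCode)
"oadgogejeokeimpgepbckolcafgiad"=hex:6a,61,65,6e,6d,68,68,65,6a,6c,62,70,61,6b,
"""


@dataclass
class Findings:
    files: list = field(default_factory=list)     # rendered under File::
    regnull: list = field(default_factory=list)   # rendered under Regnull::
    registry: list = field(default_factory=list)  # rendered under Registry::


# Section banners look like "((( name )))" or "--- name ---" in this log.
SECTION_LINE = re.compile(r"^(?:\({3,}|-{3,})\s*(?P<name>.+?)\s*(?:\){3,}|-{3,})$")
# "created . modified  size  attributes  path"; attributes are a 9-char field.
FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+"
    r"(?:<DIR>|[\d,]+)\s+(?P<attr>[-a-z]{9})\s+(?P<path>.+)$")


def triage(log: str) -> Findings:
    """Walk the log once, tracking the current section and registry key."""
    found, section, key = Findings(), "", ""
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_LINE.match(line)
        if m:
            section, key = m.group("name").lower(), ""
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = FILE_LINE.match(line)
        if m:
            attr, path = m.group("attr"), m.group("path")
            # Hidden+system DLLs dropped as new files are a classic loader trick.
            if "h" in attr and "s" in attr and path.lower().endswith(".dll"):
                found.files.append(path)
            continue
        if key.lower().endswith("\\windows") and line.lower().startswith('"appinit_dlls"='):
            # AppInit_DLLs loads into every user-mode process; legit value is empty.
            if line.split("=", 1)[1].strip().strip('"'):
                found.registry += [f"[{key}]", '"AppInit_DLLs"=""']
            continue
        if "startupfolder" in key.lower() and line.lower().startswith("backup="):
            backup = line.split("=", 1)[1]
            # A disabled startup item that was a .dll (not .lnk/.exe) is suspect.
            if re.search(r"\.dll(?:startup|common startup)$", backup, re.I):
                found.files.append(backup)
                found.registry.append(f"[-{key}]")
            continue
        if section == "locked registry keys" and line.startswith('"') and "=hex:" in line:
            if key and key not in found.regnull:
                found.regnull.append(key)  # locked key with opaque values: null it
    return found


def build_cfscript(found: Findings) -> str:
    """Render findings in the File:: / Regnull:: / Registry:: CFScript layout."""
    out = []
    for header, items in (("File::", found.files), ("Regnull::", found.regnull),
                          ("Registry::", found.registry)):
        if items:
            out += [header, *items]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(build_cfscript(triage(SAMPLE_LOG)), end="")
```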

#7 blubbertubs

blubbertubs
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:08:01 AM

Posted 28 January 2009 - 10:09 AM

Here's the new Combofix log:


ComboFix 09-01-21.04 - lindgc 2009-01-28 9:45:07.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1486 [GMT -5:00]
Running from: c:\documents and settings\lindgc.LINDGCT43P\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\lindgc.LINDGCT43P\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\documents and settings\lindgc.LINDGCT43P\protect.dll
c:\documents and settings\NetworkService\protect.dll
c:\windows\pss\ChkDisk.dllStartup
c:\windows\pss\ChkDisk.lnkStartup
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\lindgc.LINDGCT43P\protect.dll
c:\documents and settings\NetworkService\protect.dll
c:\windows\pss\ChkDisk.lnkStartup

.
((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-28 )))))))))))))))))))))))))))))))
.

2009-01-26 18:43 . 2009-01-26 18:43 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-26 18:43 . 2009-01-26 18:43 <DIR> d-------- c:\documents and settings\lindgc.LINDGCT43P\Application Data\Malwarebytes
2009-01-26 18:43 . 2009-01-26 18:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-26 18:43 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-26 18:43 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-26 10:41 . 2009-01-26 10:41 <DIR> d-------- c:\program files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-28 14:54 --------- d-----w c:\program files\Symantec AntiVirus
2009-01-28 05:51 --------- d-----w c:\documents and settings\lindgc.LINDGCT43P\Application Data\.purple
2009-01-28 03:58 --------- d-----w c:\program files\Mozilla Thunderbird
2009-01-28 02:54 --------- d-----w c:\program files\Steam
2009-01-28 02:31 --------- d-----w c:\program files\Viewpoint
2009-01-27 16:41 --------- d-----w c:\documents and settings\lindgc.LINDGCT43P\Application Data\FileZilla
2009-01-27 14:30 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-01-27 03:25 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-26 03:57 --------- d-----w c:\documents and settings\lindgc.LINDGCT43P\Application Data\uTorrent
2009-01-20 02:48 --------- d-----w c:\documents and settings\lindgc.LINDGCT43P\Application Data\gtk-2.0
2009-01-14 21:40 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-13 22:27 --------- d-----w c:\documents and settings\lindgc.LINDGCT43P\Application Data\dvdcss
2008-12-12 12:26 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-11 22:00 --------- d-----w c:\program files\Lavalys
2008-12-11 10:57 333,952 ------w c:\windows\system32\drivers\srv.sys
2008-12-06 15:09 --------- d-----w c:\documents and settings\lindgc.LINDGCT43P\Application Data\Arduino
2008-12-06 14:59 61,067 ----a-w c:\windows\system32\drivers\ftser2k.sys
2008-12-06 14:59 47,249 ----a-w c:\windows\system32\drivers\ftdibus.sys
2008-12-03 16:05 --------- d-----w c:\program files\Java
2003-12-18 16:33 20,102 ----a-w c:\program files\Readme.txt
2003-09-03 12:46 10,960 ----a-w c:\program files\EULA.txt
2007-12-10 22:40 6,275,816 ----a-w c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll
2004-03-01 17:25 114,688 ----a-w c:\program files\internet explorer\plugins\ChimeShim.dll
2004-03-16 01:51 114,688 ------w c:\program files\internet explorer\plugins\LV71ActiveXControl.dll
.

((((((((((((((((((((((((((((( snapshot@2009-01-27_21.40.40.68 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-28 14:53:55 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_37c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-08 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-08 512000]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2004-02-04 897024]
"TPHOTKEY"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2005-04-04 94208]
"ControlCenter"="c:\program files\IBM fingerprint software\ctlcntr.exe" [2004-11-04 284766]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2005-03-23 217088]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-12-11 344064]
"QCWLICON"="c:\program files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2005-03-18 86016]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2005-04-14 139264]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-04-17 85184]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-19 127037]
"IBMPRC"="c:\ibmtools\UTILS\ibmprc.exe" [2005-04-27 90112]
"EPSON Stylus C88 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE" [2005-01-27 98304]
"QCTray"="c:\progra~1\ThinkPad\CONNEC~1\QCTray.exe" [2005-03-18 745472]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"TpShocks"="TpShocks.exe" [2005-04-05 c:\windows\system32\TpShocks.exe]
"TP4EX"="tp4ex.exe" [2004-11-12 c:\windows\system32\TP4EX.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2004-11-04 11:51 108636 c:\program files\IBM fingerprint software\psfus.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AfsLogon]
2004-10-18 13:51 66048 c:\windows\system32\afslogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
2005-03-18 05:07 262144 c:\windows\system32\QConGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2004-08-12 22:11 24576 c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli pwdmon

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BTTray.lnk
backup=c:\windows\pss\BTTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
backup=c:\windows\pss\VPN Client.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-05-11 02:06 40048 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cdloader]
--a------ 2008-07-22 11:45 50520 c:\documents and settings\lindgc.LINDGCT43P\Application Data\mjusbsp\cdloader2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-08-08 07:11 490952 c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-12-02 23:21 133104 c:\documents and settings\lindgc.LINDGCT43P\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ibmmessages]
--------- 2004-08-06 04:10 442368 c:\program files\IBM\Messages By IBM\ibmmessages.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 09:36 267048 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 22:37 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-12-11 15:04 1410296 c:\program files\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--------- 2003-08-19 00:01 110592 c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--------- 2006-10-18 19:05 204288 c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Maple 10\\jre\\bin\\maple.exe"=
"c:\\Program Files\\Maple 10\\jre\\bin\\java.exe"=
"c:\\Program Files\\National Instruments\\LabVIEW 7.1\\LabVIEW.exe"=
"c:\\Apps\\cygwin\\usr\\X11R6\\bin\\XWin.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\MATLAB7sp2\\bin\\win32\\MATLAB.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\e frontier\\Poser 7\\Poser.exe"=
"c:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\lindgc.LINDGCT43P\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Pidgin\\pidgin.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\bin\\cdsdoc.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\bin\\cdsinfo.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\bin\\cdsmps.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\bin\\cdsMsgServer.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\bin\\cdsNameServer.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\bin\\cdsRemshClient.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\bin\\cdsRunHidden.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\bin\\cdsUnzip.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\bin\\cdswhich.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\bin\\cdsZip.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\bin\\cds_root.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\bin\\clsAdminTool.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\bin\\clsbd.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\bin\\clu.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\bin\\dregprint.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\bin\\mpsinfo.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\bin\\nmp.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\bin\\nmppath.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\bin\\obServer.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\bin\\van.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\bin\\versionviewer.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\capture\\capture.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\capture\\comp16.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\capture\\pcadi.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\capture\\pspiceexplorersrvr.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\capture\\pstswp.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\capture\\regsvr32.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\capture\\sch2cap.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\capture\\SETBROWS.EXE"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\capture\\tutorial\\CAPTUTOR.EXE"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\cdsdoc\\bin\\cdsdocIndexer.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\cdsdoc\\bin\\obServer.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\dfII\\bin\\cdsservipc.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\dfII\\bin\\skill.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\dfII\\bin\\skill_g.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\fet\\bin\\mkdefcfg.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\fet\\bin\\versiontool.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\jre\\javaws-1_2_0_02-windows-i586-i.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\jre\\bin\\java.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\jre\\bin\\javaw.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\jre\\bin\\jpicpl32.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\jre\\bin\\keytool.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\jre\\bin\\kinit.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\jre\\bin\\klist.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\jre\\bin\\ktab.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\jre\\bin\\orbd.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\jre\\bin\\policytool.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\jre\\bin\\rmid.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\jre\\bin\\rmiregistry.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\jre\\bin\\servertool.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\jre\\bin\\tnameserv.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\layout\\fvupdateutil.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\layout\\gcdin.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\layout\\idfin.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\layout\\layout.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\layout\\libcat.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\layout\\lsession.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\layout\\maxascx.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\layout\\maxdxf.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\layout\\maxeco.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\layout\\maxfnetx.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\layout\\maxminx.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\layout\\maxorcad.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\layout\\maxp99x.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\layout\\maxpadx.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\layout\\maxpcadx.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\layout\\maxprotx.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\layout\\maxstrx.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\layout\\maxtangx.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\layout\\mfceco.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\layout\\padx.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\layout\\pcadx.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\layout\\pcb2max.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\layout\\prcat.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\layout\\protx.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\layout\\searchTool.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\layout\\setbrows.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\layout\\specin.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\layout\\strx.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\layout\\tangx.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\layout\\tomax.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\layout\\tospec.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\layout\\update90.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\layout\\sroute\\batch32.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\layout\\sroute\\sroute.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\layout\\tutorial\\laytutor.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\pcb\\bin\\specctra.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\pspice\\IndiceFileGeneration.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\pspice\\Magneticdesigner.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\pspice\\modeled.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\pspice\\MrkSrvr.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\pspice\\pspice.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\pspice\\pspiceaa.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\pspice\\pspiceexplorersrvr.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\pspice\\psp_cmd.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\pspice\\regsvr32.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\pspice\\simmgr.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\pspice\\simsrvr.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\pspice\\stmed.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\specctra\\bin\\specctra.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\verity\\bin\\cdsdocIndexer.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\verity\\_nti40\\bin\\merge.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\verity\\_nti40\\bin\\mkvdk.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\verity\\_nti40\\bin\\search.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\verity\\_nti40\\bin\\setup.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\verity\\_nti40\\bin\\v_uninst.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\verity\\_nti40\\filters\\callback.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\verity\\_nti40\\filters\\filter.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\verity\\_nti40\\filters\\htmlini.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\verity\\_nti40\\filters\\htmserv.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\verity\\_nti40\\filters\\index.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\verity\\_nti40\\filters\\jstree.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\verity\\_nti40\\filters\\jvtree.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\verity\\_nti40\\filters\\kvoop.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\verity\\_nti40\\filters\\regsvr32.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\verity\\_nti40\\filters\\summary.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\verity\\_nti40\\filters\\viewers\\amovie.exe"=
"c:\\OrCAD\\OrCAD_10.5_Demo\\tools\\specctra\\bin\\specctra.com"=
"c:\\Program Files\\UGS\\NX 5.0\\UGII\\ugraf.exe"=
"c:\\Documents and Settings\\lindgc.LINDGCT43P\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7001:UDP"= 7001:UDP:AFS CacheManager Callback (UDP)
"7001:TCP"= 7001:TCP:AFS CacheManager Callback (TCP)

R0 ANCSQ;ANCSQ;c:\windows\system32\drivers\ANCSQ.sys [2005-04-27 6912]
R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [2005-06-28 59776]
R0 TPDiskPM;TPDiskPM;c:\windows\system32\drivers\TPDiskPM.sys [2005-06-28 14208]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2005-06-28 11520]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.SYS [2005-06-28 2432]
R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [2005-06-28 4608]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [2005-06-28 4442]
R3 EraserUtilDrvI7;EraserUtilDrvI7;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI7.sys [2009-01-27 99376]
R3 TPInput;TPInput;c:\windows\system32\drivers\TPInput.sys [2005-06-28 6016]
R4 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [2005-04-27 63616]
S3 CyUsb;Rensselaer IOBoard USB Driver;c:\windows\system32\drivers\IOBrdUSB.sys [2006-11-02 34304]
S3 NiViFWK;NI-VISA FireWire Driver;c:\windows\system32\drivers\NiViFWK.sys [2006-07-14 8704]
S3 NiViPciK;NI-VISA PCI Driver;c:\windows\system32\drivers\NiViPciK.sys [2006-07-14 48128]
S3 NiViPxiK;NI-VISA PXI Driver;c:\windows\system32\drivers\NiViPxiK.sys [2006-07-14 10752]
S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [2005-06-28 12288]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2005-04-17 124608]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{54ec3bea-80ca-11dd-8565-000e9bd9afbb}]
\Shell\AutoRun\command - F:\autorun.exe
\Shell\phone\command - F:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6d0bc82e-3175-11dd-84f5-00016cca09f1}]
\Shell\AutoRun\command - f:\wd_windows_tools\WDEULA.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b8aa1477-7cf5-11dd-855f-000e9bd9afbb}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-01-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-53653465-3920333495-1810933541-1011.job
- c:\documents and settings\lindgc.LINDGCT43P\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-02 23:21]

2009-01-28 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2005-04-14 00:01]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = ftp://lindgc@ftp.rpi.edu/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\IBM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\lindgc.LINDGCT43P\Application Data\Mozilla\Firefox\Profiles\dfk2ez4k.default\
FF - prefs.js: browser.startup.homepage - hxxp://rpinfo.rpi.edu/
FF - plugin: c:\documents and settings\lindgc.LINDGCT43P\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-28 09:55:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

c:\windows\explorer.exe [1224] 0x87183DA0

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1532)
c:\windows\system32\vrlogon.dll
c:\program files\IBM fingerprint software\ExtVapi.dll
c:\program files\Common Files\Virtual Token\psutil.dll
c:\program files\Common Files\Virtual Token\resmgr.dll
c:\program files\Common Files\Virtual Token\Remote.dll
c:\program files\Common Files\Virtual Token\passport.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\IBM fingerprint software\psfus.dll
c:\windows\system32\tphklock.dll
c:\program files\Common Files\Virtual Token\config.dll
c:\program files\Common Files\Virtual Token\LocPass.dll
c:\program files\Common Files\Virtual Token\SBioPass.dll
c:\program files\Common Files\Virtual Token\psdlg.dll
c:\program files\Common Files\Virtual Token\BGTcVer.dll
c:\program files\Common Files\Virtual Token\BTcVer.dll

- - - - - - - > 'lsass.exe'(1596)
c:\windows\system32\pwdmon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Virtual Token\vtserver.exe
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\IBM\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\dllhost.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\windows\system32\niSvcLoc.exe
c:\windows\system32\QCONSVC.EXE
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\TPHDEXLG.exe
c:\windows\system32\TpKmpSvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\ati2evxx.exe
c:\program files\ThinkPad\UltraNav Wizard\UNavTray.exe
c:\program files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
c:\program files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-01-28 10:03:45 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-28 15:03:42
ComboFix2.txt 2009-01-28 02:41:51

Pre-Run: 6,719,598,592 bytes free
Post-Run: 6,703,562,752 bytes free

380 --- E O F --- 2009-01-14 21:40:23

#8 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 28 January 2009 - 10:45 AM

Hi,

This looks OK again.

* Go to Start > Run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 blubbertubs

  • Topic Starter
  • Members
  • 5 posts

Posted 28 January 2009 - 12:14 PM

Uninstalled Combofix, everything looks to be back to normal, system is running fine, thanks for all the help!!

#10 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 28 January 2009 - 12:33 PM

Glad I could help.

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#11 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 30 January 2009 - 05:15 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



