
Can someone help - HijackThis Log


  • This topic is locked
9 replies to this topic

#1 sam7224

sam7224

  • Members
  • 5 posts

Posted 19 April 2009 - 11:46 PM

Hello there,

My name is Sam and I was wondering if you could help me with a problem I'm having. Today I started getting pop-ups about online gaming or spyware downloads on my laptop. I have also noticed that some of my folder settings have changed, e.g. known file types no longer display their extension, and the Folder Options option is no longer there. Searching for a solution to this, I was recommended to post a HijackThis log on this site for help.

I should also note that I have run Spybot Search & Destroy, which found a few things including something called SmitFraud, which it was unable to remove until startup, and even then it didn't remove it.

Any help will be greatly appreciated.

Anyway, here is a copy of my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 05:34:47, on 20/04/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\PC Tools AntiVirus\PCTAV.exe
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Thunderbird-Tray\TBTray.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\DOCUME~1\T60\LOCALS~1\Temp\2126031702.exe
C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\VCSExpress.exe
C:\Program Files\Microsoft Office\Office12\POWERPNT.EXE
I:\C# Assignment\Rutherthrope Zoo 2005\RutherthorpeZoo2005\WindowsApplication1\bin\Debug\WindowsApplication1.vshost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\VCSExpress.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lenovo.com/welcome/thinkpad
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.lenovo.com/welcome/thinkpad
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Harmony Hollow Software Toolbar - {3806b089-6759-411d-b2c3-b7995a9f34d7} - C:\Program Files\Harmony_Hollow_Software\tbHar1.dll
O1 - Hosts: 82.98.231.89 url.adtrgt.com
O1 - Hosts: 82.98.231.89 googleads2.gdoubleclick.net
O2 - BHO: (no name) - {31ceef93-39c5-4e89-b151-a81f9a0af307} - C:\WINDOWS\system32\gobewowi.dll
O2 - BHO: C:\WINDOWS\system32\sdfgerfgf3f.dll - {E2BA40A2-74F3-42BD-F434-2604812C8953} - C:\WINDOWS\system32\sdfgerfgf3f.dll
O3 - Toolbar: Harmony Hollow Software Toolbar - {3806b089-6759-411d-b2c3-b7995a9f34d7} - C:\Program Files\Harmony_Hollow_Software\tbHar1.dll
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [puvurazewi] Rundll32.exe "C:\WINDOWS\system32\supekede.dll",s
O4 - HKLM\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
O4 - HKLM\..\Run: [CPMff7403c1] Rundll32.exe "c:\windows\system32\fudoneze.dll",a
O4 - HKLM\..\Run: [fc47305d] rundll32.exe "C:\WINDOWS\system32\bivemufi.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [Diagnostic Manager] C:\DOCUME~1\T60\LOCALS~1\Temp\2126031702.exe
O4 - HKCU\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: TB-Tray.lnk = C:\Program Files\Thunderbird-Tray\TBTray.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.lenovo.com/welcome/thinkpad
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\jotejiho.dll c:\windows\system32\fudoneze.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: AwayNotify - C:\Program Files\Lenovo\AwayTask\AwayNotify.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fudoneze.dll
O22 - SharedTaskScheduler: sdfg54y54yhhgth6w4efvrg - {E2BA40A2-74F3-42BD-F434-2604812C8953} - C:\WINDOWS\system32\sdfgerfgf3f.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fudoneze.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: ACU Configuration Service (acs) - Atheros - C:\WINDOWS\system32\acs.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: tvtnetwk - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe

--
End of file - 12717 bytes
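For readers working through a log like the one above, here is an added example (not part of the thread, and not HijackThis or BleepingComputer code) of the first-pass triage a helper does by eye: it parses HijackThis v2 lines and flags the entry types that are almost never legitimate on a clean machine, namely hosts-file overrides (O1), browser helper objects with no name or a random-looking DLL (O2), autoruns that load a random-looking DLL through rundll32 or run from a Temp folder (O4), Policies\System restrictions (O7, which explains the missing Folder Options the poster describes), a populated AppInit_DLLs value (O20) and shell load points pointing at random-looking DLLs (O21/O22). The sample input is a handful of lines copied from the log in this post plus two benign lines as controls; the "eight lowercase letters or a long number" naming heuristic is my own, tuned to this log, and is a review trigger rather than a verdict.

```python
import re
from typing import Dict, List

# Constructed sample input: a subset of the HijackThis lines from the log posted
# above, copied verbatim (the Synaptics and Diskeeper lines are the benign
# controls). The leading newline is skipped by the parser.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lenovo.com/welcome/thinkpad
O1 - Hosts: 82.98.231.89 googleads2.gdoubleclick.net
O2 - BHO: (no name) - {31ceef93-39c5-4e89-b151-a81f9a0af307} - C:\WINDOWS\system32\gobewowi.dll
O2 - BHO: C:\WINDOWS\system32\sdfgerfgf3f.dll - {E2BA40A2-74F3-42BD-F434-2604812C8953} - C:\WINDOWS\system32\sdfgerfgf3f.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [puvurazewi] Rundll32.exe "C:\WINDOWS\system32\supekede.dll",s
O4 - HKCU\..\Run: [Diagnostic Manager] C:\DOCUME~1\T60\LOCALS~1\Temp\2126031702.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: C:\WINDOWS\system32\jotejiho.dll c:\windows\system32\fudoneze.dll
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
"""

# One HijackThis entry: section code, " - ", body.
LINE_RE = re.compile(r"^(?P<section>R\d|O\d+) - (?P<body>.*)$")
# Crude Windows path matcher: drive letter, then anything up to whitespace,
# a quote or a comma (enough for the quoted/unquoted paths HijackThis prints).
PATH_RE = re.compile(r'[A-Za-z]:\\[^\s",]+')
# Heuristic (my assumption, tuned to this log): a file stem of exactly eight
# lowercase letters (gobewowi, supekede, ...) or a long run of digits (2126031702).
RANDOM_STEM_RE = re.compile(r"^(?:[a-z]{8}|\d{8,})$")


def looks_random(path: str) -> bool:
    """True if the file name (without extension) fits the random-stem heuristic."""
    filename = path.rsplit("\\", 1)[-1]
    stem = re.sub(r"\.[A-Za-z0-9]+$", "", filename)
    return bool(RANDOM_STEM_RE.match(stem))


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return the entries a reviewer should look at first, each with a reason."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        match = LINE_RE.match(line)
        if not match:
            continue
        section, body = match.group("section"), match.group("body")
        paths = PATH_RE.findall(body)
        lowered = body.lower()
        reason = None

        if section == "O1":
            # HijackThis lists hosts entries beyond the default localhost line;
            # a public hostname pinned to a fixed IP is a DNS override.
            mapping = body.split(":", 1)[1].strip()
            if not mapping.startswith(("127.0.0.1", "::1")):
                reason = "hosts file pins a public hostname to a hard-coded IP"
        elif section == "O2":
            # Legitimate BHOs carry a product name; no name, a path in place of
            # a name, or a random-looking DLL are all review triggers.
            display = body.split(" - ")[0].split(":", 1)[1].strip()
            if (display == "(no name)" or display.lower().endswith(".dll")
                    or any(looks_random(p) for p in paths)):
                reason = "BHO with no name, a path as its name, or a random-looking DLL"
        elif section == "O4":
            if "\\temp\\" in lowered:
                reason = "autorun launches an executable from a Temp directory"
            elif "rundll32" in lowered and any(looks_random(p) for p in paths):
                reason = "autorun uses rundll32 to load a random-looking DLL"
        elif section == "O7":
            # Policies\System restrictions (DisableRegedit etc.) are not set by
            # default; they match the 'Folder Options vanished' symptom.
            reason = "user-restriction policy set under Policies\\System"
        elif section == "O20" and lowered.startswith("appinit_dlls"):
            reason = "AppInit_DLLs populated: listed DLLs load into every user32 process"
        elif section in ("O21", "O22") and any(looks_random(p) for p in paths):
            reason = "shell load point references a random-looking DLL"

        if reason:
            findings.append({"section": section, "reason": reason, "line": line})
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count flagged entries per HijackThis section."""
    counts: Dict[str, int] = {}
    for finding in findings:
        counts[finding["section"]] = counts.get(finding["section"], 0) + 1
    return counts


if __name__ == "__main__":
    flagged = triage(SAMPLE_LOG)
    for f in flagged:
        print(f"[{f['section']}] {f['reason']}\n    {f['line']}")
    print(summarize(flagged))
```

Run against the sample, the script leaves the Lenovo start page, the Synaptics autorun and the Diskeeper service alone and flags the other seven lines. The point of keeping the rules this narrow is that they only raise entries for a human to verify against the vendor name, file location and creation date; the full log still needs the helper's judgement, which is why the next reply asks for more tool output rather than acting on HijackThis alone.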



#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 21 April 2009 - 05:25 PM

Hello! :thumbup2:
My name is Sam too and I will be helping you.

In order to see what's going on with your computer I'll ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.



Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 sam7224

sam7224
  • Topic Starter

  • Members
  • 5 posts

Posted 21 April 2009 - 06:13 PM

Hello Sam (I always find it strange addressing someone with the same name as me! haha)

Thanks for your reply; please find my completed ComboFix log below.

I should also note that the following errors popped up upon restart.

Firstly, I got a message saying that the following program could not be run:

3659687412.exe

Then I got a different error with a red cross about something called 'mulumbou'.

Then I got three errors which were similar to the first one, with the program names:

2450501366.exe
4036282616.exe
4004876366.exe

I don't know if they have any relevance to this, but I thought I should report them as I have only been getting those types of errors since I started having these problems.



ComboFix 09-04-22.02 - T60 21/04/2009 23:52.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1222 [GMT 1:00]
Running from: c:\documents and settings\T60\Desktop\ComboFix.exe
AV: PC Tools AntiVirus 6.0.0.19 *On-access scanning disabled* (Updated)
.
ADS - svchost.exe: deleted 32768 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\azokulom.ini
c:\windows\system32\basabufe.dll
c:\windows\system32\etawapef.ini
c:\windows\system32\fugajezu.dll
c:\windows\system32\ifumevib.ini
c:\windows\system32\InM64proc32.dll
c:\windows\system32\kizonivo.dll
c:\windows\system32\OutM64proc32.dll
c:\windows\system32\pthreadGC2.dll
c:\windows\system32\upabujod.ini
c:\windows\system32\yodutiti.dll
c:\windows\Temp\3189622004.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ICF


((((((((((((((((((((((((( Files Created from 2009-03-21 to 2009-04-21 )))))))))))))))))))))))))))))))
.

2009-04-21 22:58 . 2009-04-21 22:58 -------- d-----w C:\37c5e9266c2e51d4c23ad418964edb12
2009-04-21 22:43 . 2009-04-21 22:43 15000 ----a-w c:\windows\system32\hf873uwndf.dll
2009-04-21 22:43 . 2009-04-21 22:43 8704 ----a-w c:\windows\instsp2.exe
2009-04-21 18:37 . 2009-04-21 18:37 22016 ----a-w c:\windows\system32\drivers\extit.sys
2009-04-19 22:38 . 2009-04-19 22:38 83968 ----a-w c:\windows\system32\drivers\ptqxxoqobvpethem.sys
2009-04-19 22:37 . 2009-04-19 22:37 113152 ----a-w C:\buwd.exe
2009-04-19 22:37 . 2009-04-19 22:37 2 ----a-w C:\-62443278
2009-04-19 22:37 . 2009-04-19 22:37 7680 ----a-w C:\jjomgvxe.exe
2009-04-19 22:37 . 2009-04-19 22:37 15000 ----a-w c:\windows\system32\sdfgerfgf3f.dll
2009-04-19 22:37 . 2009-04-19 22:37 23040 ----a-w C:\cdheei.exe
2009-04-15 13:09 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-15 13:09 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 13:09 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-15 13:09 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-15 13:09 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 13:09 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 13:09 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 13:09 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 13:09 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 13:09 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 13:08 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 13:08 . 2009-03-27 06:58 1203922 ------w c:\windows\system32\dllcache\sysmain.sdb
2009-04-15 13:08 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-14 02:01 . 2009-04-14 02:01 -------- d-----w c:\windows\system32\KB905474
2009-04-14 02:01 . 2009-03-10 21:26 1403264 ----a-w c:\windows\system32\KB905474\wganotifypackageinner.exe
2009-04-14 02:01 . 2009-03-10 21:18 453512 ----a-w c:\windows\system32\KB905474\wgasetup.exe
2009-04-14 02:01 . 2009-02-09 17:51 12490 ----a-w c:\windows\system32\KB905474\wga_eula.txt
2009-04-13 23:35 . 2009-04-13 23:35 -------- d-----w c:\documents and settings\T60\Application Data\gtk-2.0
2009-04-12 03:37 . 2009-04-12 03:37 -------- d-----w c:\documents and settings\T60\Application Data\PeaZip
2009-04-12 03:30 . 2009-04-12 03:30 186 ----a-w c:\windows\monkey.ini
2009-04-12 03:24 . 2009-04-12 03:24 -------- d-----w c:\documents and settings\T60\Local Settings\Application Data\Harmony_Hollow_Software
2009-04-12 03:24 . 2009-04-12 03:24 -------- d-----w c:\documents and settings\T60\Local Settings\Application Data\Conduit
2009-04-12 03:24 . 2008-12-28 12:14 167936 ----a-w c:\windows\system32\ccrpftv6.ocx
2009-04-10 21:06 . 2009-04-10 21:08 -------- d-----w c:\documents and settings\T60\Application Data\Unyte
2009-04-05 02:41 . 2006-07-25 06:17 139264 ----a-w c:\windows\system32\igfxres.dll
2009-04-05 01:41 . 2009-01-07 03:03 4608 ------w c:\windows\system32\drivers\TSMAPIP.SYS
2009-04-05 01:04 . 2006-07-25 06:21 57344 ----a-w c:\windows\system32\SET4C.tmp
2009-04-04 23:57 . 2008-02-27 12:49 3840 ----a-w c:\windows\system32\drivers\BANTExt.sys
2009-04-04 23:40 . 2009-04-04 23:40 -------- d-----w c:\documents and settings\T60\Application Data\Realtime Soft
2009-04-04 23:40 . 2009-04-04 23:40 -------- d-----w c:\documents and settings\All Users\Application Data\Realtime Soft
2009-03-29 11:04 . 2009-03-30 03:20 -------- d-----w c:\documents and settings\T60\Application Data\Mp3tag
2009-03-29 01:16 . 2009-03-29 01:16 -------- d-----w c:\documents and settings\T60\Application Data\PC Tools
2009-03-29 01:13 . 2009-03-06 15:45 130424 ----a-w c:\windows\system32\drivers\PCTCore.sys
2009-03-29 01:13 . 2008-12-18 11:16 73840 ----a-w c:\windows\system32\drivers\PCTAppEvent.sys
2009-03-29 01:13 . 2009-02-10 10:13 21904 ----a-w c:\windows\system32\drivers\AVRec.sys
2009-03-29 01:13 . 2009-02-10 10:13 28560 ----a-w c:\windows\system32\drivers\AVHook.sys
2009-03-29 01:13 . 2009-02-10 10:13 21904 ----a-w c:\windows\system32\drivers\AVFilter.sys
2009-03-29 01:13 . 2009-03-29 01:16 -------- d-----w c:\documents and settings\All Users\Application Data\PC Tools
2009-03-24 03:12 . 2004-12-31 06:43 4682 ----a-w c:\windows\system32\npptNT2.sys
2009-03-24 03:12 . 2003-07-16 15:17 5174 ----a-w c:\windows\system32\nppt9x.vxd
2009-03-24 03:06 . 2009-03-24 03:06 -------- d--h--w c:\windows\msdownld.tmp
2009-03-24 03:04 . 2009-03-24 03:04 -------- d-----w C:\GamesCampus

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-20 23:00 . 2008-08-31 22:13 5427 ----a-w c:\windows\system32\EGATHDRV.SYS
2009-04-21 23:00 . 2008-10-05 18:49 -------- d-----w c:\documents and settings\All Users\Application Data\Kontiki
2009-04-21 23:00 . 2008-10-11 13:50 -------- d-----w c:\documents and settings\T60\Application Data\DMCache
2009-04-21 23:00 . 2009-03-29 01:13 -------- d-----w c:\program files\PC Tools AntiVirus
2009-04-21 23:00 . 2008-12-11 02:21 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-21 22:43 . 2006-04-30 06:56 14336 ----a-w c:\windows\system32\svchost.exe
2009-04-21 22:43 . 2006-04-30 06:56 14336 ----a-w c:\windows\system32\dllcache\svchost.exe
2009-04-21 22:43 . 2009-01-21 22:43 51200 --sha-w c:\windows\system32\ratofoze.exe
2009-04-21 18:41 . 2008-10-09 23:54 -------- d-----w c:\program files\Mozilla Thunderbird
2009-04-21 18:37 . 2009-04-20 21:41 -------- d-----w c:\program files\Exterminate It!
2009-04-21 10:43 . 2009-01-21 10:43 52224 --sha-w c:\windows\system32\yilisuda.exe
2009-04-20 22:43 . 2009-01-20 22:43 52224 --sha-w c:\windows\system32\puneromi.exe
2009-04-20 10:43 . 2009-01-20 10:43 52224 --sha-w c:\windows\system32\jedemeja.exe
2009-04-20 04:28 . 2009-04-20 04:28 -------- d-----w c:\program files\Trend Micro
2009-04-19 22:43 . 2009-01-19 22:43 52224 --sha-w c:\windows\system32\hetuvigu.exe
2009-04-19 20:56 . 2008-09-13 06:54 70024 ----a-w c:\documents and settings\T60\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-19 20:44 . 2008-09-16 03:54 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-04-19 20:42 . 2009-02-06 14:02 192880 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-04-18 07:45 . 2008-09-16 03:55 -------- d-----w c:\program files\Microsoft Visual Studio 8
2009-04-17 09:32 . 2009-03-11 21:52 -------- d-----w c:\documents and settings\T60\Application Data\FileZilla
2009-04-15 21:05 . 2009-03-09 23:05 -------- d-----w c:\documents and settings\T60\Application Data\Apple Computer
2009-04-15 09:28 . 2009-02-05 12:45 -------- d-----w c:\documents and settings\T60\Application Data\Skype
2009-04-15 07:08 . 2009-02-05 12:45 -------- d-----w c:\documents and settings\T60\Application Data\skypePM
2009-04-13 22:33 . 2009-04-13 22:33 -------- d-----w c:\program files\7-Zip
2009-04-12 17:57 . 2009-03-10 02:13 256 ----a-w c:\documents and settings\T60\pool.bin
2009-04-12 03:24 . 2009-04-12 03:24 -------- d-----w c:\program files\RarMonkey
2009-04-12 03:24 . 2009-04-12 03:24 -------- d-----w c:\program files\Harmony_Hollow_Software
2009-04-12 03:24 . 2009-04-12 03:24 -------- d-----w c:\program files\Conduit
2009-04-05 01:41 . 2008-08-31 21:57 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-05 01:41 . 2008-08-31 21:57 -------- d-----w c:\program files\Lenovo
2009-04-04 23:57 . 2009-04-04 23:57 -------- d-----w c:\program files\Belarc
2009-04-04 23:40 . 2009-04-04 23:40 -------- d-----w c:\program files\Common Files\Realtime Soft
2009-04-04 23:40 . 2009-04-04 23:40 -------- d-----w c:\program files\UltraMon
2009-03-29 11:04 . 2009-03-29 11:04 -------- d-----w c:\program files\Mp3tag
2009-03-29 02:56 . 2009-03-29 02:56 -------- d-----w c:\program files\Power Tab Software
2009-03-29 01:42 . 2008-09-23 00:05 -------- d-----w c:\documents and settings\T60\Application Data\uTorrent
2009-03-29 01:13 . 2009-03-29 01:13 -------- d-----w c:\program files\Common Files\PC Tools
2009-03-24 03:12 . 2009-03-24 03:12 -------- d-----w c:\program files\Common Files\INCA Shared
2009-03-21 14:06 . 2009-03-21 14:06 989696 ------w c:\windows\system32\dllcache\kernel32.dll
2009-03-19 21:55 . 2009-03-19 21:55 -------- d-----w c:\program files\Common Files\eSellerate
2009-03-19 21:55 . 2009-03-19 21:55 -------- d-----w c:\program files\TuneSleeve
2009-03-19 21:55 . 2009-03-19 21:55 -------- d-----w c:\documents and settings\All Users\Application Data\eSellerate
2009-03-18 22:10 . 2009-03-18 22:08 8 ----a-w c:\documents and settings\All Users\Application Data\VYAAUFMZPWSP.SYS
2009-03-17 00:29 . 2008-09-22 19:49 -------- d-----w c:\program files\K-Lite Codec Pack
2009-03-12 23:46 . 2009-03-12 23:46 -------- d-----w c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-12 23:46 . 2009-03-09 23:05 -------- d-----w c:\program files\iTunes
2009-03-12 23:46 . 2008-11-04 22:27 -------- d-----w c:\program files\Bonjour
2009-03-12 23:45 . 2009-03-11 21:45 -------- d-----w c:\program files\FileZilla FTP Client
2009-03-12 23:45 . 2009-03-09 23:04 -------- d-----w c:\program files\QuickTime
2009-03-12 23:44 . 2009-03-09 23:03 -------- d-----w c:\program files\Apple Software Update
2009-03-12 23:44 . 2009-03-12 23:44 -------- d-----w c:\documents and settings\All Users\Application Data\Apple
2009-03-12 23:22 . 2008-08-31 22:01 -------- d-----w c:\program files\Google
2009-03-12 23:22 . 2009-03-05 20:48 -------- d-----w c:\program files\Mozilla Sunbird(2)
2009-03-12 23:21 . 2008-09-27 14:43 -------- d-----w c:\program files\FootyOnline.tv
2009-03-12 23:21 . 2009-03-12 23:21 -------- d-----w c:\program files\Windows Live
2009-03-12 23:21 . 2009-03-08 10:45 -------- d-----w c:\program files\Windows Live(2)
2009-03-12 23:21 . 2009-03-09 23:04 -------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-03-09 23:05 . 2009-03-09 23:05 -------- d-----w c:\program files\iPod
2009-03-09 23:05 . 2009-03-09 23:03 -------- d-----w c:\program files\Common Files\Apple
2009-03-08 10:45 . 2008-09-13 17:54 -------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller
2009-03-07 00:13 . 2009-03-07 00:13 -------- d-----w c:\documents and settings\T60\Application Data\WaterProof
2009-03-07 00:12 . 2009-03-07 00:12 -------- d-----w c:\program files\WaterProof
2009-03-06 14:22 . 2006-04-30 06:55 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-05 23:59 . 2009-03-12 23:44 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-05 23:59 . 2009-03-12 23:44 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-03-05 20:49 . 2009-03-05 20:49 -------- d-----w c:\documents and settings\T60\Application Data\Talkback
2009-03-04 15:19 . 2009-03-04 09:32 -------- d-----w c:\program files\Common Files\Research In Motion
2009-03-04 12:02 . 2009-03-04 12:02 -------- d-----w c:\documents and settings\T60\Application Data\Research In Motion
2009-03-04 09:32 . 2009-03-04 09:32 -------- d-----w c:\program files\Research In Motion
2009-03-03 21:54 . 2009-02-01 12:18 17623 ----a-w C:\output.log
2009-03-03 21:04 . 2009-03-03 21:04 -------- d-----w c:\documents and settings\T60\Application Data\Actual Tools
2009-03-03 21:04 . 2009-03-03 21:04 -------- d-----w c:\program files\Actual Title Buttons
2009-03-03 18:04 . 2009-02-13 00:22 -------- d-----w c:\program files\Microsoft Silverlight
2009-03-02 23:04 . 2008-06-26 08:15 1499136 ------w c:\windows\system32\dllcache\shdocvw.dll
2009-02-24 01:51 . 2009-02-13 00:22 -------- d-----w c:\program files\Microsoft SQL Server
2009-02-24 01:50 . 2008-09-16 03:58 -------- d-----w c:\program files\Microsoft.NET
2009-02-24 01:44 . 2009-02-13 00:18 -------- d-----w c:\program files\Microsoft Visual Studio 9.0
2009-02-24 01:26 . 2008-10-10 00:13 -------- d-----w c:\program files\Thunderbird-Tray
2009-02-23 17:39 . 2008-09-29 21:39 -------- d-----w c:\documents and settings\T60\Application Data\Hamachi
2009-02-22 01:10 . 2008-10-11 13:50 -------- d-----w c:\documents and settings\T60\Application Data\IDM
2009-02-21 15:22 . 2009-02-21 15:22 -------- d-----w c:\program files\Active Keys
2009-02-21 15:22 . 2009-02-21 15:22 -------- d-----w c:\documents and settings\T60\Application Data\Softarium.com
2009-02-20 08:11 . 2008-06-23 15:09 3068416 ------w c:\windows\system32\dllcache\mshtml.dll
2009-02-20 08:10 . 2008-06-26 08:15 619520 ------w c:\windows\system32\dllcache\urlmon.dll
2009-02-20 08:10 . 2008-06-23 15:09 666112 ------w c:\windows\system32\dllcache\wininet.dll
2009-02-20 08:10 . 2006-04-30 06:56 666112 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:10 . 2009-02-20 08:10 81920 ------w c:\windows\system32\dllcache\ieencode.dll
2009-02-20 08:10 . 2006-04-30 06:55 81920 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 18:56 . 2009-03-17 00:28 67584 ----a-w c:\windows\system32\ff_vfw.dll
2009-02-09 12:10 . 2006-04-30 06:55 729088 ------w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2006-04-30 06:55 714752 ------w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2006-04-30 06:55 617472 ------w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2006-04-30 06:55 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2008-10-15 19:34 1846784 ------w c:\windows\system32\dllcache\win32k.sys
2009-02-09 11:13 . 2006-04-30 06:55 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-07 18:02 . 2008-10-15 19:34 2066048 ------w c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-06 11:11 . 2006-04-30 06:55 110592 ------w c:\windows\system32\services.exe
2009-02-06 11:08 . 2008-10-15 19:34 2189056 ------w c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 11:06 . 2008-10-15 19:34 2145280 ------w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 11:06 . 2006-04-30 06:55 2145280 ------w c:\windows\system32\ntoskrnl.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E2BA40A2-74F3-42BD-F434-2604812C8953}]
2009-04-19 22:37 15000 ----a-w c:\windows\system32\sdfgerfgf3f.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3806b089-6759-411d-b2c3-b7995a9f34d7}"= "c:\program files\Harmony_Hollow_Software\tbHar1.dll" [2009-04-12 1883672]

[HKEY_CLASSES_ROOT\clsid\{3806b089-6759-411d-b2c3-b7995a9f34d7}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3806B089-6759-411D-B2C3-B7995A9F34D7}"= "c:\program files\Harmony_Hollow_Software\tbHar1.dll" [2009-04-12 1883672]

[HKEY_CLASSES_ROOT\clsid\{3806b089-6759-411d-b2c3-b7995a9f34d7}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2008-09-15 2606512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2006-05-25 151552]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2006-05-25 208896]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 512000]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2006-02-23 237568]
"TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-07-25 94208]
"LPManager"="c:\progra~1\THINKV~2\PrdCtr\LPMGR.exe" [2006-07-04 110592]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2006-12-25 409600]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2006-12-25 110592]
"PCTAVApp"="c:\program files\PC Tools AntiVirus\PCTAV.exe" [2009-02-19 1374096]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2009-01-07 60704]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-07-25 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-07-25 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-07-25 118784]
"TpShocks"="TpShocks.exe" - c:\windows\system32\TpShocks.exe [2006-03-16 106496]
"TP4EX"="tp4ex.exe" - c:\windows\system32\TP4EX.exe [2005-10-17 65536]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
TB-Tray.lnk - c:\program files\Thunderbird-Tray\TBTray.exe [2005-11-8 38912]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{E2BA40A2-74F3-42BD-F434-2604812C8953}"= "c:\windows\system32\sdfgerfgf3f.dll" [2009-04-19 15000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AwayNotify]
2006-08-16 17:07 49152 ------w c:\program files\Lenovo\AwayTask\AwayNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2006-12-25 17:29 32768 ------w c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-04-26 02:20 40448 ------w c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-05 14:45 28672 ------w c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-11-30 11:16 24576 ------w c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd ACGina

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Desktop Manager.lnk
backup=c:\windows\pss\Desktop Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^T60^Start Menu^Programs^Startup^hamachi.lnk]
path=c:\documents and settings\T60\Start Menu\Programs\Startup\hamachi.lnk
backup=c:\windows\pss\hamachi.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^T60^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\T60\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^T60^Start Menu^Programs^Startup^TB-Tray.lnk]
path=c:\documents and settings\T60\Start Menu\Programs\Startup\TB-Tray.lnk
backup=c:\windows\pss\TB-Tray.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MSSQL$SQLEXPRESS"=2 (0x2)
"Microsoft Office Groove Audit Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"AcrSch2Svc"=2 (0x2)
"aawservice"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Hamachi\\hamachi.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=
"c:\\Program Files\\Sports Interactive\\Football Manager 2009\\fm.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\WaterProof\\PHPEdit\\3.0.6\\PHPEdit.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Java\\jdk1.6.0_10\\bin\\java.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Diskeeper Corporation\\Diskeeper\\DkService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5999:UDP"= 5999:UDP:MaxiVista Server

R3 ExterminateIt;ExterminateIt;c:\windows\system32\drivers\extit.sys [2009-04-21 22016]
R3 maxidemo;Maxi_Vista_Demo_Driver; [x]
R3 npggsvc;nProtect GameGuard Service; [x]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2008-07-11 47128]
R4 RsFx0102;RsFx0102 Driver;c:\windows\system32\DRIVERS\RsFx0102.sys [2008-07-10 242712]
R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2008-07-11 369688]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-03-06 130424]
S0 Shockprf;Shockprf; [x]
S1 ANC;ANC;c:\windows\system32\drivers\ANC.SYS [2005-11-08 11520]
S1 IBMTPCHK;IBMTPCHK;c:\windows\system32\Drivers\IBMBLDID.sys [2006-01-13 6016]
S1 ShockMgr;ShockMgr; [x]
S1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\Tppwrif.sys [2006-05-25 4442]
S2 PrivateDisk;PrivateDisk;c:\program files\Lenovo\SafeGuard PrivateDisk\PrivateDiskM.sys [2006-03-13 58368]
S2 smi2;smi2;c:\program files\SMI2\smi2.sys [2006-07-14 3968]
S2 smihlp;SMI helper driver;c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [2006-04-26 3456]
S2 UltraMonUtility;UltraMon Utility Driver;c:\program files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [2006-09-24 11776]
S3 UltraMonMirror;UltraMonMirror;c:\windows\system32\DRIVERS\UltraMonMirror.sys [2006-09-24 3584]
S3 WSIMD;wsimd Service;c:\windows\system32\DRIVERS\wsimd.sys [2006-07-20 54432]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0a7c4616-835f-11dd-aed3-0016cf1cfbb5}]
\Shell\AutoRun\command - F:\Launcher.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-19 c:\windows\Tasks\Ad-Aware.job
- c:\progra~1\Lavasoft\Ad-Aware\Ad-Aware.exe [2008-05-19 01:49]

2009-04-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-04-21 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2008-08-31 16:13]

2009-04-19 c:\windows\Tasks\Spybot - Search & Destroy.job
- c:\progra~1\SPYBOT~1\SpybotSD.exe [2008-09-27 08:42]

2009-04-21 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-14 21:18]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-ISUSPM Startup - c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
HKLM-Run-puvurazewi - c:\windows\system32\mulumobu.dll
SharedTaskScheduler-{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fugajezu.dll
Notify-NavLogon - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.lenovo.com/welcome/thinkpad
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
FF - ProfilePath - c:\documents and settings\T60\Application Data\Mozilla\Firefox\Profiles\jmri62jf.default\
FF - component: c:\documents and settings\T60\Application Data\IDM\idmmzcc2\components\idmmzcc.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\T60\Application Data\Mozilla\Firefox\Profiles\jmri62jf.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\T60\Application Data\Mozilla\Firefox\Profiles\jmri62jf.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-21 23:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3054861396-2549772211-4025143130-1005\Software\G*e*n*i*e*"!\FM Genie Scout 2009 XE]
"GameDir"="c:\\Documents and Settings\\T60\\My Documents\\Sports Interactive\\Football Manager 2009\\games"
"ShortlistDir"="c:\\Documents and Settings\\T60\\My Documents\\Sports Interactive\\Football Manager 2009\\shortlists"
"ScreenshotsDir"="c:\\Documents and Settings\\T60\\My Documents\\Sports Interactive\\Football Manager 2009"
"SaveDir"="c:\\Documents and Settings\\T60\\My Documents\\Sports Interactive\\Football Manager 2009\\"
"HistoryDir"="c:\\Documents and Settings\\T60\\Desktop\\FM Genie Scout 2009 XE\\History Points"
"LangDB"="c:\\Program Files\\Sports Interactive\\Football Manager 2009\\data\\updates\\update-910\\db\\910\\lang_db.dat"
"LastSaveGame"="c:\\Documents and Settings\\T60\\My Documents\\Sports Interactive\\Football Manager 2009\\games\\SunderlandNetwork.fm"
"Language"="English"
"LoadLangDB"=dword:00000001
"CompressHistoryPoints"=dword:00000000
"HighlightedAttributes"=dword:00000000
"MinCondition"=dword:00000050
"SkinName"="Champions League"
"LastUpdateCheck"=dword:00000000
"HighQualityGUI"=dword:00000001
"AutomaticallyUpdateCheck"=dword:00000001
"AdvancedGeneration"=dword:00000000
"TranslateStaffSkills"=dword:00000001
"TranslatePlayerSkills"=dword:00000001
"TranslatePositions"=dword:00000001
"ShowHistory"=dword:00000001
"Version"=dword:00000066
"UniqueID"="E4-97FF-C26F"
"UseProxy"=dword:00000000
"ProxyHost"=""
"ProxyPort"=""
"UseAuthentication"=dword:00000000
"UserName"=""
"UserPassword"=""
"Currency"=dword:00000056

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{60fb51fe-fab4-42d3-9ebf-ec239ee86d55}]
@Denied: (Full) (Everyone)
"Model"=dword:00000164
"Therad"=dword:00000012
"MData"=hex(0):cb,9b,ad,ef,27,7d,29,69,f5,02,f0,76,aa,4a,f1,7c,d3,d9,67,7f,6a,
4b,7b,ad,04,7a,b1,b5,76,9b,27,47,b1,b5,f9,10,32,d1,ad,21,46,8f,3c,f2,5c,68,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):0c,cf,9f,6d,21,43,7a,e3,98,ec,13,a2,16,88,a9,0a,04,41,33,5f,02,
1f,57,26,04,ac,3c,18,8b,72,fa,77,63,1a,de,a7,6e,30,74,69,00,00,00,00,00,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(244)
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\windows\system32\biologon.dll
c:\program files\ThinkVantage Fingerprint Software\homepass.dll
c:\program files\ThinkVantage Fingerprint Software\bio.dll
c:\program files\ThinkVantage Fingerprint Software\remote.dll
c:\program files\ThinkVantage Fingerprint Software\ps2css.dll
c:\windows\system32\tphklock.dll
c:\program files\ThinkVantage Fingerprint Software\crypto.dll
c:\program files\Lenovo\AwayTask\AwayNotify.dll

- - - - - - - > 'lsass.exe'(300)
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkPad\ConnectUtilities\ACGina.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACON.dll
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgr.dll
c:\program files\ThinkPad\ConnectUtilities\AcCryptHlpr.dll
c:\program files\ThinkPad\ConnectUtilities\ACTurinSupport.dll
c:\program files\ThinkPad\ConnectUtilities\AcAdaptersInfo.dll
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

- - - - - - - > 'explorer.exe'(4124)
c:\windows\system32\PROCHLP.DLL
c:\windows\system32\msi.dll
c:\windows\system32\sdfgerfgf3f.dll
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
c:\windows\system32\hnetcfg.dll
c:\program files\Bonjour\mdnsNSP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\IPSSVC.EXE
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\windows\system32\acs.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Kontiki\KService.exe
c:\program files\PC Tools AntiVirus\PCTAVSvc.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\system32\TPHDEXLG.exe
c:\windows\system32\TpKmpSvc.exe
c:\program files\Lenovo\Client Security Solution\tvttcsd.exe
c:\program files\Lenovo\Rescue and Recovery\rrservice.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\Lenovo\Rescue and Recovery\ADM\IUService.exe
c:\windows\system32\wdfmgr.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\Lenovo\System Update\SUService.exe
c:\program files\Common Files\Lenovo\Logger\logmon.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\windows\system32\msiexec.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
c:\program files\Mozilla Thunderbird\thunderbird.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe
.
**************************************************************************
.
Completion time: 2009-04-21 0:05 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-21 23:05

Pre-Run: 33,766,486,016 bytes free
Post-Run: 33,771,298,816 bytes free

479 --- E O F --- 2009-04-21 23:01

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:50 PM

Posted 21 April 2009 - 07:10 PM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript to your desktop.

File::
c:\windows\system32\sdfgerfgf3f.dll
c:\windows\system32\yilisuda.exe
c:\windows\system32\puneromi.exe
c:\windows\system32\jedemeja.exe
c:\windows\system32\hetuvigu.exe
c:\windows\system32\hf873uwndf.dll
c:\windows\instsp2.exe
c:\windows\system32\drivers\ptqxxoqobvpethem.sys
C:\buwd.exe
C:\jjomgvxe.exe
C:\cdheei.exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E2BA40A2-74F3-42BD-F434-2604812C8953}]

Prior to running Combofix.exe you should disable your antivirus program.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 sam7224

sam7224
  • Topic Starter

  • Members
  • 5 posts
  • Local time:10:50 PM

Posted 21 April 2009 - 08:08 PM

Here are the results of the latest ComboFix log; the previous errors that I received hadn't popped up this time.

ComboFix 09-04-22.02 - T60 22/04/2009 1:49.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1211 [GMT 1:00]
Running from: c:\documents and settings\T60\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\T60\Desktop\CFScript.txt
AV: PC Tools AntiVirus 6.0.0.19 *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
C:\buwd.exe
C:\cdheei.exe
C:\jjomgvxe.exe
c:\windows\instsp2.exe
c:\windows\system32\drivers\ptqxxoqobvpethem.sys
c:\windows\system32\hetuvigu.exe
c:\windows\system32\hf873uwndf.dll
c:\windows\system32\jedemeja.exe
c:\windows\system32\puneromi.exe
c:\windows\system32\sdfgerfgf3f.dll
c:\windows\system32\yilisuda.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\buwd.exe
C:\cdheei.exe
C:\jjomgvxe.exe
c:\windows\instsp2.exe
c:\windows\system32\drivers\ptqxxoqobvpethem.sys
c:\windows\system32\hetuvigu.exe
c:\windows\system32\hf873uwndf.dll
c:\windows\system32\jedemeja.exe
c:\windows\system32\puneromi.exe
c:\windows\system32\sdfgerfgf3f.dll
c:\windows\system32\yilisuda.exe

.
((((((((((((((((((((((((( Files Created from 2009-03-22 to 2009-04-22 )))))))))))))))))))))))))))))))
.

2009-04-21 18:37 . 2009-04-21 18:37 22016 ----a-w c:\windows\system32\drivers\extit.sys
2009-04-19 22:37 . 2009-04-19 22:37 2 ----a-w C:\-62443278
2009-04-15 13:09 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-15 13:09 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 13:09 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-15 13:09 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-15 13:09 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 13:09 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 13:09 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 13:09 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 13:09 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 13:09 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 13:08 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 13:08 . 2009-03-27 06:58 1203922 ------w c:\windows\system32\dllcache\sysmain.sdb
2009-04-15 13:08 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-14 02:01 . 2009-04-14 02:01 -------- d-----w c:\windows\system32\KB905474
2009-04-14 02:01 . 2009-03-10 21:26 1403264 ----a-w c:\windows\system32\KB905474\wganotifypackageinner.exe
2009-04-14 02:01 . 2009-03-10 21:18 453512 ----a-w c:\windows\system32\KB905474\wgasetup.exe
2009-04-14 02:01 . 2009-02-09 17:51 12490 ----a-w c:\windows\system32\KB905474\wga_eula.txt
2009-04-13 23:35 . 2009-04-13 23:35 -------- d-----w c:\documents and settings\T60\Application Data\gtk-2.0
2009-04-12 03:37 . 2009-04-12 03:37 -------- d-----w c:\documents and settings\T60\Application Data\PeaZip
2009-04-12 03:30 . 2009-04-12 03:30 186 ----a-w c:\windows\monkey.ini
2009-04-12 03:24 . 2009-04-12 03:24 -------- d-----w c:\documents and settings\T60\Local Settings\Application Data\Harmony_Hollow_Software
2009-04-12 03:24 . 2009-04-12 03:24 -------- d-----w c:\documents and settings\T60\Local Settings\Application Data\Conduit
2009-04-12 03:24 . 2008-12-28 12:14 167936 ----a-w c:\windows\system32\ccrpftv6.ocx
2009-04-10 21:06 . 2009-04-10 21:08 -------- d-----w c:\documents and settings\T60\Application Data\Unyte
2009-04-05 02:41 . 2006-07-25 06:17 139264 ----a-w c:\windows\system32\igfxres.dll
2009-04-05 01:41 . 2009-01-07 03:03 4608 ------w c:\windows\system32\drivers\TSMAPIP.SYS
2009-04-05 01:04 . 2006-07-25 06:21 57344 ----a-w c:\windows\system32\SET4C.tmp
2009-04-04 23:57 . 2008-02-27 12:49 3840 ----a-w c:\windows\system32\drivers\BANTExt.sys
2009-04-04 23:40 . 2009-04-04 23:40 -------- d-----w c:\documents and settings\T60\Application Data\Realtime Soft
2009-04-04 23:40 . 2009-04-04 23:40 -------- d-----w c:\documents and settings\All Users\Application Data\Realtime Soft
2009-03-29 11:04 . 2009-03-30 03:20 -------- d-----w c:\documents and settings\T60\Application Data\Mp3tag
2009-03-29 01:16 . 2009-03-29 01:16 -------- d-----w c:\documents and settings\T60\Application Data\PC Tools
2009-03-29 01:13 . 2009-03-06 15:45 130424 ----a-w c:\windows\system32\drivers\PCTCore.sys
2009-03-29 01:13 . 2008-12-18 11:16 73840 ----a-w c:\windows\system32\drivers\PCTAppEvent.sys
2009-03-29 01:13 . 2009-02-10 10:13 21904 ----a-w c:\windows\system32\drivers\AVRec.sys
2009-03-29 01:13 . 2009-02-10 10:13 28560 ----a-w c:\windows\system32\drivers\AVHook.sys
2009-03-29 01:13 . 2009-02-10 10:13 21904 ----a-w c:\windows\system32\drivers\AVFilter.sys
2009-03-29 01:13 . 2009-03-29 01:16 -------- d-----w c:\documents and settings\All Users\Application Data\PC Tools
2009-03-24 03:12 . 2004-12-31 06:43 4682 ----a-w c:\windows\system32\npptNT2.sys
2009-03-24 03:12 . 2003-07-16 15:17 5174 ----a-w c:\windows\system32\nppt9x.vxd
2009-03-24 03:06 . 2009-03-24 03:06 -------- d--h--w c:\windows\msdownld.tmp
2009-03-24 03:04 . 2009-03-24 03:04 -------- d-----w C:\GamesCampus

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-20 23:00 . 2008-08-31 22:13 5427 ----a-w c:\windows\system32\EGATHDRV.SYS
2009-04-22 00:58 . 2008-10-05 18:49 -------- d-----w c:\documents and settings\All Users\Application Data\Kontiki
2009-04-22 00:54 . 2009-03-29 01:13 -------- d-----w c:\program files\PC Tools AntiVirus
2009-04-22 00:52 . 2008-10-11 13:50 -------- d-----w c:\documents and settings\T60\Application Data\DMCache
2009-04-22 00:48 . 2008-12-11 02:21 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-21 23:01 . 2008-10-09 23:54 -------- d-----w c:\program files\Mozilla Thunderbird
2009-04-21 22:43 . 2006-04-30 06:56 14336 ----a-w c:\windows\system32\svchost.exe
2009-04-21 22:43 . 2006-04-30 06:56 14336 ----a-w c:\windows\system32\dllcache\svchost.exe
2009-04-21 22:43 . 2009-01-21 22:43 51200 --sha-w c:\windows\system32\ratofoze.exe
2009-04-21 18:37 . 2009-04-20 21:41 -------- d-----w c:\program files\Exterminate It!
2009-04-20 04:28 . 2009-04-20 04:28 -------- d-----w c:\program files\Trend Micro
2009-04-19 20:56 . 2008-09-13 06:54 70024 ----a-w c:\documents and settings\T60\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-19 20:44 . 2008-09-16 03:54 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-04-19 20:42 . 2009-02-06 14:02 192880 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-04-18 07:45 . 2008-09-16 03:55 -------- d-----w c:\program files\Microsoft Visual Studio 8
2009-04-17 09:32 . 2009-03-11 21:52 -------- d-----w c:\documents and settings\T60\Application Data\FileZilla
2009-04-15 21:05 . 2009-03-09 23:05 -------- d-----w c:\documents and settings\T60\Application Data\Apple Computer
2009-04-15 09:28 . 2009-02-05 12:45 -------- d-----w c:\documents and settings\T60\Application Data\Skype
2009-04-15 07:08 . 2009-02-05 12:45 -------- d-----w c:\documents and settings\T60\Application Data\skypePM
2009-04-13 22:33 . 2009-04-13 22:33 -------- d-----w c:\program files\7-Zip
2009-04-12 17:57 . 2009-03-10 02:13 256 ----a-w c:\documents and settings\T60\pool.bin
2009-04-12 03:24 . 2009-04-12 03:24 -------- d-----w c:\program files\RarMonkey
2009-04-12 03:24 . 2009-04-12 03:24 -------- d-----w c:\program files\Harmony_Hollow_Software
2009-04-12 03:24 . 2009-04-12 03:24 -------- d-----w c:\program files\Conduit
2009-04-05 01:41 . 2008-08-31 21:57 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-05 01:41 . 2008-08-31 21:57 -------- d-----w c:\program files\Lenovo
2009-04-04 23:57 . 2009-04-04 23:57 -------- d-----w c:\program files\Belarc
2009-04-04 23:40 . 2009-04-04 23:40 -------- d-----w c:\program files\Common Files\Realtime Soft
2009-04-04 23:40 . 2009-04-04 23:40 -------- d-----w c:\program files\UltraMon
2009-03-29 11:04 . 2009-03-29 11:04 -------- d-----w c:\program files\Mp3tag
2009-03-29 02:56 . 2009-03-29 02:56 -------- d-----w c:\program files\Power Tab Software
2009-03-29 01:42 . 2008-09-23 00:05 -------- d-----w c:\documents and settings\T60\Application Data\uTorrent
2009-03-29 01:13 . 2009-03-29 01:13 -------- d-----w c:\program files\Common Files\PC Tools
2009-03-24 03:12 . 2009-03-24 03:12 -------- d-----w c:\program files\Common Files\INCA Shared
2009-03-21 14:06 . 2009-03-21 14:06 989696 ------w c:\windows\system32\dllcache\kernel32.dll
2009-03-19 21:55 . 2009-03-19 21:55 -------- d-----w c:\program files\Common Files\eSellerate
2009-03-19 21:55 . 2009-03-19 21:55 -------- d-----w c:\program files\TuneSleeve
2009-03-19 21:55 . 2009-03-19 21:55 -------- d-----w c:\documents and settings\All Users\Application Data\eSellerate
2009-03-18 22:10 . 2009-03-18 22:08 8 ----a-w c:\documents and settings\All Users\Application Data\VYAAUFMZPWSP.SYS
2009-03-17 00:29 . 2008-09-22 19:49 -------- d-----w c:\program files\K-Lite Codec Pack
2009-03-12 23:46 . 2009-03-12 23:46 -------- d-----w c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-12 23:46 . 2009-03-09 23:05 -------- d-----w c:\program files\iTunes
2009-03-12 23:46 . 2008-11-04 22:27 -------- d-----w c:\program files\Bonjour
2009-03-12 23:45 . 2009-03-11 21:45 -------- d-----w c:\program files\FileZilla FTP Client
2009-03-12 23:45 . 2009-03-09 23:04 -------- d-----w c:\program files\QuickTime
2009-03-12 23:44 . 2009-03-09 23:03 -------- d-----w c:\program files\Apple Software Update
2009-03-12 23:44 . 2009-03-12 23:44 -------- d-----w c:\documents and settings\All Users\Application Data\Apple
2009-03-12 23:22 . 2008-08-31 22:01 -------- d-----w c:\program files\Google
2009-03-12 23:22 . 2009-03-05 20:48 -------- d-----w c:\program files\Mozilla Sunbird(2)
2009-03-12 23:21 . 2008-09-27 14:43 -------- d-----w c:\program files\FootyOnline.tv
2009-03-12 23:21 . 2009-03-12 23:21 -------- d-----w c:\program files\Windows Live
2009-03-12 23:21 . 2009-03-08 10:45 -------- d-----w c:\program files\Windows Live(2)
2009-03-12 23:21 . 2009-03-09 23:04 -------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-03-09 23:05 . 2009-03-09 23:05 -------- d-----w c:\program files\iPod
2009-03-09 23:05 . 2009-03-09 23:03 -------- d-----w c:\program files\Common Files\Apple
2009-03-08 10:45 . 2008-09-13 17:54 -------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller
2009-03-07 00:13 . 2009-03-07 00:13 -------- d-----w c:\documents and settings\T60\Application Data\WaterProof
2009-03-07 00:12 . 2009-03-07 00:12 -------- d-----w c:\program files\WaterProof
2009-03-06 14:22 . 2006-04-30 06:55 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-05 23:59 . 2009-03-12 23:44 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-05 23:59 . 2009-03-12 23:44 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-03-05 20:49 . 2009-03-05 20:49 -------- d-----w c:\documents and settings\T60\Application Data\Talkback
2009-03-04 15:19 . 2009-03-04 09:32 -------- d-----w c:\program files\Common Files\Research In Motion
2009-03-04 12:02 . 2009-03-04 12:02 -------- d-----w c:\documents and settings\T60\Application Data\Research In Motion
2009-03-04 09:32 . 2009-03-04 09:32 -------- d-----w c:\program files\Research In Motion
2009-03-03 21:54 . 2009-02-01 12:18 17623 ----a-w C:\output.log
2009-03-03 21:04 . 2009-03-03 21:04 -------- d-----w c:\documents and settings\T60\Application Data\Actual Tools
2009-03-03 21:04 . 2009-03-03 21:04 -------- d-----w c:\program files\Actual Title Buttons
2009-03-03 18:04 . 2009-02-13 00:22 -------- d-----w c:\program files\Microsoft Silverlight
2009-03-02 23:04 . 2008-06-26 08:15 1499136 ------w c:\windows\system32\dllcache\shdocvw.dll
2009-02-24 01:51 . 2009-02-13 00:22 -------- d-----w c:\program files\Microsoft SQL Server
2009-02-24 01:50 . 2008-09-16 03:58 -------- d-----w c:\program files\Microsoft.NET
2009-02-24 01:44 . 2009-02-13 00:18 -------- d-----w c:\program files\Microsoft Visual Studio 9.0
2009-02-24 01:26 . 2008-10-10 00:13 -------- d-----w c:\program files\Thunderbird-Tray
2009-02-23 17:39 . 2008-09-29 21:39 -------- d-----w c:\documents and settings\T60\Application Data\Hamachi
2009-02-22 01:10 . 2008-10-11 13:50 -------- d-----w c:\documents and settings\T60\Application Data\IDM
2009-02-21 15:22 . 2009-02-21 15:22 -------- d-----w c:\program files\Active Keys
2009-02-21 15:22 . 2009-02-21 15:22 -------- d-----w c:\documents and settings\T60\Application Data\Softarium.com
2009-02-20 08:11 . 2008-06-23 15:09 3068416 ------w c:\windows\system32\dllcache\mshtml.dll
2009-02-20 08:10 . 2008-06-26 08:15 619520 ------w c:\windows\system32\dllcache\urlmon.dll
2009-02-20 08:10 . 2008-06-23 15:09 666112 ------w c:\windows\system32\dllcache\wininet.dll
2009-02-20 08:10 . 2006-04-30 06:56 666112 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:10 . 2009-02-20 08:10 81920 ------w c:\windows\system32\dllcache\ieencode.dll
2009-02-20 08:10 . 2006-04-30 06:55 81920 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 18:56 . 2009-03-17 00:28 67584 ----a-w c:\windows\system32\ff_vfw.dll
2009-02-09 12:10 . 2006-04-30 06:55 729088 ------w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2006-04-30 06:55 714752 ------w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2006-04-30 06:55 617472 ------w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2006-04-30 06:55 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2008-10-15 19:34 1846784 ------w c:\windows\system32\dllcache\win32k.sys
2009-02-09 11:13 . 2006-04-30 06:55 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-07 18:02 . 2008-10-15 19:34 2066048 ------w c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-06 11:11 . 2006-04-30 06:55 110592 ------w c:\windows\system32\services.exe
2009-02-06 11:08 . 2008-10-15 19:34 2189056 ------w c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 11:06 . 2008-10-15 19:34 2145280 ------w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 11:06 . 2006-04-30 06:55 2145280 ------w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2006-04-30 06:55 35328 ------w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2008-10-15 19:34 2023936 ------w c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-06 10:32 . 2004-08-03 22:59 2023936 ------w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2009-02-03 19:59 56832 ------w c:\windows\system32\dllcache\secur32.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-04-21_22.59.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-22 00:59 . 2009-04-22 00:59 16384 c:\windows\Temp\Perflib_Perfdata_588.dat
+ 2009-04-22 00:54 . 2009-04-22 00:54 16384 c:\windows\Temp\Perflib_Perfdata_544.dat
+ 2009-04-22 00:54 . 2009-04-22 00:54 16384 c:\windows\Temp\Perflib_Perfdata_404.dat
+ 2009-04-22 00:54 . 2009-04-22 00:54 16384 c:\windows\Temp\Perflib_Perfdata_39c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3806b089-6759-411d-b2c3-b7995a9f34d7}"= "c:\program files\Harmony_Hollow_Software\tbHar1.dll" [2009-04-12 1883672]

[HKEY_CLASSES_ROOT\clsid\{3806b089-6759-411d-b2c3-b7995a9f34d7}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3806B089-6759-411D-B2C3-B7995A9F34D7}"= "c:\program files\Harmony_Hollow_Software\tbHar1.dll" [2009-04-12 1883672]

[HKEY_CLASSES_ROOT\clsid\{3806b089-6759-411d-b2c3-b7995a9f34d7}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2008-09-15 2606512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2006-05-25 151552]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2006-05-25 208896]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 512000]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2006-02-23 237568]
"TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-07-25 94208]
"LPManager"="c:\progra~1\THINKV~2\PrdCtr\LPMGR.exe" [2006-07-04 110592]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2006-12-25 409600]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2006-12-25 110592]
"PCTAVApp"="c:\program files\PC Tools AntiVirus\PCTAV.exe" [2009-02-19 1374096]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2009-01-07 60704]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-07-25 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-07-25 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-07-25 118784]
"TpShocks"="TpShocks.exe" - c:\windows\system32\TpShocks.exe [2006-03-16 106496]
"TP4EX"="tp4ex.exe" - c:\windows\system32\TP4EX.exe [2005-10-17 65536]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
TB-Tray.lnk - c:\program files\Thunderbird-Tray\TBTray.exe [2005-11-8 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AwayNotify]
2006-08-16 17:07 49152 ------w c:\program files\Lenovo\AwayTask\AwayNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2006-12-25 17:29 32768 ------w c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-04-26 02:20 40448 ------w c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-05 14:45 28672 ------w c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-11-30 11:16 24576 ------w c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd ACGina

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Desktop Manager.lnk
backup=c:\windows\pss\Desktop Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^T60^Start Menu^Programs^Startup^hamachi.lnk]
path=c:\documents and settings\T60\Start Menu\Programs\Startup\hamachi.lnk
backup=c:\windows\pss\hamachi.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^T60^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\T60\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^T60^Start Menu^Programs^Startup^TB-Tray.lnk]
path=c:\documents and settings\T60\Start Menu\Programs\Startup\TB-Tray.lnk
backup=c:\windows\pss\TB-Tray.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MSSQL$SQLEXPRESS"=2 (0x2)
"Microsoft Office Groove Audit Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"AcrSch2Svc"=2 (0x2)
"aawservice"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Hamachi\\hamachi.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=
"c:\\Program Files\\Sports Interactive\\Football Manager 2009\\fm.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\WaterProof\\PHPEdit\\3.0.6\\PHPEdit.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Java\\jdk1.6.0_10\\bin\\java.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Diskeeper Corporation\\Diskeeper\\DkService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5999:UDP"= 5999:UDP:MaxiVista Server

R3 ExterminateIt;ExterminateIt;c:\windows\system32\drivers\extit.sys [2009-04-21 22016]
R3 maxidemo;Maxi_Vista_Demo_Driver; [x]
R3 npggsvc;nProtect GameGuard Service; [x]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2008-07-11 47128]
R4 RsFx0102;RsFx0102 Driver;c:\windows\system32\DRIVERS\RsFx0102.sys [2008-07-10 242712]
R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2008-07-11 369688]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-03-06 130424]
S0 Shockprf;Shockprf; [x]
S1 ANC;ANC;c:\windows\system32\drivers\ANC.SYS [2005-11-08 11520]
S1 IBMTPCHK;IBMTPCHK;c:\windows\system32\Drivers\IBMBLDID.sys [2006-01-13 6016]
S1 ShockMgr;ShockMgr; [x]
S1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\Tppwrif.sys [2006-05-25 4442]
S2 PrivateDisk;PrivateDisk;c:\program files\Lenovo\SafeGuard PrivateDisk\PrivateDiskM.sys [2006-03-13 58368]
S2 smi2;smi2;c:\program files\SMI2\smi2.sys [2006-07-14 3968]
S2 smihlp;SMI helper driver;c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [2006-04-26 3456]
S2 UltraMonUtility;UltraMon Utility Driver;c:\program files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [2006-09-24 11776]
S3 UltraMonMirror;UltraMonMirror;c:\windows\system32\DRIVERS\UltraMonMirror.sys [2006-09-24 3584]
S3 WSIMD;wsimd Service;c:\windows\system32\DRIVERS\wsimd.sys [2006-07-20 54432]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0a7c4616-835f-11dd-aed3-0016cf1cfbb5}]
\Shell\AutoRun\command - F:\Launcher.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-19 c:\windows\Tasks\Ad-Aware.job
- c:\progra~1\Lavasoft\Ad-Aware\Ad-Aware.exe [2008-05-19 01:49]

2009-04-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-04-22 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2008-08-31 16:13]

2009-04-19 c:\windows\Tasks\Spybot - Search & Destroy.job
- c:\progra~1\SPYBOT~1\SpybotSD.exe [2008-09-27 08:42]

2009-04-22 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-14 21:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.lenovo.com/welcome/thinkpad
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
FF - ProfilePath - c:\documents and settings\T60\Application Data\Mozilla\Firefox\Profiles\jmri62jf.default\
FF - component: c:\documents and settings\T60\Application Data\IDM\idmmzcc2\components\idmmzcc.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\T60\Application Data\Mozilla\Firefox\Profiles\jmri62jf.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\T60\Application Data\Mozilla\Firefox\Profiles\jmri62jf.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-22 01:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3054861396-2549772211-4025143130-1005\Software\G*e*n*i*e*"!\FM Genie Scout 2009 XE]
"GameDir"="c:\\Documents and Settings\\T60\\My Documents\\Sports Interactive\\Football Manager 2009\\games"
"ShortlistDir"="c:\\Documents and Settings\\T60\\My Documents\\Sports Interactive\\Football Manager 2009\\shortlists"
"ScreenshotsDir"="c:\\Documents and Settings\\T60\\My Documents\\Sports Interactive\\Football Manager 2009"
"SaveDir"="c:\\Documents and Settings\\T60\\My Documents\\Sports Interactive\\Football Manager 2009\\"
"HistoryDir"="c:\\Documents and Settings\\T60\\Desktop\\FM Genie Scout 2009 XE\\History Points"
"LangDB"="c:\\Program Files\\Sports Interactive\\Football Manager 2009\\data\\updates\\update-910\\db\\910\\lang_db.dat"
"LastSaveGame"="c:\\Documents and Settings\\T60\\My Documents\\Sports Interactive\\Football Manager 2009\\games\\SunderlandNetwork.fm"
"Language"="English"
"LoadLangDB"=dword:00000001
"CompressHistoryPoints"=dword:00000000
"HighlightedAttributes"=dword:00000000
"MinCondition"=dword:00000050
"SkinName"="Champions League"
"LastUpdateCheck"=dword:00000000
"HighQualityGUI"=dword:00000001
"AutomaticallyUpdateCheck"=dword:00000001
"AdvancedGeneration"=dword:00000000
"TranslateStaffSkills"=dword:00000001
"TranslatePlayerSkills"=dword:00000001
"TranslatePositions"=dword:00000001
"ShowHistory"=dword:00000001
"Version"=dword:00000066
"UniqueID"="E4-97FF-C26F"
"UseProxy"=dword:00000000
"ProxyHost"=""
"ProxyPort"=""
"UseAuthentication"=dword:00000000
"UserName"=""
"UserPassword"=""
"Currency"=dword:00000056

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{60fb51fe-fab4-42d3-9ebf-ec239ee86d55}]
@Denied: (Full) (Everyone)
"Model"=dword:00000164
"Therad"=dword:00000012
"MData"=hex(0):cb,9b,ad,ef,27,7d,29,69,f5,02,f0,76,aa,4a,f1,7c,d3,d9,67,7f,6a,
4b,7b,ad,04,7a,b1,b5,76,9b,27,47,b1,b5,f9,10,32,d1,ad,21,46,8f,3c,f2,5c,68,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):0c,cf,9f,6d,21,43,7a,e3,98,ec,13,a2,16,88,a9,0a,04,41,33,5f,02,
1f,57,26,04,ac,3c,18,8b,72,fa,77,63,1a,de,a7,6e,30,74,69,00,00,00,00,00,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(292)
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\windows\system32\biologon.dll
c:\program files\ThinkVantage Fingerprint Software\homepass.dll
c:\program files\ThinkVantage Fingerprint Software\bio.dll
c:\program files\ThinkVantage Fingerprint Software\remote.dll
c:\program files\ThinkVantage Fingerprint Software\ps2css.dll
c:\windows\system32\tphklock.dll
c:\program files\ThinkVantage Fingerprint Software\crypto.dll
c:\program files\Lenovo\AwayTask\AwayNotify.dll

- - - - - - - > 'lsass.exe'(360)
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkPad\ConnectUtilities\ACGina.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACON.dll
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgr.dll
c:\program files\ThinkPad\ConnectUtilities\AcCryptHlpr.dll
c:\program files\ThinkPad\ConnectUtilities\ACTurinSupport.dll
c:\program files\ThinkPad\ConnectUtilities\AcAdaptersInfo.dll
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

- - - - - - - > 'explorer.exe'(984)
c:\windows\system32\PROCHLP.DLL
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\IPSSVC.EXE
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\windows\system32\acs.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Kontiki\KService.exe
c:\program files\PC Tools AntiVirus\PCTAVSvc.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\system32\TPHDEXLG.exe
c:\windows\system32\TpKmpSvc.exe
c:\program files\Lenovo\Client Security Solution\tvttcsd.exe
c:\program files\Lenovo\Rescue and Recovery\rrservice.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\Lenovo\Rescue and Recovery\ADM\IUService.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Lenovo\System Update\SUService.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\Common Files\Lenovo\Logger\logmon.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\windows\system32\wscntfy.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe
c:\windows\system32\rundll32.exe
c:\program files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
c:\program files\ThinkPad\UltraNav Wizard\UNavTray.exe
c:\program files\Mozilla Thunderbird\thunderbird.exe
.
**************************************************************************
.
Completion time: 2009-04-22 2:05 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-22 01:05
ComboFix2.txt 2009-04-21 23:05

Pre-Run: 33,334,083,584 bytes free
Post-Run: 33,325,064,192 bytes free

475 --- E O F --- 2009-04-21 23:01

#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:50 PM

Posted 22 April 2009 - 10:53 AM

Please do an online scan with Kaspersky WebScanner.
  • Please visit the Kaspersky Online Scanner website.
  • Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

How is your computer behaving now?
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 sam7224

sam7224
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:50 PM

Posted 23 April 2009 - 12:42 PM

Hi, sorry for the delayed response. The scan took a long time, so I had to find an opportunity where I was going to have the laptop in one place for long enough.

The computer seems to be behaving normally now! I am not sure if it is fixed or not! I was hoping you would be the man to tell me.

Here are the results of the scan

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Thursday, April 23, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Thursday, April 23, 2009 12:23:49
Records in database: 2071806
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
H:\

Scan statistics:
Files scanned: 148865
Threat name: 6
Infected objects: 5
Suspicious objects: 4
Duration of the scan: 05:08:29


File name / Threat name / Threats count
C:\Program Files\Exterminate It!\Undo\prunnet.zip Suspicious: Password-protected-EXE 1
C:\Program Files\Exterminate It!\Undo\readers.zip Suspicious: Password-protected-EXE 1
C:\Program Files\Exterminate It!\Undo\readers0.zip Suspicious: Password-protected-EXE 1
C:\Program Files\Exterminate It!\Undo\ropenoya.zip Suspicious: Password-protected-EXE 1
C:\Qoobox\Quarantine\C\cdheei.exe.vir Infected: Trojan-Dropper.Win32.Agent.amvz 1
C:\Qoobox\Quarantine\C\jjomgvxe.exe.vir Infected: Trojan-Downloader.Win32.Agent.brrt 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ptqxxoqobvpethem.sys.vir Infected: Trojan.Win32.Tdss.aalf 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\kizonivo.dll.vir Infected: Trojan.Win32.Monder.byqu 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\sdfgerfgf3f.dll.vir Infected: Trojan-Downloader.Win32.Agent.brhg 1

The selected area was scanned.

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:50 PM

Posted 23 April 2009 - 05:56 PM

Nothing there that's not already quarantined, so it looks good! :)

Run an online scan at Secunia Online Software Inspector
  • Click on the red button at the bottom of the screen that says Start Scanner.
  • Follow the prompts to install the scanning software.
  • Do not check the box for Enable thorough system inspection
  • Click the Start button.
  • The program will scan your system and identify insecure versions of software and missing security updates.
  • Using the links provided in the scan, download and install any current and secure versions that are needed.


====================



Let's remove Combofix now that we're done with it and clean up a few other things.
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK



==================



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and re-enable system restore here:

    Windows XP System Restore Guide

    Re-enable system restore with instructions from the tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has anti-virus software running on it. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online and stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with the program on a regular basis, in conjunction with Spybot, just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will be reduced dramatically.



========================================================
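The Internet Explorer settings listed in the post above live as DWORD values under the Internet zone key in the registry. As an added example that is not part of the original thread, this Python script audits a regedit export of that key against the six recommended settings and renders a .reg fragment that applies them. It assumes the value IDs (1001, 1004, 1201, 1800, 1804, 1607) are IE's documented URL-action codes for the Internet zone; the sample export is constructed for the example.

```python
"""Audit an exported IE Internet-zone key against the hardening settings
recommended in the post above (added example, not from the original thread)."""
import re

# IE stores each zone setting as a DWORD: 0 = Enable, 1 = Prompt, 3 = Disable.
ENABLE, PROMPT, DISABLE = 0, 1, 3
LEVEL_NAME = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# Assumption: these are IE's documented URL-action value names for the
# Internet zone; the recommended levels are the ones given in the post.
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}

# Zone 3 is the Internet zone (per-user settings).
ZONE3_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
             r"\Internet Settings\Zones\3")


def parse_reg_export(text):
    """Parse regedit export text into {key: {value_name: int}}.

    Only dword values are kept; strings and comments (';') are skipped.
    A real export is UTF-16 with a BOM, so read it with encoding='utf-16'."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
        if m and current is not None:
            keys[current][m.group(1)] = int(m.group(2), 16)
    return keys


def describe(level):
    """Human-readable name for a stored level, or 'not set' when absent."""
    if level is None:
        return "not set"
    return LEVEL_NAME.get(level, f"unknown ({level})")


def audit_internet_zone(reg_text):
    """Return (value_name, setting, current, recommended) for each recommended
    setting that is missing or weaker than recommended.

    Enable (0) < Prompt (1) < Disable (3), so 'weaker' is a lower number. A
    missing value means IE falls back to its template default, which is not
    the hardened setting, so it is reported as well."""
    zone = parse_reg_export(reg_text).get(ZONE3_KEY, {})
    findings = []
    for name, (label, want) in RECOMMENDED.items():
        have = zone.get(name)
        if have is None or have < want:
            findings.append((name, label, describe(have), LEVEL_NAME[want]))
    return findings


def render_hardened_fragment():
    """Produce a .reg fragment that applies the recommended levels; auditing
    its output yields no findings."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{ZONE3_KEY}]"]
    for name, (label, want) in RECOMMENDED.items():
        lines.append(f"; {label} -> {LEVEL_NAME[want]}")
        lines.append(f'"{name}"=dword:{want:08x}')
    return "\n".join(lines) + "\n"


# Constructed sample export: two settings already hardened, three too weak,
# and 1607 missing entirely.
SAMPLE_EXPORT = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    f"[{ZONE3_KEY}]",
    '"DisplayName"="Internet"',
    '"CurrentLevel"=dword:00011000',
    '"1001"=dword:00000000',  # signed ActiveX download: Enable (too weak)
    '"1004"=dword:00000003',  # unsigned ActiveX download: Disable (ok)
    '"1201"=dword:00000001',  # unsafe ActiveX init/script: Prompt (too weak)
    '"1800"=dword:00000001',  # desktop item install: Prompt (ok)
    '"1804"=dword:00000000',  # IFRAME launch: Enable (too weak)
]) + "\n"


if __name__ == "__main__":
    for name, label, have, want in audit_internet_zone(SAMPLE_EXPORT):
        print(f"{name} {label}: is {have}, should be {want}")
```

Export the real key with regedit (File > Export on the Zones\3 key), read the file with encoding='utf-16', and pass the text to audit_internet_zone.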

#9 sam7224

sam7224
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:50 PM

Posted 23 April 2009 - 06:08 PM

Thank you very much!

I am on my way now to make a donation for your help!

Thanks Again!

Sam

#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:50 PM

Posted 24 April 2009 - 09:56 AM

Thank you very much for the donation! It's very much appreciated!



Now that your problem appears to be resolved, this thread will be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request.


========================================================
