PC suddenly slow as molasses/suspect trojan


This topic is locked. 4 replies to this topic.

#1 davidroyfrench (Members, 3 posts)

Posted 26 April 2009 - 06:27 PM

DDS (Ver_09-03-16.01) - NTFSx86
Run by RoyF at 19:18:08.18 on Sun 04/26/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.231 [GMT -4:00]

AV: Rogers Online Protection Anti-Virus *On-access scanning enabled* (Updated)
AV: Norton Security Online *On-access scanning disabled* (Updated)
FW: Rogers Online Protection Firewall *enabled*
FW: Norton Security Online *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Rogers Online Protection\Rogers Online Protection\Fws.exe
C:\WINDOWS\system32\S24EvMon.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Rogers Online Protection\Rogers Online Protection\rps.exe
C:\Program Files\Rogers Online Protection\Rogers Servicepoint Agent\RogersServicepointAgentComHandler.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ORiNOCO\WirelessClient\Utility\orinoco.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Rogers Online Protection\Rogers Servicepoint Agent\RogersServicepointAgent.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\Rogers Online Protection\Rogers Online Protection\RpsSecurityAwareR.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\YTBSDK.exe
C:\Documents and Settings\RoyF.ROYFLC\Local Settings\Temporary Internet Files\Content.IE5\G9MR0PEN\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://ca.red.clientapps.yahoo.com/customize/rogers/defaults/sp/*http://www.yahoo.com
mStart Page = hxxp://ca.red.clientapps.yahoo.com/customize/rogers/defaults/*http://rogers.yahoo.com
mSearch Bar = hxxp://ca.red.clientapps.yahoo.com/customize/rogers/defaults/sb/*http://www.yahoo.com/search/ie.html
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: HelperObject Class: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 7\SnagItBHO.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\adobe acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: PopKill Class: {3c060ea2-e6a9-4e49-a530-d4657b8c449a} - c:\program files\rogers online protection\rogers online protection\pkR.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: ST: {9394ede7-c8b5-483e-8773-474bf36af6e4} - c:\program files\msn apps\st\01.03.0000.1005\en-xu\stmain.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar4.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\adobe acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\adobe acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 7\SnagItIEAddin.dll
TB: MSN: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} -
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar4.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
TB: {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\adobe acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TPHOTKEY] c:\progra~1\thinkpad\pkgmgr\hotkey\TPHKMGR.exe
mRun: [BMMLREF] c:\program files\thinkpad\utilities\BMMLREF.EXE
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [TP4EX] tp4ex.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [proxim_orinoco_11abg] c:\program files\orinoco\wirelessclient\utility\orinoco.exe
mRun: [TomcatStartup] c:\program files\hewlett-packard\toolbox2.0\hpbpsttp.exe
mRun: [AdobeVersionCue] c:\program files\adobe\adobe version cue\controlpanel\VersionCueTray.exe
mRun: [QCWLIcon] c:\program files\thinkpad\connectutilities\QCWLICON.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [RogersServicepointAgent.exe] "c:\program files\rogers online protection\rogers servicepoint agent\RogersServicepointAgent.exe" /AUTORUN
mRun: [StatusClient] c:\program files\hewlett-packard\toolbox2.0\apache tomcat 4.0\webapps\toolbox\statusclient\StatusClient.exe /auto
mRun: [Ihotaxozaboc] rundll32.exe "c:\windows\ajivivamebopevu.dll",e
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\adobe acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppsc1~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpohmr08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {32505657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45}
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: saphtmlp - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\sapgui\SAPHTMLP.DLL
Handler: sapr3 - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\sapgui\SAPHTMLP.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll

============= SERVICES / DRIVERS ===============

R0 KL1;KL1;c:\windows\system32\drivers\kl1.sys [2009-4-2 112144]
R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [2004-9-8 52136]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2004-9-8 9728]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.SYS [2004-9-8 2295]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2009-4-2 196368]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [2004-9-8 15360]
R2 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [2004-9-8 4225]
R3 Radialpoint Security Services;Rogers Online Protection;c:\program files\rogers online protection\rogers online protection\RpsSecurityAwareR.exe [2009-2-27 97520]
S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [2004-9-8 12288]

=============== Created Last 30 ================

2009-04-26 11:46 25,992 a------- c:\windows\system32\pgdfgsvc.exe
2009-04-26 11:31 81,920 a------- c:\windows\system32\Startup.cpl
2009-04-18 12:19 218 a------- c:\windows\Uzacegobeyeyogom.dat
2009-04-16 20:06 <DIR> --d----- c:\docume~1\royf~1.roy\applic~1\IObit
2009-04-16 20:06 <DIR> --d----- c:\program files\IObit
2009-04-16 13:38 283,648 -------- c:\windows\system32\dllcache\pdh.dll
2009-04-16 13:38 60,416 -------- c:\windows\system32\dllcache\colbact.dll
2009-04-16 13:38 35,328 -------- c:\windows\system32\dllcache\sc.exe
2009-04-16 13:38 399,360 -------- c:\windows\system32\dllcache\rpcss.dll
2009-04-16 13:38 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-04-16 13:38 473,088 -------- c:\windows\system32\dllcache\fastprox.dll
2009-04-16 13:38 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 13:38 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 13:38 616,960 -------- c:\windows\system32\dllcache\advapi32.dll
2009-04-16 13:38 714,752 -------- c:\windows\system32\dllcache\ntdll.dll
2009-04-16 13:36 1,193,414 -------- c:\windows\system32\dllcache\sysmain.sdb
2009-04-16 13:36 215,552 -------- c:\windows\system32\dllcache\wordpad.exe
2009-04-14 17:01 <DIR> --d----- c:\windows\system32\KB905474
2009-04-13 13:32 <DIR> --d----- c:\program files\Trend Micro
2009-04-11 15:20 <DIR> --d----- c:\program files\MSXML 6.0
2009-04-11 15:16 <DIR> --d-hr-- C:\AHCache
2009-04-10 09:06 <DIR> --d----- c:\docume~1\royf~1.roy\applic~1\QUAD Backups
2009-04-10 09:05 <DIR> --d----- c:\program files\QUAD Utilities
2009-04-02 21:00 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2009-04-02 18:14 5,526,560 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-04-02 18:14 107,552 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-04-02 18:14 74,108 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-04-02 18:14 10,748 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-04-02 18:12 112,144 a------- c:\windows\system32\drivers\kl1.sys
2009-04-02 18:11 53,192 a------- c:\windows\system32\drivers\rp_skt32.sys
2009-04-02 18:11 48,384 a------- c:\windows\system32\drivers\rp_pkt32.sys
2009-04-02 18:10 <DIR> --d----- c:\program files\Raxco
2009-04-02 18:04 <DIR> --d----- c:\docume~1\royf~1.roy\applic~1\Rogers Online Protection
2009-04-02 18:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Rogers Online Protection
2009-04-02 18:04 <DIR> --d----- c:\program files\Rogers Online Protection

==================== Find3M ====================

2009-03-21 10:18 986,112 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-06 10:44 283,648 a------- c:\windows\system32\pdh.dll
2009-03-02 19:52 1,495,552 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-02-19 05:58 18,432 -------- c:\windows\system32\dllcache\iedw.exe
2009-02-16 20:46 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-09 06:20 723,456 a------- c:\windows\system32\lsasrv.dll
2009-02-09 06:20 399,360 a------- c:\windows\system32\rpcss.dll
2009-02-09 06:20 723,456 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-02-09 06:20 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 06:20 616,960 a------- c:\windows\system32\advapi32.dll
2009-02-09 06:19 1,846,272 a------- c:\windows\system32\win32k.sys
2009-02-09 06:19 1,846,272 -------- c:\windows\system32\dllcache\win32k.sys
2009-02-06 13:24 2,180,480 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 13:24 2,180,480 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 13:22 2,136,064 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 13:14 110,592 a------- c:\windows\system32\services.exe
2009-02-06 12:54 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 12:49 2,057,728 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 12:49 2,057,728 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-06 12:49 2,015,744 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-03 16:08 55,808 a------- c:\windows\system32\secur32.dll
2009-02-03 16:08 55,808 -------- c:\windows\system32\dllcache\secur32.dll
2006-03-26 17:42 2,375 a------- c:\program files\Microsoft Office Visio 2003.lnk
2005-10-16 04:10 56,064 a------- c:\docume~1\royf~1.roy\applic~1\GDIPFONTCACHEV1.DAT
2005-09-12 20:02 11,853,384 a------- c:\program files\snagit.exe

============= FINISH: 19:19:15.48 ===============


#2 Baabiouz (Finnish Malware Fighter; Members, 3,355 posts; Finland)

Posted 10 May 2009 - 03:55 AM

Hello

Apologies for the delay in response; we get overwhelmed at times, but we are trying our best to keep up.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following below so I can have a look at the current condition of your machine.

Thanks and again sorry for the delay.

Before we can continue, please post a fresh DDS log back here.

#3 davidroyfrench (Topic Starter; Members, 3 posts)

Posted 11 May 2009 - 05:07 PM

Fresh post


DDS (Ver_09-03-16.01) - NTFSx86
Run by RoyF at 18:01:21.21 on Mon 05/11/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.236 [GMT -4:00]

AV: Rogers Online Protection Anti-Virus *On-access scanning enabled* (Updated)
AV: Norton Security Online *On-access scanning disabled* (Updated)
FW: Rogers Online Protection Firewall *enabled*
FW: Norton Security Online *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Rogers Online Protection\Rogers Online Protection\Fws.exe
C:\WINDOWS\system32\S24EvMon.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ORiNOCO\WirelessClient\Utility\orinoco.exe
C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Rogers Online Protection\Rogers Servicepoint Agent\RogersServicepointAgent.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\SNDVOL32.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\YTBSDK.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\RoyF.ROYFLC\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://ca.red.clientapps.yahoo.com/customize/rogers/defaults/sp/*http://www.yahoo.com
mStart Page = hxxp://ca.red.clientapps.yahoo.com/customize/rogers/defaults/*http://rogers.yahoo.com
mSearch Bar = hxxp://ca.red.clientapps.yahoo.com/customize/rogers/defaults/sb/*http://www.yahoo.com/search/ie.html
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: HelperObject Class: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 7\SnagItBHO.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\adobe acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: PopKill Class: {3c060ea2-e6a9-4e49-a530-d4657b8c449a} - c:\program files\rogers online protection\rogers online protection\pkR.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: ST: {9394ede7-c8b5-483e-8773-474bf36af6e4} - c:\program files\msn apps\st\01.03.0000.1005\en-xu\stmain.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar4.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\adobe acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\adobe acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 7\SnagItIEAddin.dll
TB: MSN: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} -
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar4.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
TB: {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\adobe acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TPHOTKEY] c:\progra~1\thinkpad\pkgmgr\hotkey\TPHKMGR.exe
mRun: [BMMLREF] c:\program files\thinkpad\utilities\BMMLREF.EXE
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [TP4EX] tp4ex.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [proxim_orinoco_11abg] c:\program files\orinoco\wirelessclient\utility\orinoco.exe
mRun: [TomcatStartup] c:\program files\hewlett-packard\toolbox2.0\hpbpsttp.exe
mRun: [AdobeVersionCue] c:\program files\adobe\adobe version cue\controlpanel\VersionCueTray.exe
mRun: [QCWLIcon] c:\program files\thinkpad\connectutilities\QCWLICON.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [RogersServicepointAgent.exe] "c:\program files\rogers online protection\rogers servicepoint agent\RogersServicepointAgent.exe" /AUTORUN
mRun: [StatusClient] c:\program files\hewlett-packard\toolbox2.0\apache tomcat 4.0\webapps\toolbox\statusclient\StatusClient.exe /auto
mRun: [Ihotaxozaboc] rundll32.exe "c:\windows\ajivivamebopevu.dll",e
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\adobe acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppsc1~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpohmr08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {32505657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45}
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: saphtmlp - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\sapgui\SAPHTMLP.DLL
Handler: sapr3 - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\sapgui\SAPHTMLP.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll

============= SERVICES / DRIVERS ===============

R0 KL1;KL1;c:\windows\system32\drivers\kl1.sys [2009-4-2 112144]
R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [2004-9-8 52136]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2004-9-8 9728]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.SYS [2004-9-8 2295]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2009-4-2 196368]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [2004-9-8 15360]
R2 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [2004-9-8 4225]
S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [2004-9-8 12288]
S3 Radialpoint Security Services;Rogers Online Protection;c:\program files\rogers online protection\rogers online protection\RpsSecurityAwareR.exe [2009-2-27 97520]

=============== Created Last 30 ================

2009-05-09 21:51 <DIR> --d----- c:\program files\iPod
2009-05-09 21:51 <DIR> --d----- c:\program files\iTunes
2009-05-09 21:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-09 21:42 <DIR> --d----- c:\program files\Bonjour
2009-04-26 11:46 25,992 a------- c:\windows\system32\pgdfgsvc.exe
2009-04-26 11:31 81,920 a------- c:\windows\system32\Startup.cpl
2009-04-18 12:19 218 a------- c:\windows\Uzacegobeyeyogom.dat
2009-04-16 20:06 <DIR> --d----- c:\docume~1\royf~1.roy\applic~1\IObit
2009-04-16 20:06 <DIR> --d----- c:\program files\IObit
2009-04-16 13:38 283,648 -------- c:\windows\system32\dllcache\pdh.dll
2009-04-16 13:38 60,416 -------- c:\windows\system32\dllcache\colbact.dll
2009-04-16 13:38 35,328 -------- c:\windows\system32\dllcache\sc.exe
2009-04-16 13:38 399,360 -------- c:\windows\system32\dllcache\rpcss.dll
2009-04-16 13:38 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-04-16 13:38 473,088 -------- c:\windows\system32\dllcache\fastprox.dll
2009-04-16 13:38 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 13:38 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 13:38 616,960 -------- c:\windows\system32\dllcache\advapi32.dll
2009-04-16 13:38 714,752 -------- c:\windows\system32\dllcache\ntdll.dll
2009-04-16 13:36 1,193,414 -------- c:\windows\system32\dllcache\sysmain.sdb
2009-04-16 13:36 215,552 -------- c:\windows\system32\dllcache\wordpad.exe
2009-04-14 17:01 <DIR> --d----- c:\windows\system32\KB905474
2009-04-13 13:32 <DIR> --d----- c:\program files\Trend Micro

==================== Find3M ====================

2009-05-11 18:01 155,680 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-05-11 17:59 6,942,240 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-05-06 23:12 87,860 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-05-06 23:12 12,644 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-03-21 10:18 986,112 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-19 16:32 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-06 10:44 283,648 a------- c:\windows\system32\pdh.dll
2009-03-02 19:52 1,495,552 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-02-19 05:58 18,432 -------- c:\windows\system32\dllcache\iedw.exe
2009-02-16 20:46 410,984 a------- c:\windows\system32\deploytk.dll
2006-03-26 17:42 2,375 a------- c:\program files\Microsoft Office Visio 2003.lnk
2005-10-16 04:10 56,064 a------- c:\docume~1\royf~1.roy\applic~1\GDIPFONTCACHEV1.DAT
2005-09-12 20:02 11,853,384 a------- c:\program files\snagit.exe

============= FINISH: 18:01:33.28 ===============

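Both DDS logs in this thread carry the same autorun entry, `mRun: [Ihotaxozaboc] rundll32.exe "c:\windows\ajivivamebopevu.dll",e`, and the same `c:\windows\Uzacegobeyeyogom.dat` in the Created Last 30 section; the second log, taken two weeks after the first, shows the entry still in place. The Python below is an added triage example, not part of the thread, of the DDS tool or of the helper's instructions: it parses the Run lines and the Created Last 30 rows of a DDS report and flags the two things an analyst checks by eye here, a DLL loaded through rundll32.exe straight out of the Windows directory rather than from system32 or Program Files, and file or value names made of strictly alternating vowels and consonants, a pronounceable-random pattern that real product names seldom follow. The two heuristics and the length threshold are this example's own assumptions, the input is an excerpt copied from the posted logs, and a hit is a lead to verify against the file on disk, not a verdict.

```python
"""Triage the autorun entries in a DDS log (added example for this thread)."""
import ntpath
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed excerpt of the DDS logs posted above: five Run entries and two
# "Created Last 30" rows copied as they appear there, not the full reports.
SAMPLE_DDS = r"""
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [TP4EX] tp4ex.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [Ihotaxozaboc] rundll32.exe "c:\windows\ajivivamebopevu.dll",e
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
2009-04-26 11:46 25,992 a------- c:\windows\system32\pgdfgsvc.exe
2009-04-18 12:19 218 a------- c:\windows\Uzacegobeyeyogom.dat
"""

RUN_LINE = re.compile(r"^(?P<hive>[um])Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
CREATED_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(?:<DIR>|[\d,]+)\s+[\w-]+\s+(?P<path>.+)$")
WINDOWS_ROOT = re.compile(r"[a-z]:\\windows")  # the directory itself, no subdirectory
VOWELS = set("aeiou")


@dataclass
class RunEntry:
    hive: str              # DDS convention: 'u' = HKCU, 'm' = HKLM
    name: str              # registry value name
    command: str           # raw command line from the log
    image: str             # executable that actually starts
    payload: str = ""      # DLL handed to rundll32.exe, if any
    reasons: List[str] = field(default_factory=list)


def split_command(cmd: str) -> List[str]:
    """Split a Windows command line on unquoted whitespace; quotes are removed,
    everything inside them (backslashes included) is kept verbatim."""
    return [t.replace('"', "") for t in re.findall(r'(?:"[^"]*"|\S)+', cmd)]


def stem(path: str) -> str:
    return ntpath.splitext(ntpath.basename(path))[0]


def looks_generated(word: str, min_len: int = 8) -> bool:
    """Heuristic assumed by this example, not a DDS rule: letters only, at least
    min_len long, strictly alternating vowel/consonant (y counts as a consonant).
    Product names nearly always break the pattern; expect some false positives."""
    w = word.lower()
    if len(w) < min_len or not w.isalpha():
        return False
    classes = [c in VOWELS for c in w]
    return all(a != b for a, b in zip(classes, classes[1:]))


def parse_run_entry(line: str) -> Optional[RunEntry]:
    m = RUN_LINE.match(line.strip())
    if not m:
        return None
    tokens = split_command(m["cmd"])
    if not tokens:
        return None
    entry = RunEntry(m["hive"], m["name"], m["cmd"], tokens[0])
    if ntpath.basename(tokens[0]).lower() == "rundll32.exe" and len(tokens) > 1:
        # rundll32 takes "<dll>,<export>" as its first argument
        entry.payload = tokens[1].rpartition(",")[0] or tokens[1]
    return entry


def score(entry: RunEntry) -> RunEntry:
    """Attach a reason for every heuristic the entry trips; no reasons = benign."""
    if entry.payload and WINDOWS_ROOT.fullmatch(ntpath.dirname(entry.payload.lower())):
        entry.reasons.append("rundll32 loads a DLL sitting directly in the Windows directory")
    if entry.payload and looks_generated(stem(entry.payload)):
        entry.reasons.append(f"DLL name {ntpath.basename(entry.payload)!r} looks machine-generated")
    if looks_generated(entry.name):
        entry.reasons.append(f"run-key name {entry.name!r} looks machine-generated")
    return entry


def flagged(dds_text: str) -> List[RunEntry]:
    """Run entries from a DDS report that trip at least one heuristic."""
    entries = filter(None, map(parse_run_entry, dds_text.splitlines()))
    return [e for e in map(score, entries) if e.reasons]


def generated_files(dds_text: str) -> List[str]:
    """Paths in the 'Created Last 30' section whose file name looks generated."""
    matches = (CREATED_LINE.match(l.strip()) for l in dds_text.splitlines())
    return [m["path"] for m in matches if m and looks_generated(stem(m["path"]))]


if __name__ == "__main__":
    for e in flagged(SAMPLE_DDS):
        print(f"{e.hive}Run [{e.name}] -> {e.command}")
        for reason in e.reasons:
            print("   -", reason)
    for path in generated_files(SAMPLE_DDS):
        print("created file with generated-looking name:", path)
```

Run against the excerpt, only the Ihotaxozaboc entry trips anything (all three reasons), and only Uzacegobeyeyogom.dat is reported from the Created Last 30 rows; the ThinkPad, Synaptics, Apple and HP entries pass untouched. The name heuristic is deliberately strict so it stays quiet on vendor software, which also means a randomly named file with a consonant cluster slips past it; the location check on rundll32 payloads is the more reliable of the two.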
#4 Baabiouz (Finnish Malware Fighter; Members, 3,355 posts; Finland)

Posted 12 May 2009 - 06:34 AM

Hello

Install Recovery Console and Run ComboFix

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • [screenshot of the prompt]
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    [screenshot of the message]
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running, because it may cause it to stall.

#5 Baabiouz (Finnish Malware Fighter; Members, 3,355 posts; Finland)

Posted 18 May 2009 - 07:46 AM

This thread will now be closed.
If you need this topic reopened, please contact me.

This applies only to the original topic starter.
Everyone else please begin a New Topic.