
Win32.Beagle/W32.Bagle


  • This topic is locked
13 replies to this topic

#1 rush242

rush242

  • Members
  • 10 posts
  • OFFLINE
  • Local time:06:24 PM

Posted 13 May 2009 - 10:49 PM

Hey All, I clicked on something. D'oh!

Either way, the computer is running slow, NOD32 did not start, CCleaner won't start, Spybot S&D won't start, and when I tried to start NOD32, I get:

C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe is not a valid win32 application

When I start Firefox, it has to be reset to the default browser each time, and it doesn't open the home page (Google) it just opens a blank page. The F-Secure online scanner will not download the files it needs. That's about all I've found. There's no "strange behavior" per se, other than that noted. I'm using XP SP3.

All of this was posted in "Am I infected? What do I do?" at http://www.bleepingcomputer.com/forums/t/226601/eguiexe-is-not-a-valid-win32-application/ . I used Dr. Web CureIt, which is posted there, and MBAM, which is posted there as well.


And they sent me here. Thank you, in advance!

[EDIT] Cut ATTACH.txt and attach the file instead. Also, NOD32 will still not start and something keeps switching the default browser to MSIE, but Spybot S&D, and CCleaner will start.

DDS.txt:


DDS (Ver_09-05-14.01) - NTFSx86
Run by Rush at 22:26:11.82 on 05/13/09
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1241 [GMT -5:00]

AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\BOINC\boinctray.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\BOINC\boincmgr.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Mozilla Firefox 3 Beta 3\firefox.exe
C:\Documents and Settings\Rush\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://by124w.bay124.mail.live.com/mail/mail.aspx?&ip=10.1.106.222&d=d2151&mf=0&rru=getmsg%3fcurmbox%3d00000000%252d0000%252d0000%252d0000%252d000000000001%26a%3dbea39ab81e4d52be1ef3215e5760daaa5770b8c4782a3a02e0bc1ad804b658a1%26msg%3d6E02D2AF%2dC026%2d4109%2d9EA5%2dAC00FAFCA88E%26start%3d0%26len%3d47587
mWindow Title = Windows Internet Explorer by Rush
mWinlogon: UIHost=c:\documents and settings\all users\application data\tuneup software\tuneup utilities\winstyler\tu_logonui.exe
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: {CB789373-04D5-4EF4-9C16-871463FD0830} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [TPHOTKEY] c:\progra~1\lenovo\pkgmgr\hotkey\TPHKMGR.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [BMMMONWND] rundll32.exe c:\progra~1\thinkpad\utilit~1\BatInfEx.dll,BMMAutonomicMonitor
mRun: [BMMLREF] c:\program files\thinkpad\utilities\BMMLREF.EXE
mRun: [BLOG] rundll32.exe c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [boinctray] "c:\program files\boinc\boinctray.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\boincm~1.lnk - c:\program files\boinc\boincmgr.exe
mPolicies-system: AllowMultipleTSSessions = 1 (0x1)
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} - hxxp://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} - hxxp://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} - hxxp://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - hxxp://zone.msn.com/binframework/v10/StProxy.cab55579.cab
DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} - hxxp://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab64162.cab
TCP: {4AC3DF7D-EDD3-4E9B-AC5B-0D52E7F10764} = 208.67.222.222,208.67.220.220
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: tpfnf2 - notifyf2.dll
Notify: tphotkey - tphklock.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\rush\applic~1\mozilla\firefox\profiles\925q64q7.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\mozilla firefox 3 beta 3\plugins\npmusicn.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.notify.interval - 600000
FF - user.js: content.switch.threshold - 1000000
FF - user.js: nglayout.initialpaint.delay - 600

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-4-28 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-4-28 72944]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [2007-3-8 16384]
R2 BOINC;BOINC;c:\program files\boinc\boinc.exe [2008-8-7 721664]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-4-28 7408]
R3 WSIMD;wsimd Service;c:\windows\system32\drivers\wsimd.sys [2008-3-4 57344]
S1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys --> c:\windows\system32\drivers\epfwtdir.sys [?]
S2 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2008-6-10 468224]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 RTCore32;RTCore32;c:\program files\rmclock\RTCore32.sys [2008-3-11 4608]
S3 wwEngineSvc;wwEngineSvc;c:\program files\webroot\washer\WasherSvc.exe [2007-11-2 598856]
S3 zteusbser;ZTE USB Device for Legacy Serial Communication;c:\windows\system32\drivers\CT_ZTEMT_U_USBSER.sys [2008-9-1 104320]
S4 aawservice;aawservice;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]

============== File Associations ===============

JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1

=============== Created Last 30 ================

2009-05-13 15:37 --d----- c:\documents and settings\rush\DoctorWeb
2009-05-13 10:50 --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-05-13 10:49 --d----- c:\program files\SUPERAntiSpyware
2009-05-13 10:49 --d----- c:\docume~1\rush\applic~1\SUPERAntiSpyware.com
2009-05-13 02:09 a-dshr-- C:\cmdcons
2009-05-13 02:08 161,792 a------- c:\windows\SWREG.exe
2009-05-13 02:08 98,816 a------- c:\windows\sed.exe
2009-04-27 19:58 --d----- c:\docume~1\rush\applic~1\BOM
2009-04-14 19:34 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-04-14 19:34 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-04-14 19:34 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-04-14 19:34 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-04-14 19:34 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-04-14 19:34 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-14 19:33 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-04-14 19:33 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll

==================== Find3M ====================

2009-05-13 01:49 364,629 a------- c:\windows\system32\acs.exe
2009-05-01 00:21 121,559 a------- c:\windows\jgzr.dat
2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-23 21:40 354,560 a------- c:\windows\system32\TuneUpDefragService.exe
2009-03-22 21:56 0 ac--hr-- c:\windows\system32\drivers\IBM_2373_8U0_TP.MRK
2009-03-06 09:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 19:18 826,368 a------- c:\windows\system32\wininet.dll
2009-02-20 13:09 78,336 a------- c:\windows\system32\ieencode.dll
2008-05-15 16:43 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051520080516\index.dat
2008-05-15 19:06 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051620080517\index.dat

============= FINISH: 22:26:49.43 ===============

Attached Files


Edited by rush242, 14 May 2009 - 06:54 PM.


#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,807 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:07:24 PM

Posted 27 May 2009 - 03:47 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. You can find information on A/V control HERE

Orange Blossom :thumbup2:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 rush242

rush242
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:06:24 PM

Posted 27 May 2009 - 04:02 PM

I managed to get the newest NOD32 installed, and it killed a bit more, but I don't know if NOD32 got it all.

Thanks for your help.



DDS (Ver_09-05-14.01) - NTFSx86
Run by Rush at 15:54:15.56 on 05/27/09
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1204 [GMT -5:00]

AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\BOINC\boinctray.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BOINC\boincmgr.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
svchost.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Mozilla Firefox 3.5 Beta 4\firefox.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Trillian\trillian.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\RMClock\RMClock.exe
C:\Program Files\ClocX\ClocX.exe
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Documents and Settings\Rush\Desktop\dds.scr

============== Pseudo HJT Report ===============

uWindow Title = Windows Internet Explorer by Rush
mWindow Title = Windows Internet Explorer by Rush
mWinlogon: UIHost=c:\documents and settings\all users\application data\tuneup software\tuneup utilities\winstyler\tu_logonui.exe
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: {CB789373-04D5-4EF4-9C16-871463FD0830} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ClocX] c:\program files\clocx\ClocX.exe
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [TPHOTKEY] c:\progra~1\lenovo\pkgmgr\hotkey\TPHKMGR.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [BMMMONWND] rundll32.exe c:\progra~1\thinkpad\utilit~1\BatInfEx.dll,BMMAutonomicMonitor
mRun: [BMMLREF] c:\program files\thinkpad\utilities\BMMLREF.EXE
mRun: [BLOG] rundll32.exe c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [boinctray] "c:\program files\boinc\boinctray.exe"
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\boincm~1.lnk - c:\program files\boinc\boincmgr.exe
mPolicies-system: AllowMultipleTSSessions = 1 (0x1)
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} - hxxp://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} - hxxp://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} - hxxp://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - hxxp://zone.msn.com/binframework/v10/StProxy.cab55579.cab
DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} - hxxp://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab64162.cab
TCP: {4AC3DF7D-EDD3-4E9B-AC5B-0D52E7F10764} = 208.67.222.222,208.67.220.220
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: tpfnf2 - notifyf2.dll
Notify: tphotkey - tphklock.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\rush\applic~1\mozilla\firefox\profiles\925q64q7.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - prefs.js: network.proxy.type - 4

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.notify.interval - 600000
FF - user.js: content.switch.threshold - 1000000
FF - user.js: nglayout.initialpaint.delay - 600
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-2-6 106208]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-2-6 93336]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [2007-3-8 16384]
R2 BOINC;BOINC;c:\program files\boinc\boinc.exe [2008-8-7 721664]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-2-6 727720]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2009-5-18 604416]
R3 RTCore32;RTCore32;c:\program files\rmclock\RTCore32.sys [2008-3-11 4608]
R3 WSIMD;wsimd Service;c:\windows\system32\drivers\wsimd.sys [2008-3-4 57344]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 wwEngineSvc;wwEngineSvc;c:\program files\webroot\washer\WasherSvc.exe [2007-11-2 598856]
S3 zteusbser;ZTE USB Device for Legacy Serial Communication;c:\windows\system32\drivers\CT_ZTEMT_U_USBSER.sys [2008-9-1 104320]
S4 aawservice;aawservice;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]

============== File Associations ===============

JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1

=============== Created Last 30 ================

2009-05-26 22:38 <DIR> --d----- c:\program files\ClocX
2009-05-26 15:24 <DIR> --d----- C:\spoolerlogs
2009-05-25 16:18 <DIR> --dsh--- c:\documents and settings\rush\IECompatCache
2009-05-25 16:12 <DIR> --dsh--- c:\documents and settings\rush\IETldCache
2009-05-25 14:34 <DIR> --d----- c:\windows\ie8updates
2009-05-25 14:34 102,400 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-05-25 14:31 <DIR> -cd-h--- c:\windows\ie8
2009-05-25 10:33 361,216 a------- c:\windows\system32\TuneUpDefragService.exe
2009-05-19 00:22 28,928 a------- c:\windows\system32\uxtuneup.dll
2009-05-18 23:28 604,416 a------- c:\windows\system32\TUProgSt.exe
2009-05-18 23:28 <DIR> --d----- c:\program files\TuneUp Utilities 2009
2009-05-18 23:27 <DIR> --dsh--- c:\docume~1\alluse~1\applic~1\{55A29068-F2CE-456C-9148-C869879E2357}
2009-05-17 21:54 1,257,566 a----r-- c:\windows\system32\dsa.dll
2009-05-17 21:54 82,017 a----r-- c:\windows\system32\dsaNac.dll
2009-05-17 21:54 254,023 a------- c:\windows\system32\wsfwDS.dll
2009-05-17 21:54 249,925 a------- c:\windows\system32\wsimd.dll
2009-05-17 21:54 5,361 a------- c:\windows\system32\wsimdp.inf
2009-05-17 21:54 100,996 a------- c:\windows\system32\net5211.inf
2009-05-17 21:54 57,344 a------- c:\windows\system32\wsimd.sys
2009-05-17 21:54 2,179 a------- c:\windows\system32\wsimd.inf
2009-05-17 20:52 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-17 20:52 73,728 a------- c:\windows\system32\javacpl.cpl
2009-05-17 20:46 <DIR> --d----- c:\program files\Mozilla Firefox 3.5 Beta 4
2009-05-13 15:37 <DIR> --d----- c:\documents and settings\rush\DoctorWeb
2009-05-13 10:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-05-13 10:49 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-05-13 10:49 <DIR> --d----- c:\docume~1\rush\applic~1\SUPERAntiSpyware.com
2009-05-13 02:09 <DIR> a-dshr-- C:\cmdcons
2009-05-13 02:08 161,792 a------- c:\windows\SWREG.exe
2009-05-13 02:08 98,816 a------- c:\windows\sed.exe
2009-04-27 19:58 <DIR> --d----- c:\docume~1\rush\applic~1\BOM

==================== Find3M ====================

2009-05-26 13:20 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 13:19 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-01 00:21 121,559 a------- c:\windows\jgzr.dat
2009-03-08 04:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 04:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 04:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\admparse.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 04:31 34,816 a------- c:\windows\system32\imgutil.dll
2009-03-08 04:31 48,128 a------- c:\windows\system32\mshtmler.dll
2009-03-08 04:31 45,568 a------- c:\windows\system32\mshta.exe
2009-03-08 04:22 156,160 a------- c:\windows\system32\msls31.dll
2009-03-06 09:22 284,160 a------- c:\windows\system32\pdh.dll
2008-05-15 16:43 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051520080516\index.dat
2008-05-15 19:06 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051620080517\index.dat

============= FINISH: 15:54:52.72 ===============

Attached Files



#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,689 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:24 AM

Posted 28 May 2009 - 10:38 AM

Hi rush242,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.

We are going to repair some broken file associations and run ComboFix. Please make sure you rename ComboFix before saving it to the desktop.
  • Go to start > Run. Copy and paste the following line in the run box and click OK.

    cmd /c (assoc.JSE=JSEFile & assoc.VBE=VBEFile & assoc.vbs=VBSFile)

    A window flashes. It is normal.

  • Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

    Link 1
    Link 2
    Link 3

    Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Information on A/V control HERE)

    Double click on Combo-Fix.exe & follow the prompts. When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.
Note:
Do not mouse-click ComboFix's window while it's running; that may cause it to stall.
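
The `assoc` line above only resets the extension-to-type mapping (`.vbs` -> `VBSFile`); the type's own open command (`ftype`) can still point at Notepad, which is exactly what the ComboFix output in the next post lists ("JSEFile=NOTEPAD.EXE %1"). The following is an added example, not part of this post or of any tool named in the thread: it reads the text printed by the cmd.exe built-ins `assoc` and `ftype`, flags every script type whose handler is not the Windows Script Host, and emits both the `assoc` and the `ftype` lines that restore it (the thread repairs the `ftype` side with SREng in a later post). The expected type names and the WScript open command are assumptions taken from Windows XP defaults; the `assoc`/`ftype` sample text is constructed to mirror the hijacked state.

```python
"""Audit script file associations from `assoc` / `ftype` output.

Added example, not from the forum thread or from ComboFix/SREng. Paste the
output of `assoc` and `ftype` (cmd.exe built-ins) into the two samples, or
read them from files, and the audit reports which script types no longer
open with the Windows Script Host. Expected values are XP defaults
(assumption); verify them against a known-clean machine before relying on them.
"""
import re

# Extension -> file type name as shipped with Windows XP (assumption).
SCRIPT_TYPES = {".vbs": "VBSFile", ".vbe": "VBEFile", ".jse": "JSEFile", ".js": "JSFile"}

# Default "open" command for all four types on XP (assumption).
WSH_COMMAND = r'%SystemRoot%\System32\WScript.exe "%1" %*'

# Executables that legitimately host these script types.
LEGIT_HOSTS = {"wscript.exe", "cscript.exe"}

# Constructed sample of a hijacked system: three script types open in Notepad,
# .js is still intact, .txt is a harmless non-script type.
ASSOC_SAMPLE = """\
.js=JSFile
.jse=JSEFile
.txt=txtfile
.vbe=VBEFile
.vbs=VBSFile
"""
FTYPE_SAMPLE = r"""
JSEFile=NOTEPAD.EXE %1
JSFile=%SystemRoot%\System32\WScript.exe "%1" %*
txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
"""


def parse_assignments(text):
    """Parse NAME=VALUE lines; both `assoc` and `ftype` print this shape."""
    pairs = {}
    for line in text.splitlines():
        if "=" in line:
            name, value = line.split("=", 1)
            pairs[name.strip().lower()] = value.strip()  # names are case-insensitive
    return pairs


def handler_exe(command):
    """Lower-case executable name from an open command, quoted or not."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', command)
    if not m:
        return ""
    path = m.group(1) or m.group(2)
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def audit(assoc_text, ftype_text):
    """Return {extension: reason} for each script extension that is broken."""
    assoc = parse_assignments(assoc_text)
    ftype = parse_assignments(ftype_text)
    problems = {}
    for ext, expected_type in SCRIPT_TYPES.items():
        actual_type = assoc.get(ext)
        if actual_type is None:
            problems[ext] = "no association"
        elif actual_type.lower() != expected_type.lower():
            problems[ext] = f"maps to {actual_type}, expected {expected_type}"
        elif actual_type.lower() not in ftype:
            problems[ext] = f"{expected_type} has no open command"
        elif handler_exe(ftype[actual_type.lower()]) not in LEGIT_HOSTS:
            problems[ext] = f"opens with {handler_exe(ftype[actual_type.lower()])}"
    return problems


def repair_commands(problems):
    """cmd.exe lines that put the broken extensions back to the XP defaults."""
    lines = []
    for ext in sorted(problems):
        file_type = SCRIPT_TYPES[ext]
        lines.append(f"assoc {ext}={file_type}")
        lines.append(f"ftype {file_type}={WSH_COMMAND}")
    return lines


if __name__ == "__main__":
    found = audit(ASSOC_SAMPLE, FTYPE_SAMPLE)
    for ext, reason in sorted(found.items()):
        print(f"{ext}: {reason}")
    print("\n".join(repair_commands(found)))
```

On the sample the audit flags `.jse`, `.vbe` and `.vbs` as opening with `notepad.exe` and leaves `.js` alone; the generated `ftype` lines are what restores script execution once the `assoc` step has been done.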



#5 rush242
  • Topic Starter
  • Members
  • 10 posts

Posted 28 May 2009 - 11:45 AM

Thank you for your help. I do appreciate it!

ComboFix log:

ComboFix 09-05-26.05 - Rush 05/28/09 11:21.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1166 [GMT -5:00]
Running from: c:\documents and settings\Rush\Desktop\Combo-Fix.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\msvci70c.dll

.
((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-28 )))))))))))))))))))))))))))))))
.

2009-05-28 14:28 . 2009-05-28 14:28 94 ----a-w c:\documents and settings\All Users\Application Data\BOINC\slots\2\wrapper_5.19_windows_intelx86.exe
2009-05-28 14:28 . 2009-05-28 14:28 93 ----a-w c:\documents and settings\All Users\Application Data\BOINC\slots\2\enigma2_0.76_windows_intelx86.exe
2009-05-28 13:15 . 2009-05-28 13:15 82 ----a-w c:\documents and settings\All Users\Application Data\BOINC\slots\0\AK_v8_win_SSE2.exe
2009-05-27 03:38 . 2009-05-27 03:38 -------- d-----w c:\program files\ClocX
2009-05-27 03:07 . 2009-05-27 03:07 3371383 ----a-w c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-05-26 20:24 . 2009-05-26 20:24 -------- d-----w C:\spoolerlogs
2009-05-26 15:12 . 2009-05-26 15:12 94 ----a-w c:\documents and settings\All Users\Application Data\BOINC\slots\1\libfftw3f-3-1-1a_upx.dll
2009-05-26 15:12 . 2009-05-26 15:12 106 ----a-w c:\documents and settings\All Users\Application Data\BOINC\slots\1\setiathome_6.03_windows_intelx86.exe
2009-05-25 21:18 . 2009-05-25 21:18 -------- d-sh--w c:\documents and settings\Rush\IECompatCache
2009-05-25 21:12 . 2009-05-25 21:12 -------- d-sh--w c:\documents and settings\Rush\IETldCache
2009-05-25 19:34 . 2009-05-25 19:34 -------- d-----w c:\windows\ie8updates
2009-05-25 19:34 . 2009-04-25 05:30 102400 -c----w c:\windows\system32\dllcache\iecompat.dll
2009-05-25 19:31 . 2009-05-25 19:33 -------- dc-h--w c:\windows\ie8
2009-05-25 15:33 . 2009-05-25 15:33 361216 ----a-w c:\windows\system32\TuneUpDefragService.exe
2009-05-19 05:22 . 2009-04-27 19:21 28928 ----a-w c:\windows\system32\uxtuneup.dll
2009-05-19 04:28 . 2009-05-19 04:28 604416 ----a-w c:\windows\system32\TUProgSt.exe
2009-05-19 04:28 . 2009-05-19 04:42 -------- d-----w c:\program files\TuneUp Utilities 2009
2009-05-19 04:27 . 2009-05-19 04:27 -------- d-sh--w c:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
2009-05-18 02:54 . 2007-03-21 18:46 249925 ----a-w c:\windows\system32\wsimd.dll
2009-05-18 02:54 . 2007-03-21 18:46 254023 ----a-w c:\windows\system32\wsfwDS.dll
2009-05-18 02:54 . 2007-03-21 18:33 82017 ----a-r c:\windows\system32\dsaNac.dll
2009-05-18 02:54 . 2007-03-21 18:33 1257566 ----a-r c:\windows\system32\dsa.dll
2009-05-18 02:54 . 2007-07-03 23:46 57344 ----a-w c:\windows\system32\wsimd.sys
2009-05-18 01:52 . 2009-05-18 01:52 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-18 01:52 . 2009-05-18 01:52 -------- d-----w c:\program files\Java
2009-05-18 01:46 . 2009-05-27 20:46 -------- d-----w c:\program files\Mozilla Firefox 3.5 Beta 4
2009-05-13 20:37 . 2009-05-13 20:43 -------- d-----w c:\documents and settings\Rush\DoctorWeb
2009-05-13 15:50 . 2009-05-13 15:50 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-13 15:49 . 2009-05-18 03:07 -------- d-----w c:\program files\SUPERAntiSpyware
2009-05-13 15:49 . 2009-05-18 03:07 -------- d-----w c:\documents and settings\Rush\Application Data\SUPERAntiSpyware.com
2009-05-13 13:02 . 2009-05-13 13:02 -------- d-----w c:\documents and settings\Jen

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-28 15:14 . 2008-08-11 14:04 -------- d-----w c:\documents and settings\All Users\Application Data\BOINC
2009-05-27 19:04 . 2008-06-18 22:23 -------- d-----w c:\program files\Mozilla Thunderbird
2009-05-27 03:07 . 2008-08-08 20:02 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-27 00:24 . 2008-12-01 21:35 -------- d-----w c:\program files\Trillian
2009-05-26 22:27 . 2009-03-24 04:31 1363968 ----a-w c:\documents and settings\NetworkService\NTUSER.DAT.tmp
2009-05-26 22:26 . 2009-05-26 22:26 1363968 ----a-w c:\documents and settings\LocalService\NTUSER.DAT.tmp
2009-05-26 18:20 . 2008-08-08 20:02 40160 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 18:19 . 2008-08-08 20:02 19096 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-26 04:27 . 2009-04-28 00:58 -------- d-----w c:\documents and settings\Rush\Application Data\BOM
2009-05-19 05:01 . 2009-03-24 04:05 -------- d-----w c:\program files\jv16 PowerTools 2009
2009-05-18 17:29 . 2009-03-24 04:05 228 ----a-w c:\windows\system32\edacded0_x.dat
2009-05-18 03:42 . 2008-02-13 10:03 -------- d-----w c:\program files\Mozilla Firefox 3 Beta 3
2009-05-18 02:41 . 2008-08-08 19:57 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-05-18 00:04 . 2007-11-21 01:18 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-15 03:01 . 2008-02-07 15:27 -------- d-----w c:\program files\ABC Amber LIT Converter
2009-05-15 02:11 . 2008-08-08 19:56 -------- d-----w c:\program files\SpywareBlaster
2009-05-13 08:03 . 2007-09-27 15:52 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-05-13 07:14 . 2008-03-11 10:29 -------- d-----w c:\program files\RMClock
2009-05-05 03:29 . 2007-03-09 04:42 72792 -c--a-w c:\documents and settings\Rush\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-01 05:28 . 2009-01-02 01:16 -------- d-----w c:\documents and settings\All Users\Application Data\Examsoft
2009-05-01 05:21 . 2009-01-02 01:16 121559 ----a-w c:\windows\jgzr.dat
2009-04-18 04:07 . 2009-01-13 00:18 -------- d-----w c:\documents and settings\Rush\Application Data\GoodSync
2009-04-06 18:59 . 2008-09-30 23:51 -------- d-----w c:\program files\Hewlett-Packard
2009-03-24 02:57 . 2009-03-24 02:57 1536000 ----a-w c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\181414-18154.dll
2009-03-24 02:57 . 2009-01-28 20:03 242976 ----a-w c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\QWPATCH.EXE
2009-03-21 17:56 . 2009-03-21 17:55 294912 ----a-w c:\documents and settings\All Users\Application Data\BOINC\projects\setiweb.ssl.berkeley.edu_beta\ap_graphics_5.04_windows_intelx86.exe
2009-03-21 17:56 . 2009-03-21 17:55 479232 ----a-w c:\documents and settings\All Users\Application Data\BOINC\projects\setiweb.ssl.berkeley.edu_beta\astropulse_5.04_windows_intelx86.exe
2009-03-08 09:34 . 2006-02-28 12:00 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 09:34 . 2006-02-28 12:00 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 09:33 . 2006-02-28 12:00 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 09:33 . 2006-02-28 12:00 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 09:32 . 2006-02-28 12:00 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 09:32 . 2006-02-28 12:00 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 09:31 . 2006-02-28 12:00 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 09:31 . 2006-02-28 12:00 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 09:31 . 2006-02-28 12:00 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 09:22 . 2006-02-28 12:00 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 14:22 . 2006-02-28 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-05 18:10 . 2009-03-05 18:10 167936 ----a-w c:\documents and settings\Rush\Application Data\Thinstall\Portable - WinZip Professional v11.1.7466\1000000b00002i\verclsid.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"ClocX"="c:\program files\ClocX\ClocX.exe" [2007-07-26 270336]
"RMClock"="c:\program files\RMClock\RMClockLauncher.exe" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2007-01-09 868352]
"TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-10-02 94208]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-06-24 126976]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-06-24 561152]
"BMMMONWND"="c:\progra~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2005-04-20 396288]
"BMMLREF"="c:\program files\ThinkPad\Utilities\BMMLREF.EXE" [2005-04-20 20480]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-04-20 208896]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]
"boinctray"="c:\program files\BOINC\boinctray.exe" [2008-08-07 58112]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-02-06 2021400]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-18 148888]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2003-06-27 88363]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BOINC Manager.lnk - c:\program files\BOINC\boincmgr.exe [2008-8-7 4190976]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"AllowMultipleTSSessions"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\documents and settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\WinStyler\tu_logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-05 23:45 28672 ----a-w c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-12-01 00:16 24576 ----a-w c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0smrgdf c:\documents and settings\Rush\Application Data\iolo\

[HKLM\~\startupfolder\C:^Documents and Settings^Rush^Start Menu^Programs^Startup^BOINC Manager.lnk]
backup=c:\windows\pss\BOINC Manager.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BOINC\\boinc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Documents and Settings\\Rush\\Desktop\\Downloads\\BOINC\\Boinc_6.1.0.32_v5_release_x86\\boinc.exe"=
"c:\\Program Files\\ExamSoft\\SofTest\\SoftLnch.exe"= c:\\Program Files\\ExamSoft\\SoftLnch.exe
"c:\\Program Files\\ExamSoft\\SofTest\\softest.exe"= c:\\Program Files\\ExamSoft\\SofTest.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [02/06/09 14:23 106208]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [02/06/09 14:24 93336]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [03/08/07 23:53 16384]
R2 BOINC;BOINC;c:\program files\BOINC\boinc.exe [08/07/08 08:07 721664]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [02/06/09 14:23 727720]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [05/18/09 23:28 604416]
R3 WSIMD;wsimd Service;c:\windows\system32\drivers\wsimd.sys [03/04/08 04:43 57344]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/06/07 15:22 34064]
S3 wwEngineSvc;wwEngineSvc;c:\program files\Webroot\Washer\WasherSvc.exe [11/02/07 15:18 598856]
S3 zteusbser;ZTE USB Device for Legacy Serial Communication;c:\windows\system32\drivers\CT_ZTEMT_U_USBSER.sys [09/01/08 16:41 104320]

--- Other Services/Drivers In Memory ---

*Deregistered* - RTCore32

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-05-28 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2009-04-27 20:37]

2009-05-28 c:\windows\Tasks\BMMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2007-03-09 06:38]

2009-05-18 c:\windows\Tasks\Defraggler Volume C Task.job
- c:\program files\Defraggler\df.exe [2009-03-13 13:37]
.
- - - - ORPHANS REMOVED - - - -

HKLM-RunOnce-<NO NAME> - (no file)
SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
mWindow Title = Windows Internet Explorer by Rush
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {4AC3DF7D-EDD3-4E9B-AC5B-0D52E7F10764} = 208.67.222.222,208.67.220.220
FF - ProfilePath - c:\documents and settings\Rush\Application Data\Mozilla\Firefox\Profiles\925q64q7.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - prefs.js: network.proxy.type - 4

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.notify.interval - 600000
FF - user.js: content.switch.threshold - 1000000
FF - user.js: nglayout.initialpaint.delay - 600
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-28 11:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1715567821-1580436667-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{344E8A93-642D-7A72-BB71-7894350FE682}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"abonigcihofdicienjnfkmfdoalnffgnoj"=hex:65,62,6f,6e,6c,65,6a,61,67,70,62,69,
6b,6a,61,67,6f,6b,6b,66,68,64,65,67,62,6d,6c,70,61,6b,6f,66,6f,6a,69,67,6e,\
"bbonigcihofdicienjgghmhenplcjdcnhcah"=hex:61,62,6a,64,6c,66,66,69,69,66,69,64,
70,66,6f,66,64,68,6e,6b,66,61,65,64,6b,63,68,6f,70,63,69,6a,6e,70,00,67

[HKEY_USERS\S-1-5-21-1715567821-1580436667-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{87E61901-2CE9-3B5C-9106-BFD8CF378B69}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"abpcdlagpmannjaanncdklbihjhbflnbeg"=hex:61,62,6e,66,62,6c,6c,61,6d,6c,69,67,
62,6e,69,67,70,6b,66,6e,62,68,65,70,69,70,62,64,66,6e,6e,6e,68,68,00,77
"bbpcdlagpmannjaannjplcbebbefdihekhhj"=hex:61,62,69,66,70,6d,66,6c,67,64,6d,64,
6a,67,6b,6f,6e,68,63,67,69,65,6d,70,63,6f,62,67,6a,65,67,61,6f,6f,00,77

[HKEY_LOCAL_MACHINE\software\ESET\ESET Security\CurrentVersion\Info]
@Denied: (3) (LocalSystem)
"AppDataDir"="c:\\Documents and Settings\\All Users\\Application Data\\ESET\\ESET NOD32 Antivirus\\"
"DataDir"="ESET\\ESET NOD32 Antivirus\\"
"EditionName"=" "
"InstallDir"="c:\\Program Files\\ESET\\ESET NOD32 Antivirus\\"
"LanguageId"=dword:00000409
"ProductBase"=dword:00000000
"ProductCode"="{2204AF25-80E5-468E-B46D-795685B35DEB}"
"ProductName"="ESET NOD32 Antivirus"
"ProductType"="eav"
"ProductVersion"="3.0.667.0"
"UniqueId"="00125FC148999535"
"ScannerBuild"=dword:00000bcb
"ScannerVersionId"=dword:00000c78
"ScannerVersion"=""
"FixId"=dword:00000001
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(504)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\tphklock.dll
.
Completion time: 2009-05-28 11:25
ComboFix-quarantined-files.txt 2009-05-28 16:25
ComboFix2.txt 2009-05-13 13:02
ComboFix3.txt 2009-05-13 07:22
ComboFix4.txt 2008-08-08 15:35

Pre-Run: 128,675,631,104 bytes free
Post-Run: 128,671,424,512 bytes free

278 --- E O F --- 2009-05-25 19:35



HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:31:35, on 05/28/09
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\BOINC\boinctray.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BOINC\boincmgr.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Trillian\trillian.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox 3.5 Beta 4\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [boinctray] "C:\Program Files\BOINC\boinctray.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [GrpConv] grpconv -o
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ClocX] C:\Program Files\ClocX\ClocX.exe
O4 - HKCU\..\Run: [RMClock] "C:\Program Files\RMClock\RMClockLauncher.exe"
O4 - Global Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (MSN Games Backgammon) - http://zone.msn.com/bingame/zpagames/ZPA_B...on.cab64162.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4AC3DF7D-EDD3-4E9B-AC5B-0D52E7F10764}: NameServer = 208.67.222.222,208.67.220.220
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Unknown owner - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (file missing)
O23 - Service: Atheros Configuration Service (acs) - Atheros - C:\WINDOWS\system32\acs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BOINC - Space Sciences Laboratory - C:\Program Files\BOINC\boinc.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NsEngine - NovaStor Corporation - C:\Program Files\NovaStor\NovaBACKUP\NSENGINE.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\drivers\psasrv.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SoundMAX Agent Service (default) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: tvtnetwk - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
O23 - Service: wwEngineSvc - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 10488 bytes
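
The LOCKED REGISTRY KEYS section of the ComboFix log above prints the two shell-extension keys (and the ESET key) in REGEDIT4 syntax, with the binary values as comma-separated hex wrapped over continuation lines. Below is an added example, not part of this post, of ComboFix, or of the helper's procedure: a parser that rebuilds those values as bytes and renders them so an analyst can see what the blobs contain before the keys are nulled and deleted, which is what the CFScript in the next post does. The sample text is copied from the log above (the first key's first value is cut off in the log, so the sample uses the second key, whose two values are complete, plus three values from the ESET key); the parser accepts a trailing comma or comma-backslash as the continuation marker because the forum stripped some backslashes.

```python
"""Decode the LOCKED REGISTRY KEYS section of a ComboFix log.

Added example, not from the forum thread or from ComboFix. ComboFix prints
locked keys in REGEDIT4 syntax; binary values appear as comma-separated hex
that wraps onto continuation lines. This parser rebuilds each value and
renders it so the analyst can see whether a blob is text, a path or filler.
"""
import re

VALUE_LINE = re.compile(r'^"(?P<name>[^"]*)"=(?P<rest>.*)$')

# Sample copied from the ComboFix log above: one shell-extension key with its
# two complete hex values, plus the ESET key with string and dword values.
SAMPLE_LOG = r'''
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1715567821-1580436667-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{87E61901-2CE9-3B5C-9106-BFD8CF378B69}*]
@Allowed: (Read) (RestrictedCode)
"abpcdlagpmannjaanncdklbihjhbflnbeg"=hex:61,62,6e,66,62,6c,6c,61,6d,6c,69,67,
62,6e,69,67,70,6b,66,6e,62,68,65,70,69,70,62,64,66,6e,6e,6e,68,68,00,77
"bbpcdlagpmannjaannjplcbebbefdihekhhj"=hex:61,62,69,66,70,6d,66,6c,67,64,6d,64,
6a,67,6b,6f,6e,68,63,67,69,65,6d,70,63,6f,62,67,6a,65,67,61,6f,6f,00,77

[HKEY_LOCAL_MACHINE\software\ESET\ESET Security\CurrentVersion\Info]
@Denied: (3) (LocalSystem)
"InstallDir"="c:\\Program Files\\ESET\\ESET NOD32 Antivirus\\"
"LanguageId"=dword:00000409
"ProductVersion"="3.0.667.0"
'''

SHELLEXT_KEY = (r"HKEY_USERS\S-1-5-21-1715567821-1580436667-854245398-1003\Software"
                r"\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved"
                r"\{87E61901-2CE9-3B5C-9106-BFD8CF378B69}*")
ESET_KEY = r"HKEY_LOCAL_MACHINE\software\ESET\ESET Security\CurrentVersion\Info"


def _continues(line):
    """True when a hex value spills onto the next line (trailing ',' or ',\\')."""
    return line.rstrip().endswith(("\\", ","))


def _hex_bytes(chunks):
    return bytes(int(h, 16) for h in chunks if h.strip())


def _unescape(s):
    """REGEDIT4 doubles backslashes inside quoted strings."""
    return s.replace("\\\\", "\\")


def parse_locked_keys(text):
    """Return {key_path: {"acl": [ACL lines], "values": {name: bytes|str|int}}}."""
    keys = {}
    current = None        # key path currently being filled
    pending = None        # (value name, hex chunks) while a hex value wraps

    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:
            name, chunks = pending
            chunks.extend(line.rstrip("\\").split(","))
            if not _continues(line):
                keys[current]["values"][name] = _hex_bytes(chunks)
                pending = None
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {"acl": [], "values": {}}
        elif current is None:
            continue                       # section banner or text before the first key
        elif line.startswith("@"):
            keys[current]["acl"].append(line)   # @Allowed / @Denied lines
        else:
            m = VALUE_LINE.match(line)
            if not m:
                continue
            name, rest = m.group("name"), m.group("rest")
            if rest.startswith("hex:"):
                chunks = rest[4:].rstrip("\\").split(",")
                if _continues(rest):
                    pending = (name, chunks)
                else:
                    keys[current]["values"][name] = _hex_bytes(chunks)
            elif rest.startswith("dword:"):
                keys[current]["values"][name] = int(rest[6:], 16)
            elif len(rest) >= 2 and rest[0] == rest[-1] == '"':
                keys[current]["values"][name] = _unescape(rest[1:-1])
    if pending is not None:                # log cut off mid-value; keep what we have
        keys[current]["values"][pending[0]] = _hex_bytes(pending[1])
    return keys


def render(data):
    """Show bytes as text, escaping anything outside printable ASCII as \\xNN."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else f"\\x{b:02x}" for b in data)


if __name__ == "__main__":
    for path, entry in parse_locked_keys(SAMPLE_LOG).items():
        print(path)
        for acl in entry["acl"]:
            print("  ", acl)
        for name, value in entry["values"].items():
            shown = render(value) if isinstance(value, bytes) else value
            print(f"   {name} = {shown!r}")
```

Run as-is, it shows that each 36-byte blob is a run of lowercase letters followed by a NUL and one trailing byte, and that the value names are built the same way; that is as far as the log supports going, and it is the information one wants on record before the keys are deleted with RegLockDel.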

#6 Farbar
  • Security Developer
  • 21,689 posts
  • Location: The Netherlands

Posted 28 May 2009 - 03:09 PM

Well done. :thumbup2:
  • Download System Repair Engineer (SREng2.zip) from http://www.kztechs.com/eng/download.html
    • Extract it to Desktop and double click SREngLdr.EXE to run it
    • Select System Repair from the left pane.
    • Click on File Association
    • Select all entries that have an Error status and click [Repair]
    • Refer to this image for an example:

      Posted Image
    • Close SREng now.
  • Close any open browsers.

    Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

    REGNULL::
    [HKEY_USERS\S-1-5-21-1715567821-1580436667-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{344E8A93-642D-7A72-BB71-7894350FE682}*]
    [HKEY_USERS\S-1-5-21-1715567821-1580436667-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{87E61901-2CE9-3B5C-9106-BFD8CF378B69}*]
    RegLockDel::
    [HKEY_USERS\S-1-5-21-1715567821-1580436667-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{344E8A93-642D-7A72-BB71-7894350FE682}]
    [HKEY_USERS\S-1-5-21-1715567821-1580436667-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{87E61901-2CE9-3B5C-9106-BFD8CF378B69}] 
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "GrpConv"=-
    Reglock::
    [HKEY_LOCAL_MACHINE\software\ESET\ESET Security\CurrentVersion\Info]

    Save this as CFScript.txt, in the same location as ComboFix.exe


    Posted Image

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you ( "C:\ComboFix.txt"). Please copy and paste the log to your reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


  • Tell me how your computer is running.


#7 rush242
  • Topic Starter
  • Members
  • 10 posts

Posted 28 May 2009 - 04:15 PM

Thank you again. Below is the updated combofix log after dragging and dropping CFScript.txt onto it.

I'll reboot the computer and follow up in a bit.



ComboFix 09-05-28.01 - Rush 05/28/09 16:01.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1351 [GMT -5:00]
Running from: c:\documents and settings\Rush\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Rush\Desktop\CFScript.txt
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.

((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-28 )))))))))))))))))))))))))))))))
.

2009-05-28 19:53 . 2009-05-28 19:53 94 ----a-w c:\documents and settings\All Users\Application Data\BOINC\slots\2\wrapper_5.19_windows_intelx86.exe
2009-05-28 19:53 . 2009-05-28 19:53 93 ----a-w c:\documents and settings\All Users\Application Data\BOINC\slots\2\enigma2_0.76_windows_intelx86.exe
2009-05-28 16:31 . 2009-05-28 16:31 -------- d-sh--w c:\documents and settings\Rush\PrivacIE
2009-05-28 16:30 . 2009-05-28 16:30 -------- d-----w c:\program files\Trend Micro
2009-05-28 13:15 . 2009-05-28 13:15 82 ----a-w c:\documents and settings\All Users\Application Data\BOINC\slots\0\AK_v8_win_SSE2.exe
2009-05-27 03:38 . 2009-05-27 03:38 -------- d-----w c:\program files\ClocX
2009-05-27 03:07 . 2009-05-27 03:07 3371383 ----a-w c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-05-26 20:24 . 2009-05-26 20:24 -------- d-----w C:\spoolerlogs
2009-05-26 15:12 . 2009-05-26 15:12 94 ----a-w c:\documents and settings\All Users\Application Data\BOINC\slots\1\libfftw3f-3-1-1a_upx.dll
2009-05-26 15:12 . 2009-05-26 15:12 106 ----a-w c:\documents and settings\All Users\Application Data\BOINC\slots\1\setiathome_6.03_windows_intelx86.exe
2009-05-25 21:18 . 2009-05-25 21:18 -------- d-sh--w c:\documents and settings\Rush\IECompatCache
2009-05-25 21:12 . 2009-05-25 21:12 -------- d-sh--w c:\documents and settings\Rush\IETldCache
2009-05-25 19:34 . 2009-05-25 19:34 -------- d-----w c:\windows\ie8updates
2009-05-25 19:34 . 2009-04-25 05:30 102400 -c----w c:\windows\system32\dllcache\iecompat.dll
2009-05-25 19:31 . 2009-05-25 19:33 -------- dc-h--w c:\windows\ie8
2009-05-25 15:33 . 2009-05-25 15:33 361216 ----a-w c:\windows\system32\TuneUpDefragService.exe
2009-05-19 05:22 . 2009-04-27 19:21 28928 ----a-w c:\windows\system32\uxtuneup.dll
2009-05-19 04:28 . 2009-05-19 04:28 604416 ----a-w c:\windows\system32\TUProgSt.exe
2009-05-19 04:28 . 2009-05-19 04:42 -------- d-----w c:\program files\TuneUp Utilities 2009
2009-05-19 04:27 . 2009-05-19 04:27 -------- d-sh--w c:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
2009-05-18 02:54 . 2007-03-21 18:46 249925 ----a-w c:\windows\system32\wsimd.dll
2009-05-18 02:54 . 2007-03-21 18:46 254023 ----a-w c:\windows\system32\wsfwDS.dll
2009-05-18 02:54 . 2007-03-21 18:33 82017 ----a-r c:\windows\system32\dsaNac.dll
2009-05-18 02:54 . 2007-03-21 18:33 1257566 ----a-r c:\windows\system32\dsa.dll
2009-05-18 02:54 . 2007-07-03 23:46 57344 ----a-w c:\windows\system32\wsimd.sys
2009-05-18 01:52 . 2009-05-18 01:52 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-18 01:52 . 2009-05-18 01:52 -------- d-----w c:\program files\Java
2009-05-18 01:46 . 2009-05-28 16:27 -------- d-----w c:\program files\Mozilla Firefox 3.5 Beta 4
2009-05-13 20:37 . 2009-05-13 20:43 -------- d-----w c:\documents and settings\Rush\DoctorWeb
2009-05-13 15:50 . 2009-05-13 15:50 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-13 15:49 . 2009-05-18 03:07 -------- d-----w c:\program files\SUPERAntiSpyware
2009-05-13 15:49 . 2009-05-18 03:07 -------- d-----w c:\documents and settings\Rush\Application Data\SUPERAntiSpyware.com
2009-05-13 13:02 . 2009-05-13 13:02 -------- d-----w c:\documents and settings\Jen

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-28 20:36 . 2008-08-11 14:04 -------- d-----w c:\documents and settings\All Users\Application Data\BOINC
2009-05-28 19:14 . 2008-06-18 22:23 -------- d-----w c:\program files\Mozilla Thunderbird
2009-05-27 03:07 . 2008-08-08 20:02 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-27 00:24 . 2008-12-01 21:35 -------- d-----w c:\program files\Trillian
2009-05-26 22:27 . 2009-03-24 04:31 1363968 ----a-w c:\documents and settings\NetworkService\NTUSER.DAT.tmp
2009-05-26 22:26 . 2009-05-26 22:26 1363968 ----a-w c:\documents and settings\LocalService\NTUSER.DAT.tmp
2009-05-26 18:20 . 2008-08-08 20:02 40160 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 18:19 . 2008-08-08 20:02 19096 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-26 04:27 . 2009-04-28 00:58 -------- d-----w c:\documents and settings\Rush\Application Data\BOM
2009-05-19 05:01 . 2009-03-24 04:05 -------- d-----w c:\program files\jv16 PowerTools 2009
2009-05-18 17:29 . 2009-03-24 04:05 228 ----a-w c:\windows\system32\edacded0_x.dat
2009-05-18 03:42 . 2008-02-13 10:03 -------- d-----w c:\program files\Mozilla Firefox 3 Beta 3
2009-05-18 02:41 . 2008-08-08 19:57 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-05-18 00:04 . 2007-11-21 01:18 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-15 03:01 . 2008-02-07 15:27 -------- d-----w c:\program files\ABC Amber LIT Converter
2009-05-15 02:11 . 2008-08-08 19:56 -------- d-----w c:\program files\SpywareBlaster
2009-05-13 08:03 . 2007-09-27 15:52 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-05-13 07:14 . 2008-03-11 10:29 -------- d-----w c:\program files\RMClock
2009-05-05 03:29 . 2007-03-09 04:42 72792 -c--a-w c:\documents and settings\Rush\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-01 05:28 . 2009-01-02 01:16 -------- d-----w c:\documents and settings\All Users\Application Data\Examsoft
2009-05-01 05:21 . 2009-01-02 01:16 121559 ----a-w c:\windows\jgzr.dat
2009-04-18 04:07 . 2009-01-13 00:18 -------- d-----w c:\documents and settings\Rush\Application Data\GoodSync
2009-04-06 18:59 . 2008-09-30 23:51 -------- d-----w c:\program files\Hewlett-Packard
2009-03-24 02:57 . 2009-03-24 02:57 1536000 ----a-w c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\181414-18154.dll
2009-03-24 02:57 . 2009-01-28 20:03 242976 ----a-w c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\QWPATCH.EXE
2009-03-21 17:56 . 2009-03-21 17:55 294912 ----a-w c:\documents and settings\All Users\Application Data\BOINC\projects\setiweb.ssl.berkeley.edu_beta\ap_graphics_5.04_windows_intelx86.exe
2009-03-21 17:56 . 2009-03-21 17:55 479232 ----a-w c:\documents and settings\All Users\Application Data\BOINC\projects\setiweb.ssl.berkeley.edu_beta\astropulse_5.04_windows_intelx86.exe
2009-03-08 09:34 . 2006-02-28 12:00 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 09:34 . 2006-02-28 12:00 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 09:33 . 2006-02-28 12:00 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 09:33 . 2006-02-28 12:00 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 09:32 . 2006-02-28 12:00 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 09:32 . 2006-02-28 12:00 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 09:31 . 2006-02-28 12:00 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 09:31 . 2006-02-28 12:00 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 09:31 . 2006-02-28 12:00 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 09:22 . 2006-02-28 12:00 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 14:22 . 2006-02-28 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-05 18:10 . 2009-03-05 18:10 167936 ----a-w c:\documents and settings\Rush\Application Data\Thinstall\Portable - WinZip Professional v11.1.7466\1000000b00002i\verclsid.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"ClocX"="c:\program files\ClocX\ClocX.exe" [2007-07-26 270336]
"RMClock"="c:\program files\RMClock\RMClockLauncher.exe" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2007-01-09 868352]
"TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-10-02 94208]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-06-24 126976]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-06-24 561152]
"BMMMONWND"="c:\progra~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2005-04-20 396288]
"BMMLREF"="c:\program files\ThinkPad\Utilities\BMMLREF.EXE" [2005-04-20 20480]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-04-20 208896]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]
"boinctray"="c:\program files\BOINC\boinctray.exe" [2008-08-07 58112]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-02-06 2021400]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-18 148888]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2003-06-27 88363]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BOINC Manager.lnk - c:\program files\BOINC\boincmgr.exe [2008-8-7 4190976]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"AllowMultipleTSSessions"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-05 23:45 28672 ----a-w c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-12-01 00:16 24576 ----a-w c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0smrgdf c:\documents and settings\Rush\Application Data\iolo\

[HKLM\~\startupfolder\C:^Documents and Settings^Rush^Start Menu^Programs^Startup^BOINC Manager.lnk]
backup=c:\windows\pss\BOINC Manager.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BOINC\\boinc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Documents and Settings\\Rush\\Desktop\\Downloads\\BOINC\\Boinc_6.1.0.32_v5_release_x86\\boinc.exe"=
"c:\\Program Files\\ExamSoft\\SofTest\\SoftLnch.exe"= c:\\Program Files\\ExamSoft\\SoftLnch.exe
"c:\\Program Files\\ExamSoft\\SofTest\\softest.exe"= c:\\Program Files\\ExamSoft\\SofTest.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [02/06/09 14:23 106208]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [02/06/09 14:24 93336]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [03/08/07 23:53 16384]
R2 BOINC;BOINC;c:\program files\BOINC\boinc.exe [08/07/08 08:07 721664]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [02/06/09 14:23 727720]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [05/18/09 23:28 604416]
R3 WSIMD;wsimd Service;c:\windows\system32\drivers\wsimd.sys [03/04/08 04:43 57344]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/06/07 15:22 34064]
S3 wwEngineSvc;wwEngineSvc;c:\program files\Webroot\Washer\WasherSvc.exe [11/02/07 15:18 598856]
S3 zteusbser;ZTE USB Device for Legacy Serial Communication;c:\windows\system32\drivers\CT_ZTEMT_U_USBSER.sys [09/01/08 16:41 104320]

--- Other Services/Drivers In Memory ---

*Deregistered* - RTCore32

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-05-28 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2009-04-27 20:37]

2009-05-28 c:\windows\Tasks\BMMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2007-03-09 06:38]

2009-05-18 c:\windows\Tasks\Defraggler Volume C Task.job
- c:\program files\Defraggler\df.exe [2009-03-13 13:37]
.
.
------- Supplementary Scan -------
.
mWindow Title = Windows Internet Explorer by Rush
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {4AC3DF7D-EDD3-4E9B-AC5B-0D52E7F10764} = 208.67.222.222,208.67.220.220
FF - ProfilePath - c:\documents and settings\Rush\Application Data\Mozilla\Firefox\Profiles\925q64q7.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - prefs.js: network.proxy.type - 4

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.notify.interval - 600000
FF - user.js: content.switch.threshold - 1000000
FF - user.js: nglayout.initialpaint.delay - 600
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-28 16:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(504)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\tphklock.dll

- - - - - - - > 'explorer.exe'(4568)
c:\windows\system32\SynTPFcs.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-05-28 16:05
ComboFix-quarantined-files.txt 2009-05-28 21:05
ComboFix2.txt 2009-05-28 16:25
ComboFix3.txt 2009-05-13 13:02
ComboFix4.txt 2009-05-13 07:22
ComboFix5.txt 2009-05-28 21:00

Pre-Run: 128,944,107,520 bytes free
Post-Run: 128,931,282,944 bytes free

240 --- E O F --- 2009-05-25 19:35
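
As an added example (not from the thread, and not ComboFix's own code), a small Python parser for the ComboFix log layout shown above, with a triage pass over the "Files Created" entries. The sample log is constructed from a few of the lines above plus one made-up hidden file marked CONSTRUCTED; the attribute-column layout and the meaning of the two timestamps are assumptions inferred from this log.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample in the layout of the ComboFix log above: a few of its
# lines plus one made-up hidden file (marked CONSTRUCTED). Not the full log.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-28 )))))))))))))))))))))))))))))))
.

2009-05-28 16:31 . 2009-05-28 16:31 -------- d-sh--w c:\documents and settings\Rush\PrivacIE
2009-05-27 03:07 . 2009-05-27 03:07 3371383 ----a-w c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-05-26 20:24 . 2009-05-26 20:24 24576 --sh--w c:\windows\system32\CONSTRUCTED-sample.dll
2009-05-25 19:34 . 2009-04-25 05:30 102400 -c----w c:\windows\system32\dllcache\iecompat.dll
2009-05-25 19:31 . 2009-05-25 19:33 -------- dc-h--w c:\windows\ie8
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-26 18:19 . 2008-08-08 20:02 19096 ----a-w c:\windows\system32\drivers\mbam.sys
"""

# Section banners look like "((((( name )))))"; entry lines are "<ts> . <ts> <size|--------> <7 attr chars> <path>".
SECTION_RE = re.compile(r"^\(+\s*(?P<name>.+?)\s*\)+$")
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[a-z-]{7}) (?P<path>\S.*)$"
)
TS_FMT = "%Y-%m-%d %H:%M"
CODE_EXTENSIONS = (".exe", ".dll", ".sys", ".scr", ".com", ".pif", ".cpl", ".bat", ".cmd")
TRUSTED_ROOTS = ("c:\\program files", "c:\\windows")


@dataclass
class Entry:
    created: datetime    # first timestamp; assumed to be the creation time
    modified: datetime   # second timestamp; assumed to be the last-write time
    size: Optional[int]  # None for directories, which ComboFix prints as "--------"
    attrs: str           # 7 columns as seen in this log: d c s h a ? r/w (assumed layout)
    path: str
    is_dir = property(lambda self: self.attrs[0] == "d")
    system = property(lambda self: self.attrs[2] == "s")
    hidden = property(lambda self: self.attrs[3] == "h")


def parse_combofix(text: str) -> Dict[str, List[Entry]]:
    """Split a ComboFix log into its banner-delimited sections and parse the file lines."""
    sections: Dict[str, List[Entry]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group("name")
            sections[current] = []
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:  # "." and blank filler lines fall through here
            sections[current].append(Entry(
                created=datetime.strptime(m.group("created"), TS_FMT),
                modified=datetime.strptime(m.group("modified"), TS_FMT),
                size=None if m.group("size").startswith("-") else int(m.group("size")),
                attrs=m.group("attrs"),
                path=m.group("path"),
            ))
    return sections


def triage(entries: List[Entry]) -> List[Tuple[str, List[str]]]:
    """Return (path, reasons) for files worth a second look. These are review
    prompts for the analyst, not verdicts: installers in Application Data are normal."""
    findings: List[Tuple[str, List[str]]] = []
    for e in entries:
        if e.is_dir:
            continue
        reasons = []
        if e.hidden or e.system:
            reasons.append("file carries hidden/system attribute")
        low = e.path.lower()
        if low.endswith(CODE_EXTENSIONS) and not low.startswith(TRUSTED_ROOTS):
            reasons.append("executable code outside Program Files / Windows")
        if reasons:
            findings.append((e.path, reasons))
    return findings
```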

#8 Farbar

    Just Curious

  • Security Developer
  • 21,689 posts
  • Gender:Male
  • Location:The Netherlands

Posted 28 May 2009 - 04:23 PM

Well done :thumbup2:

How is the computer running now?

#9 rush242
  • Topic Starter
  • Members
  • 10 posts

Posted 28 May 2009 - 04:28 PM

Everything seems to be running nicely. The mouse has returned to normal speed (something I had forgotten to mention) and there are no issues with NOD32, CCleaner, or Spybot S&D, and Firefox seems to remain the default browser.

Any other thoughts? Other than not to click on things I know better than to click on? :thumbup2:

#10 Farbar

    Just Curious

  • Security Developer
  • 21,689 posts
  • Gender:Male
  • Location:The Netherlands

Posted 28 May 2009 - 04:52 PM

Everything looks good. :thumbup2:

Go to start > run and copy and paste or type next command in the field then hit enter:

ComboFix /u

Note: There's a space between ComboFix and /u.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

It also makes a clean Restore Point and flushes all the old restore points in order to prevent possible reinfection from an old one through System Restore.

The first reboot might be a little slow, the next one will be faster.

Optional Recommendations:
  • Your log looks clean. But your computer is still very much susceptible, in particular to hacking and intrusion from outside. I strongly advise you to install a firewall before surfing. The Windows firewall is not good enough. The Windows firewall provides protection from outside threats as long as the malware is not on your system. When the malware gets onto your computer, the Windows firewall is no longer effective. You can find more information on firewalls below.
    Click for more information on: Understanding and Using Firewalls

    There are several good free programs available like:
    Sunbelt-Kerio

    Online Armor Free edition

  • I recommend using Site Advisor for safe surfing. It is a free extension both for Internet Explorer and Firefox. When you search a site it gives you an indication of how safe a site is.

  • The rule of thumb: One AntiVirus with real-time protection, one firewall (other than Windows firewall) and one antispyware with real-time protection. Any additional anti-malware shouldn't be running. You might have two or three antispyware but they should not be running at the same time and should be set not to start with Windows.
Happy Surfing!

#11 rush242
  • Topic Starter
  • Members
  • 10 posts

Posted 28 May 2009 - 05:04 PM

Thanks for the heads up and the recommendations! However no combination of ComboFix /u or Combo-Fix /u or anything else will do what you said. It just says "Windows cannot find 'ComboFix.' Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, then click Search."

Thoughts? I would like to do all those things.

Edited by rush242, 28 May 2009 - 05:07 PM.


#12 Farbar

    Just Curious

  • Security Developer
  • 21,689 posts
  • Gender:Male
  • Location:The Netherlands

Posted 28 May 2009 - 05:20 PM

Good that you mention it. ComboFix should be on your desktop. Run the following command:

"%userprofile%\desktop\Combo-fix" /u

If that does not work, delete your copy of ComboFix and download a fresh one to your desktop without renaming it. Then run the command:

"%userprofile%\desktop\Combofix.exe" /u

#13 rush242
  • Topic Starter
  • Members
  • 10 posts

Posted 28 May 2009 - 05:25 PM

The first one worked like a charm!

Thank you again!!

#14 Farbar

    Just Curious

  • Security Developer
  • 21,689 posts
  • Gender:Male
  • Location:The Netherlands

Posted 28 May 2009 - 05:29 PM

You are most welcome, glad I could help.

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.



