
Possible Rootkit - Hijack This wont Run


  • This topic is locked
2 replies to this topic

#1 ChrisL100
  • Members
  • 7 posts

Posted 01 June 2009 - 02:21 PM

So my computer is infected. Google won't work. Occasionally I get a million IE windows. I can't run Spybot, HijackThis, or Malwarebytes.

Silent Runners gave me this:



Thanks...

#2 thcbytes
  • Malware Response Team
  • 14,790 posts

Posted 12 June 2009 - 10:16 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review them and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#3 Orange Blossom

    OBleepin Investigator

  • Moderator
  • 36,697 posts
  • Location:Bloomington, IN

Posted 15 June 2009 - 07:19 PM

Due to the lack of feedback, this Topic is now closed.

In case you still have problems, please send me a Private message to reopen this topic within the next 5 days. Beyond that point, please start a new topic.

Orange Blossom
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript
