
Infected with Packed.Generic.45 and others


This topic is locked
14 replies to this topic

#1 PauloA

  • Members
  • 6 posts

Posted 13 July 2009 - 01:42 PM

Norton Anti-virus displays a number of pop-up messages informing me that I'm trying to send spam email although I'm not actually trying to send any email. I noticed (alerted by the anti-virus scan) that within the windows/temp directory there is a folder called "AEXAM" which contains many temp files being generated every minute.

I've run Norton a few times without success in cleaning my laptop. I've also now installed AVG (unable to update virus definitions), and it also doesn't find anything. I've run Malwarebytes, and it found some items, but the symptoms are still present.

Not sure what else I should try, but I'm hoping you have some suggestions.

Below is the copy/paste of the DDS.txt file. Attached I'm including the attach.txt file as per instructions.

DDS (Ver_09-06-26.01) - NTFSx86 NETWORK
Run by PaArCA at 13:59:43.40 on Mon 07/13/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_10
Microsoft Windows XP Professional 5.1.2600.2.1252.2.1033.18.1022.668 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Symantec Client Firewall *enabled* {5CB76A43-5FAD-476B-B9FF-26FA61F13187}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
c:\_integra\bin\shstart.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Documents and Settings\paarca\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = 72.55.191.6:3128
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\_integra\bin\shstart.exe,
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: BHOManager Class: {474264bc-9571-47c1-85b9-780f756dc9ce} - c:\windows\system32\BHOManager.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
uRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\symant~2\VPTray.exe
mRun: [CCM User Profile Manager] "c:\_integra\upm\bin\CCM_User.exe"
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [TpShocks] TpShocks.exe
mRun: [TP4EX] tp4ex.exe
mRun: [AwaySch] c:\program files\lenovo\awaytask\AwaySch.EXE
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
mRun: [IBM Warranty Notification] "c:\program files\ibm\acp\erts0749\ERTS0749.exe /nointro"
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [<NO NAME>]
mRun: [TPFNF7] c:\program files\lenovo\npdirect\TPFNF7SP.exe /r
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
mRun: [LPManager] c:\progra~1\thinkv~1\prdctr\LPMGR.exe
mRun: [LPMailChecker] c:\progra~1\thinkv~1\prdctr\LPMLCHK.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AeXAgentLogon] c:\program files\altiris\altiris agent\AeXAgentActivate.exe /logon
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Macro Manager] c:\program files\grasssoft\macro expert\MacroManager.exe /q
mRun: [Message Center Plus] c:\program files\lenovo\message center plus\MCPLaunch.exe /start
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRunOnce: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\thinkpad\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\loadru~1.lnk - c:\program files\hp\loadrunner\launch_service\bin\magentproc.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{d25122bc-a60e-4663-b602-b01718f12044}\VRT188.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: Send to &Bluetooth Device... - c:\program files\thinkpad\bluetooth software\btsendto_ie_ctx.htm
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {020EA84E-76BD-4D97-8BF4-9C402E412137} - hxxp://o1.agendize.com/w1/inserter/AgendiZe.CAB
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {0B895E9F-B0CD-450F-9268-BA4AD07EEDFF} - hxxp://lcs.corpnet.ifsworld.com/login/secured/docmaw/IFSDropArea.CAB
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {283E8568-F214-4FBA-862B-10BCE7767C3A} - hxxp://lcs.corpnet.ifsworld.com/login/secured/docmaw/IFSCliMgrOCX.CAB
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {36E4E9BC-4D0C-41B4-90C9-37AFDBFAAD3C} - hxxps://download.infotriever.com/bin/ifhelper.cab
DPF: {3AC3D009-2E89-4F1E-9F51-04D4FBD50122} - hxxp://mkephone1/shorewaredirector/clientinstall/ShoretelClientInstall.ocx
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.3.cab
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1232121510750
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1232121592031
DPF: {6ECC406C-20E6-4E52-9D2A-2CC6038AB6AA} - hxxp://lcs.corpnet.ifsworld.com/login/secured/docmaw/IFSCliMgrOCX.CAB
DPF: {74FFE28D-2378-11D5-990C-006094235084} - hxxp://www-307.ibm.com/pc/support/IbmEgath.cab
DPF: {76E5AF9D-2B3E-4FEB-A31F-A9E63A27FA29} - hxxps://www-307.ibm.com/pc/support/access/aslibmain/content/AcpIR.cab
DPF: {86174DA1-DDAC-4885-9ABD-9913368954F9} - hxxp://naauxexsttc.corpnet.ifsworld.com/b2e/docmaw/IFSCliMgrOCX.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {ABAB9A52-40A5-11D5-9551-00105A477B3A} - hxxp://olympus.corpnet.ifsworld.com/login/docmaw/IFSCliMgrOCX.CAB
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {D11EAD7A-174C-42AA-9DBE-7CD485BE4D6F} - file:///C:/ifs/IFSDoc/2004/Documentation/en/TMGeneral/PrinterControl2.CAB
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://3dlifeplayer.dl.3dvia.com/player/install/installer.exe
DPF: {DBCF5694-9B18-4401-9566-EEC94A14250E} - hxxp://ifsbizna.corpnet.ifsworld.com/login/secured/docmaw/IFSCliMgrOCX.CAB
DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://ifs.webex.com/client/T25L/webex/ieatgpc.cab
TCP: NameServer = 151.106.12.101
Handler: HTLFP - {03B7A5D4-96B0-4316-95F8-072D326A58F1} -
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: vfsp - {E4CB5121-E242-11D4-8ED6-00010219EB22} -
Handler: x-owacid - {0215258f-f0a8-49de-bf1b-0ff02eda8807} - c:\program files\microsoft\outlook web access smime client\mimectl.dll
Notify: ACNotify - ACNotify.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: AwayNotify - c:\program files\lenovo\awaytask\AwayNotify.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\560\G2AWinLogon.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: PCANotify - PCANotify.dll
Notify: psfus - c:\windows\system32\psqlpwd.dll
Notify: tpfnf2 - c:\program files\lenovo\hotkey\notifyf2.dll
Notify: tphotkey - c:\program files\lenovo\hotkey\tphklock.dll
AppInit_DLLs: AMINIT32.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: ShHook Class: {a5949e07-8536-4625-a3d0-2dd83f559990} - c:\windows\system32\ShellHook.dll
LSA: Notification Packages = scecli ACGina psqlpwd

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R0 Shockprf;Shockprf;c:\windows\system32\drivers\ApsX86.sys [2007-10-16 103472]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2007-10-16 19504]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-7-12 108552]
R1 Ext2fs;Ext2fs;c:\windows\system32\drivers\ext2fs.sys [2007-11-22 132736]
R3 smedrv;SMEDriver;c:\windows\system32\drivers\smedrv.sys [2006-12-21 9516]
S1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2008-7-16 11520]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-7-12 327688]
S1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-7-12 27784]
S1 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2003-10-23 16984]
S1 awlegacy;awlegacy;c:\windows\system32\drivers\AWLEGACY.sys [2003-11-17 11165]
S1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.sys [2008-7-16 4224]
S1 IfsDrives;IfsDrives;c:\windows\system32\drivers\IfsDrives.sys [2007-11-22 4608]
S1 SAVRT;SAVRT;c:\program files\symantec client security\symantec antivirus\savrt.sys [2005-12-19 337592]
S1 SAVRTPEL;SAVRTPEL;c:\program files\symantec client security\symantec antivirus\Savrtpel.sys [2005-12-19 54968]
S1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [2008-7-16 4442]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-7-12 298776]
S2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-3-24 192160]
S2 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\ccProxy.exe [2006-3-24 202400]
S2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-3-24 169632]
S2 Macro Expert;Macro Expert;c:\program files\grasssoft\macro expert\MacroService.exe [2009-6-17 212480]
S2 SavRoam;SAVRoam;c:\program files\symantec client security\symantec antivirus\SavRoam.exe [2006-6-15 115952]
S2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [2007-11-22 14976]
S2 smefs;SMEFileSystem;c:\windows\system32\drivers\smefs.sys [2006-12-21 20476]
S2 smihlp;SMI Helper Driver (smihlp);c:\program files\common files\thinkvantage fingerprint software\drivers\smihlp.sys [2007-8-14 10896]
S2 SQLAgent$QLM;SQLAgent$QLM;c:\program files\qlm\mssql$qlm\binn\sqlagent.exe -i qlm --> c:\program files\qlm\mssql$qlm\binn\sqlagent.EXE -i QLM [?]
S2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec client security\symantec antivirus\Rtvscan.exe [2006-6-15 1805552]
S3 awhost32;pcAnywhere Host Service;c:\program files\symantec\pcanywhere\awhost32.exe [2004-11-1 106496]
S3 BTUSBFLT;WIDCOMM Bluetooth USB Filter Driver;\??\c:\windows\system32\drivers\btusbflt.sys --> c:\windows\system32\drivers\btusbflt.sys [?]
S3 CdProbe;CdProbe;c:\windows\system32\drivers\CDProbe.SYS [2006-12-21 8416]
S3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [2005-11-25 31896]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-7-10 101936]
S3 IFS S&M Web Service;IFS S&M Web Service;c:\program files\ifs applications\sales & marketing web access\vmoWebService.exe [2005-3-24 94208]
S3 IFSApache2-RACE;IFS Apache2 - RACE;c:\ifs\race\fndext\3.0.0\apache2\bin\Apache.exe [2007-1-11 13824]
S3 IfsBatchServer1RACE;IFS BatchServer1 - RACE;c:\ifs\race\runtime\ifssrv.exe [2007-1-11 69632]
S3 IFSCBSBridgeRACE;IFS CBS Bridge - RACE;c:\ifs\race\runtime\ifssrv.exe [2007-1-11 69632]
S3 IFSCBSServerRACE;IFS CBS Server - RACE;c:\ifs\race\runtime\ifssrv.exe [2007-1-11 69632]
S3 IfsConnectServer1RACE;IFS ConnectServer1 - RACE;c:\ifs\race\runtime\ifssrv.exe [2007-1-11 69632]
S3 IfsContentSearchServer;IFS Content Search Server;c:\ifs\race\runtime\ifssrv.exe [2007-1-11 69632]
S3 IFSDemandServerRACE;IFS Demand Server - RACE;c:\ifs\race\runtime\ifssrv.exe [2007-1-11 69632]
S3 IFSJBossServerRACE;IFS Extended Server - RACE (JBoss);c:\ifs\race\runtime\ifssrv.exe [2007-1-11 69632]
S3 IfsMobileServerRACE;IFS Mobile Server - RACE;c:\ifs\race\runtime\ifssrv.exe [2007-1-11 69632]
S3 IFSPrintServerRACE;IFS Print Server - RACE;c:\ifs\race\runtime\ifssrv.exe [2007-1-11 69632]
S3 IFSTimeReportingExecutorRACE;IFS Time Reporting Executor - RACE;c:\ifs\race\runtime\ifssrv.exe [2007-1-11 69632]
S3 IFSTimeReportingFrontRACE;IFS Time Reporting Front - RACE;c:\ifs\race\runtime\ifssrv.exe [2007-1-11 69632]
S3 IFSWaveLinkRACE;IFS WaveLink - RACE;c:\ifs\race\runtime\ifssrv.exe [2007-1-11 69632]
S3 JL2005C;Dual Mode Camera;c:\windows\system32\drivers\jl2005c.sys [2007-1-26 68954]
S3 Mail-Gear;Mail-Gear;c:\ifs\common\mailgear\mailgear.exe [2007-1-11 918016]
S3 MSSQL$QLM;MSSQL$QLM;c:\program files\qlm\mssql$qlm\binn\sqlservr.exe -sqlm --> c:\program files\qlm\mssql$qlm\binn\sqlservr.exe -sQLM [?]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090711.006\naveng.sys [2009-7-11 89104]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090711.006\navex15.sys [2009-7-11 876144]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 OracleOra92Agent;OracleOra92Agent;c:\oracle\ora92\bin\agntsrvc.exe [2002-4-26 28944]
S3 OracleOra92ClientCache;OracleOra92ClientCache;c:\oracle\ora92\bin\ONRSD.EXE [2002-4-26 242328]
S3 OracleOra92HTTPServer;OracleOra92HTTPServer;c:\oracle\ora92\apache\apache\Apache.exe [2002-4-18 4096]
S3 OracleOra92PagingServer;OracleOra92PagingServer;c:\oracle\ora92\bin\pagntsrv.exe [2002-6-4 49152]
S3 OracleOra92SNMPPeerEncapsulator;OracleOra92SNMPPeerEncapsulator;c:\oracle\ora92\bin\encsvc.exe [2002-2-13 187392]
S3 OracleOra92SNMPPeerMasterAgent;OracleOra92SNMPPeerMasterAgent;c:\oracle\ora92\bin\agntsvc.exe [2002-2-13 254464]
S3 OracleOraDb10g_home1TNSListener;OracleOraDb10g_home1TNSListener;c:\oracle\product\10.2.0\db_1\bin\tnslsnr --> c:\oracle\product\10.2.0\db_1\bin\TNSLSNR [?]
S3 OracleServiceAPPS7;OracleServiceAPPS7;c:\oracle\product\10.2.0\db_1\bin\oracle.exe apps7 --> c:\oracle\product\10.2.0\db_1\bin\ORACLE.EXE APPS7 [?]
S3 OracleServiceRACE;OracleServiceRACE;c:\oracle\ora92\bin\oracle.exe race --> c:\oracle\ora92\bin\ORACLE.EXE RACE [?]
S3 OracleServiceTTCCG1;OracleServiceTTCCG1;c:\oracle\ora92\bin\oracle.exe ttccg1 --> c:\oracle\ora92\bin\ORACLE.EXE TTCCG1 [?]
S3 tpflhlp;tpflhlp;c:\drivers\flash\79uj17us\tpflhlp.sys [2006-12-13 13616]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]
S3 XmsSocketService;XMS Socket Service;c:\ifs\race\servers\xms\XmsSocketService.exe [2007-1-11 115200]
S4 OracleJobSchedulerAPPS7;OracleJobSchedulerAPPS7;c:\oracle\product\10.2.0\db_1\bin\extjob.exe apps7 --> c:\oracle\product\10.2.0\db_1\bin\extjob.exe APPS7 [?]

=============== Created Last 30 ================

2009-07-12 15:35 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-07-12 12:30 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-07-12 12:30 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-07-12 12:29 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-07-12 12:29 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-07-12 12:27 <DIR> --d----- c:\program files\AVG
2009-07-12 12:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-07-11 11:07 212,994 a------- c:\windows\system32\CdT5n0L8.exe
2009-07-10 00:14 <DIR> --d----- c:\program files\DemoForge
2009-07-10 00:13 <DIR> --d----- c:\program files\EchoVNC
2009-07-09 00:28 <DIR> --d----- c:\program files\iPhoneBrowser
2009-07-01 19:08 <DIR> --d----- c:\docume~1\paarca\applic~1\Downloaded Installations
2009-06-26 23:28 72 a------- c:\windows\Macro.ini
2009-06-26 23:22 <DIR> --d----- c:\docume~1\paarca\applic~1\RealWorld
2009-06-26 23:21 <DIR> --d----- c:\program files\RealWorld Icon Editor
2009-06-26 14:22 <DIR> --d----- c:\program files\WinSCP

==================== Find3M ====================

2009-07-12 11:51 27,660 a------- c:\windows\system32\ctfmon.exe.tmp
2009-07-01 19:09 30,144 a------- c:\windows\system32\drivers\psadd.sys
2009-06-17 11:27 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 11:27 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-25 00:24 350,208 a------- c:\windows\system32\mssph.dll
2009-05-12 15:12 26,144 a------- c:\windows\system32\spupdsvc.exe
2009-05-07 11:44 344,064 a------- c:\windows\system32\localspl.dll
2009-04-17 05:58 1,846,656 a------- c:\windows\system32\win32k.sys
2009-04-15 11:26 583,168 a------- c:\windows\system32\rpcrt4.dll
2009-03-02 12:01 64,808 a------- c:\documents and settings\paarca\GoToAssistDownloadHelper.exe
2009-02-16 23:53 1,325 a------- c:\docume~1\paarca\applic~1\MT.dat
2009-01-30 13:44 214,344 a------- c:\documents and settings\paarca\atcliun.exe
2009-01-30 13:43 98,712 a------- c:\documents and settings\paarca\ieatgpc.dll
2009-01-30 13:43 126,360 a------- c:\documents and settings\paarca\atgpcext.dll
2009-01-30 13:43 27,976 a------- c:\documents and settings\paarca\atgpcdec.dll
2009-01-06 07:50 202,056 a------- c:\docume~1\paarca\applic~1\OI31Upd.exe
2009-01-06 05:58 49,152 a------- c:\docume~1\paarca\applic~1\olkupres.dll
2007-02-21 10:02 16 ---shr-- c:\windows\MSCIOTL.SYS

============= FINISH: 14:00:17.98 ===============

#2 aommaster

    I !<3 malware

  • Malware Response Team
  • 5,289 posts
  • Gender: Male
  • Location: Dubai

Posted 23 July 2009 - 06:43 AM

Hello, PauloA.
My name is aommaster and I will be helping you with your log.

I apologize for the delay in response; we get overwhelmed at times, but we are trying our best to keep up.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following below so I can have a look at the current condition of your machine.

Thanks

Please note that I am in the process of my training, so it may take a while for me to get back to you, as each of my fixes needs to be checked by a coach first.

We need to run RSIT
  • Download random's system information tool (RSIT) by random/random and save it to your desktop.
  • Double click on RSIT.exe.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).
In your next reply, please include the following:
  • Log.txt
  • info.txt

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#3 PauloA

  • Topic Starter
  • Members
  • 6 posts

Posted 23 July 2009 - 11:35 AM

Hi, thank you very much for your response. I've been watching your forums daily, and have seen an overwhelming number of cases logged.

I'm just happy someone is able to give me a hand. I haven't been able to use the computer since July 12th, and was hoping to have it in working condition for when I return to work on the 26th. I guess we'll see.

I've run the program on the infected computer, and have included both files in the document.

Please let me know if there is something I should be doing further.

Cheers, and once again thank you for your help.

Attached Files

  • log.txt (36.84KB, 10 downloads)
  • info.txt (51.52KB, 5 downloads)


#4 aommaster

    I !<3 malware

  • Malware Response Team
  • 5,289 posts
  • Gender: Male
  • Location: Dubai

Posted 23 July 2009 - 12:31 PM

Hello, PauloA.
We'll try to get your computer fixed as soon as possible. Please note that since I'm in the process of my training, there may be a slight delay in my responses, since all of my fixes need to be approved by a coach first.

Looks like HJT didn't download on the RSIT scan, which leads me to think that there may be something blocking the download. We'll run DDS instead to generate that scan. Please ensure that you copy and paste the dds log into your reply.

We need to run a DDS scan
  • Please download DDS by sUBs from one of the following links. Save it to your desktop.
    Download 1
    Download 2
  • Double click on the DDS icon, allow it to run
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running
  • Notepad will open with the results, click no to the Optional Scan
  • Follow the instructions that pop up for posting the results
  • Close the program window
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. You can find information on A/V control HERE

In your next reply, please include the following:
  • DDS Log

Edited by aommaster, 23 July 2009 - 12:46 PM.

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#5 PauloA

  • Topic Starter
  • Members
  • 6 posts

Posted 23 July 2009 - 01:38 PM

Hello aommaster, below are the results of running the dds.scr file on the infected computer.

You asked that I include the DDS.Log; however, I didn't see such a file. I've pasted the DDS.txt file, and I've attached attach.txt.

Hopefully I'll hear from you shortly.


-----------------------------------------------------------------------------------------


DDS (Ver_09-06-26.01) - NTFSx86
Run by PaArCA at 14:31:13.89 on Thu 07/23/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_10
Microsoft Windows XP Professional 5.1.2600.2.1252.2.1033.18.1022.240 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Symantec Client Firewall *enabled* {5CB76A43-5FAD-476B-B9FF-26FA61F13187}

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\_integra\bin\shstart.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
c:\program files\grasssoft\macro expert\MacroService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\program files\grasssoft\macro expert\MacroServiceWnd.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
c:\_integra\bin\ccmagent.exe
C:\WINDOWS\system32\TpShocks.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\LENOVO\Message Center Plus\MCPLaunch.exe
C:\Program Files\Altiris\Altiris Agent\AeXAgentUIHost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\LoadRunner\LAUNCH_SERVICE\bin\magentproc.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\paarca\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = 72.55.191.6:3128
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\_integra\bin\shstart.exe,
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: BHOManager Class: {474264bc-9571-47c1-85b9-780f756dc9ce} - c:\windows\system32\BHOManager.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: solution Class: {7957fd21-c584-4476-b26b-4691a7ac4e5d} - c:\windows\system32\EfV2p6N5.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
uRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [CCM User Profile Manager] "c:\_integra\upm\bin\CCM_User.exe"
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [TpShocks] TpShocks.exe
mRun: [TP4EX] tp4ex.exe
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
mRun: [IBM Warranty Notification] "c:\program files\ibm\acp\erts0749\ERTS0749.exe /nointro"
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [<NO NAME>]
mRun: [TPFNF7] c:\program files\lenovo\npdirect\TPFNF7SP.exe /r
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AeXAgentLogon] c:\program files\altiris\altiris agent\AeXAgentActivate.exe /logon
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Message Center Plus] c:\program files\lenovo\message center plus\MCPLaunch.exe /start
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\thinkpad\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\loadru~1.lnk - c:\program files\hp\loadrunner\launch_service\bin\magentproc.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{d25122bc-a60e-4663-b602-b01718f12044}\VRT188.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: Send to &Bluetooth Device... - c:\program files\thinkpad\bluetooth software\btsendto_ie_ctx.htm
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {020EA84E-76BD-4D97-8BF4-9C402E412137} - hxxp://o1.agendize.com/w1/inserter/AgendiZe.CAB
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {0B895E9F-B0CD-450F-9268-BA4AD07EEDFF} - hxxp://lcs.corpnet.ifsworld.com/login/secured/docmaw/IFSDropArea.CAB
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {283E8568-F214-4FBA-862B-10BCE7767C3A} - hxxp://lcs.corpnet.ifsworld.com/login/secured/docmaw/IFSCliMgrOCX.CAB
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {36E4E9BC-4D0C-41B4-90C9-37AFDBFAAD3C} - hxxps://download.infotriever.com/bin/ifhelper.cab
DPF: {3AC3D009-2E89-4F1E-9F51-04D4FBD50122} - hxxp://mkephone1/shorewaredirector/clientinstall/ShoretelClientInstall.ocx
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.3.cab
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1232121510750
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1232121592031
DPF: {6ECC406C-20E6-4E52-9D2A-2CC6038AB6AA} - hxxp://lcs.corpnet.ifsworld.com/login/secured/docmaw/IFSCliMgrOCX.CAB
DPF: {74FFE28D-2378-11D5-990C-006094235084} - hxxp://www-307.ibm.com/pc/support/IbmEgath.cab
DPF: {76E5AF9D-2B3E-4FEB-A31F-A9E63A27FA29} - hxxps://www-307.ibm.com/pc/support/access/aslibmain/content/AcpIR.cab
DPF: {86174DA1-DDAC-4885-9ABD-9913368954F9} - hxxp://naauxexsttc.corpnet.ifsworld.com/b2e/docmaw/IFSCliMgrOCX.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {ABAB9A52-40A5-11D5-9551-00105A477B3A} - hxxp://olympus.corpnet.ifsworld.com/login/docmaw/IFSCliMgrOCX.CAB
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {D11EAD7A-174C-42AA-9DBE-7CD485BE4D6F} - file:///C:/ifs/IFSDoc/2004/Documentation/en/TMGeneral/PrinterControl2.CAB
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://3dlifeplayer.dl.3dvia.com/player/install/installer.exe
DPF: {DBCF5694-9B18-4401-9566-EEC94A14250E} - hxxp://ifsbizna.corpnet.ifsworld.com/login/secured/docmaw/IFSCliMgrOCX.CAB
DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://ifs.webex.com/client/T25L/webex/ieatgpc.cab
TCP: NameServer = 151.106.12.101
Handler: HTLFP - {03B7A5D4-96B0-4316-95F8-072D326A58F1} -
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: vfsp - {E4CB5121-E242-11D4-8ED6-00010219EB22} -
Handler: x-owacid - {0215258f-f0a8-49de-bf1b-0ff02eda8807} - c:\program files\microsoft\outlook web access smime client\mimectl.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: ACNotify - ACNotify.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: AwayNotify - c:\program files\lenovo\awaytask\AwayNotify.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: PCANotify - PCANotify.dll
Notify: psfus - c:\windows\system32\psqlpwd.dll
Notify: tpfnf2 - c:\program files\lenovo\hotkey\notifyf2.dll
Notify: tphotkey - c:\program files\lenovo\hotkey\tphklock.dll
AppInit_DLLs: AMINIT32.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: ShHook Class: {a5949e07-8536-4625-a3d0-2dd83f559990} - c:\windows\system32\ShellHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli ACGina psqlpwd

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R0 Shockprf;Shockprf;c:\windows\system32\drivers\ApsX86.sys [2007-10-16 103472]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2007-10-16 19504]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2008-7-16 11520]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-7-12 327688]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-7-12 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-7-12 108552]
R1 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2003-10-23 16984]
R1 awlegacy;awlegacy;c:\windows\system32\drivers\AWLEGACY.sys [2003-11-17 11165]
R1 Ext2fs;Ext2fs;c:\windows\system32\drivers\ext2fs.sys [2007-11-22 132736]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.sys [2008-7-16 4224]
R1 IfsDrives;IfsDrives;c:\windows\system32\drivers\IfsDrives.sys [2007-11-22 4608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 72944]
R1 SAVRT;SAVRT;c:\program files\symantec client security\symantec antivirus\savrt.sys [2005-12-19 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec client security\symantec antivirus\Savrtpel.sys [2005-12-19 54968]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [2008-7-16 4442]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-7-12 298776]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-3-24 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-3-24 169632]
R2 Macro Expert;Macro Expert;c:\program files\grasssoft\macro expert\MacroService.exe [2009-6-17 212480]
R2 SavRoam;SAVRoam;c:\program files\symantec client security\symantec antivirus\SavRoam.exe [2006-6-15 115952]
R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [2007-11-22 14976]
R2 smefs;SMEFileSystem;c:\windows\system32\drivers\smefs.sys [2006-12-21 20476]
R2 smihlp;SMI Helper Driver (smihlp);c:\program files\common files\thinkvantage fingerprint software\drivers\smihlp.sys [2007-8-14 10896]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec client security\symantec antivirus\Rtvscan.exe [2006-6-15 1805552]
R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [2005-11-25 31896]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-7-10 101936]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090711.006\naveng.sys [2009-7-11 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090711.006\navex15.sys [2009-7-11 876144]
R3 smedrv;SMEDriver;c:\windows\system32\drivers\smedrv.sys [2006-12-21 9516]
S2 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\ccProxy.exe [2006-3-24 202400]
S2 SQLAgent$QLM;SQLAgent$QLM;c:\program files\qlm\mssql$qlm\binn\sqlagent.exe -i qlm --> c:\program files\qlm\mssql$qlm\binn\sqlagent.EXE -i QLM [?]
S3 awhost32;pcAnywhere Host Service;c:\program files\symantec\pcanywhere\awhost32.exe [2004-11-1 106496]
S3 BTUSBFLT;WIDCOMM Bluetooth USB Filter Driver;\??\c:\windows\system32\drivers\btusbflt.sys --> c:\windows\system32\drivers\btusbflt.sys [?]
S3 CdProbe;CdProbe;c:\windows\system32\drivers\CDProbe.SYS [2006-12-21 8416]
S3 IFS S&M Web Service;IFS S&M Web Service;c:\program files\ifs applications\sales & marketing web access\vmoWebService.exe [2005-3-24 94208]
S3 IFSApache2-RACE;IFS Apache2 - RACE;c:\ifs\race\fndext\3.0.0\apache2\bin\Apache.exe [2007-1-11 13824]
S3 IfsBatchServer1RACE;IFS BatchServer1 - RACE;c:\ifs\race\runtime\ifssrv.exe [2007-1-11 69632]
S3 IFSCBSBridgeRACE;IFS CBS Bridge - RACE;c:\ifs\race\runtime\ifssrv.exe [2007-1-11 69632]
S3 IFSCBSServerRACE;IFS CBS Server - RACE;c:\ifs\race\runtime\ifssrv.exe [2007-1-11 69632]
S3 IfsConnectServer1RACE;IFS ConnectServer1 - RACE;c:\ifs\race\runtime\ifssrv.exe [2007-1-11 69632]
S3 IfsContentSearchServer;IFS Content Search Server;c:\ifs\race\runtime\ifssrv.exe [2007-1-11 69632]
S3 IFSDemandServerRACE;IFS Demand Server - RACE;c:\ifs\race\runtime\ifssrv.exe [2007-1-11 69632]
S3 IFSJBossServerRACE;IFS Extended Server - RACE (JBoss);c:\ifs\race\runtime\ifssrv.exe [2007-1-11 69632]
S3 IfsMobileServerRACE;IFS Mobile Server - RACE;c:\ifs\race\runtime\ifssrv.exe [2007-1-11 69632]
S3 IFSPrintServerRACE;IFS Print Server - RACE;c:\ifs\race\runtime\ifssrv.exe [2007-1-11 69632]
S3 IFSTimeReportingExecutorRACE;IFS Time Reporting Executor - RACE;c:\ifs\race\runtime\ifssrv.exe [2007-1-11 69632]
S3 IFSTimeReportingFrontRACE;IFS Time Reporting Front - RACE;c:\ifs\race\runtime\ifssrv.exe [2007-1-11 69632]
S3 IFSWaveLinkRACE;IFS WaveLink - RACE;c:\ifs\race\runtime\ifssrv.exe [2007-1-11 69632]
S3 JL2005C;Dual Mode Camera;c:\windows\system32\drivers\jl2005c.sys [2007-1-26 68954]
S3 Mail-Gear;Mail-Gear;c:\ifs\common\mailgear\mailgear.exe [2007-1-11 918016]
S3 MSSQL$QLM;MSSQL$QLM;c:\program files\qlm\mssql$qlm\binn\sqlservr.exe -sqlm --> c:\program files\qlm\mssql$qlm\binn\sqlservr.exe -sQLM [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 OracleOra92Agent;OracleOra92Agent;c:\oracle\ora92\bin\agntsrvc.exe [2002-4-26 28944]
S3 OracleOra92ClientCache;OracleOra92ClientCache;c:\oracle\ora92\bin\ONRSD.EXE [2002-4-26 242328]
S3 OracleOra92HTTPServer;OracleOra92HTTPServer;c:\oracle\ora92\apache\apache\Apache.exe [2002-4-18 4096]
S3 OracleOra92PagingServer;OracleOra92PagingServer;c:\oracle\ora92\bin\pagntsrv.exe [2002-6-4 49152]
S3 OracleOra92SNMPPeerEncapsulator;OracleOra92SNMPPeerEncapsulator;c:\oracle\ora92\bin\encsvc.exe [2002-2-13 187392]
S3 OracleOra92SNMPPeerMasterAgent;OracleOra92SNMPPeerMasterAgent;c:\oracle\ora92\bin\agntsvc.exe [2002-2-13 254464]
S3 OracleOraDb10g_home1TNSListener;OracleOraDb10g_home1TNSListener;c:\oracle\product\10.2.0\db_1\bin\tnslsnr --> c:\oracle\product\10.2.0\db_1\bin\TNSLSNR [?]
S3 OracleServiceAPPS7;OracleServiceAPPS7;c:\oracle\product\10.2.0\db_1\bin\oracle.exe apps7 --> c:\oracle\product\10.2.0\db_1\bin\ORACLE.EXE APPS7 [?]
S3 OracleServiceRACE;OracleServiceRACE;c:\oracle\ora92\bin\oracle.exe race --> c:\oracle\ora92\bin\ORACLE.EXE RACE [?]
S3 OracleServiceTTCCG1;OracleServiceTTCCG1;c:\oracle\ora92\bin\oracle.exe ttccg1 --> c:\oracle\ora92\bin\ORACLE.EXE TTCCG1 [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]
S3 tpflhlp;tpflhlp;c:\drivers\flash\79uj17us\tpflhlp.sys [2006-12-13 13616]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]
S3 XmsSocketService;XMS Socket Service;c:\ifs\race\servers\xms\XmsSocketService.exe [2007-1-11 115200]
S4 OracleJobSchedulerAPPS7;OracleJobSchedulerAPPS7;c:\oracle\product\10.2.0\db_1\bin\extjob.exe apps7 --> c:\oracle\product\10.2.0\db_1\bin\extjob.exe APPS7 [?]

=============== Created Last 30 ================

2009-07-23 12:23 <DIR> --d----- c:\program files\trend micro
2009-07-17 21:35 0 a------- c:\windows\system32\CdT5n0L8.exe.a_a
2009-07-17 21:22 169,472 a------- c:\windows\system32\EfV2p6N5.dll
2009-07-14 10:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-07-14 10:47 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-07-14 10:47 <DIR> --d----- c:\docume~1\paarca\applic~1\SUPERAntiSpyware.com
2009-07-14 10:39 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-07-12 15:35 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-07-12 12:30 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-07-12 12:30 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-07-12 12:29 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-07-12 12:29 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-07-12 12:27 <DIR> --d----- c:\program files\AVG
2009-07-12 12:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-07-10 00:14 <DIR> --d----- c:\program files\DemoForge
2009-07-10 00:13 <DIR> --d----- c:\program files\EchoVNC
2009-07-09 00:28 <DIR> --d----- c:\program files\iPhoneBrowser
2009-07-01 19:08 <DIR> --d----- c:\docume~1\paarca\applic~1\Downloaded Installations
2009-06-26 23:28 72 a------- c:\windows\Macro.ini
2009-06-26 23:22 <DIR> --d----- c:\docume~1\paarca\applic~1\RealWorld
2009-06-26 23:21 <DIR> --d----- c:\program files\RealWorld Icon Editor
2009-06-26 14:22 <DIR> --d----- c:\program files\WinSCP

==================== Find3M ====================

2009-07-13 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-01 19:09 30,144 a------- c:\windows\system32\drivers\psadd.sys
2009-05-25 00:24 350,208 a------- c:\windows\system32\mssph.dll
2009-05-12 15:12 26,144 a------- c:\windows\system32\spupdsvc.exe
2009-05-07 11:44 344,064 a------- c:\windows\system32\localspl.dll
2009-03-02 12:01 64,808 a------- c:\documents and settings\paarca\GoToAssistDownloadHelper.exe
2009-02-16 23:53 1,325 a------- c:\docume~1\paarca\applic~1\MT.dat
2009-01-30 13:44 214,344 a------- c:\documents and settings\paarca\atcliun.exe
2009-01-30 13:43 98,712 a------- c:\documents and settings\paarca\ieatgpc.dll
2009-01-30 13:43 126,360 a------- c:\documents and settings\paarca\atgpcext.dll
2009-01-30 13:43 27,976 a------- c:\documents and settings\paarca\atgpcdec.dll
2009-01-06 07:50 202,056 a------- c:\docume~1\paarca\applic~1\OI31Upd.exe
2009-01-06 05:58 49,152 a------- c:\docume~1\paarca\applic~1\olkupres.dll
2007-02-21 10:02 16 ---shr-- c:\windows\MSCIOTL.SYS

============= FINISH: 14:33:31.64 ===============



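The helper's first step on a log like the one above is to pick out the load points that most often need a second look: browser add-ons loaded from oddly named DLLs, proxy and DNS settings the user may not recognise (the NameServer question below), AppInit_DLLs entries and empty Run keys. The following script is an added example, not part of the thread or of DDS, that applies those heuristics to a handful of "Pseudo HJT Report" lines copied from the log (trimmed to ASCII); the regexes and the 8-character "random stem" rule are the example's own assumptions, and a hit means "ask the user or look closer", not "malicious".

```python
"""Triage of DDS 'Pseudo HJT Report' lines (added example, not from the thread).

Heuristics only: a finding is a prompt for a human decision, not a verdict.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str   # "review" (needs a human decision) or "info"
    line: str       # the log line that triggered the finding
    reason: str


# "BHO: <name>: {<clsid>} - <dll path>"; toolbars ("TB:") use the same shape.
BHO_RE = re.compile(r"^(BHO|TB): (?P<name>.+?): \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
# "uInternet Settings,ProxyServer = host:port" (u = user hive, m = machine hive).
PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer = (?P<value>\S+)$")
NAMESERVER_RE = re.compile(r"^TCP: NameServer = (?P<value>\S+)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs: (?P<value>.+)$")
EMPTY_RUN_RE = re.compile(r"^[umd]Run: \[<NO NAME>\]\s*$")
# Eight-character file stem mixing upper case, lower case and digits (e.g. EfV2p6N5):
# a naming pattern that ordinary installers rarely produce (assumed heuristic).
RANDOM_STEM_RE = re.compile(r"^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])[A-Za-z0-9]{8}$")


def file_stem(path: str) -> str:
    """'c:\\windows\\system32\\CdT5n0L8.exe.a_a' -> 'CdT5n0L8' (case preserved)."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return name.split(".", 1)[0]


def looks_random(path: str) -> bool:
    return RANDOM_STEM_RE.match(file_stem(path)) is not None


def triage_hjt(report: str) -> list[Finding]:
    """Walk the report line by line and collect findings in log order."""
    findings: list[Finding] = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := BHO_RE.match(line):
            path = m.group("path")
            if looks_random(path):
                findings.append(Finding("review", line,
                    "browser add-on loaded from a DLL with a random-looking 8-character name"))
            elif path.lower().startswith("c:\\windows\\system32\\"):
                findings.append(Finding("review", line,
                    "browser add-on loaded straight from system32 instead of a vendor folder"))
        elif m := PROXY_RE.match(line):
            findings.append(Finding("review", line,
                f"IE traffic is routed through proxy {m.group('value')}; confirm it is the expected one"))
        elif m := NAMESERVER_RE.match(line):
            findings.append(Finding("review", line,
                f"DNS resolver is {m.group('value')}; confirm the user recognises it"))
        elif m := APPINIT_RE.match(line):
            findings.append(Finding("review", line,
                f"AppInit_DLLs is set ({m.group('value').strip()}); DLLs listed here are loaded "
                "into every process that loads user32.dll"))
        elif EMPTY_RUN_RE.match(line):
            findings.append(Finding("info", line,
                "Run entry with no name and no command; usually an installer leftover"))
    return findings


# Constructed sample: lines copied from the DDS log in this thread, ASCII only.
SAMPLE_LOG = r"""
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = 72.55.191.6:3128
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\activex\AcroIEHelper.dll
BHO: BHOManager Class: {474264bc-9571-47c1-85b9-780f756dc9ce} - c:\windows\system32\BHOManager.dll
BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: solution Class: {7957fd21-c584-4476-b26b-4691a7ac4e5d} - c:\windows\system32\EfV2p6N5.dll
mRun: [<NO NAME>]
TCP: NameServer = 151.106.12.101
AppInit_DLLs: AMINIT32.DLL
"""


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```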

#6 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • Gender:Male
  • Location:Dubai
  • Local time:05:54 PM

Posted 24 July 2009 - 11:51 AM

Hi!

Yep! That was the log I was looking for. Please give me some time to look over your logs and I will post back soon :thumbup2:

My website: http://aommaster.com
unite_blue.png
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#7 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • Gender:Male
  • Location:Dubai
  • Local time:05:54 PM

Posted 26 July 2009 - 10:06 AM

Hello, PauloA.
My apologies for the delay. Let's begin! :thumbup2:

Please answer the following questions

Do you recognize the following IP address (originating from the United States)?
151.106.12.101

NEXT:

We need to download and run ComboFix (by sUBs)
  • Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
    They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". For more details, please check this thread
  • Please download ComboFix from one of these locations:
    Link 1
    Link 2
    Link 3
    ** IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    The Recovery Console was successfully installed. Click 'Yes' to continue scanning for malware. Click 'No' to exit
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a new HijackThis log.
**A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
**This tool is not a toy and not for everyday use.
**ComboFix SHOULD NOT be used unless requested by a forum helper


In your next reply, please include the following:
  • Answers to my questions above
  • ComboFix.txt
  • Fresh HijackThis Log



#8 PauloA

PauloA
  • Topic Starter

  • Members
  • 6 posts
  • Local time:09:54 AM

Posted 27 July 2009 - 12:56 AM

Hello, thank you for your response :thumbup2:

Yes, that IP address belongs to the company for whom I work.

Below are both the combofix.txt file and the files generated by running DDS.SCR.

-------------------------------------------------------------------------------------------------------------------------

ComboFix 09-07-26.01 - Administrator 07/26/2009 23:57.1.2 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.2.1033.18.1022.667 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Symantec Client Firewall *enabled* {5CB76A43-5FAD-476B-B9FF-26FA61F13187}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\1177784.msi
c:\windows\Installer\12df61c.msp
c:\windows\Installer\12df632.msp
c:\windows\Installer\12df634.msp
c:\windows\Installer\12df636.msp
c:\windows\system32\Cache
c:\windows\system32\CdT5n0L8.exe.a_a
c:\windows\system32\zip32.dll

.
((((((((((((((((((((((((( Files Created from 2009-06-27 to 2009-07-27 )))))))))))))))))))))))))))))))
.

2009-07-27 03:46 . 2009-07-27 03:46 -------- d-----w- C:\32788R22FWJFW
2009-07-23 16:23 . 2009-07-23 16:23 -------- d-----w- C:\rsit
2009-07-23 16:23 . 2009-07-23 16:23 -------- d-----w- c:\program files\trend micro
2009-07-18 02:05 . 2009-07-18 02:05 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer
2009-07-18 02:05 . 2009-07-18 02:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2009-07-18 01:22 . 2009-07-18 01:22 169472 ----a-w- c:\windows\system32\EfV2p6N5.dll
2009-07-14 21:40 . 2009-07-18 01:24 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-14 21:39 . 2009-07-14 21:39 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-07-14 14:51 . 2009-07-20 07:14 117760 ----a-w- c:\documents and settings\paarca\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-14 14:48 . 2009-07-14 14:48 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-07-14 14:47 . 2009-07-20 07:26 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-14 14:47 . 2009-07-14 14:47 -------- d-----w- c:\documents and settings\paarca\Application Data\SUPERAntiSpyware.com
2009-07-14 14:39 . 2009-07-14 14:39 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-14 02:26 . 2009-07-14 02:26 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-07-12 19:35 . 2009-07-20 23:31 -------- d--h--w- C:\$AVG8.VAULT$
2009-07-12 16:30 . 2009-07-12 16:30 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-07-12 16:30 . 2009-07-12 16:30 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-07-12 16:29 . 2009-07-12 16:29 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-12 16:29 . 2009-07-12 16:29 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-07-12 16:29 . 2009-07-20 07:23 -------- d-----w- c:\windows\system32\drivers\Avg
2009-07-12 16:27 . 2009-07-12 16:27 -------- d-----w- c:\program files\AVG
2009-07-12 16:27 . 2009-07-21 05:01 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-07-10 04:14 . 2009-07-10 04:14 -------- d-----w- c:\program files\DemoForge
2009-07-10 04:13 . 2009-07-10 04:13 -------- d-----w- c:\program files\EchoVNC
2009-07-09 04:29 . 2009-07-09 04:29 -------- d-----w- c:\documents and settings\paarca\Local Settings\Application Data\Cranium_Consulting_and_Cu
2009-07-09 04:28 . 2009-07-09 04:28 -------- d-----w- c:\program files\iPhoneBrowser
2009-07-01 23:08 . 2009-07-01 23:08 -------- d-----w- c:\documents and settings\paarca\Application Data\Downloaded Installations

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
23375-09-13 12:27 . 2006-12-21 21:15 1028096 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Ghost\AutoInstall\Installed Applications\~0000.exe
2009-07-27 03:33 . 2006-12-21 21:23 40 ----a-w- c:\windows\system32\profile.dat
2009-07-27 03:33 . 2007-02-09 04:50 12 ----a-w- c:\windows\bthservsdp.dat
2009-07-20 07:07 . 2008-10-07 01:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-18 01:37 . 2008-06-21 01:31 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-18 01:29 . 2008-06-21 01:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-18 01:25 . 2008-11-24 03:33 3775176 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-07-13 17:36 . 2008-10-07 01:18 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 17:36 . 2008-10-07 01:18 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-11 15:45 . 2009-01-31 05:58 -------- d-----w- c:\documents and settings\paarca\Application Data\BitTorrent
2009-07-11 14:54 . 2007-02-19 15:32 -------- d-----w- c:\program files\ExamDiff Pro
2009-07-10 21:45 . 2006-12-21 21:22 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-07-08 06:02 . 2007-02-09 05:20 -------- d-----w- c:\program files\CCleaner
2009-07-01 23:10 . 2007-01-10 22:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Lenovo
2009-07-01 23:09 . 2009-01-10 17:03 -------- d-----w- c:\program files\Common Files\Lenovo
2009-07-01 23:09 . 2006-12-21 21:38 -------- d-----w- c:\program files\Lenovo
2009-07-01 23:09 . 2007-09-17 15:07 30144 ----a-w- c:\windows\system32\drivers\psadd.sys
2009-06-29 03:55 . 2007-02-17 02:49 -------- d-----w- c:\program files\mIRC
2009-06-27 03:22 . 2009-06-27 03:22 -------- d-----w- c:\documents and settings\paarca\Application Data\RealWorld
2009-06-27 03:21 . 2009-06-27 03:21 9062 ----a-r- c:\documents and settings\paarca\Application Data\Microsoft\Installer\{3143DA02-D491-4C34-B7D2-0F9EA76486CB}\_6FEFF9B68218417F98F549.exe
2009-06-27 03:21 . 2009-06-27 03:21 23558 ----a-r- c:\documents and settings\paarca\Application Data\Microsoft\Installer\{3143DA02-D491-4C34-B7D2-0F9EA76486CB}\_357C06FAD2FC0DA52A6B45.exe
2009-06-27 03:21 . 2009-06-27 03:21 137115 ----a-r- c:\documents and settings\paarca\Application Data\Microsoft\Installer\{3143DA02-D491-4C34-B7D2-0F9EA76486CB}\_ADAB0E427A888143B08FAE.exe
2009-06-27 03:21 . 2009-06-27 03:21 137115 ----a-r- c:\documents and settings\paarca\Application Data\Microsoft\Installer\{3143DA02-D491-4C34-B7D2-0F9EA76486CB}\_5D50E12A3F942D5765FD03.exe
2009-06-27 03:21 . 2009-06-27 03:21 11310 ----a-r- c:\documents and settings\paarca\Application Data\Microsoft\Installer\{3143DA02-D491-4C34-B7D2-0F9EA76486CB}\_8C743AFA18BBC51C7F134B.exe
2009-06-27 03:21 . 2009-06-27 03:21 11310 ----a-r- c:\documents and settings\paarca\Application Data\Microsoft\Installer\{3143DA02-D491-4C34-B7D2-0F9EA76486CB}\_1A3359F6F38FB6AB48EC63.exe
2009-06-27 03:21 . 2009-06-27 03:21 11310 ----a-r- c:\documents and settings\paarca\Application Data\Microsoft\Installer\{3143DA02-D491-4C34-B7D2-0F9EA76486CB}\_081E09237481BE9AB76A14.exe
2009-06-27 03:21 . 2009-06-27 03:21 -------- d-----w- c:\program files\RealWorld Icon Editor
2009-06-26 18:22 . 2009-06-26 18:22 -------- d-----w- c:\program files\WinSCP
2009-06-21 03:56 . 2009-02-01 04:41 -------- d-----w- c:\documents and settings\paarca\Application Data\Skype
2009-06-20 20:32 . 2009-02-01 04:42 -------- d-----w- c:\documents and settings\paarca\Application Data\skypePM
2009-06-18 10:17 . 2007-01-12 17:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-17 17:37 . 2009-06-17 17:37 -------- d-----w- c:\documents and settings\paarca\Application Data\Hewlett-Packard
2009-06-17 00:03 . 2009-01-09 20:34 -------- d-----w- c:\program files\Windows Desktop Search
2009-06-14 08:00 . 2009-06-15 15:31 259368 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2d9c04.vdb\ecmsvr32.dll
2009-06-04 08:00 . 2009-06-05 14:53 259368 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2d8802.vdb\ecmsvr32.dll
2009-06-04 04:19 . 2009-06-04 04:19 -------- d-----w- c:\documents and settings\paarca\Application Data\Grasssoft
2009-06-04 04:19 . 2009-06-04 04:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Grasssoft
2009-06-04 04:19 . 2009-06-04 04:19 -------- d-----w- c:\program files\GrassSoft
2009-06-03 00:56 . 2009-06-02 13:05 -------- d-----w- c:\program files\UltraVNC
2009-06-02 16:06 . 2009-06-02 16:06 -------- d-----w- c:\program files\Client
2009-06-02 13:10 . 2009-06-02 13:10 -------- d-----w- c:\documents and settings\paarca\Application Data\UltraVNC
2009-06-02 02:55 . 2009-06-02 02:55 -------- d-----w- c:\documents and settings\All Users\Application Data\SSScanAppDataDir
2009-06-02 02:02 . 2009-06-02 02:02 -------- d-----w- c:\program files\Common Files\Mercury Interactive
2009-06-02 02:01 . 2009-06-02 02:01 -------- d-----w- c:\program files\Common Files\Mercury
2009-06-02 01:45 . 2009-06-02 01:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Macrovision
2009-06-02 01:45 . 2007-11-02 17:22 -------- d-----w- c:\program files\HP
2009-06-02 01:36 . 2009-06-02 01:36 10134 ----a-r- c:\documents and settings\paarca\Application Data\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
2009-06-02 01:36 . 2009-06-02 01:36 -------- d-----w- c:\program files\Microsoft WSE
2009-06-02 01:36 . 2009-06-02 01:36 10134 ----a-r- c:\documents and settings\paarca\Application Data\Microsoft\Installer\{F3CA9611-CD42-4562-ADAB-A554CF8E17F1}\ARPPRODUCTICON.exe
2009-06-02 00:51 . 2009-06-02 00:51 -------- d-----w- c:\documents and settings\paarca\Application Data\Sonic
2009-05-29 12:44 . 2009-05-08 00:47 -------- d-----w- c:\program files\Palringo
2009-05-25 04:24 . 2008-05-27 03:18 350208 ----a-w- c:\windows\system32\mssph.dll
2009-05-12 19:12 . 2006-12-21 21:46 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2009-05-07 15:44 . 1980-01-01 00:00 344064 ----a-w- c:\windows\system32\localspl.dll
2009-05-01 20:16 . 2009-05-01 20:16 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2008-11-29 04:28 . 2008-01-02 03:56 67696 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-11-29 04:28 . 2008-01-02 03:56 54376 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-11-29 04:28 . 2008-01-02 03:56 34952 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-11-29 04:28 . 2008-01-02 03:56 46720 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-11-29 04:28 . 2008-01-02 03:56 172144 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2007-11-09 21:10 . 2007-11-09 21:10 30288 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2007-11-09 21:10 . 2007-11-09 21:10 79440 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2007-11-09 21:10 . 2007-11-09 21:10 75344 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2007-11-09 21:10 . 2007-11-09 21:10 140880 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2007-11-09 21:10 . 2007-11-09 21:10 42576 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2007-11-09 21:10 . 2007-11-09 21:10 50768 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2007-11-09 21:10 . 2007-11-09 21:10 34384 ----a-w- c:\program files\mozilla firefox\plugins\logging.dll
2007-11-09 21:11 . 2007-11-09 21:11 685648 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2007-11-09 21:11 . 2007-11-09 21:11 30288 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
2007-02-21 14:02 . 2006-12-21 21:18 16 --sh--r- c:\windows\MSCIOTL.SYS
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2005-06-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 53408]
"CCM User Profile Manager"="c:\_integra\upm\bin\CCM_User.exe" [2005-05-18 479232]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"IBM Warranty Notification"="c:\program files\IBM\acp\ERTS0749\ERTS0749.exe" [2004-03-12 106496]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2006-06-03 856064]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2008-03-26 59680]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2008-01-11 294912]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2008-01-11 208896]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-10-17 144792]
"AeXAgentLogon"="c:\program files\Altiris\Altiris Agent\AeXAgentActivate.exe" [2008-05-12 143360]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"Message Center Plus"="c:\program files\LENOVO\Message Center Plus\MCPLaunch.exe" [2009-05-28 49976]
"TpShocks"="TpShocks.exe" - c:\windows\system32\TpShocks.exe [2007-11-22 181536]
"TP4EX"="tp4ex.exe" - c:\windows\system32\TP4EX.exe [2005-10-17 65536]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2004-08-04 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-01-31 160592]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2006-8-18 561213]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-7-16 50688]
Load Runner Agent Process.lnk - c:\program files\HP\LoadRunner\LAUNCH_SERVICE\bin\magentproc.exe [2008-1-9 36934]
VPN Client.lnk - c:\windows\Installer\{D25122BC-A60E-4663-B602-B01718F12044}\VRT188.exe [2006-12-21 6144]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{A5949E07-8536-4625-A3D0-2DD83F559990}"= "c:\windows\system32\ShellHook.dll" [2008-01-16 46592]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AwayNotify]
2006-10-19 07:08 49152 ----a-w- c:\program files\Lenovo\AwayTask\AwayNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-08-14 19:54 89600 ----a-w- c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 20:37 34344 ----a-w- c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2007-12-14 20:36 28672 ----a-w- c:\program files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2008-03-14 22:54 32768 ----a-w- c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-07-12 16:30 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2004-11-01 16:50 8704 ----a-w- c:\windows\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\AMInit32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli ACGina psqlpwd

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DataViz Inc Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DataViz Inc Messenger.lnk
backup=c:\windows\pss\DataViz Inc Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HOTSYNCSHORTCUTNAME.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HOTSYNCSHORTCUTNAME.lnk
backup=c:\windows\pss\HOTSYNCSHORTCUTNAME.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^officejet 6100.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\officejet 6100.lnk
backup=c:\windows\pss\officejet 6100.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\Palm\\Hotsync.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\UltraVNC\\vncviewer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5900:TCP"= 5900:TCP:vnc5900
"5800:TCP"= 5800:TCP:vnc5800

R0 Shockprf;Shockprf;c:\windows\system32\drivers\ApsX86.sys [10/16/2007 6:33 PM 103472]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [10/16/2007 6:32 PM 19504]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [7/12/2009 12:30 PM 108552]
R1 Ext2fs;Ext2fs;c:\windows\system32\drivers\ext2fs.sys [11/22/2007 4:30 PM 132736]
R3 smedrv;SMEDriver;c:\windows\system32\drivers\smedrv.sys [12/21/2006 4:51 PM 9516]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/12/2009 12:29 PM 327688]
S1 IfsDrives;IfsDrives;c:\windows\system32\drivers\IfsDrives.sys [11/22/2007 4:30 PM 4608]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]
S1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [7/16/2008 1:37 AM 4442]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/12/2009 12:27 PM 298776]
S2 Macro Expert;Macro Expert;c:\program files\GrassSoft\Macro Expert\MacroService.exe [6/17/2009 10:54 AM 212480]
S2 SavRoam;SAVRoam;c:\program files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe [6/15/2006 2:40 AM 115952]
S2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [11/22/2007 5:32 PM 14976]
S2 smefs;SMEFileSystem;c:\windows\system32\drivers\smefs.sys [12/21/2006 4:51 PM 20476]
S2 smihlp;SMI Helper Driver (smihlp);c:\program files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [8/14/2007 3:46 PM 10896]
S2 SQLAgent$QLM;SQLAgent$QLM;c:\program files\QLM\MSSQL$QLM\Binn\sqlagent.EXE -i QLM --> c:\program files\QLM\MSSQL$QLM\Binn\sqlagent.EXE -i QLM [?]
S3 BTUSBFLT;WIDCOMM Bluetooth USB Filter Driver;\??\c:\windows\system32\drivers\btusbflt.sys --> c:\windows\system32\drivers\btusbflt.sys [?]
S3 CdProbe;CdProbe;c:\windows\system32\drivers\CDProbe.SYS [12/21/2006 5:17 PM 8416]
S3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [11/25/2005 5:43 PM 31896]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\eengine\EraserUtilRebootDrv.sys [7/10/2009 5:58 PM 101936]
S3 IFS S&M Web Service;IFS S&M Web Service;c:\program files\IFS Applications\Sales & Marketing Web Access\vmoWebService.exe [3/24/2005 5:41 PM 94208]
S3 IFSApache2-RACE;IFS Apache2 - RACE;c:\ifs\RACE\fndext\3.0.0\apache2\bin\Apache.exe [1/11/2007 11:58 AM 13824]
S3 IfsBatchServer1RACE;IFS BatchServer1 - RACE;c:\ifs\RACE\runtime\ifssrv.exe [1/11/2007 11:54 AM 69632]
S3 IFSCBSBridgeRACE;IFS CBS Bridge - RACE;c:\ifs\RACE\runtime\ifssrv.exe [1/11/2007 11:54 AM 69632]
S3 IFSCBSServerRACE;IFS CBS Server - RACE;c:\ifs\RACE\runtime\ifssrv.exe [1/11/2007 11:54 AM 69632]
S3 IfsConnectServer1RACE;IFS ConnectServer1 - RACE;c:\ifs\RACE\runtime\ifssrv.exe [1/11/2007 11:54 AM 69632]
S3 IfsContentSearchServer;IFS Content Search Server;c:\ifs\RACE\runtime\ifssrv.exe [1/11/2007 11:54 AM 69632]
S3 IFSDemandServerRACE;IFS Demand Server - RACE;c:\ifs\RACE\runtime\ifssrv.exe [1/11/2007 11:54 AM 69632]
S3 IFSJBossServerRACE;IFS Extended Server - RACE (JBoss);c:\ifs\RACE\runtime\ifssrv.exe [1/11/2007 11:54 AM 69632]
S3 IfsMobileServerRACE;IFS Mobile Server - RACE;c:\ifs\RACE\runtime\ifssrv.exe [1/11/2007 11:54 AM 69632]
S3 IFSPrintServerRACE;IFS Print Server - RACE;c:\ifs\RACE\runtime\ifssrv.exe [1/11/2007 11:54 AM 69632]
S3 IFSTimeReportingExecutorRACE;IFS Time Reporting Executor - RACE;c:\ifs\RACE\runtime\ifssrv.exe [1/11/2007 11:54 AM 69632]
S3 IFSTimeReportingFrontRACE;IFS Time Reporting Front - RACE;c:\ifs\RACE\runtime\ifssrv.exe [1/11/2007 11:54 AM 69632]
S3 IFSWaveLinkRACE;IFS WaveLink - RACE;c:\ifs\RACE\runtime\ifssrv.exe [1/11/2007 11:54 AM 69632]
S3 Mail-Gear;Mail-Gear;c:\ifs\common\MailGear\mailgear.exe [1/11/2007 12:00 PM 918016]
S3 MSSQL$QLM;MSSQL$QLM;c:\program files\QLM\MSSQL$QLM\Binn\sqlservr.exe -sQLM --> c:\program files\QLM\MSSQL$QLM\Binn\sqlservr.exe -sQLM [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/6/2007 4:22 PM 34064]
S3 OracleOra92Agent;OracleOra92Agent;c:\oracle\Ora92\bin\agntsrvc.exe [4/26/2002 6:29 PM 28944]
S3 OracleOra92ClientCache;OracleOra92ClientCache;c:\oracle\Ora92\bin\ONRSD.EXE [4/26/2002 8:34 PM 242328]
S3 OracleOra92HTTPServer;OracleOra92HTTPServer;c:\oracle\Ora92\Apache\Apache\Apache.exe [4/18/2002 11:02 PM 4096]
S3 OracleOra92PagingServer;OracleOra92PagingServer;c:\oracle\Ora92\bin\pagntsrv.exe [6/4/2002 8:23 AM 49152]
S3 OracleOra92SNMPPeerEncapsulator;OracleOra92SNMPPeerEncapsulator;c:\oracle\Ora92\bin\encsvc.exe [2/13/2002 9:23 AM 187392]
S3 OracleOra92SNMPPeerMasterAgent;OracleOra92SNMPPeerMasterAgent;c:\oracle\Ora92\bin\agntsvc.exe [2/13/2002 9:23 AM 254464]
S3 OracleOraDb10g_home1TNSListener;OracleOraDb10g_home1TNSListener;c:\oracle\product\10.2.0\db_1\BIN\TNSLSNR --> c:\oracle\product\10.2.0\db_1\BIN\TNSLSNR [?]
S3 OracleServiceAPPS7;OracleServiceAPPS7;c:\oracle\product\10.2.0\db_1\bin\ORACLE.EXE APPS7 --> c:\oracle\product\10.2.0\db_1\bin\ORACLE.EXE APPS7 [?]
S3 OracleServiceRACE;OracleServiceRACE;c:\oracle\ora92\bin\ORACLE.EXE RACE --> c:\oracle\ora92\bin\ORACLE.EXE RACE [?]
S3 OracleServiceTTCCG1;OracleServiceTTCCG1;c:\oracle\ora92\bin\ORACLE.EXE TTCCG1 --> c:\oracle\ora92\bin\ORACLE.EXE TTCCG1 [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]
S3 tpflhlp;tpflhlp;c:\drivers\FLASH\79uj17us\tpflhlp.sys [12/13/2006 4:06 PM 13616]
S3 XmsSocketService;XMS Socket Service;c:\ifs\RACE\Servers\XMS\XmsSocketService.exe [1/11/2007 11:55 AM 115200]
S4 OracleJobSchedulerAPPS7;OracleJobSchedulerAPPS7;c:\oracle\product\10.2.0\db_1\Bin\extjob.exe APPS7 --> c:\oracle\product\10.2.0\db_1\Bin\extjob.exe APPS7 [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MDMXSDK
.
Contents of the 'Scheduled Tasks' folder

2008-08-19 c:\windows\Tasks\FRU Task 2003-04-10 00:56ewlett-Packard2003-04-10 00:56p officejet 6100 series272A572217594EBCF1CEE215E352B92AD073FDE4209489346.job
- c:\program files\HP\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 21:56]

2009-07-27 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2008-07-16 05:30]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-TPHOTKEY - c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe
HKLM-Run-ACWLIcon - c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://wis.ifsworld.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {020EA84E-76BD-4D97-8BF4-9C402E412137} - hxxp://o1.agendize.com/w1/inserter/AgendiZe.CAB
DPF: {0B895E9F-B0CD-450F-9268-BA4AD07EEDFF} - hxxp://lcs.corpnet.ifsworld.com/login/secured/docmaw/IFSDropArea.CAB
DPF: {283E8568-F214-4FBA-862B-10BCE7767C3A} - hxxp://lcs.corpnet.ifsworld.com/login/secured/docmaw/IFSCliMgrOCX.CAB
DPF: {36E4E9BC-4D0C-41B4-90C9-37AFDBFAAD3C} - hxxps://download.infotriever.com/bin/ifhelper.cab
DPF: {6ECC406C-20E6-4E52-9D2A-2CC6038AB6AA} - hxxp://lcs.corpnet.ifsworld.com/login/secured/docmaw/IFSCliMgrOCX.CAB
DPF: {86174DA1-DDAC-4885-9ABD-9913368954F9} - hxxp://naauxexsttc.corpnet.ifsworld.com/b2e/docmaw/IFSCliMgrOCX.CAB
DPF: {ABAB9A52-40A5-11D5-9551-00105A477B3A} - hxxp://olympus.corpnet.ifsworld.com/login/docmaw/IFSCliMgrOCX.CAB
DPF: {D11EAD7A-174C-42AA-9DBE-7CD485BE4D6F} - file:///C:/ifs/IFSDoc/2004/Documentation/en/TMGeneral/PrinterControl2.CAB
DPF: {DBCF5694-9B18-4401-9566-EEC94A14250E} - hxxp://ifsbizna.corpnet.ifsworld.com/login/secured/docmaw/IFSCliMgrOCX.CAB
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398.3 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-27 00:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OracleOra92PagingServer]
"ImagePath"="c:\oracle\Ora92/bin/pagntsrv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OracleOraDb10g_home1TNSListener]
"ImagePath"="c:\oracle\product\10.2.0\db_1\BIN\TNSLSNR "
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(908)
c:\_integra\bin\smegina.dll
c:\_integra\bin\report.dll
c:\windows\system32\vrlogon.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\homepass.dll
c:\program files\ThinkVantage Fingerprint Software\bio.dll
c:\program files\ThinkVantage Fingerprint Software\ps2css.dll
c:\program files\ThinkVantage Fingerprint Software\crypto.dll
c:\program files\ThinkVantage Fingerprint Software\remote.dll
c:\program files\Lenovo\HOTKEY\tphklock.dll
c:\program files\Lenovo\AwayTask\AwayNotify.dll

- - - - - - - > 'lsass.exe'(964)
c:\program files\ThinkPad\ConnectUtilities\ACGina.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACON.dll
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgr.dll
c:\program files\ThinkPad\ConnectUtilities\AcCryptHlpr.dll
c:\program files\ThinkPad\ConnectUtilities\ACTurinSupport.dll
c:\program files\ThinkPad\ConnectUtilities\AcSmBiosHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcAdaptersInfo.dll
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
.
Completion time: 2009-07-27 0:08
ComboFix-quarantined-files.txt 2009-07-27 04:08

Pre-Run: 14,576,194,048 bytes free
Post-Run: 14,602,882,048 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

364 --- E O F --- 2009-06-18 10:18




---------------------------------------------------------------------------------------------------------------------------------------------------------


DDS (Ver_09-06-26.01) - NTFSx86
Run by PaArCA at 0:45:11.12 on Mon 07/27/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_10
Microsoft Windows XP Professional 5.1.2600.2.1252.2.1033.18.1022.261 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Symantec Client Firewall *enabled* {5CB76A43-5FAD-476B-B9FF-26FA61F13187}

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\program files\grasssoft\macro expert\MacroService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\_integra\bin\ccmagent.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
c:\_integra\bin\shstart.exe
C:\WINDOWS\Explorer.EXE
c:\program files\grasssoft\macro expert\MacroServiceWnd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\TpShocks.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\LENOVO\Message Center Plus\MCPLaunch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Altiris\Altiris Agent\AeXAgentUIHost.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\LoadRunner\LAUNCH_SERVICE\bin\magentproc.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\PROGRA~1\ThinkPad\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\paarca\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = 72.55.191.6:3128
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\_integra\bin\shstart.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: BHOManager Class: {474264bc-9571-47c1-85b9-780f756dc9ce} - c:\windows\system32\BHOManager.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
uRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [CCM User Profile Manager] "c:\_integra\upm\bin\CCM_User.exe"
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [TpShocks] TpShocks.exe
mRun: [TP4EX] tp4ex.exe
mRun: [IBM Warranty Notification] "c:\program files\ibm\acp\erts0749\ERTS0749.exe /nointro"
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [TPFNF7] c:\program files\lenovo\npdirect\TPFNF7SP.exe /r
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AeXAgentLogon] c:\program files\altiris\altiris agent\AeXAgentActivate.exe /logon
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Message Center Plus] c:\program files\lenovo\message center plus\MCPLaunch.exe /start
dRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\thinkpad\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\loadru~1.lnk - c:\program files\hp\loadrunner\launch_service\bin\magentproc.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{d25122bc-a60e-4663-b602-b01718f12044}\VRT188.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: Send to &Bluetooth Device... - c:\program files\thinkpad\bluetooth software\btsendto_ie_ctx.htm
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {020EA84E-76BD-4D97-8BF4-9C402E412137} - hxxp://o1.agendize.com/w1/inserter/AgendiZe.CAB
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {0B895E9F-B0CD-450F-9268-BA4AD07EEDFF} - hxxp://lcs.corpnet.ifsworld.com/login/secured/docmaw/IFSDropArea.CAB
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {283E8568-F214-4FBA-862B-10BCE7767C3A} - hxxp://lcs.corpnet.ifsworld.com/login/secured/docmaw/IFSCliMgrOCX.CAB
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {36E4E9BC-4D0C-41B4-90C9-37AFDBFAAD3C} - hxxps://download.infotriever.com/bin/ifhelper.cab
DPF: {3AC3D009-2E89-4F1E-9F51-04D4FBD50122} - hxxp://mkephone1/shorewaredirector/clientinstall/ShoretelClientInstall.ocx
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.3.cab
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1232121510750
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1232121592031
DPF: {6ECC406C-20E6-4E52-9D2A-2CC6038AB6AA} - hxxp://lcs.corpnet.ifsworld.com/login/secured/docmaw/IFSCliMgrOCX.CAB
DPF: {74FFE28D-2378-11D5-990C-006094235084} - hxxp://www-307.ibm.com/pc/support/IbmEgath.cab
DPF: {76E5AF9D-2B3E-4FEB-A31F-A9E63A27FA29} - hxxps://www-307.ibm.com/pc/support/access/aslibmain/content/AcpIR.cab
DPF: {86174DA1-DDAC-4885-9ABD-9913368954F9} - hxxp://naauxexsttc.corpnet.ifsworld.com/b2e/docmaw/IFSCliMgrOCX.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {ABAB9A52-40A5-11D5-9551-00105A477B3A} - hxxp://olympus.corpnet.ifsworld.com/login/docmaw/IFSCliMgrOCX.CAB
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {D11EAD7A-174C-42AA-9DBE-7CD485BE4D6F} - file:///C:/ifs/IFSDoc/2004/Documentation/en/TMGeneral/PrinterControl2.CAB
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://3dlifeplayer.dl.3dvia.com/player/install/installer.exe
DPF: {DBCF5694-9B18-4401-9566-EEC94A14250E} - hxxp://ifsbizna.corpnet.ifsworld.com/login/secured/docmaw/IFSCliMgrOCX.CAB
DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://ifs.webex.com/client/T25L/webex/ieatgpc.cab
Handler: HTLFP - {03B7A5D4-96B0-4316-95F8-072D326A58F1} -
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: vfsp - {E4CB5121-E242-11D4-8ED6-00010219EB22} -
Handler: x-owacid - {0215258f-f0a8-49de-bf1b-0ff02eda8807} - c:\program files\microsoft\outlook web access smime client\mimectl.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: ACNotify - ACNotify.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: AwayNotify - c:\program files\lenovo\awaytask\AwayNotify.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: PCANotify - PCANotify.dll
Notify: psfus - c:\windows\system32\psqlpwd.dll
Notify: tpfnf2 - c:\program files\lenovo\hotkey\notifyf2.dll
Notify: tphotkey - c:\program files\lenovo\hotkey\tphklock.dll
AppInit_DLLs: c:\windows\system32\AMInit32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: ShHook Class: {a5949e07-8536-4625-a3d0-2dd83f559990} - c:\windows\system32\ShellHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli ACGina psqlpwd

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R0 Shockprf;Shockprf;c:\windows\system32\drivers\ApsX86.sys [2007-10-16 103472]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2007-10-16 19504]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2008-7-16 11520]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-7-12 327688]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-7-12 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-7-12 108552]
R1 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2003-10-23 16984]
R1 awlegacy;awlegacy;c:\windows\system32\drivers\AWLEGACY.sys [2003-11-17 11165]
R1 Ext2fs;Ext2fs;c:\windows\system32\drivers\ext2fs.sys [2007-11-22 132736]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.sys [2008-7-16 4224]
R1 IfsDrives;IfsDrives;c:\windows\system32\drivers\IfsDrives.sys [2007-11-22 4608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 72944]
R1 SAVRT;SAVRT;c:\program files\symantec client security\symantec antivirus\savrt.sys [2005-12-19 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec client security\symantec antivirus\Savrtpel.sys [2005-12-19 54968]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [2008-7-16 4442]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-7-12 298776]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-3-24 192160]
R2 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\ccProxy.exe [2006-3-24 202400]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-3-24 169632]
R2 Macro Expert;Macro Expert;c:\program files\grasssoft\macro expert\MacroService.exe [2009-6-17 212480]
R2 SavRoam;SAVRoam;c:\program files\symantec client security\symantec antivirus\SavRoam.exe [2006-6-15 115952]
R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [2007-11-22 14976]
R2 smefs;SMEFileSystem;c:\windows\system32\drivers\smefs.sys [2006-12-21 20476]
R2 smihlp;SMI Helper Driver (smihlp);c:\program files\common files\thinkvantage fingerprint software\drivers\smihlp.sys [2007-8-14 10896]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec client security\symantec antivirus\Rtvscan.exe [2006-6-15 1805552]
R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [2005-11-25 31896]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-7-10 101936]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090711.006\naveng.sys [2009-7-11 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090711.006\navex15.sys [2009-7-11 876144]
R3 smedrv;SMEDriver;c:\windows\system32\drivers\smedrv.sys [2006-12-21 9516]
S2 SQLAgent$QLM;SQLAgent$QLM;c:\program files\qlm\mssql$qlm\binn\sqlagent.exe -i qlm --> c:\program files\qlm\mssql$qlm\binn\sqlagent.EXE -i QLM [?]
S3 awhost32;pcAnywhere Host Service;c:\program files\symantec\pcanywhere\awhost32.exe [2004-11-1 106496]
S3 BTUSBFLT;WIDCOMM Bluetooth USB Filter Driver;\??\c:\windows\system32\drivers\btusbflt.sys --> c:\windows\system32\drivers\btusbflt.sys [?]
S3 CdProbe;CdProbe;c:\windows\system32\drivers\CDProbe.SYS [2006-12-21 8416]
S3 IFS S&M Web Service;IFS S&M Web Service;c:\program files\ifs applications\sales & marketing web access\vmoWebService.exe [2005-3-24 94208]
S3 IFSApache2-RACE;IFS Apache2 - RACE;c:\ifs\race\fndext\3.0.0\apache2\bin\Apache.exe [2007-1-11 13824]
S3 IfsBatchServer1RACE;IFS BatchServer1 - RACE;c:\ifs\race\runtime\ifssrv.exe [2007-1-11 69632]
S3 IFSCBSBridgeRACE;IFS CBS Bridge - RACE;c:\ifs\race\runtime\ifssrv.exe [2007-1-11 69632]
S3 IFSCBSServerRACE;IFS CBS Server - RACE;c:\ifs\race\runtime\ifssrv.exe [2007-1-11 69632]
S3 IfsConnectServer1RACE;IFS ConnectServer1 - RACE;c:\ifs\race\runtime\ifssrv.exe [2007-1-11 69632]
S3 IfsContentSearchServer;IFS Content Search Server;c:\ifs\race\runtime\ifssrv.exe [2007-1-11 69632]
S3 IFSDemandServerRACE;IFS Demand Server - RACE;c:\ifs\race\runtime\ifssrv.exe [2007-1-11 69632]
S3 IFSJBossServerRACE;IFS Extended Server - RACE (JBoss);c:\ifs\race\runtime\ifssrv.exe [2007-1-11 69632]
S3 IfsMobileServerRACE;IFS Mobile Server - RACE;c:\ifs\race\runtime\ifssrv.exe [2007-1-11 69632]
S3 IFSPrintServerRACE;IFS Print Server - RACE;c:\ifs\race\runtime\ifssrv.exe [2007-1-11 69632]
S3 IFSTimeReportingExecutorRACE;IFS Time Reporting Executor - RACE;c:\ifs\race\runtime\ifssrv.exe [2007-1-11 69632]
S3 IFSTimeReportingFrontRACE;IFS Time Reporting Front - RACE;c:\ifs\race\runtime\ifssrv.exe [2007-1-11 69632]
S3 IFSWaveLinkRACE;IFS WaveLink - RACE;c:\ifs\race\runtime\ifssrv.exe [2007-1-11 69632]
S3 JL2005C;Dual Mode Camera;c:\windows\system32\drivers\jl2005c.sys [2007-1-26 68954]
S3 Mail-Gear;Mail-Gear;c:\ifs\common\mailgear\mailgear.exe [2007-1-11 918016]
S3 MSSQL$QLM;MSSQL$QLM;c:\program files\qlm\mssql$qlm\binn\sqlservr.exe -sqlm --> c:\program files\qlm\mssql$qlm\binn\sqlservr.exe -sQLM [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 OracleOra92Agent;OracleOra92Agent;c:\oracle\ora92\bin\agntsrvc.exe [2002-4-26 28944]
S3 OracleOra92ClientCache;OracleOra92ClientCache;c:\oracle\ora92\bin\ONRSD.EXE [2002-4-26 242328]
S3 OracleOra92HTTPServer;OracleOra92HTTPServer;c:\oracle\ora92\apache\apache\Apache.exe [2002-4-18 4096]
S3 OracleOra92PagingServer;OracleOra92PagingServer;c:\oracle\ora92\bin\pagntsrv.exe [2002-6-4 49152]
S3 OracleOra92SNMPPeerEncapsulator;OracleOra92SNMPPeerEncapsulator;c:\oracle\ora92\bin\encsvc.exe [2002-2-13 187392]
S3 OracleOra92SNMPPeerMasterAgent;OracleOra92SNMPPeerMasterAgent;c:\oracle\ora92\bin\agntsvc.exe [2002-2-13 254464]
S3 OracleOraDb10g_home1TNSListener;OracleOraDb10g_home1TNSListener;c:\oracle\product\10.2.0\db_1\bin\tnslsnr --> c:\oracle\product\10.2.0\db_1\bin\TNSLSNR [?]
S3 OracleServiceAPPS7;OracleServiceAPPS7;c:\oracle\product\10.2.0\db_1\bin\oracle.exe apps7 --> c:\oracle\product\10.2.0\db_1\bin\ORACLE.EXE APPS7 [?]
S3 OracleServiceRACE;OracleServiceRACE;c:\oracle\ora92\bin\oracle.exe race --> c:\oracle\ora92\bin\ORACLE.EXE RACE [?]
S3 OracleServiceTTCCG1;OracleServiceTTCCG1;c:\oracle\ora92\bin\oracle.exe ttccg1 --> c:\oracle\ora92\bin\ORACLE.EXE TTCCG1 [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]
S3 tpflhlp;tpflhlp;c:\drivers\flash\79uj17us\tpflhlp.sys [2006-12-13 13616]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]
S3 XmsSocketService;XMS Socket Service;c:\ifs\race\servers\xms\XmsSocketService.exe [2007-1-11 115200]
S4 OracleJobSchedulerAPPS7;OracleJobSchedulerAPPS7;c:\oracle\product\10.2.0\db_1\bin\extjob.exe apps7 --> c:\oracle\product\10.2.0\db_1\bin\extjob.exe APPS7 [?]

=============== Created Last 30 ================

2009-07-27 00:06 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-07-26 23:47 <DIR> a-dshr-- C:\cmdcons
2009-07-26 23:46 <DIR> --ds---- C:\ComboFix
2009-07-26 23:24 219,648 a------- c:\windows\PEV.exe
2009-07-26 23:24 161,792 a------- c:\windows\SWREG.exe
2009-07-26 23:24 98,816 a------- c:\windows\sed.exe
2009-07-23 12:23 <DIR> --d----- c:\program files\trend micro
2009-07-17 21:22 169,472 a------- c:\windows\system32\EfV2p6N5.dll
2009-07-14 10:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-07-14 10:47 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-07-14 10:47 <DIR> --d----- c:\docume~1\paarca\applic~1\SUPERAntiSpyware.com
2009-07-14 10:39 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-07-12 15:35 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-07-12 12:30 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-07-12 12:30 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-07-12 12:29 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-07-12 12:29 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-07-12 12:27 <DIR> --d----- c:\program files\AVG
2009-07-12 12:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-07-10 00:14 <DIR> --d----- c:\program files\DemoForge
2009-07-10 00:13 <DIR> --d----- c:\program files\EchoVNC
2009-07-09 00:28 <DIR> --d----- c:\program files\iPhoneBrowser
2009-07-01 19:08 <DIR> --d----- c:\docume~1\paarca\applic~1\Downloaded Installations

==================== Find3M ====================

2009-07-13 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-01 19:09 30,144 a------- c:\windows\system32\drivers\psadd.sys
2009-05-25 00:24 350,208 a------- c:\windows\system32\mssph.dll
2009-05-12 15:12 26,144 a------- c:\windows\system32\spupdsvc.exe
2009-05-07 11:44 344,064 a------- c:\windows\system32\localspl.dll
2009-03-02 12:01 64,808 a------- c:\documents and settings\paarca\GoToAssistDownloadHelper.exe
2009-02-16 23:53 1,325 a------- c:\docume~1\paarca\applic~1\MT.dat
2009-01-30 13:44 214,344 a------- c:\documents and settings\paarca\atcliun.exe
2009-01-30 13:43 98,712 a------- c:\documents and settings\paarca\ieatgpc.dll
2009-01-30 13:43 126,360 a------- c:\documents and settings\paarca\atgpcext.dll
2009-01-30 13:43 27,976 a------- c:\documents and settings\paarca\atgpcdec.dll
2009-01-06 07:50 202,056 a------- c:\docume~1\paarca\applic~1\OI31Upd.exe
2009-01-06 05:58 49,152 a------- c:\docume~1\paarca\applic~1\olkupres.dll
2007-02-21 10:02 16 ---shr-- c:\windows\MSCIOTL.SYS

============= FINISH: 0:46:45.54 ===============




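The DDS log above is the kind of listing a responder reads top to bottom for persistence points before asking for scans of individual files. As an added example that is not part of the original post, here is a small Python triage script over lines copied from that log: it pulls out AppInit_DLLs entries, non-default LSA notification packages, and recently created binaries in system32 whose names look machine-generated, and hashes any flagged file that exists so the hash can be looked up before the file is uploaded. The "random-looking name" rule (eight alphanumerics, at least one digit, letters flipping case at least three times) and the choice of which log lines to extract are my assumptions; a hit means "verify this file", not "this is malware".

```python
"""Triage helper for DDS-style log lines.

Added example, not part of the thread. The 'random-looking name' rule and the
choice of which lines to pull out are assumptions; a hit means 'verify this
file' (hash it, submit it to Jotti/VirusTotal), not 'this is malware'.
"""
import hashlib
import os
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: a handful of lines copied from the DDS log in this thread.
SAMPLE_LOG = r"""
Notify: avgrsstarter - avgrsstx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
AppInit_DLLs: c:\windows\system32\AMInit32.dll
SEH: ShHook Class: {a5949e07-8536-4625-a3d0-2dd83f559990} - c:\windows\system32\ShellHook.dll
LSA: Notification Packages = scecli ACGina psqlpwd

=============== Created Last 30 ================

2009-07-23 12:23 <DIR> --d----- c:\program files\trend micro
2009-07-17 21:22 169,472 a------- c:\windows\system32\EfV2p6N5.dll
2009-07-12 12:30 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-07-12 12:30 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
""".strip()

# "<date> <time> <size or <DIR>> <attrs> <path>" as DDS prints it under "Created Last 30".
CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attr>\S+)\s+(?P<path>.+?)\s*$"
)
DEFAULT_LSA_PACKAGES = {"scecli"}   # the only notification package on a stock XP box
BINARY_EXT = {"dll", "sys", "exe"}
SYSTEM32 = r"c:\windows\system32"


def looks_random(stem: str) -> bool:
    """Assumed heuristic: 8 alphanumerics with at least one digit whose letters
    flip case at least three times (EfV2p6N5 -> True, AMInit32 -> False)."""
    if len(stem) != 8 or not stem.isalnum() or not any(c.isdigit() for c in stem):
        return False
    letters = [c for c in stem if c.isalpha()]
    flips = sum(a.isupper() != b.isupper() for a, b in zip(letters, letters[1:]))
    return flips >= 3


@dataclass
class Findings:
    appinit: list = field(default_factory=list)       # AppInit_DLLs entries (loaded into every GUI process)
    lsa_extra: list = field(default_factory=list)     # non-default LSA notification packages
    random_names: list = field(default_factory=list)  # new system32 binaries with random-looking names


def triage(log: str) -> Findings:
    found = Findings()
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("AppInit_DLLs:"):
            found.appinit.append(line.split(":", 1)[1].strip())
            continue
        if line.startswith("LSA: Notification Packages ="):
            packages = line.split("=", 1)[1].split()
            found.lsa_extra.extend(p for p in packages if p.lower() not in DEFAULT_LSA_PACKAGES)
            continue
        m = CREATED_RE.match(line)
        if not m or m["size"] == "<DIR>":
            continue
        path = m["path"]
        name = path.rsplit("\\", 1)[-1]
        stem, _, ext = name.rpartition(".")
        if path.lower().startswith(SYSTEM32) and ext.lower() in BINARY_EXT and looks_random(stem):
            found.random_names.append(path)
    return found


def sha256_of(path: str) -> Optional[str]:
    """Hash a flagged file so the hash can be looked up before uploading the file itself."""
    if not os.path.isfile(path):
        return None
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for label, items in (("AppInit_DLLs", result.appinit),
                         ("Non-default LSA packages", result.lsa_extra),
                         ("Random-looking new system32 binaries", result.random_names)):
        print(f"{label}:")
        for item in items:
            print(f"  {item}  sha256={sha256_of(item)}")
```

On a real machine you would feed the whole DDS.txt in, then check each flagged path's hash before deciding whether to upload it; the LSA package names are listed only so they can be matched against software you know is installed.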
#9 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:05:54 PM

Posted 27 July 2009 - 07:39 AM

Hello, PauloA.
P2P Program Warning!

BitTorrent

P2P programs form a direct conduit onto your computer, their security measures are easily circumvented, and Malware writers are increasingly exploiting them to spread their wares onto your computer. Further to that, if your P2P programme is not configured correctly you may be sharing more files than you realise. There have been cases where people's Passwords, Address Books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured programme.

This article from InfoWorld illustrates perfectly the dangers of a poorly configured P2P program.
Here

Many of the programs come bundled with other unwanted programs, but even the ones free of any bundled software are not safe to use.
When you use them you are downloading software from an unknown source directly onto your computer, bypassing your Firewall and Anti-Virus software. Hardly surprising then that many of these Downloads are being targeted to carry infections.

Note: It is pretty much certain that if you continue to use P2P programs, then you will get infected again.
I would recommend that you uninstall BitTorrent, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.




We need to run a Jotti scan

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows
  • Go to the Jotti website
  • When the jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time.

    c:\windows\system32\EfV2p6N5.dll

  • Please post back the results of the scan in your next post.
**Note:If Jotti is busy, try the same at Virustotal
**Note: No logs will be produced. You can either copy/paste the results into your reply, or you can state the infection found (if any) and the scanner that found it


NEXT:

We need to run a Kaspersky Scan
  • Go to Kaspersky WebScanner
  • Click on Kaspersky Online Scanner
  • You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database --> Extended (if available otherwise Standard)
  • Scan Options:
    • Scan Archives
    • Scan Mail Bases
  • Click OK
  • Now under select a target to scan, Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
In your next reply, please include the following:
  • Jotti Log(s)
  • Kaspersky Log

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#10 PauloA

PauloA
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:09:54 AM

Posted 28 July 2009 - 07:47 AM

Hello, below are the results of the Jotti and Kaspersky scans:

----------------
JOTTI
----------------
Filename: kTKjD5M8.dll (although I scanned EfV2p6N5.dll)
Status: 1 of 21 scanners reported the file kTKjD5M8.dll

NOD32 reported the file as Win32/TrojanClicker.Agent.NEB
Others reported nothing found.


-----------------
kaspersky Log
-----------------
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Tuesday, July 28, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Tuesday, July 28, 2009 01:40:07
Records in database: 2556185
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 467447
Threat name: 7
Infected objects: 8
Suspicious objects: 0
Duration of the scan: 11:53:11


File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\13A00000\5BF8A7DA.VBN Infected: Trojan-Dropper.Win32.Agent.axrx 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\13A00001\5BF8A84F.VBN Infected: Packed.Win32.PolyCrypt.d 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\13A00002\5BF8A8DC.VBN Infected: Packed.Win32.PolyCrypt.d 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\13A00003\5BF8AA7B.VBN Infected: Trojan-Proxy.Win32.DiskMaster.gfa 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\13A00004\5BF8ABA2.VBN Infected: Trojan-Downloader.Win32.Agent.nze 1
C:\Documents and Settings\paarca\My Documents\Material\personal Stuff\Paulo\Misc Files\Misc\Norton.AntiVirus.2007.RETAIL.OEM.tar Infected: Backdoor.Win32.Agent.aly 1
C:\Program Files\EchoVNC\vnchooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c 1
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1

The selected area was scanned.
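Not every line in a report like the one above calls for the same action: five of the eight hits are already sitting in the Symantec quarantine store, two are "not-a-virus" detections of tools the user may have installed on purpose, and only one is a live file. As an added example, not part of the original post, the Python script below parses the "File name / Threat name / Threats count" lines and the summary statistics into those three buckets and checks that the "Infected objects" count agrees with what was parsed. The sample text is the report posted above; the bucket rules (anything under a Quarantine directory, the "not-a-virus:" prefix Kaspersky uses for riskware, everything else live) are my assumptions.

```python
"""Split a Kaspersky Online Scanner report into actionable buckets.

Added example, not part of the thread. Bucket rules are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample: the statistics and detection lines posted above.
SAMPLE_REPORT = r"""
Scan statistics:
Files scanned: 467447
Threat name: 7
Infected objects: 8
Suspicious objects: 0
Duration of the scan: 11:53:11

File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\13A00000\5BF8A7DA.VBN Infected: Trojan-Dropper.Win32.Agent.axrx 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\13A00001\5BF8A84F.VBN Infected: Packed.Win32.PolyCrypt.d 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\13A00002\5BF8A8DC.VBN Infected: Packed.Win32.PolyCrypt.d 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\13A00003\5BF8AA7B.VBN Infected: Trojan-Proxy.Win32.DiskMaster.gfa 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\13A00004\5BF8ABA2.VBN Infected: Trojan-Downloader.Win32.Agent.nze 1
C:\Documents and Settings\paarca\My Documents\Material\personal Stuff\Paulo\Misc Files\Misc\Norton.AntiVirus.2007.RETAIL.OEM.tar Infected: Backdoor.Win32.Agent.aly 1
C:\Program Files\EchoVNC\vnchooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c 1
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1

The selected area was scanned.
""".strip()

FINDING_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)$")
STAT_RE = re.compile(r"^(?P<key>[A-Za-z ]+):\s+(?P<value>\d+)$")

ACTIONS = {
    "quarantined": "already neutralised by another scanner: purge that quarantine instead of deleting by hand",
    "not_a_virus": "riskware class (remote admin, IRC client): keep only if you installed it knowingly",
    "live": "live detection outside any quarantine: delete, or hash and submit for a second opinion first",
}


def classify(path: str, threat: str) -> str:
    """Assumed rules: anything under a Quarantine directory is another AV's
    quarantine store; 'not-a-virus:' is Kaspersky's riskware prefix; the rest is live."""
    if "\\quarantine\\" in path.lower():
        return "quarantined"
    if threat.lower().startswith("not-a-virus:"):
        return "not_a_virus"
    return "live"


def parse_report(text: str):
    stats, buckets = {}, defaultdict(list)
    for line in text.splitlines():
        line = line.rstrip()
        m = FINDING_RE.match(line)
        if m:
            buckets[classify(m["path"], m["threat"])].append((m["path"], m["threat"], int(m["count"])))
            continue
        s = STAT_RE.match(line)
        if s:
            stats[s["key"].strip()] = int(s["value"])
    # Sanity check: the summary line should account for every detection line parsed.
    total = sum(count for items in buckets.values() for _, _, count in items)
    consistent = stats.get("Infected objects") == total
    return stats, dict(buckets), consistent


if __name__ == "__main__":
    stats, buckets, consistent = parse_report(SAMPLE_REPORT)
    print(f"scanned={stats.get('Files scanned')} infected={stats.get('Infected objects')} consistent={consistent}")
    for bucket, items in buckets.items():
        print(f"\n[{bucket}] {ACTIONS[bucket]}")
        for path, threat, _ in items:
            print(f"  {threat:45} {path}")
```

The consistency flag matters when a report has been pasted by hand: a mismatch between the summary count and the parsed lines usually means lines were truncated or wrapped and the report needs to be re-posted before anyone acts on it.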

#11 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:05:54 PM

Posted 29 July 2009 - 07:51 AM

Hello, PauloA.
Please navigate through and delete these files:
c:\windows\system32\EfV2p6N5.dll
C:\Documents and Settings\paarca\My Documents\Material\personal Stuff\Paulo\Misc Files\Misc\Norton.AntiVirus.2007.RETAIL.OEM.tar

(May I add that downloading full versions is not only illegal, but they usually come bundled with malware. The same goes for cracks, keygens, etc.)

Once done, please clear your Norton Antivirus quarantine folder.

NEXT:

We need to update your version of Java

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 14.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u14-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

NEXT:

We need to uninstall Combofix
  • Click on your Start Menu, then Run....
  • Now type combofix /u in the runbox and click OK. Notice the space between the "x" and "/".



Your log looks clean. Please take the time to read below to secure your machine and take the necessary steps to keep it clean.

Hiding Hidden Files
Please set your system to hide all hidden files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, uncheck Show hidden files and folders.
Check: Hide file extensions for known file types
Check the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Purging System Restore Points
Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
One of the most common questions found when cleaning Spyware or other Malware is "how did my machine get infected?". There are a variety of reasons, but the most common ones are that you are not practicing Safe Internet, you are not running the proper security software, and your computer's security settings are set too low.

Below I have outlined a series of categories that outline how you can increase the security of your computer so that you will not be infected again in the future.


Practice Safe Internet

One of the main reasons people get infected in the first place is that they are not practicing Safe Internet. You practice Safe Internet when you educate yourself on how to properly use the Internet through the use of security tools and good practice. Knowing how you can get infected and what types of files and sites to avoid will be the most crucial step in keeping your computer malware free. The reality is that the majority of people who are infected with malware are ones who click on things they shouldn't be clicking on. Whether these things are files or sites it doesn't really matter. If something is out to get you, and you click on it, it most likely will. Below is a list of simple precautions to take to keep your computer clean and running securely:
  • If you receive an attachment from someone you do not know, DO NOT OPEN IT! Simple as that. Opening attachments from people you do not know is a very common method for viruses or worms to infect your computer.
  • If you receive an attachment and it ends with a .exe, .com, .bat, or .pif do not open the attachment unless you know for a fact that it is clean. For the casual computer user, you will almost never receive a valid attachment of this type.
  • If you receive an attachment from someone you know, and it looks suspicious, then it probably is. The email could be from someone you know infected with a malware that is trying to infect everyone in their address book.
  • If you are browsing the Internet and a popup appears saying that you are infected, ignore it! These are, as far as I am concerned, scams that are being used to scare you into purchasing a piece of software. For an example of these types of popups, or Foistware, you should read this article: Foistware, And how to avoid it.
    There are also programs that disguise themselves as Anti-Spyware or security products but are instead scams. For a list of these types of programs we recommend you visit this link: Rogue/Suspect Anti-Spyware Products & Web Sites
  • Another tactic to fool you on the web is when a site displays a popup that looks like a normal Windows message or alert. When you click on them, though, they instead bring you to another site that is trying to push a product on you. We suggest that you close these windows by clicking on the X instead of the OK button. Alternatively, you can check to see if it's a real alert by right-clicking on the window. If there is a menu that comes up saying Add to Favorites... you know it's a fake.
  • Do not go to adult sites. I know this may bother some of you, but the fact is that a large amount of malware is pushed through these types of sites. I am not saying all adult sites do this, but a lot do.
  • When using an Instant Messaging program be cautious about clicking on links people send to you. It is not uncommon for infections to send a message to everyone in the infected person's contact list that contains a link to an infection. Instead when you receive a message that contains a link, message back to the person asking if it is legit before you click on it.
  • Stay away from Warez and Crack sites! In addition to the obvious copyright issues, the downloads from these sites are typically overrun with infections.
  • Be careful of what you download off of web sites and Peer-2-Peer networks. Some sites disguise malware as legitimate software to trick you into installing them and Peer-2-Peer networks are crawling with it. If you want to download a piece of software from a site, and are not sure if they are legitimate, you can use McAfee Siteadvisor to look up info on the site.
  • DO NOT INSTALL any software without first reading the End User License Agreement, otherwise known as the EULA. A tactic that some developers use is to offer their software for free, but have spyware and other programs you do not want bundled with it. This is where they make their money. By reading the agreement there is a good chance you can spot this and not install the software.
Visit Microsoft's Windows Update Site Frequently
It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Make Internet Explorer 6 and below more secure
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialize and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt

      When all these settings have been made, click on the OK button. If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.
Update your AntiVirus Software

It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Use a Firewall

Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls

Install SpywareBlaster

SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware
Update all these programs regularly
Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM
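The six Custom Level settings listed in the post above are stored as DWORD values under the per-user Internet zone key, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3, where 0 means Enable, 1 Prompt and 3 Disable (the URL action IDs are documented in Microsoft KB 182569, "Internet Explorer security zones registry entries for advanced users"). As an added example that is not part of the original post, the Python script below audits a `reg export` of that key against the recommended levels and writes out the .reg text that raises only the weak ones. The sample export is constructed and deliberately weakened so every check has something to report; the action-ID table is my transcription of the KB, so check it against that article before applying the generated file.

```python
"""Audit Internet Explorer's Internet-zone (zone 3) URL actions against the
Custom Level settings recommended above and emit a .reg file for the weak ones.

Added example, not from the thread. Action IDs follow Microsoft KB 182569;
verify them against that article before relying on this table.
"""
import re
from typing import Optional

ZONE_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
ENABLE, PROMPT, DISABLE = 0, 1, 3           # DWORD values behind the three radio buttons
LEVEL = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# URL action ID -> (Custom Level label, level recommended in the post above)
HARDENED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}

# Constructed sample of `reg export "<ZONE_KEY>" zone3.reg`, deliberately weakened.
SAMPLE_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000000
"1004"=dword:00000000
"1201"=dword:00000003
"1607"=dword:00000000
"1800"=dword:00000001
"1804"=dword:00000000
""".strip()

DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')


def parse_zone(export: str) -> dict:
    """Collect the DWORD values that sit directly under the zone 3 key of a .reg export."""
    values, in_zone = {}, False
    for raw in export.splitlines():
        line = raw.strip()
        if line.startswith("["):                   # a key header starts a new section
            in_zone = line.strip("[]").lower() == ZONE_KEY.lower()
            continue
        m = DWORD_RE.match(line)
        if in_zone and m:
            values[m["name"]] = int(m["hex"], 16)
    return values


def audit(values: dict) -> list:
    """Return (action_id, label, current, required) for every setting that is more
    permissive than the baseline or not set at all. A lower value is more permissive
    (Enable < Prompt < Disable), so Disable also satisfies a Prompt baseline."""
    weak = []
    for action, (label, required) in HARDENED.items():
        current = values.get(action)
        if current is None or current < required:
            weak.append((action, label, current, required))
    return weak


def reg_fix(weak: list) -> str:
    """Build the .reg text that raises only the weak settings to the baseline."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{ZONE_KEY}]"]
    for action, label, _, required in weak:
        lines.append(f"; {label} -> {LEVEL[required]}")
        lines.append(f'"{action}"=dword:{required:08x}')
    return "\n".join(lines) + "\n"


def read_live_zone() -> Optional[dict]:
    """On Windows, read the six values straight from the registry; None elsewhere."""
    try:
        import winreg
    except ImportError:
        return None
    subkey = ZONE_KEY.split("\\", 1)[1]
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey) as key:
        for action in HARDENED:
            try:
                values[action] = winreg.QueryValueEx(key, action)[0]
            except FileNotFoundError:
                pass
    return values


if __name__ == "__main__":
    current = read_live_zone() or parse_zone(SAMPLE_EXPORT)
    weak = audit(current)
    for action, label, cur, req in weak:
        shown = "not set" if cur is None else LEVEL.get(cur, str(cur))
        print(f"{action} {label}: {shown} -> {LEVEL[req]}")
    if weak:
        print("\n" + reg_fix(weak))
```

To audit a real export rather than the sample, run `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" zone3.reg` and pass the file contents to `parse_zone`; note that reg.exe writes the file as UTF-16, so open it with `encoding="utf-16"`. Missing values are reported as weak on purpose: an absent DWORD falls back to the zone template rather than to the hardened level.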


#12 PauloA

PauloA
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:09:54 AM

Posted 29 July 2009 - 12:54 PM

Hi, thankyou for your help. I've followed the latest instructions, however I think I still may have some sort of problem.

One of the problems that I'd been seeing through this whole situation is that I'm unable to use internet explorer when logged into windows through a normal accont. I found that when I open internet explorer, I will see the message in the lower left appear, indicating that it's contacts the website (i.e. Google.com) , message then changes to waiting, and doesn't progress any further. It will get stuck in for example "waiting for http://google.com/...

I'm able to use Internet explorer without any problems when connected in safe mode with networking.

Is there something I should be doing that will restore internet connectivity when logged in as a normal user? I tested the internet connection using other computers, and I don't have a problem with those. I also verified that I'm able to ping

#13 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • Gender:Male
  • Location:Dubai
  • Local time:05:54 PM

Posted 30 July 2009 - 06:27 AM

Hi!

I see that you have a firewall enabled. Try disabling the firewall, and then try connecting to the internet. Let me know if that allows you to connect to the internet.



#14 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • Gender:Male
  • Location:Dubai
  • Local time:05:54 PM

Posted 02 August 2009 - 05:26 AM

Hello PauloA
Are you still with us?



#15 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida
  • Local time:09:54 AM

Posted 04 August 2009 - 06:55 AM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with the address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.



