Infected with Rootkit.tdss


90 replies to this topic

#1 es99cobra

  • Members
  • 50 posts
  • OFFLINE
  • Local time:10:32 PM

Posted 18 September 2009 - 04:42 PM

Symptoms:

1. Windows XP machine takes around an hour or more to boot up under normal startup. I see the desktop icons, but items on the bottom right corner take forever to load. I have utilized msconfig to disable all items listed in the startup tab. This allows me to have a semi-normal bootup. And so far, I have been running this way for approx 4 hours and it seems to be performing normally.

2. Stopzilla scan comes back clean (though it didn't yesterday).

3. Malwarebytes log comes back with rootkit.tdss twice. One it successfully deletes and one it says it will on reboot but never does.


FYI, I don't see an option to attach, so please forgive me if I shouldn't have just pasted the log into this message:

Malwarebytes' Anti-Malware 1.41
Database version: 2819
Windows 5.1.2600 Service Pack 2

09/18/2009 11:31:05 AM
mbam-log-2009-09-18 (11-31-04).txt

Scan type: Full Scan (C:\|)
Objects scanned: 221927
Time elapsed: 2 hour(s), 7 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\Device\Ide\iaStor0\buwipufg\buwipufg\tdlwsp.dll (Rootkit.TDSS) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\Device\Ide\iaStor0\buwipufg\buwipufg\tdlwsp.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.


DDS.txt File:


DDS (Ver_09-07-30.01) - NTFSx86
Run by eliotte at 16:08:42.26 on 09/18/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.126 [GMT -5:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Client Firewall *enabled* {5CB76A43-5FAD-476B-B9FF-26FA61F13187}

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\IBM\Personal Communications\PCS_AGNT.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Drivers\trcboot.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\IBM\SQLLIB\BIN\db2jds.exe
C:\Program Files\IBM\SQLLIB\BIN\db2sec.exe
C:\Program Files\IBM\tivoli\dcd\client\ISSI\cds\CDSWinSrv.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\C4ebreg\c4ebreg.exe
c:\sdwork\issimsvc.exe
C:\Program Files\AT&T Network Client\NetCfgSv.EXE
C:\WINDOWS\system32\PGPserv.exe
C:\Program Files\IBM\tivoli\dcd\client\ISSI\_jvm\jre\bin\java.exe
c:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\WINDOWS\system32\Drivers\ldlcserv.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Windows\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\Program Files\C4ebreg\isamtray.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\notes\NLNOTES.EXE
C:\notes\framework\rcp\eclipse\plugins\com.ibm.rcp.base_6.1.2.200808010926\win32\x86\eclipse.exe
C:\notes\framework\rcp\eclipse\plugins\com.ibm.rcp.j2se.win32.x86_1.6.0.20090219c-200907141302\jre\bin\notes2w.exe
C:\notes\ntaskldr.EXE
C:\Program Files\AT&T Network Client\NetClient.exe
C:\Program Files\wst\wsect.exe
C:\Program Files\wst\wsect.exe
C:\Program Files\wst\wsect.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\wst\wsect.exe
C:\Program Files\wst\wsect.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\wst\wsect.exe
c:\Program Files\IBM\My Help\MyHelp.exe
c:\Program Files\IBM\My Help\jre\bin\myhelpw.exe
C:\Program Files\IBM\My Help\plugins\com.ibm.myhelp.common_1.4.19\pmonmh.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://w3.ibm.com/w3odw/spg/index_default.html
mDefault_Page_URL = hxxp://w3.ibm.com
uInternet Connection Wizard,ShellNext = hxxp://w3.ibm.com/
uInternet Settings,ProxyOverride = <local>;<local>
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ZILLAbar Browser Helper Object: {1827766b-9f49-4854-8034-f6ee26fcb1ec} - c:\program files\stopzilla!\SZSG.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\ibm\java60\jre\bin\ssv.dll
BHO: STOPzilla Browser Helper Object: {e3215f20-3212-11d6-9f8b-00d0b743919d} - c:\program files\stopzilla!\SZIEBHO.dll
TB: STOPzilla: {98828ded-a591-462f-83ba-d2f62a68b8b8} - c:\program files\stopzilla!\SZSG.dll
TB: {003762F1-BB5A-48EB-A59D-01625443229F} - No File
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [C4EBReg] "c:\program files\c4ebreg\c4ebreg.exe" /q
mRun: [Isamtray] "c:\program files\c4ebreg\isamtray.exe"
mRun: [ISSI Service] "c:\sdwork\issimsvc.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [MyHelpService] c:\program files\ibm\my help\workspace\service\delayStart.exe
mRun: [pmonmh] c:\program files\ibm\my help\plugins\\com.ibm.myhelp.common_1.4.19/pmonmh.exe
uPolicies-explorer: NoDevMgrUpdate = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\thinkpad\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\ibm\java60\jre\bin\ssv.dll
LSP: c:\program files\common files\is3\anti-spyware\iS3lsp.dll
Trusted Zone: ibm.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} - hxxp://quickr13.edc.ibm.com/qp2.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {1ACECAFE-0016-0000-0000-ABCDEFFEDCBA} - hxxp://
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://
DPF: {8C28EFD7-767B-11D1-844B-0060972DC2AC} - hxxps://w3-03.ibm.com/Hyperion/zeroadmin/component/Brio.Insight.en.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9519B2A2-6592-4E41-8290-D0298459270C} - hxxp://w3.ibm.com/bluepages/scripts/lnwebassist.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {99FCE25D-08B2-4A60-9238-39AD650FD5D2} = 9.0.8.1,9.0.9.1
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: ACNotify - ACNotify.dll
Notify: atmgrtok - atmgrtok.dll
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: pcsinst - pcsinst.dll
Notify: tpfnf2 - c:\program files\lenovo\hotkey\notifyf2.dll
Notify: tphotkey - c:\program files\lenovo\hotkey\tphklock.dll
LSA: Notification Packages = scecli ACGina PGPpwflt

============= SERVICES / DRIVERS ===============

R0 PGPwded;PGPwded Storage Filter Service;c:\windows\system32\drivers\PGPwded.sys [2008-9-18 210488]
R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [2006-12-12 88576]
R0 szkg5;szkg;c:\windows\system32\drivers\SZKG.sys [2009-5-12 61328]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2006-12-12 11520]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.sys [2006-12-12 4224]
R1 SAVRT;SAVRT;c:\program files\symantec client security\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec client security\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [2006-12-12 4736]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [2006-12-12 4442]
R2 AppnApi;AppnApi;c:\windows\system32\drivers\appnapi.sys [2005-9-6 120192]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-7-19 192160]
R2 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\ccProxy.exe [2006-7-19 202400]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-7-19 169632]
R2 DCDClient-ISSI;IBM DCD Standard Client (DCDClient-ISSI);c:\program files\ibm\tivoli\dcd\client\issi\cds\CDSWinSrv.exe [2008-8-11 53248]
R2 IBM_LLC2;IBM Personal Communications LLC2 Driver;c:\windows\system32\drivers\llc2.sys [2005-9-6 101408]
R2 ISAMSvc;IBM Standard Asset Manager Service;c:\program files\c4ebreg\c4ebreg.exe [2009-7-23 433392]
R2 NsTrcNT;NsTrcNT;c:\windows\system32\drivers\nstrcnt.sys [2005-9-6 12028]
R2 pdlnctdl;Twinax CUT Adapter;c:\windows\system32\drivers\pdlnctdl.sys [2005-9-6 12288]
R2 pdlndldl;IBM Enterprise Extender (HPR/IP);c:\windows\system32\drivers\pdlndldl.sys [2005-9-6 59392]
R2 PGPdisk;PGPdisk;c:\windows\system32\drivers\PGPdisk.sys [2008-9-18 245816]
R2 PGPsdkDriver;PGPsdkDriver;c:\windows\system32\drivers\PGPsdk.sys [2008-9-18 40504]
R2 SavRoam;SAVRoam;c:\program files\symantec client security\symantec antivirus\SavRoam.exe [2006-9-27 116464]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec client security\symantec antivirus\Rtvscan.exe [2006-9-27 1813232]
R3 agnfilt;AGN Filter Interface;c:\windows\system32\drivers\agnfilt.sys [2006-5-19 180864]
R3 Anydlc;Anydlc;c:\windows\system32\drivers\anydlc.sys [2005-9-6 38236]
R3 Appn;Appn;c:\windows\system32\drivers\appn.sys [2005-9-6 1286560]
R3 AppnBase;AppnBase;c:\windows\system32\drivers\appnbase.sys [2005-9-6 195872]
R3 avpnnic;AGN Virtual Network Adapter;c:\windows\system32\drivers\avpnnic.sys [2006-12-12 13952]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-9-16 102448]
R3 KLOGNT;KLOGNT;c:\windows\system32\drivers\klognt.sys [2005-9-6 24588]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090918.003\naveng.sys [2009-9-18 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090918.003\navex15.sys [2009-9-18 1323568]
R3 pdlnacom;PDLC Adapter -- COM;c:\windows\system32\drivers\pdlnacom.sys [2005-9-6 75200]
R3 pdlnafac;PDLC Adapter Factory;c:\windows\system32\drivers\pdlnafac.sys [2005-9-6 36048]
R3 pdlnatcm;Twinax Adapter Common;c:\windows\system32\drivers\pdlnatcm.sys [2005-9-6 20480]
R3 pdlnatdl;Twinax Adapter;c:\windows\system32\drivers\pdlnatdl.sys [2005-9-6 18432]
R3 pdlncbas;PDLC CxM Classes;c:\windows\system32\drivers\pdlncbas.sys [2005-9-6 6784]
R3 pdlncfwk;PDLC Connection Manager;c:\windows\system32\drivers\pdlncfwk.sys [2005-9-6 160288]
R3 pdlndint;PDLC DLC Classes;c:\windows\system32\drivers\pdlndint.sys [2005-9-6 12800]
R3 pdlndlpb;PDLC LAPB;c:\windows\system32\drivers\pdlndlpb.sys [2005-9-6 70144]
R3 pdlndoem;PDLC OEM Interface;c:\windows\system32\drivers\pdlndoem.sys [2005-9-6 18944]
R3 pdlndqll;PDLC QLLC;c:\windows\system32\drivers\pdlndqll.sys [2005-9-6 53248]
R3 pdlndsdl;PDLC SDLC;c:\windows\system32\drivers\pdlndsdl.sys [2005-9-6 67072]
R3 pdlndtdl;Twinax DLC;c:\windows\system32\drivers\pdlndtdl.sys [2005-9-6 51712]
R3 pdlnebas;PDLC Environment;c:\windows\system32\drivers\pdlnebas.sys [2005-9-6 8608]
R3 pdlnecfg;PDLC Configuration;c:\windows\system32\drivers\pdlnecfg.sys [2005-9-6 50336]
R3 pdlnemap;PDLC Mapper;c:\windows\system32\drivers\pdlnemap.sys [2005-9-6 67184]
R3 pdlnemsg;PDLC Message Driver;c:\windows\system32\drivers\pdlnemsg.sys [2005-9-6 12768]
R3 pdlnepkt;PDLC Buffer Manager;c:\windows\system32\drivers\pdlnepkt.sys [2005-9-6 19984]
R3 pdlnshay;PDLC Hayes At signalling;c:\windows\system32\drivers\pdlnshay.sys [2005-9-6 59504]
R3 pdlnslea;PDLC SDLC Leased;c:\windows\system32\drivers\pdlnslea.sys [2005-9-6 22384]
R3 pdlnsv25;PDLC V25bis signalling;c:\windows\system32\drivers\pdlnsv25.sys [2005-9-6 54416]
R3 pdlnsx25;PDLC X.25;c:\windows\system32\drivers\pdlnsx25.sys [2005-9-6 58432]
R3 WSIMD;wsimd Service;c:\windows\system32\drivers\wsimd.sys [2008-10-7 57216]
S3 ABVPN2K;Net Firewall Miniport Interface;c:\windows\system32\drivers\abvpn2k.sys [2006-12-12 164224]
S4 agnwifi;AT&T Wi-Fi Support Driver;c:\windows\system32\drivers\agnwifi.sys [2004-4-29 19328]

=============== Created Last 30 ================

2009-09-18 15:15 291,714 a------- c:\windows\system32\WBDCC34I.DLL
2009-09-18 13:37 288,768 a------- c:\temp\lete5ywf.exe
2009-09-18 08:48 <DIR> --d----- c:\docume~1\admini~1\applic~1\smkits
2009-09-18 08:46 440 a------- c:\windows\system32\drivers\kgpcpy.cfg
2009-09-17 22:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SITEguard
2009-09-17 22:51 <DIR> --d----- c:\program files\STOPzilla!
2009-09-17 22:51 <DIR> --d----- c:\program files\common files\iS3
2009-09-17 22:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\STOPzilla!
2009-09-17 11:21 <DIR> --d----- c:\documents and settings\administrator\Bluetooth Software
2009-09-17 08:19 <DIR> --d----- c:\windows\pss
2009-09-17 00:06 552 a------- c:\windows\system32\d3d8caps.dat
2009-09-16 22:36 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-09-16 22:35 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-16 22:35 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-16 22:35 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-12 09:14 <DIR> --dsh--- C:\found.001
2009-09-11 17:20 <DIR> --d----- c:\windows\ServicePackFiles
2009-08-21 10:10 110,592 a------- c:\windows\system32\tsccvid.dll

==================== Find3M ====================

2009-08-12 11:22 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-08-09 17:38 1,148 a------- C:\t.bat
2009-08-05 04:11 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-04 17:49 364 a------- C:\drmHeader.bin
2009-07-23 15:47 64,752 a------- c:\windows\isamunin.exe
2009-07-20 14:57 17,408 a----r-- c:\windows\system32\SZIO5.dll
2009-07-20 14:56 311,296 a----r-- c:\windows\system32\SZBase5.dll
2009-07-20 14:56 540,672 a----r-- c:\windows\system32\SZComp5.dll
2009-07-17 13:55 58,880 a------- c:\windows\system32\atl.dll
2009-07-09 15:52 126,976 a----r-- c:\windows\system32\IS3HTUI5.dll
2009-07-09 15:52 393,216 a----r-- c:\windows\system32\IS3DBA5.dll
2009-07-09 15:51 385,024 a----r-- c:\windows\system32\IS3UI5.dll
2009-07-09 15:51 61,440 a----r-- c:\windows\system32\IS3Hks5.dll
2009-07-09 15:51 23,040 a----r-- c:\windows\system32\IS3XDat5.dll
2009-07-09 15:50 225,280 a----r-- c:\windows\system32\IS3Win325.dll
2009-07-09 15:50 94,208 a----r-- c:\windows\system32\IS3Inet5.dll
2009-07-09 15:50 90,112 a----r-- c:\windows\system32\IS3Svc5.dll
2009-07-09 15:47 724,992 a----r-- c:\windows\system32\IS3Base5.dll
2009-06-26 11:18 659,456 a------- c:\windows\system32\wininet.dll
2009-06-26 11:18 81,920 a------- c:\windows\system32\ieencode.dll
2009-03-05 11:55 57,392 a------- c:\docume~1\admini~1\applic~1\GDIPFONTCACHEV1.DAT
2007-06-05 13:19 389,120 a------- c:\documents and settings\administrator\stas75_20060810.0001.dll

============= FINISH: 16:12:42.15 ===============


Eric


#2 random/random

  • Malware Response Team
  • 2,704 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:32 AM

Posted 24 September 2009 - 07:14 PM

This is a very new infection, and so far, we've been unable to determine exactly how it loads or works. You should understand that any cures we try are likely to be experimental, and may well cause problems that would require a reformat of your system. As such, you should backup any important data before we begin. Also, it might be that a complete reformat of your system is the only viable way to get rid of this infection.
  • Download IceSword from here
  • Extract/unzip it to a folder on your desktop
  • In that folder, double-click on IceSword.exe to start IceSword
  • Click on Registry in the bottom left hand corner
  • Locate this registry key
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
  • Left click on it to select it
  • In the right hand pane, look for the value with name appinit_dlls
  • Post the data for this value
  • Download GMER by GMER from here
  • Unzip it to a folder on your desktop
  • Double click on gmer.exe to launch GMER
  • If asked, allow the gmer.sys driver load
  • If it warns you about rootkit activity and asks if you want to run scan, click OK
  • If you don't get a warning then
    • Click the rootkit tab
    • Click Scan
  • Once the scan has finished, click copy
  • Paste the log into notepad using Ctrl+V
  • Save it to your desktop as gmerrk.txt
  • Click on the >>> tab
  • This will open up the rest of the tabs for you
  • Click on the Autostart tab
  • Click on Scan
  • Once the scan has finished, click copy
  • Paste the log into notepad using Ctrl+V
  • Save it to your desktop as gmerautos.txt
  • Copy and paste the contents of gmerautos.txt and gmerrk.txt as a reply to this topic
  • Download Autoruns from here
  • Unzip/extract it to a folder on your desktop
  • Double click on autoruns.exe to start Autoruns
  • Wait for it to finish scanning
  • Under Options make sure the following options are selected
    • Verify Code Signatures
    • Hide Signed Microsoft Entries
  • Click File > Refresh
  • Click File > Save As
  • Save it to the desktop as autoruns.txt
  • Post the contents of autoruns.txt as a reply to this topic


#3 es99cobra
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  • Local time:10:32 PM

Posted 24 September 2009 - 10:36 PM

Thanks for trying!!!

This is the second time I've tried to post this. In the first attempt, the IE window locked up posting the autoruns file. It had a ton of strange characters, so I ran it again and this time it's readable. Strange! Anyway, here goes.

1. The appinit_dlls key did not exist in the registry entry for Windows

2. The first run of GMER ended in a bluescreen. Second was successful. Here is the log:

GMER 1.0.15.15087 - http://www.gmer.net
Rootkit scan 2009-09-24 22:14:16
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\awkoypod.sys


---- System - GMER 1.0.15 ----

SSDT 85489838 ZwConnectPort
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xAACDC350]
SSDT 862B92D8 ZwQueryValueKey
SSDT 858B3420 ZwResumeThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xAACDC580]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xAA9240B0]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2912] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 013F55C0 C:\Program Files\Common Files\iS3\Anti-Spyware\SGPRXY.DLL (STOPzilla Support Library/iS3, Inc.)
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2912] WS2_32.dll!gethostbyname 71AB4FD4 5 Bytes JMP 013F52D0 C:\Program Files\Common Files\iS3\Anti-Spyware\SGPRXY.DLL (STOPzilla Support Library/iS3, Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 mouclass.sys (Mouse Class Driver/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\Ide\iaStor0\fnmdibit\fnmdibit\tdlwsp.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [812] 0x10000000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 29: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 30: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 31: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 32: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 33: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 34: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 35: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 36: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 37: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 38: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 39: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 40: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 41: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 42: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 43: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 44: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 45: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 46: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 47: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 48: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 49: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 50: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 51: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 52: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 53: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 54: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 55: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 56: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 57: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 58: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 59: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 60: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 61: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;

---- EOF - GMER 1.0.15 ----


3. Here is the gmerautos log:

GMER 1.0.15.15087 - http://www.gmer.net
Autostart scan 2009-09-24 22:15:45
Windows 5.1.2600 Service Pack 2


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
!SASWinLogon@DLLName = C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
ACNotify@DLLName = ACNotify.dll
atmgrtok@DLLName = atmgrtok.dll
igfxcui@DLLName = igfxdev.dll
NavLogon@DLLName = C:\WINDOWS\system32\NavLogon.dll
pcsinst@DLLName = pcsinst.dll
tpfnf2@DLLName = C:\Program Files\Lenovo\HOTKEY\notifyf2.dll
tphotkey@DLLName = C:\Program Files\Lenovo\HOTKEY\tphklock.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
AcPrfMgrSvc@ = C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
acs@ = C:\WINDOWS\system32\acs.exe
AcSvc@ = C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
btwdins@ = C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
ccEvtMgr@ = "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
ccProxy@ = "C:\Program Files\Common Files\Symantec Shared\ccProxy.exe"
ccSetMgr@ = "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
DB2JDS@ = "C:\Program Files\IBM\SQLLIB\BIN\db2jds.exe"
DB2NTSECSERVER@ = "C:\Program Files\IBM\SQLLIB\BIN\db2sec.exe"
DCDClient-ISSI@ = C:\Program Files\IBM\tivoli\dcd\client\ISSI\cds\CDSWinSrv.exe
DefWatch@ = "C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe"
IBMPMSVC@ = %SystemRoot%\system32\ibmpmsvc.exe
ISAMSvc@ = "C:\Program Files\C4ebreg\c4ebreg.exe"
ISSIMon@ = "c:\sdwork\issimsvc.exe"
ISSVC@ = "C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe"
ldlcserv@ = C:\WINDOWS\system32\Drivers\ldlcserv.exe
NetCfgSvr@ = C:\Program Files\AT&T Network Client\NetCfgSv.EXE
PGPserv@ = C:\WINDOWS\system32\PGPserv.exe
SavRoam@ = "c:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe"
SNDSrvc@ = "C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe"
SPBBCSvc@ = "C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe"
Symantec AntiVirus@ = "C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe"
SymSecurePort@ = "C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe"
szserver@ = "C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe"
TPHDEXLGSVC@ = System32\TPHDEXLG.EXE
TpKmpSVC@ = C:\WINDOWS\system32\TpKmpSVC.exe
TrcBoot@ = C:\WINDOWS\system32\Drivers\trcboot.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@MSConfigC:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto = C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
@C4EBReg"C:\Program Files\C4ebreg\c4ebreg.exe" /q = "C:\Program Files\C4ebreg\c4ebreg.exe" /q
@Isamtray"C:\Program Files\C4ebreg\isamtray.exe" = "C:\Program Files\C4ebreg\isamtray.exe"
@ISSI Service"c:\sdwork\issimsvc.exe" = "c:\sdwork\issimsvc.exe"
@WST TrayIcon ToolC:\Downloads\WST TrayIcon Tool /*file not found*/ = C:\Downloads\WST TrayIcon Tool /*file not found*/
@vptrayC:\PROGRA~1\SYMANT~2\SYMANT~2\\vptray.exe = C:\PROGRA~1\SYMANT~2\SYMANT~2\\vptray.exe
@TpShocksTpShocks.exe = TpShocks.exe
@TPKMAPHELPERC:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper /*file not found*/ = C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper /*file not found*/
@TPHOTKEYC:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe = C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
@Tpam.exe"C:\Program Files\IBM\Personal Communications\tpam.exe" = "C:\Program Files\IBM\Personal Communications\tpam.exe"
@TP4EXtp4ex.exe = tp4ex.exe
@stgcleanc:\sdwork\w32maing.exe /cleanup = c:\sdwork\w32maing.exe /cleanup
@PWRMGRTRrundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor = rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
@pmonmhC:\Program Files\IBM\My Help\plugins\\com.ibm.myhelp.common_1.4.19/pmonmh.exe = C:\Program Files\IBM\My Help\plugins\\com.ibm.myhelp.common_1.4.19/pmonmh.exe
@Malwarebytes Anti-Malware (reboot)"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript = "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
@ccApp"C:\Program Files\Common Files\Symantec Shared\ccApp.exe" = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
@BLOGrundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog = rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
@ACWLIconC:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe = C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
@ACTrayC:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe = C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@SUPERAntiSpywareC:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe = C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
@NetSP - restore settings on power failure"C:\Program Files\AT&T Network Client\NetSP.exe" -show = "C:\Program Files\AT&T Network Client\NetSP.exe" -show

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks@{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} = C:\Program Files\SUPERAntiSpyware\SASSEH.DLL

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Display Panning CPL Extension*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) =
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/%SystemRoot%\system32\extmgr.dll = %SystemRoot%\system32\extmgr.dll
@{e82a2d71-5b2f-43a0-97b8-81be15854de8} /*ShellLink for Application References*/C:\WINDOWS\system32\dfshim.dll = C:\WINDOWS\system32\dfshim.dll
@{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} /*Shell Icon Handler for Application References*/C:\WINDOWS\system32\dfshim.dll = C:\WINDOWS\system32\dfshim.dll
@(null) =
@{6af09ec9-b429-11d4-a1fb-0090960218cb} /*My Bluetooth Places*/C:\WINDOWS\system32\btneighborhood.dll = C:\WINDOWS\system32\btneighborhood.dll
@{DEE12703-6333-4D4E-8F34-738C4DCC2E04} /*RecordNow! SendToExt*/C:\Program Files\IBM RecordNow!\shlext.dll = C:\Program Files\IBM RecordNow!\shlext.dll
@{5CA3D70E-1895-11CF-8E15-001234567890} /*DriveLetterAccess*/C:\WINDOWS\system32\dla\tfswshx.dll = C:\WINDOWS\system32\dla\tfswshx.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Web Folders*/C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/c:\Program Files\Microsoft Office\Office10\msohev.dll = c:\Program Files\Microsoft Office\Office10\msohev.dll
@{5E2121EE-0300-11D4-8D3B-444553540000} /*LazaShlExt extension*/C:\Program Files\Laza\lazaext.dll = C:\Program Files\Laza\lazaext.dll
@{6E2121EE-0300-11D4-8D3B-444553540001} /*LazaFldrShlExt extension*/(null) =
@{0140D981-D707-11D2-9D18-00104B952FEE} /*Domino.Doc Neighborhood*/c:\notes\DDocNmsp.dll = c:\notes\DDocNmsp.dll
@{BDA77241-42F6-11d0-85E2-00AA001FE28C} /*LDVP Shell Extensions*/C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
@{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} /*Microsoft Office Metadata Handler*/C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll = C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll
@{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97} /*Microsoft Office Thumbnail Handler*/C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll = C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll
@{8BE13461-936F-11D1-A87D-444553540000} /*Eraser Shell Extension*/C:\WINDOWS\system32\erasext.dll = C:\WINDOWS\system32\erasext.dll
@{EBD410E6-AC4A-4162-ABFA-33A6D37EC0DF} /*My CopyHookHandler*/C:\WINDOWS\system32\PGPfsshl.dll = C:\WINDOWS\system32\PGPfsshl.dll
@{969223c0-26aa-11d0-90ee-444553540000} /*PGP Shell Extension*/PGPmn.dll = PGPmn.dll
@{72923739-5A47-40A3-9895-25AF0DFBB9E4} /*Glary Utilities Context Menu Shell Extension*/(null) =
@{45AC2688-0253-4ED8-97DE-B5370FA7D48A} /*Shell Extension for Malware scanning*/(null) =

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
Erasext@{8BE13461-936F-11D1-A87D-444553540000} = C:\WINDOWS\system32\erasext.dll
LazaShlExt@{5E2121EE-0300-11D4-8D3B-444553540000} = C:\Program Files\Laza\lazaext.dll
LDVPMenu@{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers >>>
@{969223c0-26aa-11d0-90ee-444553540000}PGPmn.dll = PGPmn.dll
@{CA8ACAFA-5FBB-467B-B348-90DD488DE003}C:\Program Files\SUPERAntiSpyware\SASCTXMN.DLL = C:\Program Files\SUPERAntiSpyware\SASCTXMN.DLL

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers@{CA8ACAFA-5FBB-467B-B348-90DD488DE003} = C:\Program Files\SUPERAntiSpyware\SASCTXMN.DLL

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
Erasext@{8BE13461-936F-11D1-A87D-444553540000} = C:\WINDOWS\system32\erasext.dll
FoundInFolder@{6E2121EE-0300-11D4-8D3B-444553540000} = C:\Program Files\Laza\lazafldrext.dll
LDVPMenu@{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
MBAMShlExt@{57CE581A-0CB6-4266-9CA0-19364C90A0B3} = C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers@{969223c0-26aa-11d0-90ee-444553540000} = PGPmn.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll = C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
@{1827766B-9F49-4854-8034-F6EE26FCB1EC}C:\Program Files\STOPzilla!\SZSG.dll = C:\Program Files\STOPzilla!\SZSG.dll
@{5CA3D70E-1895-11CF-8E15-001234567890}C:\WINDOWS\system32\dla\tfswshx.dll = C:\WINDOWS\system32\dla\tfswshx.dll
@{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}C:\Program Files\IBM\Java60\jre\bin\ssv.dll = C:\Program Files\IBM\Java60\jre\bin\ssv.dll
@{E3215F20-3212-11D6-9F8B-00D0B743919D}C:\Program Files\STOPzilla!\SZIEBHO.dll = C:\Program Files\STOPzilla!\SZIEBHO.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft.com/fwlink/?LinkId=69157
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://w3.ibm.com/w3odw/spg/index_default.html = http://w3.ibm.com/w3odw/spg/index_default.html
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
cdo@CLSID = C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\system32\itss.dll
mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\system32\itss.dll
mso-offdap@CLSID = C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
wia@CLSID = C:\WINDOWS\system32\wiascr.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\ >>>
000000000001@PackedCatalogItem = C:\Program Files\Common Files\iS3\Anti-Spyware\iS3lsp.dll
000000000002@PackedCatalogItem = C:\Program Files\Common Files\iS3\Anti-Spyware\iS3lsp.dll
000000000003@PackedCatalogItem = C:\Program Files\Common Files\iS3\Anti-Spyware\iS3lsp.dll
000000000004@PackedCatalogItem = C:\Program Files\Common Files\iS3\Anti-Spyware\iS3lsp.dll
000000000005@PackedCatalogItem = C:\Program Files\Common Files\iS3\Anti-Spyware\iS3lsp.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000022@PackedCatalogItem = C:\Program Files\Common Files\iS3\Anti-Spyware\iS3lsp.dll

C:\Documents and Settings\All Users\Start Menu\Programs\Startup >>>
AutorunsDisabled = AutorunsDisabled
Lotus QuickStart.lnk = Lotus QuickStart.lnk

---- EOF - GMER 1.0.15 ----


4. Here is the Autoruns log:

"HKLM\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\StartupPrograms" "" "" ""
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup" "" "" ""
"HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup" "" "" ""
"HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logon" "" "" ""
"HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Logon" "" "" ""
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit" "" "" ""
"HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Shutdown" "" "" ""
"HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logoff" "" "" ""
"HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Logoff" "" "" ""
"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell" "" "" ""
"HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell" "" "" ""
"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell" "" "" ""
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell" "" "" ""
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman" "" "" ""
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce" "" "" ""
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx" "" "" ""
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run" "" "" ""
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" "" "" ""
+ "ACTray" "Access Connections Tray Application" "(Not verified) Lenovo " "c:\program files\thinkpad\connectutilities\actray.exe"
+ "ACWLIcon" "Access Connections Tray Status Application" "(Not verified) Lenovo " "c:\program files\thinkpad\connectutilities\acwlicon.exe"
+ "C4EBReg" "IBM Standard Asset Manager Service" "(Not verified) IBM Corp." "c:\program files\c4ebreg\c4ebreg.exe"
+ "ccApp" "Symantec User Session" "(Verified) Symantec Corporation" "c:\program files\common files\symantec shared\ccapp.exe"
+ "Isamtray" "IBM Standard Asset Manager GUI" "(Not verified) IBM Corp." "c:\program files\c4ebreg\isamtray.exe"
+ "ISSI Service" "ISSI Service" "(Not verified) IBM Corp." "c:\sdwork\issimsvc.exe"
+ "Malwarebytes Anti-Malware (reboot)" "Malwarebytes' Anti-Malware" "(Verified) Malwarebytes Corporation" "c:\program files\malwarebytes' anti-malware\mbam.exe"
+ "pmonmh" "" "" "c:\program files\ibm\my help\plugins\com.ibm.myhelp.common_1.4.19\pmonmh.exe"
+ "stgclean" "OSP Windows 32-bit ESD API" "(Not verified) IBM Global Services" "c:\sdwork\w32maing.exe"
+ "TP4EX" "TrackPoint Accessibility Features" "(Not verified) Lenovo Group Limited" "c:\windows\system32\tp4ex.exe"
+ "Tpam.exe" "" "" "c:\program files\ibm\personal communications\tpam.exe"
+ "TPHOTKEY" "On screen display message generator for ThinkPad" "(Verified) Lenovo(Japan)Ltd." "c:\program files\lenovo\hotkey\tposdsvc.exe"
+ "TPKMAPHELPER" "Keyboard Customizer" "(Not verified) Lenovo" "c:\program files\thinkpad\utilities\tpkmapap.exe"
+ "TpShocks" "ThinkVantage Active Protection System" "(Not verified) Lenovo, Ltd. and IBM Corporation." "c:\windows\system32\tpshocks.exe"
+ "vptray" "Symantec AntiVirus" "(Verified) Symantec Corporation" "c:\program files\symantec client security\symantec antivirus\vptray.exe"
+ "WST TrayIcon Tool" "WST Tray Icon Tool (Non .NET Version)" "(Not verified) IBM" "c:\downloads\wst trayicon tool.exe"
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx" "" "" ""
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" "" "" ""
"C:\Documents and Settings\All Users\Start Menu\Programs\Startup" "" "" ""
+ "Lotus QuickStart.lnk" "Lotus QuickStart Executable" "(Not verified) Lotus Development Corporation" "c:\lotus\wordpro\ltsstart.exe"
X "PGPtray.exe.lnk" "" "" "c:\windows\installer\{01d0b438-ce21-4fad-8845-a0f00db65f4f}\icon6560581611.exe"
"C:\Documents and Settings\Administrator\Start Menu\Programs\Startup" "" "" ""
"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load" "" "" ""
"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run" "" "" ""
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" "" "" ""
"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" "" "" ""
"HKCU\Software\Microsoft\Windows\CurrentVersion\Run" "" "" ""
+ "NetSP - restore settings on power failure" "Network access setup program" "(Not verified) AT&T" "c:\program files\at&t network client\netsp.exe"
+ "SUPERAntiSpyware" "SUPERAntiSpyware Application" "(Verified) SuperAdBlocker.com" "c:\program files\superantispyware\superantispyware.exe"
"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" "" "" ""
"HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce" "" "" ""
"HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx" "" "" ""
"HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run" "" "" ""
"HKCU\SOFTWARE\Classes\Protocols\Filter" "" "" ""
"HKLM\SOFTWARE\Classes\Protocols\Filter" "" "" ""
+ "application/octet-stream" "Microsoft .NET Runtime Execution Engine" "(Not verified) Microsoft Corporation" "c:\windows\system32\mscoree.dll"
+ "application/x-complus" "Microsoft .NET Runtime Execution Engine" "(Not verified) Microsoft Corporation" "c:\windows\system32\mscoree.dll"
+ "application/x-msdownload" "Microsoft .NET Runtime Execution Engine" "(Not verified) Microsoft Corporation" "c:\windows\system32\mscoree.dll"
"HKCU\SOFTWARE\Classes\Protocols\Handler" "" "" ""
"HKLM\SOFTWARE\Classes\Protocols\Handler" "" "" ""
+ "cdo" "Microsoft SharePoint Portal Server Object Model" "(Not verified) Microsoft Corporation" "c:\program files\common files\microsoft shared\web folders\pkmcdo.dll"
"HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components" "" "" ""
+ "0" "" "" "File not found: About:Home"
"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" "" "" ""
"HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components" "" "" ""
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler" "" "" ""
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad" "" "" ""
"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad" "" "" ""
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks" "" "" ""
+ "SABShellExecuteHook Class" "ShellExecuteHook" "(Not verified) SuperAdBlocker.com" "c:\program files\superantispyware\sasseh.dll"
"HKCU\Software\Classes\*\ShellEx\ContextMenuHandlers" "" "" ""
"HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers" "" "" ""
+ "Erasext" "Eraser Shell Extension." "(Verified) Heidi Computers Ltd" "c:\windows\system32\erasext.dll"
+ "LazaShlExt" "Laza Shell extension Module" "(Not verified) IBM" "c:\program files\laza\lazaext.dll"
+ "LDVPMenu" "Symantec AntiVirus" "(Verified) Symantec Corporation" "c:\program files\common files\symantec shared\ssc\vpshell2.dll"
+ "PGP Shell Extension" "PGP Shell Menu Extensions" "(Verified) PGP Corporation" "c:\windows\system32\pgpmn.dll"
+ "SASContextMenu Class" "SUPERAntiSpyware Context Menu Extension" "(Not verified) SUPERAntiSpyware.com" "c:\program files\superantispyware\sasctxmn.dll"
"HKCU\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers" "" "" ""
"HKLM\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers" "" "" ""
+ "MBAMShlExt" "Malwarebytes' Anti-Malware" "(Verified) Malwarebytes Corporation" "c:\program files\malwarebytes' anti-malware\mbamext.dll"
"HKCU\Software\Classes\Directory\ShellEx\ContextMenuHandlers" "" "" ""
"HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers" "" "" ""
+ "SASContextMenu Class" "SUPERAntiSpyware Context Menu Extension" "(Not verified) SUPERAntiSpyware.com" "c:\program files\superantispyware\sasctxmn.dll"
"HKCU\Software\Classes\Directory\Shellex\DragDropHandlers" "" "" ""
"HKLM\Software\Classes\Directory\Shellex\DragDropHandlers" "" "" ""
"HKCU\Software\Classes\Directory\Shellex\PropertySheetHandlers" "" "" ""
"HKLM\Software\Classes\Directory\Shellex\PropertySheetHandlers" "" "" ""
"HKCU\Software\Classes\Directory\Shellex\CopyHookHandlers" "" "" ""
"HKLM\Software\Classes\Directory\Shellex\CopyHookHandlers" "" "" ""
+ "Monitor" "BTNCopy Module" "(Not verified) Broadcom Corporation." "c:\windows\system32\btncopy.dll"
+ "MyCopyHookHandler" "PGP Filesharing Shell Extension" "(Verified) PGP Corporation" "c:\windows\system32\pgpfsshl.dll"
"HKCU\Software\Classes\Folder\Shellex\ColumnHandlers" "" "" ""
"HKLM\Software\Classes\Folder\Shellex\ColumnHandlers" "" "" ""
+ "PDF Shell Extension" "PDF Shell Extension" "(Not verified) Adobe Systems, Inc." "c:\program files\common files\adobe\acrobat\activex\pdfshell.dll"
"HKCU\Software\Classes\Folder\ShellEx\ContextMenuHandlers" "" "" ""
"HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers" "" "" ""
+ "Erasext" "Eraser Shell Extension." "(Verified) Heidi Computers Ltd" "c:\windows\system32\erasext.dll"
+ "FoundInFolder" "Laza Folder Shell extension Module" "(Not verified) IBM" "c:\program files\laza\lazafldrext.dll"
+ "LDVPMenu" "Symantec AntiVirus" "(Verified) Symantec Corporation" "c:\program files\common files\symantec shared\ssc\vpshell2.dll"
+ "MBAMShlExt" "Malwarebytes' Anti-Malware" "(Verified) Malwarebytes Corporation" "c:\program files\malwarebytes' anti-malware\mbamext.dll"
+ "PGP Shell Extension" "PGP Shell Menu Extensions" "(Verified) PGP Corporation" "c:\windows\system32\pgpmn.dll"
"HKCU\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers" "" "" ""
"HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers" "" "" ""
+ "igfxcui" "igfxpph Module" "(Not verified) Intel Corporation" "c:\windows\system32\igfxpph.dll"
"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers" "" "" ""
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers" "" "" ""
+ "IconOverlayHandlerAccessible" "PGP Filesharing Shell Extension" "(Verified) PGP Corporation" "c:\windows\system32\pgpfsshl.dll"
"HKCU\Software\Microsoft\Ctf\LangBarAddin" "" "" ""
"HKLM\Software\Microsoft\Ctf\LangBarAddin" "" "" ""
"HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved" "" "" ""
"HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved" "" "" ""
+ "Display Panning CPL Extension" "" "" "File not found: deskpan.dll"
+ "Domino.Doc Neighborhood" "Doc Manager Windows namespace extension" "(Not verified) IBM Corporation" "c:\notes\ddocnmsp.dll"
+ "DriveLetterAccess" "Drive Letter Access Component" "(Not verified) Sonic Solutions" "c:\windows\system32\dla\tfswshx.dll"
+ "Eraser Shell Extension" "Eraser Shell Extension." "(Verified) Heidi Computers Ltd" "c:\windows\system32\erasext.dll"
+ "Fusion Cache" "Microsoft .NET Runtime Execution Engine" "(Not verified) Microsoft Corporation" "c:\windows\system32\mscoree.dll"
+ "LazaShlExt extension" "Laza Shell extension Module" "(Not verified) IBM" "c:\program files\laza\lazaext.dll"
+ "LDVP Shell Extensions" "Symantec AntiVirus" "(Verified) Symantec Corporation" "c:\program files\common files\symantec shared\ssc\vpshell2.dll"
+ "My Bluetooth Places" "BTNeighborhood DLL" "(Not verified) Broadcom Corporation." "c:\windows\system32\btneighborhood.dll"
+ "My CopyHookHandler" "PGP Filesharing Shell Extension" "(Verified) PGP Corporation" "c:\windows\system32\pgpfsshl.dll"
+ "PGP Shell Extension" "PGP Shell Menu Extensions" "(Verified) PGP Corporation" "c:\windows\system32\pgpmn.dll"
+ "RecordNow! SendToExt" "Shell Extensions" "" "c:\program files\ibm recordnow!\shlext.dll"
+ "Shell Icon Handler for Application References" "Application Deployment Support Library" "(Not verified) Microsoft Corporation" "c:\windows\system32\dfshim.dll"
+ "ShellLink for Application References" "Application Deployment Support Library" "(Not verified) Microsoft Corporation" "c:\windows\system32\dfshim.dll"
+ "Web Folders" "Microsoft Web Folders" "(Not verified) Microsoft Corporation" "c:\program files\common files\microsoft shared\web folders\msonsext.dll"
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" "" "" ""
+ "Adobe PDF Reader Link Helper" "Adobe PDF Helper for Internet Explorer" "(Verified) Adobe Systems, Incorporated" "c:\program files\common files\adobe\acrobat\activex\acroiehelper.dll"
+ "DriveLetterAccess" "Drive Letter Access Component" "(Not verified) Sonic Solutions" "c:\windows\system32\dla\tfswshx.dll"
+ "SSVHelper Class" "Java™ Platform SE binary" "(Not verified) IBM" "c:\program files\ibm\java60\jre\bin\ssv.dll"
+ "STOPzilla Browser Helper Object" "STOPzilla Support Library" "(Verified) STOPzilla" "c:\program files\stopzilla!\sziebho.dll"
+ "ZILLAbar Browser Helper Object" "ZILLAbar Module" "(Verified) STOPzilla" "c:\program files\stopzilla!\szsg.dll"
"HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks" "" "" ""
"HKLM\Software\Microsoft\Internet Explorer\Toolbar" "" "" ""
+ "STOPzilla" "ZILLAbar Module" "(Verified) STOPzilla" "c:\program files\stopzilla!\szsg.dll"
"HKCU\Software\Microsoft\Internet Explorer\Explorer Bars" "" "" ""
"HKLM\Software\Microsoft\Internet Explorer\Explorer Bars" "" "" ""
"HKCU\Software\Microsoft\Internet Explorer\Extensions" "" "" ""
"HKLM\Software\Microsoft\Internet Explorer\Extensions" "" "" ""
+ "Send to &Bluetooth Device..." "" "" "c:\program files\thinkpad\bluetooth software\btsendto_ie.htm"
"Task Scheduler" "" "" ""
+ "PMTask.job" "" "" "c:\program files\thinkpad\utilities\pwmidtsk.exe"
"HKLM\System\CurrentControlSet\Services" "" "" ""
+ "AcPrfMgrSvc" "Access Connections Profile Manager Service" "(Not verified) Lenovo " "c:\program files\thinkpad\connectutilities\acprfmgrsvc.exe"
+ "acs" "Gives access to single sign on and a mechanism to communicate with the supplicant for security negotiation." "(Not verified) Atheros" "c:\windows\system32\acs.exe"
+ "AcSvc" "Access Connections Main Service" "(Not verified) Lenovo " "c:\program files\thinkpad\connectutilities\acsvc.exe"
+ "AppnNode" "Manages SNA Transaction Programs for IBM Personal Communications" "(Not verified) IBM Corporation" "c:\windows\system32\drivers\appnnode.exe"
+ "btwdins" "Handles installation and removal of Bluetooth devices." "(Not verified) Broadcom Corporation." "c:\program files\thinkpad\bluetooth software\bin\btwdins.exe"
+ "ccEvtMgr" "Event propagation and logging service" "(Verified) Symantec Corporation" "c:\program files\common files\symantec shared\ccevtmgr.exe"
+ "ccProxy" "Symantec Proxy Service" "(Verified) Symantec Corporation" "c:\program files\common files\symantec shared\ccproxy.exe"
+ "ccSetMgr" "Settings storage and management service" "(Verified) Symantec Corporation" "c:\program files\common files\symantec shared\ccsetmgr.exe"
+ "DB2JDS" "Provides JDBC server support for DB2 applications." "(Verified) IBM Canada Limited" "c:\program files\ibm\sqllib\bin\db2jds.exe"
+ "DB2NTSECSERVER" "Authenticates DB2 database users when the authentication is performed at the client computer." "(Verified) IBM Canada Limited" "c:\program files\ibm\sqllib\bin\db2sec.exe"
+ "DCDClient-ISSI" "Enables windows service for IBM Tivoli Provisioning Manager for Dynamic Content Delivery Standard Client" "" "c:\program files\ibm\tivoli\dcd\client\issi\cds\cdswinsrv.exe"
+ "DefWatch" "Monitors and maintains virus definitions." "(Verified) Symantec Corporation" "c:\program files\symantec client security\symantec antivirus\defwatch.exe"
+ "IDriverT" "Provides support for the Running Object Table for InstallShield Drivers" "(Not verified) Macrovision Corporation" "c:\program files\common files\installshield\driver\1150\intel 32\idrivert.exe"
+ "ISAMSvc" "IBM Standard Asset Manager Service" "(Not verified) IBM Corp." "c:\program files\c4ebreg\c4ebreg.exe"
+ "ISSIMon" "ISSI Service" "(Not verified) IBM Corp." "c:\sdwork\issimsvc.exe"
+ "ISSVC" "Internet Security Service" "(Verified) Symantec Corporation" "c:\program files\symantec client security\symantec client firewall\issvc.exe"
+ "ldlcserv" "Enables SNA connectivity over a TCP/IP network for IBM Personal Communications" "(Not verified) IBM Corporation" "c:\windows\system32\drivers\ldlcserv.exe"
+ "LiveUpdate" "LiveUpdate Core Engine" "(Verified) Symantec Corporation" "c:\program files\symantec\liveupdate\lucomserver_3_0.exe"
+ "NetCfgSvr" "Network configuration service" "(Not verified) AT&T" "c:\program files\at&t network client\netcfgsv.exe"
+ "PGPserv" "PGP SDK Service" "(Verified) PGP Corporation" "c:\windows\system32\pgpserv.exe"
+ "SavRoam" "Symantec AntiVirus Roaming Service" "(Verified) Symantec Corporation" "c:\program files\symantec client security\symantec antivirus\savroam.exe"
+ "SNDSrvc" "Symantec Network Drivers Service" "(Verified) Symantec Corporation" "c:\program files\common files\symantec shared\sndsrvc.exe"
+ "SPBBCSvc" "Symantec SPBBC" "(Verified) Symantec Corporation" "c:\program files\common files\symantec shared\spbbc\spbbcsvc.exe"
+ "Symantec AntiVirus" "Provides real-time virus scanning, reporting, and management functionality for Symantec AntiVirus." "(Verified) Symantec Corporation" "c:\program files\symantec client security\symantec antivirus\rtvscan.exe"
+ "SymSecurePort" "Symantec SecurePort Service" "(Verified) Symantec Corporation" "c:\program files\symantec client security\symantec client firewall\symsport.exe"
+ "szserver" "STOPzilla Service" "(Not verified) iS3, Inc." "c:\program files\common files\is3\anti-spyware\szserver.exe"
+ "TPHDEXLGSVC" "ThinkVantage Active Protection System - HDD Logger Module" "(Not verified) Lenovo." "c:\windows\system32\tphdexlg.exe"
+ "TpKmpSVC" "" "" "c:\windows\system32\tpkmpsvc.exe"
+ "TrcBoot" "Enables tracing for IBM Personal Communications" "(Not verified) IBM Corporation" "c:\windows\system32\drivers\trcboot.exe"
"HKLM\System\CurrentControlSet\Services" "" "" ""
+ "ABVPN2K" "Net Firewall" "(Not verified) AT&T" "c:\windows\system32\drivers\abvpn2k.sys"
+ "ADIHdAudAddService" "High Definition Audio Function Driver(Release Candidate 1)" "(Not verified) Analog Devices, Inc." "c:\windows\system32\drivers\adihdaud.sys"
+ "AEAudioService" "Audio Noise Filtering Driver" "(Not verified) Andrea Electronics Corporation" "c:\windows\system32\drivers\aeaudio.sys"
+ "ANC" "IBM Access Connections - ANC" "(Not verified) IBM Corp." "c:\windows\system32\drivers\anc.sys"
+ "Anydlc" "ANYDLC.DLL(9X)/ANYDLC.SYS(NT)" "(Not verified) IBM Corporation" "c:\windows\system32\drivers\anydlc.sys"
+ "Appn" "APPN library" "(Not verified) IBM Corporation" "c:\windows\system32\drivers\appn.sys"
+ "AppnApi" "APPNAPI library" "(Not verified) IBM Corporation" "c:\windows\system32\drivers\appnapi.sys"
+ "AppnBase" "APPNBASE library" "(Not verified) IBM Corporation" "c:\windows\system32\drivers\appnbase.sys"
+ "atmeltpm" "Atmel TPM Driver" "(Not verified) Atmel, Inc." "c:\windows\system32\drivers\atmeltpm.sys"
+ "awkoypod" "" "" "File not found: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\awkoypod.sys"
+ "BTKRNL" "Bluetooth Bus Enumerator" "(Not verified) Broadcom Corporation." "c:\windows\system32\drivers\btkrnl.sys"
+ "BTWUSB" "Driver for Bluetooth USB Devices" "(Not verified) Broadcom Corporation." "c:\windows\system32\drivers\btwusb.sys"
+ "Changer" "" "" "File not found: C:\WINDOWS\System32\Drivers\Changer.sys"
+ "drvmcdb" "Device Driver" "(Not verified) Sonic Solutions" "c:\windows\system32\drivers\drvmcdb.sys"
+ "drvnddm" "Device Driver Manager" "(Not verified) Sonic Solutions" "c:\windows\system32\drivers\drvnddm.sys"
+ "eeCtrl" "Symantec Eraser Control Driver" "(Verified) Symantec Corporation" "c:\program files\common files\symantec shared\eengine\eectrl.sys"
+ "EGATHDRV" "IBM eGatherer Kernel Module" "(Not verified) IBM Corporation" "c:\windows\system32\egathdrv.sys"
+ "EraserUtilRebootDrv" "Symantec Eraser Utility Driver" "(Verified) Symantec Corporation" "c:\program files\common files\symantec shared\eengine\eraserutilrebootdrv.sys"
+ "HSF_DPV" "HSF_DP driver" "(Not verified) Conexant Systems, Inc." "c:\windows\system32\drivers\hsx_dpv.sys"
+ "HSXHWAZL" "HSF_HWAZL WDM driver" "(Not verified) Conexant Systems, Inc." "c:\windows\system32\drivers\hsxhwazl.sys"
+ "ialm" "Intel Graphics Miniport Driver" "(Not verified) Intel Corporation" "c:\windows\system32\drivers\ialmnt5.sys"
+ "iastor" "" "" "c:\windows\system32\drivers\iastor.sys"
+ "IBM_LLC2" "LLC2 library" "(Not verified) IBM Corporation" "c:\windows\system32\drivers\llc2.sys"
+ "IBMTPCHK" "" "" "c:\windows\system32\drivers\ibmbldid.sys"
+ "KLOGNT" "KLOGNT DLL" "(Not verified) IBM Corporation" "c:\windows\system32\drivers\klognt.sys"
+ "lbrtfdc" "" "" "File not found: C:\WINDOWS\System32\Drivers\lbrtfdc.sys"
+ "mdmxsdk" "Diagnostic Interface DRIVER" "(Not verified) Conexant" "c:\windows\system32\drivers\mdmxsdk.sys"
+ "NAVENG" "AV Engine" "(Verified) Symantec Corporation" "c:\program files\common files\symantec shared\virusdefs\20090924.002\naveng.sys"
+ "NAVEX15" "AV Engine" "(Verified) Symantec Corporation" "c:\program files\common files\symantec shared\virusdefs\20090924.002\navex15.sys"
+ "NsTrcNT" "NSTRCNT.SYS" "(Not verified) IBM Corporation" "c:\windows\system32\drivers\nstrcnt.sys"
+ "PCIDump" "" "" "File not found: C:\WINDOWS\System32\Drivers\PCIDump.sys"
+ "PDCOMP" "" "" "File not found: C:\WINDOWS\System32\Drivers\PDCOMP.sys"
+ "PDFRAME" "" "" "File not found: C:\WINDOWS\System32\Drivers\PDFRAME.sys"
+ "pdlnacom" "PDLNACOM.SYS" "(Not verified) IBM Corporation" "c:\windows\system32\drivers\pdlnacom.sys"
+ "pdlnafac" "PDLNAFAC.SYS" "(Not verified) IBM Corporation" "c:\windows\system32\drivers\pdlnafac.sys"
+ "pdlnatcm" "PDLNATCM.SYS" "(Not verified) IBM Corporation" "c:\windows\system32\drivers\pdlnatcm.sys"
+ "pdlnatdl" "PDLNATDL.SYS" "(Not verified) IBM Corporation" "c:\windows\system32\drivers\pdlnatdl.sys"
+ "pdlncbas" "PDLNCBAS.SYS" "(Not verified) IBM Corporation" "c:\windows\system32\drivers\pdlncbas.sys"
+ "pdlncfwk" "PDLNCFWK.SYS" "(Not verified) IBM Corporation" "c:\windows\system32\drivers\pdlncfwk.sys"
+ "pdlnctdl" "PDLNCTDL.SYS" "(Not verified) IBM Corporation" "c:\windows\system32\drivers\pdlnctdl.sys"
+ "pdlndint" "PDLNDINT.SYS" "(Not verified) IBM Corporation" "c:\windows\system32\drivers\pdlndint.sys"
+ "pdlndldl" "PDLNDLDL.SYS" "(Not verified) IBM Corporation" "c:\windows\system32\drivers\pdlndldl.sys"
+ "pdlndlpb" "PDLNDLPB.SYS" "(Not verified) IBM Corporation" "c:\windows\system32\drivers\pdlndlpb.sys"
+ "pdlndoem" "PDLNDOEM.SYS" "(Not verified) IBM Corporation" "c:\windows\system32\drivers\pdlndoem.sys"
+ "pdlndqll" "PDLNDQLL.SYS" "(Not verified) IBM Corporation" "c:\windows\system32\drivers\pdlndqll.sys"
+ "pdlndsdl" "PDLNDSDL.SYS" "(Not verified) IBM Corporation" "c:\windows\system32\drivers\pdlndsdl.sys"
+ "pdlndtdl" "PDLNDTDL.SYS" "(Not verified) IBM Corporation" "c:\windows\system32\drivers\pdlndtdl.sys"
+ "pdlnebas" "PDLNEBAS.SYS" "(Not verified) IBM Corporation" "c:\windows\system32\drivers\pdlnebas.sys"
+ "pdlnecfg" "PDLNECFG.SYS" "(Not verified) IBM Corporation" "c:\windows\system32\drivers\pdlnecfg.sys"
+ "pdlnemap" "PDLNEMAP.SYS" "(Not verified) IBM Corporation" "c:\windows\system32\drivers\pdlnemap.sys"
+ "pdlnemsg" "PDLNEMSG.SYS" "(Not verified) IBM Corporation" "c:\windows\system32\drivers\pdlnemsg.sys"
+ "pdlnepkt" "PDLNEPKT.SYS" "(Not verified) IBM Corporation" "c:\windows\system32\drivers\pdlnepkt.sys"
+ "pdlnshay" "PDLNSHAY.SYS" "(Not verified) IBM Corporation" "c:\windows\system32\drivers\pdlnshay.sys"
+ "pdlnslea" "PDLNSLEA.SYS" "(Not verified) IBM Corporation" "c:\windows\system32\drivers\pdlnslea.sys"
+ "pdlnsv25" "PDLNSV25.SYS" "(Not verified) IBM Corporation" "c:\windows\system32\drivers\pdlnsv25.sys"
+ "pdlnsx25" "PDLNSX25.SYS" "(Not verified) IBM Corporation" "c:\windows\system32\drivers\pdlnsx25.sys"
+ "PDRELI" "" "" "File not found: C:\WINDOWS\System32\Drivers\PDRELI.sys"
+ "PDRFRAME" "" "" "File not found: C:\WINDOWS\System32\Drivers\PDRFRAME.sys"
+ "PGPdisk" "PGPdisk NT/Win2k driver" "(Verified) PGP Corporation" "c:\windows\system32\drivers\pgpdisk.sys"
+ "PGPsdkDriver" "PGP Software Development Kit NT Driver" "(Verified) PGP Corporation" "c:\windows\system32\drivers\pgpsdk.sys"
+ "PGPwded" "PGPwde NT/Win2k driver" "(Verified) PGP Corporation" "c:\windows\system32\drivers\pgpwded.sys"
+ "PMEM" "Physical Memory Driver" "(Not verified) Microsoft Corporation" "c:\windows\system32\drivers\pmemnt.sys"
+ "PxHelp20" "Px Engine Device Driver for Windows 2000/XP" "(Not verified) Sonic Solutions" "c:\windows\system32\drivers\pxhelp20.sys"
+ "SASDIFSV" "SASDIFSV.SYS" "(Verified) SuperAdBlocker.com" "c:\program files\superantispyware\sasdifsv.sys"
+ "SASENUM" "SASENUM.SYS" "(Verified) SuperAdBlocker.com" "c:\program files\superantispyware\sasenum.sys"
+ "SASKUTIL" "SASKUTIL.SYS" "(Verified) SuperAdBlocker.com" "c:\program files\superantispyware\saskutil.sys"
+ "SAVRT" "AutoProtect" "(Verified) Symantec Corporation" "c:\program files\symantec client security\symantec antivirus\savrt.sys"
+ "SAVRTPEL" "SAVRTPEL" "(Verified) Symantec Corporation" "c:\program files\symantec client security\symantec antivirus\savrtpel.sys"
+ "ShockMgr" "ShockMgr Device Driver" "(Not verified) Lenovo." "c:\windows\system32\drivers\shockmgr.sys"
+ "Shockprf" "Shockproof Disk Driver" "(Not verified) Lenovo" "c:\windows\system32\drivers\shockprf.sys"
+ "Smapint" "SMAPI I/O" "(Not verified) Microsoft Corporation" "c:\windows\system32\drivers\smapint.sys"
+ "SPBBCDrv" "SPBBC Driver" "(Verified) Symantec Corporation" "c:\program files\common files\symantec shared\spbbc\spbbcdrv.sys"
+ "sscdbhk5" "Shared Driver Component" "(Not verified) Sonic Solutions" "c:\windows\system32\drivers\sscdbhk5.sys"
+ "ssrtln" "Shared Driver Component" "(Not verified) Sonic Solutions" "c:\windows\system32\drivers\ssrtln.sys"
+ "SYMDNS" "DNS Filter Driver" "(Verified) Symantec Corporation" "c:\windows\system32\drivers\symdns.sys"
+ "SymEvent" "Symantec Event Library" "(Verified) Symantec Corporation" "c:\program files\symantec\symevent.sys"
+ "SYMFW" "Firewall Filter Driver" "(Verified) Symantec Corporation" "c:\windows\system32\drivers\symfw.sys"
+ "SYMIDS" "IDS Filter Driver" "(Verified) Symantec Corporation" "c:\windows\system32\drivers\symids.sys"
+ "SYMIDSCO" "IDS Core Driver" "(Verified) Symantec Corporation" "c:\program files\common files\symantec shared\symcdata\scfidsdefs\20090914.001\symidsco.sys"
+ "SYMNDIS" "NDIS Filter Driver" "(Verified) Symantec Corporation" "c:\windows\system32\drivers\symndis.sys"
+ "SYMREDRV" "Redirector Filter Driver" "(Verified) Symantec Corporation" "c:\windows\system32\drivers\symredrv.sys"
+ "SYMTDI" "Network Dispatch Driver" "(Verified) Symantec Corporation" "c:\windows\system32\drivers\symtdi.sys"
+ "SynTP" "Synaptics Touchpad Driver" "(Not verified) Synaptics, Inc." "c:\windows\system32\drivers\syntp.sys"
+ "szkg5" "szkg Device Driver" "(Verified) iS3, Inc." "c:\windows\system32\drivers\szkg.sys"
+ "TDSMAPI" "" "" "c:\windows\system32\drivers\tdsmapi.sys"
+ "tfsnboio" "Drive Letter Access Component" "(Not verified) Sonic Solutions" "c:\windows\system32\dla\tfsnboio.sys"
+ "tfsncofs" "Drive Letter Access Component" "(Not verified) Sonic Solutions" "c:\windows\system32\dla\tfsncofs.sys"
+ "tfsndrct" "Drive Letter Access Component" "(Not verified) Sonic Solutions" "c:\windows\system32\dla\tfsndrct.sys"
+ "tfsndres" "Drive Letter Access Component" "(Not verified) Sonic Solutions" "c:\windows\system32\dla\tfsndres.sys"
+ "tfsnifs" "Drive Letter Access Component" "(Not verified) Sonic Solutions" "c:\windows\system32\dla\tfsnifs.sys"
+ "tfsnopio" "Drive Letter Access Component" "(Not verified) Sonic Solutions" "c:\windows\system32\dla\tfsnopio.sys"
+ "tfsnpool" "Drive Letter Access Component" "(Not verified) Sonic Solutions" "c:\windows\system32\dla\tfsnpool.sys"
+ "tfsnudf" "Drive Letter Access Component" "(Not verified) Sonic Solutions" "c:\windows\system32\dla\tfsnudf.sys"
+ "tfsnudfa" "Drive Letter Access Component" "(Not verified) Sonic Solutions" "c:\windows\system32\dla\tfsnudfa.sys"
+ "TPPWRIF" "" "" "c:\windows\system32\drivers\tppwrif.sys"
+ "TSMAPIP" "" "" "c:\windows\system32\drivers\tsmapip.sys"
+ "WDICA" "" "" "File not found: C:\WINDOWS\System32\Drivers\WDICA.sys"
+ "winachsf" "HSF_CNXT driver" "(Not verified) Conexant Systems, Inc." "c:\windows\system32\drivers\hsx_cnxt.sys"
"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Drivers32" "" "" ""
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32" "" "" ""
+ "msacm.ac3filter" "" "" "c:\windows\system32\ac3filter.acm"
+ "MSACM.CTRXAUD" "" "" "File not found: ctrxaud.acm"
+ "VIDC.CTRX" "" "" "File not found: ctrxvid.drv"
+ "vidc.tscc" "TechSmith Screen Capture Codec" "(Not verified) TechSmith Corporation" "c:\windows\system32\tsccvid.dll"
"HKCU\Software\Classes\Filter" "" "" ""
"HKLM\Software\Classes\Filter" "" "" ""
+ "VFrame Movie" "VFrame Source Filter" "(Not verified) Citrix Systems Inc." "c:\program files\citrix\ica client\vfmamx.ax"
"HKLM\Software\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance" "" "" ""
+ "InterVideo Audio Decoder" "IVIAUDIO" "(Not verified) InterVideo Inc." "c:\program files\intervideo\common\bin\iviaudio.ax"
+ "InterVideo Audio Processor" "" "" "c:\program files\intervideo\common\bin\iviaudioprocess.ax"
+ "InterVideo Navigator" "IVINAV LOGID.35321" "(Not verified) InterVideo Inc." "c:\windows\system32\ivinav.ax"
+ "InterVideo Video Decoder" "IVIVIDEO LOGID.36709" "(Not verified) InterVideo Inc." "c:\windows\system32\ivivideo.ax"
+ "VFrame Movie" "VFrame Source Filter" "(Not verified) Citrix Systems Inc." "c:\program files\citrix\ica client\vfmamx.ax"
"HKLM\Software\Classes\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance" "" "" ""
"HKLM\Software\Classes\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance" "" "" ""
"HKLM\Software\Classes\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance" "" "" ""
"HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute" "" "" ""
"HKLM\System\CurrentControlSet\Control\Session Manager\SetupExecute" "" "" ""
"HKLM\System\CurrentControlSet\Control\Session Manager\Execute" "" "" ""
"HKLM\System\CurrentControlSet\Control\Session Manager\S0InitialCommand" "" "" ""
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" "" "" ""
"HKLM\Software\Microsoft\Command Processor\Autorun" "" "" ""
"HKCU\Software\Microsoft\Command Processor\Autorun" "" "" ""
"HKCU\SOFTWARE\Classes\Exefile\Shell\Open\Command\(Default)" "" "" ""
"HKLM\SOFTWARE\Classes\Exefile\Shell\Open\Command\(Default)" "" "" ""
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls" "" "" ""
"HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls" "" "" ""
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ServiceControllerStart" "" "" ""
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LsaStart" "" "" ""
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System" "" "" ""
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost" "" "" ""
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" "" "" ""
+ "!SASWinLogon" "SUPERAntiSpyware WinLogon Processor" "(Not verified) SUPERAntiSpyware.com" "c:\program files\superantispyware\saswinlo.dll"
+ "ACNotify" "Access Connections Notify Support Module" "(Not verified) Lenovo " "c:\program files\thinkpad\connectutilities\acnotify.dll"
+ "atmgrtok" "Personal Communications Attach Manager User Token Library" "(Not verified) IBM Corporation" "c:\program files\ibm\personal communications\atmgrtok.dll"
+ "igfxcui" "igfxdev Module" "(Not verified) Intel Corporation" "c:\windows\system32\igfxdev.dll"
+ "NavLogon" "Symantec AntiVirus Logon Notification" "(Verified) Symantec Corporation" "c:\windows\system32\navlogon.dll"
+ "pcsinst" "PCSINST.DLL" "(Not verified) IBM Corporation" "c:\windows\system32\pcsinst.dll"
+ "tpfnf2" "" "(Verified) Lenovo (Japan) Ltd" "c:\program files\lenovo\hotkey\notifyf2.dll"
+ "tphotkey" "On screen display winlogon client" "(Verified) Lenovo(Japan)Ltd." "c:\program files\lenovo\hotkey\tphklock.dll"
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL" "" "" ""
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman" "" "" ""
"HKCU\SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop\Scrnsave.exe" "" "" ""
"HKCU\Control Panel\Desktop\Scrnsave.exe" "" "" ""
"HKLM\System\CurrentControlSet\Control\BootVerificationProgram\ImagePath" "" "" ""
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SaveDumpStart" "" "" ""
"HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries" "" "" ""
+ "000000000001" "OEM iS3 LSP" "(Verified) AVG Exploit Prevention Labs, Inc." "c:\program files\common files\is3\anti-spyware\is3lsp.dll"
+ "000000000002" "OEM iS3 LSP" "(Verified) AVG Exploit Prevention Labs, Inc." "c:\program files\common files\is3\anti-spyware\is3lsp.dll"
+ "000000000003" "OEM iS3 LSP" "(Verified) AVG Exploit Prevention Labs, Inc." "c:\program files\common files\is3\anti-spyware\is3lsp.dll"
+ "000000000004" "OEM iS3 LSP" "(Verified) AVG Exploit Prevention Labs, Inc." "c:\program files\common files\is3\anti-spyware\is3lsp.dll"
+ "000000000005" "OEM iS3 LSP" "(Verified) AVG Exploit Prevention Labs, Inc." "c:\program files\common files\is3\anti-spyware\is3lsp.dll"
+ "000000000022" "OEM iS3 LSP" "(Verified) AVG Exploit Prevention Labs, Inc." "c:\program files\common files\is3\anti-spyware\is3lsp.dll"
"HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries" "" "" ""
"HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors" "" "" ""
+ "Bluetooth Printer Port" "bthcrp DLL" "(Not verified) Broadcom Corporation." "c:\windows\system32\bthcrp.dll"
+ "Infoprint Select" "" "" "c:\windows\system32\selnt.dll"
"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders" "" "" ""
"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages" "" "" ""
"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages" "" "" ""
"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages" "" "" ""
"HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order" "" "" ""
+ "PGPpwflt" "PGPpwflt" "(Verified) PGP Corporation" "c:\windows\system32\pgppwflt.dll"


Thanks for looking into this. Good luck! I have a vested interest. Hahaha

Eric
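The four-column listing above (entry name, description, publisher with its signature-verification state, image path) is what a malware responder reads by hand, looking for the same few things every time: images with no description and no publisher, unverified signatures at load points that run as SYSTEM or in the kernel, and entries whose file is gone. The script below is an added example, not part of this thread and not one of the tools the helpers use; it parses that quoted format and ranks entries for a second look. SAMPLE_LOG is a constructed excerpt of a few lines copied from the listing, with one section header kept (the Services header itself is not shown above and is assumed). The ranking rules are triage heuristics, not a verdict on any entry: on XP a great many legitimate OEM drivers are unsigned, so expect noise and confirm each hit by hash or vendor lookup.

```python
import re

# Constructed excerpt in the same four-column quoted format as the log above:
# a bare quoted line is a location (registry key) header, a "+ " line is one
# entry under it. The Services header line is assumed, not copied.
SAMPLE_LOG = r'''
"HKLM\System\CurrentControlSet\Services" "" "" ""
+ "PGPdisk" "PGPdisk NT/Win2k driver" "(Verified) PGP Corporation" "c:\windows\system32\drivers\pgpdisk.sys"
+ "PDRELI" "" "" "File not found: C:\WINDOWS\System32\Drivers\PDRELI.sys"
+ "PMEM" "Physical Memory Driver" "(Not verified) Microsoft Corporation" "c:\windows\system32\drivers\pmemnt.sys"
+ "TDSMAPI" "" "" "c:\windows\system32\drivers\tdsmapi.sys"
+ "SynTP" "Synaptics Touchpad Driver" "(Not verified) Synaptics, Inc." "c:\windows\system32\drivers\syntp.sys"
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" "" "" ""
+ "NavLogon" "Symantec AntiVirus Logon Notification" "(Verified) Symantec Corporation" "c:\windows\system32\navlogon.dll"
+ "pcsinst" "PCSINST.DLL" "(Not verified) IBM Corporation" "c:\windows\system32\pcsinst.dll"
'''

FIELD_RE = re.compile(r'"([^"]*)"')
MISSING = "File not found:"


def parse_entries(text):
    """Yield one dict per '+' entry, tagged with the header it sits under."""
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        fields = FIELD_RE.findall(line)
        if len(fields) != 4:          # blank line or something not in the format
            continue
        name, desc, publisher, path = fields
        if not line.startswith("+"):  # header line: remember the location key
            section = name
            continue
        yield {"section": section, "name": name, "desc": desc,
               "publisher": publisher, "path": path}


def classify(entry):
    """Return (priority, reason) for entries worth a second look, else None.

    Priority 1 is looked at first. These are triage heuristics of the example,
    not signatures: a hit means 'verify this', never 'this is malicious'.
    """
    path, pub, desc = entry["path"], entry["publisher"], entry["desc"]
    section = entry["section"].lower()
    if path.startswith(MISSING):
        # The load point survives but the image is gone: leftover of an uninstall,
        # or of a loader that has already been removed. Low priority, but record it.
        return (3, "image file missing (dangling load point)")
    if not desc and not pub:
        # A file that loads with no version resource and no signer is unusual
        # for commercial software; check its hash before anything else.
        return (1, "no description and no publisher on a loaded image")
    # Kernel drivers and Winlogon notification DLLs run as SYSTEM; an unverified
    # signature there matters more than an unsigned codec or shell extension.
    privileged = path.lower().endswith(".sys") or r"winlogon\notify" in section
    if pub.startswith("(Not verified)") and privileged:
        return (2, "unverified signature at a privileged load point")
    return None


def triage(text):
    """Rank the entries of an Autoruns-style text dump: [(priority, name, reason, path)]."""
    findings = []
    for entry in parse_entries(text):
        verdict = classify(entry)
        if verdict:
            prio, reason = verdict
            findings.append((prio, entry["name"], reason, entry["path"]))
    findings.sort()
    return findings


if __name__ == "__main__":
    import sys
    # Pass a saved Autoruns text export to triage it; without an argument the
    # constructed excerpt is used.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for prio, name, reason, path in triage(text):
        print(f"P{prio}  {name:<12} {reason:<55} {path}")
```

Against the excerpt the ranking puts TDSMAPI first (loaded image, no identity), then the unverified kernel drivers and the unverified Winlogon notify DLL, and the dangling PDRELI entry last; the verified PGP and Symantec entries are not listed. The same rules applied to the full listing above would surface TSMAPIP and TPPWRIF for the same reason as TDSMAPI, which on a ThinkPad is a reason to check the vendor, not a finding by itself.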

#4 random/random

  • Malware Response Team
  • 2,704 posts
  • Gender:Male

Posted 25 September 2009 - 12:00 PM

We'll begin with ComboFix. Please visit this webpage for download links and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the combofix log and a new HijackThis log as a reply to this topic.

Please download MBR.EXE by GMER. Save the file in your Root directory, C:\, then bring your computer to a Command prompt.

Go to Start -> Run, type CMD and click OK. At the prompt type the following and press Enter after each command:

cd C:\
MBR.EXE -t


The program will check the Master Boot Record and will produce a report. Post the contents of that report in your next reply.

Type Exit at the Command prompt and press Enter to return to Windows.

Edited by random/random, 25 September 2009 - 12:00 PM.
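Checking the Master Boot Record, as random/random asks for above, means reading sector 0 of the disk and looking at three things: the 0x55AA trailer, the four 16-byte partition-table entries at offset 446, and whether the 440 bytes of boot code still match a known-good copy. The Python below is an added example, not part of this thread and not GMER's MBR.EXE; it builds a constructed 512-byte sample (the disk signature, the partition geometry and the patched bytes in TAMPERED are made up), parses it with the standard MBR layout, and compares the boot-code hash against a recorded baseline. One caveat a responder should keep in mind: a kernel-mode rootkit that filters disk reads can hand a user-mode reader a clean-looking sector, so on a live suspect machine a check like this is only as trustworthy as the read path. Use it on an image taken offline, or to record a baseline from a clean install that a later offline read can be compared with.

```python
import hashlib
import struct

SECTOR = 512
BOOTCODE_LEN = 440      # boot code; bytes 440-443 are the disk signature, 444-445 reserved
PT_OFFSET = 446         # four 16-byte partition entries
SIG_OFFSET = 510        # 0x55 0xAA trailer


def parse_mbr(sector: bytes) -> dict:
    """Decode a 512-byte sector 0 into signature state, disk signature, boot-code hash and partitions."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4, LE) sector count(4, LE)
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, PT_OFFSET + 16 * i)
        if ptype == 0:          # empty slot
            continue
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {
        "valid_signature": sector[SIG_OFFSET:] == b"\x55\xaa",
        "disk_signature": struct.unpack_from("<I", sector, BOOTCODE_LEN)[0],
        "bootcode_sha256": hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(sector: bytes, baseline_bootcode_sha256=None):
    """Return (parsed info, list of issues). An empty issue list is 'nothing found', not 'clean'."""
    info = parse_mbr(sector)
    issues = []
    if not info["valid_signature"]:
        issues.append("missing 0x55AA boot signature")
    active = [p for p in info["partitions"] if p["bootable"]]
    if len(active) != 1:
        issues.append(f"{len(active)} active partitions (expected 1)")
    if baseline_bootcode_sha256 and info["bootcode_sha256"] != baseline_bootcode_sha256:
        issues.append("boot code differs from recorded baseline")
    return info, issues


def build_sample_mbr(bootcode: bytes) -> bytes:
    """Constructed sector, not a real disk: boot code padded to 440 bytes, a made-up disk
    signature, one active NTFS (0x07) partition starting at LBA 63, three empty slots, trailer."""
    body = bootcode.ljust(BOOTCODE_LEN, b"\x00")
    disk_sig = struct.pack("<I", 0xDEADBEEF)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 20_000_000)
    table = entry + b"\x00" * 48
    return body + disk_sig + b"\x00\x00" + table + b"\x55\xaa"


# The usual first instructions of an x86 MBR: xor ax,ax / mov ss,ax / mov sp,7C00h.
CLEAN = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")
BASELINE = hashlib.sha256(CLEAN[:BOOTCODE_LEN]).hexdigest()   # what a clean install would have recorded

# Hypothetical tampering: overwrite the prologue with a short jump (eb 10) into other code.
_t = bytearray(CLEAN)
_t[0:3] = b"\xeb\x10\x90"
TAMPERED = bytes(_t)


if __name__ == "__main__":
    import sys
    # Pass a path to a raw sector-0 dump or disk image (or, as Administrator on Windows,
    # r"\\.\PhysicalDrive0"); without an argument the constructed TAMPERED sample is checked
    # against BASELINE. A real disk has no baseline here, so only the structural checks run.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            sector, baseline = f.read(SECTOR), None
    else:
        sector, baseline = TAMPERED, BASELINE
    info, issues = check_mbr(sector, baseline)
    print(f"disk signature 0x{info['disk_signature']:08x}  boot code sha256 {info['bootcode_sha256']}")
    for p in info["partitions"]:
        print(f"  entry {p['index']}: type 0x{p['type']:02x} bootable={p['bootable']} "
              f"lba={p['lba_start']} sectors={p['sectors']}")
    print("issues:", issues or "none")
```

The partition table is worth printing even when the hash matches: the sectors between the MBR and the first partition (LBA 1 to 62 in this sample) are unallocated and are a common place to park code that the boot sector jumps to, so an unexplained change in where the first partition starts, or an active flag on the wrong entry, deserves the same attention as a boot-code mismatch.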


#5 es99cobra

  • Topic Starter
  • Members
  • 50 posts

Posted 25 September 2009 - 11:36 PM

OK, here are the latest logs....

BTW, I have been running these reports while in Selective Startup mode. I have several of my Startup files disabled due to the unbearable boot-up and general usage time. Let me know if I need to re-enable them at any point. I just don't want to do so until I have to. Thanks!!


Combofix Log:

ComboFix 09-09-25.01 - eliotte 09/25/2009 22:45.4.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.463 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Client Firewall *disabled* {5CB76A43-5FAD-476B-B9FF-26FA61F13187}
.

((((((((((((((((((((((((( Files Created from 2009-08-26 to 2009-09-26 )))))))))))))))))))))))))))))))
.

2009-09-25 07:13 . 2009-09-25 17:28 -------- d-----w- c:\windows\system32\C2MP
2009-09-24 00:15 . 2009-09-24 00:15 358780 ----a-w- c:\windows\system32\launchmyhelp.exe
2009-09-22 00:09 . 2009-07-28 21:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-09-20 03:33 . 2009-09-20 03:33 -------- d-----w- C:\Autoruns
2009-09-19 04:11 . 2009-09-19 04:11 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-09-19 04:11 . 2009-09-19 04:11 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-09-19 04:11 . 2009-09-19 04:11 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-09-19 04:11 . 2009-09-19 04:11 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-18 20:15 . 2001-04-02 19:11 291714 ----a-w- c:\windows\system32\WBDCC34I.DLL
2009-09-18 18:37 . 2009-09-18 18:37 288768 ----a-w- c:\temp\lete5ywf.exe
2009-09-18 03:53 . 2009-09-18 15:35 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-09-18 03:51 . 2009-09-18 03:52 -------- d-----w- c:\program files\STOPzilla!
2009-09-18 03:51 . 2009-09-18 03:51 -------- d-----w- c:\program files\Common Files\iS3
2009-09-18 03:51 . 2009-09-25 23:22 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-09-17 16:21 . 2009-09-17 16:21 -------- d-----w- c:\documents and settings\Administrator\Bluetooth Software
2009-09-17 05:06 . 2009-09-17 05:06 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-09-17 03:36 . 2009-09-17 03:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-09-17 03:35 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-17 03:35 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-17 03:35 . 2009-09-17 03:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-17 03:04 . 2009-09-19 17:56 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-12 14:14 . 2009-09-12 14:14 -------- d-----w- C:\found.001
2009-09-11 22:20 . 2009-09-11 22:20 -------- d-----w- c:\windows\ServicePackFiles

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-25 23:26 . 2007-03-31 11:42 40 ----a-w- c:\windows\system32\profile.dat
2009-09-25 19:43 . 2006-01-24 00:45 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-09-25 03:04 . 2009-09-25 03:04 440 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2009-09-25 02:50 . 2005-04-05 17:21 -------- d-----w- c:\program files\C4ebreg
2009-09-24 17:50 . 2006-12-13 01:36 -------- d-----w- c:\program files\AT&T Network Client
2009-09-22 17:44 . 2006-03-27 21:50 -------- d-----w- c:\program files\WST
2009-09-17 16:21 . 2007-03-31 15:07 -------- d-----w- c:\program files\Lavasoft
2009-09-08 13:40 . 2005-04-05 19:45 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-17 18:18 . 2009-08-17 18:18 -------- d-----w- c:\documents and settings\Administrator\Application Data\Voice Suite
2009-08-14 13:39 . 2009-08-14 13:39 -------- d-----w- c:\documents and settings\Administrator\Application Data\ICAClient
2009-08-12 12:49 . 2009-08-12 12:49 134 ----a-w- c:\windows\issiunin.bat
2009-08-12 02:31 . 2009-08-12 02:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-11 01:00 . 2007-03-30 17:43 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-09 22:38 . 2009-07-02 13:55 1148 ----a-w- C:\t.bat
2009-08-07 04:32 . 2009-08-07 04:32 -------- d-----w- c:\documents and settings\Administrator\Application Data\DivX
2009-08-06 15:18 . 2005-04-04 20:08 -------- d-----w- c:\program files\IBM
2009-08-06 15:18 . 2006-07-17 20:56 -------- d-----w- c:\program files\IBM Ayudame
2009-08-05 09:11 . 2004-08-04 05:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 22:49 . 2009-08-04 22:49 364 ----a-w- C:\drmHeader.bin
2009-07-20 19:57 . 2009-07-20 19:57 17408 ----a-r- c:\windows\system32\SZIO5.dll
2009-07-20 19:56 . 2009-07-20 19:56 311296 ----a-r- c:\windows\system32\SZBase5.dll
2009-07-20 19:56 . 2009-07-20 19:56 540672 ----a-r- c:\windows\system32\SZComp5.dll
2009-07-17 18:55 . 2004-08-04 05:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-09 20:52 . 2009-07-09 20:52 126976 ----a-r- c:\windows\system32\IS3HTUI5.dll
2009-07-09 20:52 . 2009-07-09 20:52 393216 ----a-r- c:\windows\system32\IS3DBA5.dll
2009-07-09 20:51 . 2009-07-09 20:51 385024 ----a-r- c:\windows\system32\IS3UI5.dll
2009-07-09 20:51 . 2009-07-09 20:51 61440 ----a-r- c:\windows\system32\IS3Hks5.dll
2009-07-09 20:51 . 2009-07-09 20:51 23040 ----a-r- c:\windows\system32\IS3XDat5.dll
2009-07-09 20:50 . 2009-07-09 20:50 225280 ----a-r- c:\windows\system32\IS3Win325.dll
2009-07-09 20:50 . 2009-07-09 20:50 94208 ----a-r- c:\windows\system32\IS3Inet5.dll
2009-07-09 20:50 . 2009-07-09 20:50 90112 ----a-r- c:\windows\system32\IS3Svc5.dll
2009-07-09 20:47 . 2009-07-09 20:47 724992 ----a-r- c:\windows\system32\IS3Base5.dll
2004-02-04 19:33 . 2009-05-15 14:59 9060352 ----a-w- c:\program files\internet explorer\plugins\axbqs32.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-09-20_13.19.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-07 07:19 . 2007-11-07 07:19 54272 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1\vcomp90.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 62976 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90rus.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 46080 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90kor.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 46592 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90jpn.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 64512 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90ita.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 66048 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90fra.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esp.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esn.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 56832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90enu.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 66560 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90deu.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 39936 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90cht.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 38912 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90chs.dll
+ 2008-07-29 11:07 . 2008-07-29 11:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90u.dll
+ 2008-07-29 11:07 . 2008-07-29 11:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90.dll
+ 2009-09-25 02:51 . 2009-09-25 02:51 16384 c:\windows\temp\Perflib_Perfdata_56c.dat
+ 2007-03-30 15:53 . 2005-12-13 19:50 90112 c:\windows\system32\WindowsAccessBridge.DLL
- 2007-03-30 15:53 . 2005-12-13 18:50 90112 c:\windows\system32\WindowsAccessBridge.DLL
+ 2009-01-10 22:14 . 2009-01-10 22:14 23552 c:\windows\system32\mkunicode.dll
+ 2007-03-30 15:53 . 2005-12-13 19:50 32768 c:\windows\system32\JAWTAccessBridge.DLL
- 2007-03-30 15:53 . 2005-12-13 18:50 32768 c:\windows\system32\JAWTAccessBridge.DLL
- 2005-04-04 17:46 . 2009-09-20 13:17 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2005-04-04 17:46 . 2009-09-25 18:06 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2005-04-04 17:46 . 2009-09-25 18:06 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-04-04 17:46 . 2009-09-20 13:17 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2005-04-04 17:46 . 2009-09-25 18:06 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2005-04-04 17:46 . 2009-09-20 13:17 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2005-07-29 18:05 . 2009-06-11 15:06 64752 c:\windows\isamunin.exe
- 2005-07-29 18:05 . 2009-07-23 20:47 64752 c:\windows\isamunin.exe
+ 2008-07-29 13:05 . 2008-07-29 13:05 655872 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcr90.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 572928 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll
+ 2008-07-29 08:54 . 2008-07-29 08:54 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcm90.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 161784 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2\atl90.dll
+ 2009-01-10 22:15 . 2009-01-10 22:15 159744 c:\windows\system32\mmfinfo.dll
+ 2007-03-30 15:53 . 2005-12-13 19:50 167936 c:\windows\system32\JavaAccessBridge.DLL
- 2007-03-30 15:53 . 2005-12-13 18:50 167936 c:\windows\system32\JavaAccessBridge.DLL
+ 2009-05-01 21:03 . 2009-05-01 21:03 528384 c:\windows\system32\DivXsm.exe
+ 2009-08-30 22:30 . 2009-08-30 22:30 241288 c:\windows\system32\C2MP\Uninst.exe
+ 2009-09-22 00:06 . 2009-09-22 00:06 228352 c:\windows\Installer\50786f3.msi
+ 2008-07-29 13:05 . 2008-07-29 13:05 3783672 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90u.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 3768312 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOverlayHandlerAccessible]
@="{3DBF5F01-3287-46EB-82CF-45AA5C241162}"
[HKEY_CLASSES_ROOT\CLSID\{3DBF5F01-3287-46EB-82CF-45AA5C241162}]
2008-09-18 18:07 310328 ----a-w- c:\windows\system32\PGPfsshl.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-09-15 1998576]
"NetSP - restore settings on power failure"="c:\program files\AT&T Network Client\NetSP.exe" [2007-01-13 24576]
"Eraser"="c:\program files\Eraser\Eraser.exe" [2007-12-22 916240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WST TrayIcon Tool"="c:\downloads\WST TrayIcon Tool" [X]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2004-08-04 158208]
"C4EBReg"="c:\program files\C4ebreg\c4ebreg.exe" [2009-07-23 433392]
"Isamtray"="c:\program files\C4ebreg\isamtray.exe" [2009-06-11 281840]
"ISSI Service"="c:\sdwork\issimsvc.exe" [2009-07-06 242928]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2006-06-02 856064]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2008-03-24 68464]
"Tpam.exe"="c:\program files\IBM\Personal Communications\tpam.exe" [2005-09-06 28672]
"stgclean"="c:\sdwork\w32maing.exe" [2009-08-20 274432]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2006-12-13 151552]
"pmonmh"="c:\program files\IBM\My Help\plugins\\com.ibm.myhelp.common_1.4.19/pmonmh.exe" [2009-03-13 184371]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-20 52896]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2006-12-13 208896]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-07-05 126976]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2007-07-05 413696]
"TpShocks"="TpShocks.exe" - c:\windows\system32\TpShocks.exe [2006-03-15 106496]
"TP4EX"="tp4ex.exe" - c:\windows\system32\TP4EX.exe [2005-10-17 65536]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Lotus QuickStart.lnk - c:\lotus\wordpro\ltsstart.exe [2003-4-7 32768]

c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
PGPtray.exe.lnk - c:\windows\Installer\{01D0B438-CE21-4FAD-8845-A0F00DB65F4F}\Icon6560581611.exe [2009-5-15 55296]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDevMgrUpdate"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 21:37 34344 ----a-w- c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2008-03-17 21:02 34080 ----a-w- c:\program files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2007-07-05 19:52 32768 ----a-w- c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\atmgrtok]
2005-09-06 09:07 53248 ----a-w- c:\program files\IBM\Personal Communications\atmgrtok.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pcsinst]
2005-09-06 18:43 49152 ----a-w- c:\windows\system32\pcsinst.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"IBMconfig"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AT&T Network Client\\NetClient.exe"=
"c:\\notes\\framework\\rcp\\eclipse\\plugins\\com.ibm.rcp.j2se.win32.x86_1.6.0.20090219c-200907141302\\jre\\bin\\notes2w.exe"=
"c:\\sdwork\\w32maing.exe"=
"c:\\Program Files\\IBM\\My Help\\jre\\bin\\myhelpw.exe"=

R0 PGPwded;PGPwded Storage Filter Service;c:\windows\system32\drivers\PGPwded.sys [09/18/2008 1:06 PM 210488]
R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [12/12/2006 8:34 PM 88576]
R0 szkg5;szkg;c:\windows\system32\drivers\SZKG.sys [05/12/2009 2:13 PM 61328]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [09/15/2009 11:42 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [09/15/2009 11:42 AM 74480]
R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [12/12/2006 8:34 PM 4736]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [12/12/2006 8:32 PM 4442]
R2 AppnApi;AppnApi;c:\windows\system32\drivers\appnapi.sys [09/06/2005 4:07 AM 120192]
R2 IBM_LLC2;IBM Personal Communications LLC2 Driver;c:\windows\system32\drivers\llc2.sys [09/06/2005 4:07 AM 101408]
R2 ISAMSvc;IBM Standard Asset Manager Service;c:\program files\C4ebreg\c4ebreg.exe [07/23/2009 3:47 PM 433392]
R2 NsTrcNT;NsTrcNT;c:\windows\system32\drivers\nstrcnt.sys [09/06/2005 4:07 AM 12028]
R2 pdlnctdl;Twinax CUT Adapter;c:\windows\system32\drivers\pdlnctdl.sys [09/06/2005 4:07 AM 12288]
R2 pdlndldl;IBM Enterprise Extender (HPR/IP);c:\windows\system32\drivers\pdlndldl.sys [09/06/2005 4:07 AM 59392]
R2 PGPdisk;PGPdisk;c:\windows\system32\drivers\PGPdisk.sys [09/18/2008 1:07 PM 245816]
R2 PGPsdkDriver;PGPsdkDriver;c:\windows\system32\drivers\PGPsdk.sys [09/18/2008 1:07 PM 40504]
R3 agnfilt;AGN Filter Interface;c:\windows\system32\drivers\agnfilt.sys [05/19/2006 10:46 AM 180864]
R3 Anydlc;Anydlc;c:\windows\system32\drivers\anydlc.sys [09/06/2005 4:07 AM 38236]
R3 Appn;Appn;c:\windows\system32\drivers\appn.sys [09/06/2005 4:07 AM 1286560]
R3 AppnBase;AppnBase;c:\windows\system32\drivers\appnbase.sys [09/06/2005 4:07 AM 195872]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [09/16/2009 9:50 PM 102448]
R3 KLOGNT;KLOGNT;c:\windows\system32\drivers\klognt.sys [09/06/2005 4:07 AM 24588]
R3 pdlnacom;PDLC Adapter -- COM;c:\windows\system32\drivers\pdlnacom.sys [09/06/2005 4:07 AM 75200]
R3 pdlnafac;PDLC Adapter Factory;c:\windows\system32\drivers\pdlnafac.sys [09/06/2005 4:07 AM 36048]
R3 pdlnatcm;Twinax Adapter Common;c:\windows\system32\drivers\pdlnatcm.sys [09/06/2005 4:07 AM 20480]
R3 pdlnatdl;Twinax Adapter;c:\windows\system32\drivers\pdlnatdl.sys [09/06/2005 4:07 AM 18432]
R3 pdlncbas;PDLC CxM Classes;c:\windows\system32\drivers\pdlncbas.sys [09/06/2005 4:07 AM 6784]
R3 pdlncfwk;PDLC Connection Manager;c:\windows\system32\drivers\pdlncfwk.sys [09/06/2005 4:07 AM 160288]
R3 pdlndint;PDLC DLC Classes;c:\windows\system32\drivers\pdlndint.sys [09/06/2005 4:07 AM 12800]
R3 pdlndlpb;PDLC LAPB;c:\windows\system32\drivers\pdlndlpb.sys [09/06/2005 4:07 AM 70144]
R3 pdlndoem;PDLC OEM Interface;c:\windows\system32\drivers\pdlndoem.sys [09/06/2005 4:07 AM 18944]
R3 pdlndqll;PDLC QLLC;c:\windows\system32\drivers\pdlndqll.sys [09/06/2005 4:07 AM 53248]
R3 pdlndsdl;PDLC SDLC;c:\windows\system32\drivers\pdlndsdl.sys [09/06/2005 4:07 AM 67072]
R3 pdlndtdl;Twinax DLC;c:\windows\system32\drivers\pdlndtdl.sys [09/06/2005 4:07 AM 51712]
R3 pdlnebas;PDLC Environment;c:\windows\system32\drivers\pdlnebas.sys [09/06/2005 4:07 AM 8608]
R3 pdlnecfg;PDLC Configuration;c:\windows\system32\drivers\pdlnecfg.sys [09/06/2005 4:07 AM 50336]
R3 pdlnemap;PDLC Mapper;c:\windows\system32\drivers\pdlnemap.sys [09/06/2005 4:07 AM 67184]
R3 pdlnemsg;PDLC Message Driver;c:\windows\system32\drivers\pdlnemsg.sys [09/06/2005 4:07 AM 12768]
R3 pdlnepkt;PDLC Buffer Manager;c:\windows\system32\drivers\pdlnepkt.sys [09/06/2005 4:07 AM 19984]
R3 pdlnshay;PDLC Hayes At signalling;c:\windows\system32\drivers\pdlnshay.sys [09/06/2005 4:07 AM 59504]
R3 pdlnslea;PDLC SDLC Leased;c:\windows\system32\drivers\pdlnslea.sys [09/06/2005 4:07 AM 22384]
R3 pdlnsv25;PDLC V25bis signalling;c:\windows\system32\drivers\pdlnsv25.sys [09/06/2005 4:07 AM 54416]
R3 pdlnsx25;PDLC X.25;c:\windows\system32\drivers\pdlnsx25.sys [09/06/2005 4:07 AM 58432]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [09/15/2009 11:42 AM 7408]
R3 WSIMD;wsimd Service;c:\windows\system32\drivers\wsimd.sys [10/07/2008 2:42 PM 57216]
S2 DCDClient-ISSI;IBM DCD Standard Client (DCDClient-ISSI);c:\program files\IBM\tivoli\dcd\client\ISSI\cds\CDSWinSrv.exe [08/11/2008 10:01 AM 53248]
S3 ABVPN2K;Net Firewall Miniport Interface;c:\windows\system32\drivers\abvpn2k.sys [12/12/2006 8:36 PM 164224]
S3 avpnnic;AGN Virtual Network Adapter;c:\windows\system32\drivers\avpnnic.sys [12/12/2006 8:36 PM 13952]
S4 agnwifi;AT&T Wi-Fi Support Driver;c:\windows\system32\drivers\agnwifi.sys [04/29/2004 6:19 PM 19328]

--- Other Services/Drivers In Memory ---

*Deregistered* - awkoypod
*Deregistered* - IsDrv120
.
Contents of the 'Scheduled Tasks' folder

2009-09-26 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2006-12-13 01:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://w3.ibm.com/w3odw/spg/index_default.html
uInternet Connection Wizard,ShellNext = hxxp://w3.ibm.com/
uInternet Settings,ProxyOverride = <local>;<local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
LSP: c:\program files\Common Files\iS3\Anti-Spyware\iS3lsp.dll
Trusted Zone: ibm.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {1ACECAFE-0016-0000-0000-ABCDEFFEDCBA} - hxxp://
DPF: {8C28EFD7-767B-11D1-844B-0060972DC2AC} - hxxps://w3-03.ibm.com/Hyperion/zeroadmin/component/Brio.Insight.en.cab
DPF: {9519B2A2-6592-4E41-8290-D0298459270C} - hxxp://w3.ibm.com/bluepages/scripts/lnwebassist.cab
.
- - - - ORPHANS REMOVED - - - -

Toolbar-SITEguard - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-25 23:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1100)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\program files\Lenovo\HOTKEY\tphklock.dll
c:\program files\IBM\Personal Communications\atmgrtok.dll
c:\program files\IBM\Personal Communications\MILLUTIL.DLL
c:\windows\system32\pcsinst.dll

- - - - - - - > 'lsass.exe'(1156)
c:\program files\Common Files\iS3\Anti-Spyware\iS3lsp.dll

- - - - - - - > 'explorer.exe'(1068)
tdlwsp.dll 10000000 36864 \\?\globalroot\Device\Ide\iaStor0\fnmdibit\fnmdibit\tdlwsp.dll
c:\windows\system32\PGPfsshl.dll
.
Completion time: 2009-09-26 23:17
ComboFix-quarantined-files.txt 2009-09-26 04:17
ComboFix2.txt 2009-09-20 14:09
ComboFix3.txt 2009-09-20 02:05
ComboFix4.txt 2009-09-19 22:28

Pre-Run: 62,422,573,056 bytes free
Post-Run: 62,387,769,344 bytes free

310

____________________________________________________________________________________________


HiJackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:27:32 PM, on 09/25/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\IBM\Personal Communications\PCS_AGNT.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\IBM\SQLLIB\BIN\db2jds.exe
C:\Program Files\IBM\SQLLIB\BIN\db2sec.exe
C:\Program Files\C4ebreg\c4ebreg.exe
c:\sdwork\issimsvc.exe
C:\Program Files\AT&T Network Client\NetCfgSv.EXE
C:\WINDOWS\system32\PGPserv.exe
C:\Program Files\IBM\tivoli\dcd\client\ISSI\_jvm\jre\bin\java.exe
c:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\Drivers\ldlcserv.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Program Files\C4ebreg\isamtray.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\wst\wsect.exe
C:\Program Files\wst\wsect.exe
C:\Program Files\wst\wsect.exe
C:\Program Files\wst\wsect.exe
C:\Program Files\wst\wsect.exe
C:\Program Files\wst\wsect.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w3.ibm.com/w3odw/spg/index_default.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://w3.ibm.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SITEguard BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\SZSG.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\IBM\Java60\jre\bin\ssv.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKLM\..\Run: [C4EBReg] "C:\Program Files\C4ebreg\c4ebreg.exe" /q
O4 - HKLM\..\Run: [Isamtray] "C:\Program Files\C4ebreg\isamtray.exe"
O4 - HKLM\..\Run: [ISSI Service] "c:\sdwork\issimsvc.exe"
O4 - HKLM\..\Run: [WST TrayIcon Tool] C:\Downloads\WST TrayIcon Tool
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [Tpam.exe] "C:\Program Files\IBM\Personal Communications\tpam.exe"
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [stgclean] c:\sdwork\w32maing.exe /cleanup
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [pmonmh] C:\Program Files\IBM\My Help\plugins\\com.ibm.myhelp.common_1.4.19/pmonmh.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [NetSP - restore settings on power failure] "C:\Program Files\AT&T Network Client\NetSP.exe" -show
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\Eraser.exe -hide
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: Lotus QuickStart.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java60\jre\bin\ssv.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java60\jre\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O11 - Options group: [JAVA_IBM] Java (IBM)
O14 - IERESET.INF: START_PAGE_URL=http://w3.ibm.com
O15 - Trusted Zone: http://*.ibm.com
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (Lotus Quickr Class) - http://quickr13.edc.ibm.com/qp2.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {1ACECAFE-0016-0000-0000-ABCDEFFEDCBA} (Java2 Runtime Environment 1.6.0) - http://
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java2 Runtime Environment 1.6.0) - http://
O16 - DPF: {8C28EFD7-767B-11D1-844B-0060972DC2AC} - https://w3-03.ibm.com/Hyperion/zeroadmin/co....Insight.en.cab
O16 - DPF: {9519B2A2-6592-4E41-8290-D0298459270C} (LNWebAssist Class) - http://w3.ibm.com/bluepages/scripts/lnwebassist.cab
O16 - DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} (Java2 Runtime Environment 1.6.0) - http://
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java2 Runtime Environment 1.6.0) - http://
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{448BBA51-BAD1-4E8C-82E9-90B96C80A5C4}: SearchList = ibm.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ibm.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{448BBA51-BAD1-4E8C-82E9-90B96C80A5C4}: SearchList = ibm.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = ibm.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{448BBA51-BAD1-4E8C-82E9-90B96C80A5C4}: SearchList = ibm.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ibm.com
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Atheros Configuration Service (acs) - Atheros - C:\WINDOWS\system32\acs.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: AppnNode - IBM Corporation - C:\WINDOWS\system32\Drivers\appnnode.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DB2 JDBC Applet Server (DB2JDS) - International Business Machines Corporation - C:\Program Files\IBM\SQLLIB\BIN\db2jds.exe
O23 - Service: DB2 Security Server (DB2NTSECSERVER) - International Business Machines Corporation - C:\Program Files\IBM\SQLLIB\BIN\db2sec.exe
O23 - Service: IBM DCD Standard Client (DCDClient-ISSI) (DCDClient-ISSI) - Unknown owner - C:\Program Files\IBM\tivoli\dcd\client\ISSI\cds\CDSWinSrv.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: IBM Standard Asset Manager Service (ISAMSvc) - IBM Corp. - C:\Program Files\C4ebreg\c4ebreg.exe
O23 - Service: ISSI (ISSIMon) - IBM Corp. - c:\sdwork\issimsvc.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: IBM Enterprise Extender (ldlcserv) - IBM Corporation - C:\WINDOWS\system32\Drivers\ldlcserv.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\Program Files\AT&T Network Client\NetCfgSv.EXE
O23 - Service: PGPserv - PGP Corporation - C:\WINDOWS\system32\PGPserv.exe
O23 - Service: SAVRoam (SavRoam) - symantec - c:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: IBM Trace Facility (TrcBoot) - IBM Corporation - C:\WINDOWS\system32\Drivers\trcboot.exe

--
End of file - 12101 bytes

__________________________________________________________________________________________

MBR contents:

Microsoft Windows XP [Version 5.1.2600]
© Copyright 1985-2001 Microsoft Corp.

C:\>MBR.exe -t
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll
iaStor.sys >>UNKNOWN [0x8596AC2A]<<
kernel: MBR read successfully
user & kernel MBR OK

C:\>
Eric
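Added example, not part of the thread or of any tool quoted in it: a small Python triage helper that parses a ComboFix "DLLs Loaded Under Running Processes" block like the one above and flags modules whose backing path is a raw `\\?\globalroot\Device` path rather than a mounted volume, which is what makes the `tdlwsp.dll` entry under `explorer.exe` stand out. The sample block is constructed from the log excerpt above; the function names are this example's own.

```python
import re
from typing import Dict, List

# Constructed excerpt modelled on the ComboFix section posted above.
# Only the explorer.exe entry carries the raw device path.
SAMPLE_SECTION = r"""
- - - - - - - > 'winlogon.exe'(1100)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\pcsinst.dll

- - - - - - - > 'lsass.exe'(1156)
c:\program files\Common Files\iS3\Anti-Spyware\iS3lsp.dll

- - - - - - - > 'explorer.exe'(1068)
tdlwsp.dll 10000000 36864 \\?\globalroot\Device\Ide\iaStor0\fnmdibit\fnmdibit\tdlwsp.dll
c:\windows\system32\PGPfsshl.dll
"""

# Process header: "- - - - - - - > 'explorer.exe'(1068)"
HEADER_RE = re.compile(r"^(?:- )+> '(?P<proc>[^']+)'\((?P<pid>\d+)\)\s*$")
# Ordinary module line: a drive-letter path such as "c:\windows\system32\foo.dll"
DRIVE_PATH_RE = re.compile(r"^[a-zA-Z]:\\")
# Prefix of a module mapped straight from a device object, bypassing any volume.
GLOBALROOT_PREFIX = "\\\\?\\globalroot\\device\\"


def parse_loaded_modules(section: str) -> List[Dict[str, str]]:
    """Turn the 'DLLs Loaded Under Running Processes' block into one record per module."""
    records: List[Dict[str, str]] = []
    proc = pid = None
    for raw in section.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            proc, pid = m.group("proc"), m.group("pid")
            continue
        if proc is None:
            continue  # text before the first process header
        if DRIVE_PATH_RE.match(line):
            # Plain form: the whole line is the on-disk path.
            path = line
            name = path.rsplit("\\", 1)[-1]
        else:
            # Extended form ComboFix uses for odd modules: "<name> <base> <size> <path>".
            parts = line.split(None, 3)
            if len(parts) != 4:
                continue
            name, path = parts[0], parts[3]
        records.append({"process": proc, "pid": pid, "module": name, "path": path})
    return records


def flag_suspicious(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the records whose backing path does not resolve to a mounted volume."""
    flagged = []
    for rec in records:
        if rec["path"].lower().startswith(GLOBALROOT_PREFIX):
            hit = dict(rec)
            hit["reason"] = "loaded from a raw device path (\\\\?\\globalroot\\Device), not a mounted volume"
            flagged.append(hit)
    return flagged


if __name__ == "__main__":
    for hit in flag_suspicious(parse_loaded_modules(SAMPLE_SECTION)):
        print(f"{hit['process']}({hit['pid']}): {hit['module']} -> {hit['path']}\n  {hit['reason']}")
```

Run against a full ComboFix log, only the text between the "DLLs Loaded Under Running Processes" banner and the next "." separator needs to be passed in.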

#6 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:32 AM

Posted 26 September 2009 - 02:23 PM

There is some risk involved in the following procedure, so please make sure you have all your data backed up before proceeding.

ComboFix has installed the Recovery Console. We're going to use that now.

Restart your machine and when the Boot Menu flashes up - select "Microsoft Windows Recovery Console"
(you need to be very fast with the arrow key as you only have a couple of seconds before it defaults to the windows XP bootup - you may just need to keep tapping the up or down arrow key while your computer boots)

Posted Image

Posted Image

When you get to the above screen, take note of the number that references your operating system.
If it's '1' like the picture above, type 1 and press Enter

Posted Image

Next type FIXMBR

Posted Image

If it asks if you're sure you want to write a new MBR, answer 'Y'

Then type EXIT to reboot the machine.

Once the machine has rebooted, run mbr.exe again and post the log.

#7 es99cobra

es99cobra
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  • Local time:10:32 PM

Posted 26 September 2009 - 07:11 PM

I'm able to select Microsoft Windows Recovery console and it looks like it is working, but then it blue screens with an error indicating 'UNMOUNTABLE_BOOT_VOLUME'.

I tried twice with the same results. Please advise how you would like me to continue. Thank you.
Eric

#8 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:32 AM

Posted 26 September 2009 - 07:29 PM

Have you got a windows XP install disc?

#9 es99cobra

es99cobra
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  • Local time:10:32 PM

Posted 26 September 2009 - 10:42 PM

Have you got a windows XP install disc?

No, unfortunately. Is there another option?
Eric

#10 es99cobra

es99cobra
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  • Local time:10:32 PM

Posted 26 September 2009 - 10:58 PM

Let me rephrase that, I HAVE an XP Home install disk. I do not have an XP Professional Disk, which is what is installed on the infected computer.
Eric

#11 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:32 AM

Posted 27 September 2009 - 03:35 PM

~

Edited by random/random, 27 September 2009 - 03:38 PM.
removed outdated instructions


#12 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:32 AM

Posted 27 September 2009 - 03:39 PM

If you saw the instructions in the post above, don't follow them yet. I am looking at some other options.

#13 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:32 AM

Posted 27 September 2009 - 03:47 PM

We're going to use IceSword to check for the existence of a folder
  • Download IceSword from here
  • Extract/unzip it to a folder on your desktop
  • In that folder, double-click on IceSword.exe to start IceSword
  • Click on File in the bottom left hand corner
  • Locate this file
    • C:\windows\system32\fnmdibit or C:\windows\system32\.fnmdibit
  • If neither of them exists, post back here and tell me.
  • If either of them does exist, left-click on it to select it, note down the files present in the right-hand pane and post them here


#14 es99cobra

es99cobra
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  • Local time:10:32 PM

Posted 27 September 2009 - 05:31 PM

Neither file exists. Thanks.
Eric

#15 es99cobra

es99cobra
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  • Local time:10:32 PM

Posted 29 September 2009 - 01:25 PM

Are you still able to help me?
Eric
