[Help] Possible rootkit


24 replies to this topic

#1 Calisael

Posted 12 December 2009 - 09:45 AM

edit: I'm so sorry, I didn't mean to bump my request. I just thought it would be confusing to post all the logs into 1 message.
I thought there was a prompt for action for ComboFix so I ran it. It deleted a couple of files and MBAM now works...
Attaching the log I received from ComboFix. Would appreciate it a lot if you guys could check if I'm in the clear. Thanks so much!!! Will attach HijackThis log and others in the following post.

I suspected something was wrong when firefox.exe just disappeared. Tried reinstalling, but the installer wouldn't work as well. (edit: got the installer to work by renaming the installer. Got Firefox again but still cannot run anti-malware apps.)
Ran MBAM but it closes after a few seconds.
Ran Radix but it closes like MBAM; tried renaming to xidar but no effect. Deleted Radix.

Scanned (Full) using:
Symantec Antivirus (found a couple of trojans; rescanning, so will upload the log as soon as it finishes)
Trend Micro HouseCall (TSPY_KATES.SMOD in tij.dat, but after another scan it is still there; tried deleting)

Ran RootRepeal but after a few hours I received "MBR ReadFile Error! Error Code = 0x1f", so I'm not quite sure if this is a complete scan. Will try again but will attach the generated file here.
Also ran HijackThis, attached as well (edit: reran the log because I just found out I had an outdated version; please see 3rd post for log).

Will still try to run the following, will post logs as soon as they have finished:
Ad-Aware Free
SUPERAntiSpyware Free
McAfee Labs Stinger

Please advise what actions I should take. Thanks so much!

Inserting RootRepeal report below, for some reason it's not uploading for me.
Size: 121Object: Hidden Code [Driver: Aha154x, IRP_MJ_INTERNAL_DEVICE_CONTROL]Process: System	Address: 0x8a2bb1f8	Size: 121Object: Hidden Code [Driver: Aha154x, IRP_MJ_POWER]Process: System	Address: 0x8a2bb1f8	Size: 121Object: Hidden Code [Driver: Aha154x, IRP_MJ_SYSTEM_CONTROL]Process: System	Address: 0x8a2bb1f8	Size: 121Object: Hidden Code [Driver: Aha154x, IRP_MJ_PNP]Process: System	Address: 0x8a2bb1f8	Size: 121Object: Hidden Code [Driver: perc2hib, IRP_MJ_CREATE]Process: System	Address: 0x8a2a81f8	Size: 121Object: Hidden Code [Driver: perc2hib, IRP_MJ_CREATE_NAMED_PIPE]Process: System	Address: 0x8a2a81f8	Size: 121Object: Hidden Code [Driver: perc2hib, IRP_MJ_CLOSE]Process: System	Address: 0x8a2a81f8	Size: 121Object: Hidden Code [Driver: perc2hib, IRP_MJ_READ]Process: System	Address: 0x8a2a81f8	Size: 121Object: Hidden Code [Driver: perc2hib, IRP_MJ_WRITE]Process: System	Address: 0x8a2a81f8	Size: 121Object: Hidden Code [Driver: perc2hib, IRP_MJ_QUERY_INFORMATION]Process: System	Address: 0x8a2a81f8	Size: 121Object: Hidden Code [Driver: perc2hib, IRP_MJ_SET_INFORMATION]Process: System	Address: 0x8a2a81f8	Size: 121Object: Hidden Code [Driver: perc2hib, IRP_MJ_QUERY_EA]Process: System	Address: 0x8a2a81f8	Size: 121Object: Hidden Code [Driver: perc2hib, IRP_MJ_SET_EA]Process: System	Address: 0x8a2a81f8	Size: 121Object: Hidden Code [Driver: perc2hib, IRP_MJ_FLUSH_BUFFERS]Process: System	Address: 0x8a2a81f8	Size: 121Object: Hidden Code [Driver: perc2hib, IRP_MJ_QUERY_VOLUME_INFORMATION]Process: System	Address: 0x8a2a81f8	Size: 121Object: Hidden Code [Driver: perc2hib, IRP_MJ_SET_VOLUME_INFORMATION]Process: System	Address: 0x8a2a81f8	Size: 121Object: Hidden Code [Driver: perc2hib, IRP_MJ_DIRECTORY_CONTROL]Process: System	Address: 0x8a2a81f8	Size: 121Object: Hidden Code [Driver: perc2hib, IRP_MJ_FILE_SYSTEM_CONTROL]Process: System	Address: 0x8a2a81f8	Size: 121Object: Hidden Code [Driver: perc2hib, IRP_MJ_DEVICE_CONTROL]Process: System	Address: 0x8a2a81f8	Size: 121Object: 
Hidden Code [Driver: perc2hib, IRP_MJ_INTERNAL_DEVICE_CONTROL]Process: System	Address: 0x8a2a81f8	Size: 121Object: Hidden Code [Driver: perc2hib, IRP_MJ_SHUTDOWN]Process: System	Address: 0x8a2a81f8	Size: 121Object: Hidden Code [Driver: perc2hib, IRP_MJ_LOCK_CONTROL]Process: System	Address: 0x8a2a81f8	Size: 121Object: Hidden Code [Driver: perc2hib, IRP_MJ_CLEANUP]Process: System	Address: 0x8a2a81f8	Size: 121Object: Hidden Code [Driver: perc2hib, IRP_MJ_CREATE_MAILSLOT]Process: System	Address: 0x8a2a81f8	Size: 121Object: Hidden Code [Driver: perc2hib, IRP_MJ_QUERY_SECURITY]Process: System	Address: 0x8a2a81f8	Size: 121Object: Hidden Code [Driver: perc2hib, IRP_MJ_SET_SECURITY]Process: System	Address: 0x8a2a81f8	Size: 121Object: Hidden Code [Driver: perc2hib, IRP_MJ_POWER]Process: System	Address: 0x8a2a81f8	Size: 121Object: Hidden Code [Driver: perc2hib, IRP_MJ_SYSTEM_CONTROL]Process: System	Address: 0x8a2a81f8	Size: 121Object: Hidden Code [Driver: perc2hib, IRP_MJ_DEVICE_CHANGE]Process: System	Address: 0x8a2a81f8	Size: 121Object: Hidden Code [Driver: perc2hib, IRP_MJ_QUERY_QUOTA]Process: System	Address: 0x8a2a81f8	Size: 121Object: Hidden Code [Driver: perc2hib, IRP_MJ_SET_QUOTA]Process: System	Address: 0x8a2a81f8	Size: 121Object: Hidden Code [Driver: perc2hib, IRP_MJ_PNP]Process: System	Address: 0x8a2a81f8	Size: 121Object: Hidden Code [Driver: i2omp, IRP_MJ_CREATE]Process: System	Address: 0x8a3291f8	Size: 121Object: Hidden Code [Driver: i2omp, IRP_MJ_CLOSE]Process: System	Address: 0x8a3291f8	Size: 121Object: Hidden Code [Driver: i2omp, IRP_MJ_DEVICE_CONTROL]Process: System	Address: 0x8a3291f8	Size: 121Object: Hidden Code [Driver: i2omp, IRP_MJ_INTERNAL_DEVICE_CONTROL]Process: System	Address: 0x8a3291f8	Size: 121Object: Hidden Code [Driver: i2omp, IRP_MJ_POWER]Process: System	Address: 0x8a3291f8	Size: 121Object: Hidden Code [Driver: i2omp, IRP_MJ_SYSTEM_CONTROL]Process: System	Address: 0x8a3291f8	Size: 121Object: Hidden Code [Driver: i2omp, IRP_MJ_PNP]Process: System	
Address: 0x8a3291f8	Size: 121Object: Hidden Code [Driver: dpti2o, IRP_MJ_CREATE]Process: System	Address: 0x8a2ad1f8	Size: 121Object: Hidden Code [Driver: dpti2o, IRP_MJ_CLOSE]Process: System	Address: 0x8a2ad1f8	Size: 121Object: Hidden Code [Driver: dpti2o, IRP_MJ_DEVICE_CONTROL]Process: System	Address: 0x8a2ad1f8	Size: 121Object: Hidden Code [Driver: dpti2o, IRP_MJ_INTERNAL_DEVICE_CONTROL]Process: System	Address: 0x8a2ad1f8	Size: 121Object: Hidden Code [Driver: dpti2o, IRP_MJ_POWER]Process: System	Address: 0x8a2ad1f8	Size: 121Object: Hidden Code [Driver: dpti2o, IRP_MJ_SYSTEM_CONTROL]Process: System	Address: 0x8a2ad1f8	Size: 121Object: Hidden Code [Driver: dpti2o, IRP_MJ_PNP]Process: System	Address: 0x8a2ad1f8	Size: 121Object: Hidden Code [Driver: asc3550, IRP_MJ_CREATE]Process: System	Address: 0x8a2b71f8	Size: 121Object: Hidden Code [Driver: asc3550, IRP_MJ_CLOSE]Process: System	Address: 0x8a2b71f8	Size: 121Object: Hidden Code [Driver: asc3550, IRP_MJ_DEVICE_CONTROL]Process: System	Address: 0x8a2b71f8	Size: 121Object: Hidden Code [Driver: asc3550, IRP_MJ_INTERNAL_DEVICE_CONTROL]Process: System	Address: 0x8a2b71f8	Size: 121Object: Hidden Code [Driver: asc3550, IRP_MJ_POWER]Process: System	Address: 0x8a2b71f8	Size: 121Object: Hidden Code [Driver: asc3550, IRP_MJ_SYSTEM_CONTROL]Process: System	Address: 0x8a2b71f8	Size: 121Object: Hidden Code [Driver: asc3550, IRP_MJ_PNP]Process: System	Address: 0x8a2b71f8	Size: 121Object: Hidden Code [Driver: Cpqarray, IRP_MJ_CREATE]Process: System	Address: 0x8a3301f8	Size: 121Object: Hidden Code [Driver: Cpqarray, IRP_MJ_CLOSE]Process: System	Address: 0x8a3301f8	Size: 121Object: Hidden Code [Driver: Cpqarray, IRP_MJ_DEVICE_CONTROL]Process: System	Address: 0x8a3301f8	Size: 121Object: Hidden Code [Driver: Cpqarray, IRP_MJ_INTERNAL_DEVICE_CONTROL]Process: System	Address: 0x8a3301f8	Size: 121Object: Hidden Code [Driver: Cpqarray, IRP_MJ_POWER]Process: System	Address: 0x8a3301f8	Size: 121Object: Hidden Code [Driver: Cpqarray, 
IRP_MJ_SYSTEM_CONTROL]Process: System	Address: 0x8a3301f8	Size: 121Object: Hidden Code [Driver: Cpqarray, IRP_MJ_PNP]Process: System	Address: 0x8a3301f8	Size: 121Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]Process: System	Address: 0x86a261f8	Size: 121Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]Process: System	Address: 0x86a261f8	Size: 121Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]Process: System	Address: 0x86a261f8	Size: 121Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]Process: System	Address: 0x86a261f8	Size: 121Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]Process: System	Address: 0x86a261f8	Size: 121Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]Process: System	Address: 0x86a261f8	Size: 121Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]Process: System	Address: 0x86a261f8	Size: 121Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]Process: System	Address: 0x86a261f8	Size: 121Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]Process: System	Address: 0x86a261f8	Size: 121Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]Process: System	Address: 0x86a261f8	Size: 121Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]Process: System	Address: 0x86a261f8	Size: 121Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]Process: System	Address: 0x86a261f8	Size: 121Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]Process: System	Address: 0x86a261f8	Size: 121Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]Process: System	Address: 0x86a261f8	Size: 121Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]Process: System	Address: 0x86a261f8	Size: 121Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]Process: System	Address: 0x86a261f8	Size: 121Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]Process: System	Address: 0x86a261f8	Size: 121Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]Process: System	Address: 
0x86a261f8	Size: 121Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]Process: System	Address: 0x86a261f8	Size: 121Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]Process: System	Address: 0x86a261f8	Size: 121Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]Process: System	Address: 0x86a261f8	Size: 121Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]Process: System	Address: 0x86a261f8	Size: 121Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]Process: System	Address: 0x86a261f8	Size: 121Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]Process: System	Address: 0x86a261f8	Size: 121Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]Process: System	Address: 0x86a261f8	Size: 121Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]Process: System	Address: 0x86a261f8	Size: 121Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]Process: System	Address: 0x86a261f8	Size: 121Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]Process: System	Address: 0x86a261f8	Size: 121Object: Hidden Code [Driver: Cdfs…ఐ‡䁡™А, IRP_MJ_CREATE]Process: System	Address: 0x869ba500	Size: 121Object: Hidden Code [Driver: Cdfs…ఐ‡䁡™А, IRP_MJ_CLOSE]Process: System	Address: 0x869ba500	Size: 121Object: Hidden Code [Driver: Cdfs…ఐ‡䁡™А, IRP_MJ_READ]Process: System	Address: 0x869ba500	Size: 121Object: Hidden Code [Driver: Cdfs…ఐ‡䁡™А, IRP_MJ_QUERY_INFORMATION]Process: System	Address: 0x869ba500	Size: 121Object: Hidden Code [Driver: Cdfs…ఐ‡䁡™А, IRP_MJ_SET_INFORMATION]Process: System	Address: 0x869ba500	Size: 121Object: Hidden Code [Driver: Cdfs…ఐ‡䁡™А, IRP_MJ_QUERY_VOLUME_INFORMATION]Process: System	Address: 0x869ba500	Size%3ss: System	Address: 0x897c21f8	Size: 121Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]Process: System	Address: 0x897c21f8	Size: 121Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]Process: System	Address: 0x897c21f8	Size: 121Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]Process: System	Address: 
0x897c21f8	Size: 121Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]Process: System	Address: 0x897c21f8	Size: 121Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]Process: System	Address: 0x897c21f8	Size: 121Object: Hidden Code [Driver: sym_hi, IRP_MJ_CREATE]Process: System	Address: 0x8a2b41f8	Size: 121Object: Hidden Code [Driver: sym_hi, IRP_MJ_CLOSE]Process: System	Address: 0x8a2b41f8	Size: 121Object: Hidden Code [Driver: sym_hi, IRP_MJ_DEVICE_CONTROL]Process: System	Address: 0x8a2b41f8	Size: 121Object: Hidden Code [Driver: sym_hi, IRP_MJ_INTERNAL_DEVICE_CONTROL]Process: System	Addres



Edited by Calisael, 13 December 2009 - 01:32 AM.



#2 Calisael


Posted 12 December 2009 - 10:38 AM

SUPERAntiSpyware results:
Adware.Tracking Cookie [5 items] - removed

edit:
McAfee Stinger - none found

Edited by Calisael, 12 December 2009 - 11:35 AM.


#3 Calisael


Posted 12 December 2009 - 11:17 AM

attached DDS logs below, thanks

DDS (Ver_09-12-01.01) - NTFSx86
Run by joj at 0:12:49.03 on Sun 12/13/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1944.577 [GMT 8:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Client Firewall *enabled* {5CB76A43-5FAD-476B-B9FF-26FA61F13187}

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\IBM\Personal Communications\PCS_AGNT.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
C:\WINDOWS\system32\Drivers\trcboot.exe
C:\Program Files\IBM\Personal Communications\tpam.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\TpShocks.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\IBM\My Help\plugins\com.ibm.myhelp.common_1.4.19\pmonmh.exe
svchost.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\SYMANT~2\SYMANT~2\VPTray.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\C4ebreg\isamtray.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMLCHK.exe
C:\Program Files\C4ebreg\c4ebreg.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Lenovo\HOTKEY\TPFNF6R.exe
c:\sdwork\issimsvc.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.5.0.20081031-1700\soffice.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\KanaReminder\Reminder.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\notes\ntmulti.exe
C:\Program Files\AT&T Network Client\NetCfgSv.EXE
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\PGP Corporation\PGP Desktop\PGPtray.exe
C:\Program Files\Stickies\stickies.exe
C:\WINDOWS\system32\PGPserv.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
C:\WINDOWS\system32\Drivers\ldlcserv.exe
C:\WINDOWS\system32\Drivers\ldlcserv6.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Program Files\IBM\My Help\MyHelp.exe
C:\Program Files\IBM\My Help\jre\bin\myhelpw.exe
C:\Documents and Settings\joj\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\joj\Desktop\stinger1001688.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\vpc32.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
C:\Documents and Settings\joj\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\joj\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\OpenDNS Updater\OpenDNS Updater.exe
C:\Documents and Settings\joj\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
mDefault_Page_URL = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyOverride = ;<local>;*.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
TB: Lenovo ThinkVantage Toolbox: {86b9b5dd-fb75-4035-bd52-3c94f7849caf} - c:\program files\pc-doctor\ATLPcdToolbar544928.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messen~1\YahooMessenger.exe" -quiet
uRun: [Kana Reminder] "c:\program files\kanareminder\Reminder.exe"
uRun: [TPKMAPMN] c:\program files\thinkpad\utilities\TpKmapMn.exe
uRun: [SmartAudio] c:\program files\conexant\saii\SAIICpl.exe /t
uRun: [Google Update] "c:\documents and settings\joj\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [stgclean] c:\sdwork\w32main2.exe /cleanup
mRun: [Tpam.exe] "c:\program files\ibm\personal communications\tpam.exe"
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [TpShocks] TpShocks.exe
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [TPFNF7] c:\progra~1\lenovo\npdirect\TPFNF7SP.exe /r
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [MyHelpService] c:\program files\ibm\my help\workspace\service\delayStart.exe
mRun: [pmonmh] c:\program files\ibm\my help\plugins\\com.ibm.myhelp.common_1.4.19/pmonmh.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~2\symant~2\VPTray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [Isamtray] "c:\program files\c4ebreg\isamtray.exe"
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [TrackPointSrv] c:\program files\lenovo\trackpoint\tp4serv.exe
mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
mRun: [ISSI Service] "c:\sdwork\issimsvc.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [LPManager] c:\progra~1\thinkv~1\prdctr\LPMGR.exe
mRun: [LPMailChecker] c:\progra~1\thinkv~1\prdctr\LPMLCHK.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [LENOVO.TPFNF6R] c:\program files\lenovo\hotkey\TPFNF6R.exe
mRun: [picon] "c:\program files\common files\intel\privacy icon\PrivacyIconClient.exe" -startup
mRun: [C4EBReg] "c:\program files\c4ebreg\c4ebreg.exe" /q
mRun: [SODCPreLoad] c:\program files\ibm\lotus\symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.5.0.20081031-1700\preload.exe c:\progra~1\ibm\lotus\symphony\data\.sodc\
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\joj\startm~1\programs\startup\fastst~1.lnk - c:\fscapture\FSCapture.exe
StartupFolder: c:\documents and settings\joj\start menu\programs\startup\IBM-TVC.appref-ms
StartupFolder: c:\docume~1\joj\startm~1\programs\startup\stickies.lnk - c:\program files\stickies\stickies.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\thinkpad\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pgptra~1.lnk - c:\windows\installer\{01d0b438-ce21-4fad-8845-a0f00db65f4f}\Icon6560581611.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\tweetd~1.lnk - c:\program files\tweetdeck\TweetDeck.exe
uPolicies-explorer: NoDevMgrUpdate = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\thinkpad\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: ibm.com\w3-950.chs
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
TCP: {997CA173-8700-43D9-9918-682C889E2651} = 208.67.222.222,208.67.220.220
TCP: {AECC8EBE-6AF2-4269-AA17-6E6F84A2459C} = 208.67.222.222,208.67.220.220
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: ACNotify - ACNotify.dll
Notify: atmgrtok - atmgrtok.dll
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: pcsinst - pcsinst.dll
Notify: tpfnf2 - c:\program files\lenovo\hotkey\notifyf2.dll
STS: FencesShlExt Class: {1984dd45-52cf-49cd-ab77-18f378fea264} - c:\program files\stardock\fences\FencesMenu.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli ACGina PGPpwflt ACGina

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-12-12 64288]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2009-6-29 20520]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [2008-5-12 13480]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-11-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-11-23 74480]
R1 SAVRT;SAVRT;c:\program files\symantec client security\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec client security\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\virtualcd\VCdRom.sys [2001-12-19 8576]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-11-21 192104]
R2 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\ccProxy.exe [2006-11-21 202344]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-11-21 169576]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-12-2 1184912]
R2 ldlcserv6;IBM Enterprise Extender (IPv6);c:\windows\system32\drivers\ldlcserv6.exe [2007-11-2 40960]
R2 pdlndldl6;IBM Enterprise Extender (HPR/IPv6);c:\windows\system32\drivers\pdlndldl6.sys [2007-11-2 70656]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\thinkpad\utilities\PWMDBSVC.exe [2008-10-13 53248]
R2 SavRoam;SAVRoam;c:\program files\symantec client security\symantec antivirus\SavRoam.exe [2007-3-14 116416]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec client security\symantec antivirus\Rtvscan.exe [2007-3-14 1816768]
R2 TPHKSVC;On Screen Display;c:\program files\lenovo\hotkey\TPHKSVC.exe [2008-10-13 62320]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\common files\intel\privacy icon\uns\UNS.exe [2009-10-16 2058776]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2008-6-13 243856]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-9-2 102448]
R3 IsamFilter;IsamFilter;c:\windows\system32\drivers\isamfilter.sys [2009-10-7 6016]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20091211.002\naveng.sys [2009-12-12 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20091211.002\navex15.sys [2009-12-12 1323568]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-11-23 7408]
R3 SDTHelper;Helper driver for SDT-Tool;\??\c:\documents and settings\joj\desktop\xidar\sdthlpr.sys --> c:\documents and settings\joj\desktop\xidar\sdthlpr.sys [?]
S0 0261B;0261B;c:\windows\system32\drivers\0261b.sys --> c:\windows\system32\drivers\0261B.SYS [?]
S0 0269;0269;c:\windows\system32\drivers\0269.SYS [2009-12-12 33120]
S1 30bA;30bA;c:\windows\system32\drivers\30bA.SYS [2009-12-12 33120]
S1 69e1C;69e1C;\??\c:\windows\system32\drivers\69e1c.sys --> c:\windows\system32\drivers\69e1C.SYS [?]
S2 6c1B;6c1B;c:\windows\system32\drivers\6c1B.SYS [2009-12-12 33120]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\lenovo\hotkey\micmute.exe [2009-5-21 45424]
S3 4267;4267;\??\c:\windows\system32\4267.sys --> c:\windows\system32\4267.sys [?]
S3 6fd3;6fd3;\??\c:\windows\system32\6fd3.sys --> c:\windows\system32\6fd3.sys [?]
S3 7ba2;7ba2;\??\c:\windows\system32\7ba2.sys --> c:\windows\system32\7ba2.sys [?]
S3 8b06;8b06;\??\c:\windows\system32\8b06.sys --> c:\windows\system32\8b06.sys [?]
S3 9af262;9af262;c:\windows\system32\9af262.sys [2009-12-12 54624]
S3 b158;b158;\??\c:\windows\system32\b158.sys --> c:\windows\system32\b158.sys [?]
S3 b844;b844;\??\c:\windows\system32\b844.sys --> c:\windows\system32\b844.sys [?]
S3 bfturboh;BUFFALO TurboUSB for HD Filter;c:\windows\system32\drivers\bfturboh.sys [2009-5-4 15872]
S3 chkproc1;chkproc1;\??\c:\documents and settings\joj\desktop\helios\chkproc.sys --> c:\documents and settings\joj\desktop\helios\chkproc.sys [?]
S3 csrcmds;csrcmds;c:\program files\ibm\personal communications\csrcmds.exe [2007-11-2 49152]
S3 cstrcser;IBM Command Line Trace;c:\windows\system32\drivers\cstrcser.exe [2007-11-2 36864]
S3 gnab_device;gnab_device;c:\windows\system32\gnabcoms.exe -service --> c:\windows\system32\GNabcoms.exe -service [?]
UnknownUnknown eab1D;eab1D; [x]

=============== Created Last 30 ================

2009-12-12 12:41:23 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-12-12 12:41:03 0 d-----w- c:\program files\SUPERAntiSpyware
2009-12-12 12:41:03 0 d-----w- c:\docume~1\joj\applic~1\SUPERAntiSpyware.com
2009-12-12 12:39:52 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-12-12 12:22:25 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-12-12 11:52:59 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-12-12 11:49:30 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2009-12-12 11:48:58 0 d-----w- c:\program files\Lavasoft
2009-12-12 10:56:13 0 d-----w- c:\program files\TrendMicro
2009-12-12 10:25:30 6262 --sha-w- c:\windows\system32\drivers\6c1B.DAT
2009-12-12 10:25:30 6262 --sha-w- c:\windows\system32\drivers\30bA.DAT
2009-12-12 10:25:30 6262 --sha-w- c:\windows\system32\drivers\0269.DAT
2009-12-12 10:25:30 33120 ----a-w- c:\windows\system32\drivers\6c1B.SYS
2009-12-12 10:25:30 33120 ----a-w- c:\windows\system32\drivers\30bA.SYS
2009-12-12 10:25:30 33120 ----a-w- c:\windows\system32\drivers\0269.SYS
2009-12-12 08:43:59 7680 ----a-w- c:\windows\system32\drivers\RKL8A.tmp.sys
2009-12-12 07:31:53 128352 ----a-w- c:\windows\system32\9af262.dll
2009-12-12 07:31:52 715264 ----a-w- c:\windows\system32\be4263.tmp
2009-12-12 07:31:51 54624 ----a-w- c:\windows\system32\9af262.sys
2009-12-12 07:31:49 2335270 ----a-w- c:\windows\system32\01a261.mht
2009-12-11 07:27:05 0 d-----w- c:\docume~1\alluse~1\applic~1\PCDr
2009-12-11 07:25:38 0 d-----w- c:\program files\PC-Doctor
2009-12-11 07:17:40 512752 ----a-w- c:\windows\qfeC2.tmp
2009-12-05 12:42:37 0 d-----w- c:\program files\Gravity
2009-12-04 18:10:04 0 d-----w- c:\program files\Stanza
2009-12-04 00:33:25 0 d-----w- c:\program files\TweetDeck
2009-12-01 15:31:57 0 d-----w- c:\docume~1\joj\applic~1\ViiKiiDesktopPlugin.5E22EA0FF243470AB5EDDF282C0A5B52E9909C36.1
2009-12-01 01:11:51 0 d-----w- c:\docume~1\joj\applic~1\TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1
2009-11-28 04:49:49 0 d-----w- c:\docume~1\joj\applic~1\runic games
2009-11-28 04:43:55 0 d-----w- c:\program files\Runic Games
2009-11-28 04:38:35 47 ----a-w- c:\windows\WinBIN2ISO.INI
2009-11-28 04:30:35 0 d-----w- C:\virtualcd
2009-11-28 01:50:50 0 d-----w- c:\windows\Westward IV
2009-11-28 01:50:50 0 d-----w- c:\program files\Westward IV
2009-11-27 05:36:56 0 ----a-w- C:\rmaps
2009-11-27 03:21:03 0 d-----w- c:\docume~1\joj\applic~1\GlarySoft
2009-11-27 00:48:33 0 d-----w- c:\program files\VS Revo Group
2009-11-26 13:11:32 0 d-----w- c:\program files\Glary Utilities
2009-11-25 14:26:41 0 d-----w- C:\Gyromancer
2009-11-20 14:58:10 0 d-----w- c:\docume~1\alluse~1\applic~1\EscapeTheMuseum2
2009-11-19 10:14:08 66960 ----a-w- C:\free_twitter_designer.jpg
2009-11-18 14:15:11 0 d-----w- c:\docume~1\joj\applic~1\Oberon Games
2009-11-18 14:15:10 0 d-----w- c:\docume~1\alluse~1\applic~1\Oberon Games
2009-11-18 14:04:16 0 d-----w- c:\program files\NT Registry Optimizer
2009-11-18 07:15:56 1288 ----a-w- C:\bar.emf
2009-11-15 13:19:57 0 d-----w- c:\docume~1\joj\applic~1\EleFun Games

==================== Find3M ====================

2009-12-02 01:10:44 6016 ----a-w- c:\windows\system32\drivers\isamfilter.sys
2009-11-17 18:57:03 64792 ----a-w- c:\windows\isamunin.exe
2009-11-14 06:00:00 68664 ----a-w- c:\windows\fonts\HappyPhantom-ITALIC.ttf
2009-11-14 05:58:00 68288 ----a-w- c:\windows\fonts\HappyPhantom Bold-ITALIC.ttf
2009-11-14 05:47:00 58448 ----a-w- c:\windows\fonts\HappyPhantom-Regular.ttf
2009-11-14 05:32:00 57836 ----a-w- c:\windows\fonts\HappyPhantom-Bold.ttf
2009-11-03 14:14:36 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_SynTP_01007.Wdf
2009-11-03 04:58:03 62648 ---ha-w- c:\windows\system32\mlfcache.dat
2009-10-29 07:46:59 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46:50 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-21 06:00:55 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 06:00:55 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 14:58:48 263552 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:53:29 266752 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:54:17 69632 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:54:17 112128 ----a-w- c:\windows\system32\rastls.dll
2009-10-06 01:11:17 50400 ----a-w- c:\windows\fonts\Helvetica 75 Bold.ttf
2009-10-06 01:07:24 51624 ----a-w- c:\windows\fonts\Helvetica
2009-09-21 07:23:28 16896 ----a-w- c:\windows\system32\S24NCfg.dll
2009-09-15 04:19:34 2756608 ----a-w- c:\windows\system32\NETw5r32.dll
2009-09-15 04:18:04 675840 ----a-w- c:\windows\system32\NETw5c32.dll
2009-07-10 14:20:18 25 ----a-w- c:\program files\popcinfot.dat

============= FINISH: 0:15:00.26 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 10/13/2008 9:24:52 PM
System Uptime: 12/12/2009 6:13:22 PM (6 hours ago)

Motherboard: LENOVO | | 6474B87
Processor: Intel Pentium III Xeon processor | None | 1580/266mhz
Processor: Intel Pentium III Xeon processor | None | 1580/266mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 149 GiB total, 14.875 GiB free.
F: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: AGN Virtual Network Adapter
Device ID: ROOT\NET\0000
Manufacturer: AT&T
Name: AGN Virtual Network Adapter
PNP Device ID: ROOT\NET\0000
Service: avpnnic

==== System Restore Points ===================

RP172: 10/22/2009 12:44:47 AM - Software Distribution Service 3.0
RP173: 10/26/2009 12:50:48 AM - Software Distribution Service 3.0
RP174: 10/28/2009 1:10:33 AM - Software Distribution Service 3.0
RP175: 10/30/2009 8:17:23 PM - Installed ThinkPad Power Management Driver
RP176: 10/30/2009 8:21:06 PM - Installed Power Manager
RP177: 11/1/2009 4:04:09 AM - System Checkpoint
RP178: 11/4/2009 11:37:01 PM - Software Distribution Service 3.0
RP179: 11/8/2009 9:59:04 PM - Installed Chinese Homework
RP180: 11/10/2009 10:55:25 PM - System Checkpoint
RP181: 11/11/2009 11:56:05 PM - Software Distribution Service 3.0
RP182: 11/13/2009 11:52:44 PM - System Checkpoint
RP183: 11/15/2009 11:57:56 AM - Installed Windows XP KB909667.
RP184: 11/15/2009 11:58:54 AM - Installed Productivity Center
RP185: 11/15/2009 11:59:09 AM - Installed Productivity Center Supplement
RP186: 11/16/2009 12:17:43 PM - System Checkpoint
RP187: 11/17/2009 3:13:44 PM - System Checkpoint
RP188: 11/18/2009 9:45:55 PM - Removed Data Lifeguard Diagnostic for Windows
RP189: 11/19/2009 11:57:13 PM - System Checkpoint
RP190: 11/22/2009 3:45:52 AM - System Checkpoint
RP191: 11/26/2009 12:32:55 AM - Software Distribution Service 3.0
RP192: 11/27/2009 1:13:52 AM - System Checkpoint
RP193: 11/27/2009 11:22:20 AM - Revo Uninstaller's restore point - Coffee Rush
RP194: 11/27/2009 11:22:36 AM - Removed Coffee Rush
RP195: 11/27/2009 11:47:43 PM - Revo Uninstaller's restore point - Sallys Quick Clips
RP196: 11/28/2009 11:52:46 PM - System Checkpoint
RP197: 12/2/2009 7:15:45 AM - Revo Uninstaller's restore point - ViiKii Desktop Plug-in
RP198: 12/2/2009 7:16:08 AM - Removed ViiKii Desktop Plug-in
RP200: 12/3/2009 6:11:52 PM - Software Distribution Service 3.0
RP201: 12/5/2009 2:10:33 AM - Installed Bonjour
RP202: 12/9/2009 5:36:50 PM - Software Distribution Service 3.0
RP203: 12/11/2009 3:22:54 PM - Installed Windows XP KB909667.
RP204: 12/12/2009 4:51:57 PM - Revo Uninstaller's restore point - Alexandra Fortune - Mystery of the Lunar Archipelago
RP205: 12/12/2009 5:03:53 PM - Revo Uninstaller's restore point - Bookworm Adventures Vol. 2
RP206: 12/12/2009 5:04:27 PM - Revo Uninstaller's restore point - Bookworm Adventures Vol. 2
RP207: 12/12/2009 5:06:46 PM - Revo Uninstaller's restore point - Diablo II
RP208: 12/12/2009 6:56:13 PM - Installed HiJackThis
RP209: 12/12/2009 8:40:58 PM - Installed SUPERAntiSpyware Free Edition

==== Installed Programs ======================


µTorrent
2007 Microsoft Office Suite Service Pack 1 (SP1)
Access IBM
Acrobat.com
Ad-Aware
Adobe AIR
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe Dreamweaver CS3
Adobe ExtendScript Toolkit 2
Adobe Extension Manager CS3
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Reader 9.1
Adobe Setup
Adobe Shockwave Player 11
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
AFP Workbench for Windows
Apple Application Support
Apple Mobile Device Support
Apple Software Update
AT&T Network Client
AviSynth 2.5
Bonjour
BUFFALO TurboUSB for FLASH/HDD
CCleaner
CDisplay 1.8
Chinese Homework
ClearType Tuning Control Panel Applet
Conexant 20561 SmartAudio HD
Defraggler
DimSum 0.7.9
DreamerRO Low Rate Client
Escape the Museum 2 1.00
eWebEditPro 5 Client
Fences
Fishdom Spooky Splash
Glary Utilities 2.17.0.776
Google Chrome
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HiJackThis
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB889816)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB917332)
Hotfix for Windows XP (KB918837)
Hotfix for Windows XP (KB923293)
Hotfix for Windows XP (KB934205)
Hotfix for Windows XP (KB935192)
Hotfix for Windows XP (KB949764)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
IBM-TVC
IBM 32-bit Runtime Environment for Java 2, v5.0
IBM Ayudame
IBM Infoprint Select
IBM ISMA Peer-To-Peer
IBM Lotus Sametime Connect 7.5.1
IBM Lotus Symphony
IBM My Help
IBM Personal Communications
IBM Printer Software Uninstall
IBM Tivoli Storage Manager Client
iDump (Freeware) Build:29
ILC
Inkscape 0.46
Intel® Graphics Media Accelerator Driver
Intel® Network Connections Drivers
Intel® PROSet/Wireless WiFi Software
Intel Active Management Technology
InterVideo Register Manager
InterVideo WinDVD
iTunes
Java™ 6 Update 7
K-Lite Mega Codec Pack 5.1.0
Lenovo System Interface Driver
Lenovo ThinkVantage Toolbox
LiveUpdate 3.1 (Symantec Corporation)
Lotus Notes 8.0.2
LucisArt 3 ED/SE
Lupas Rename 2000 v5.0 Release
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft National Language Support Downlevel APIs
Microsoft Office Excel Viewer 2003
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Standard Edition 2003
Microsoft Office Visio 2007 Service Pack 1 (SP1)
Microsoft Office Visio MUI (English) 2007
Microsoft Office Visio Standard 2007
Microsoft Office Visio Viewer 2007
Microsoft Office Word Viewer 2003
Microsoft Software Update for Web Folders (English) 12
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Windows Journal Viewer
Mobile Partner
Mozilla Firefox (3.5.5)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
My Help - Workstation Setup Wizard
On Screen Display
OpenDNS Updater 1.3.0.187
PDF Settings
PGP Desktop
Presentation Director
Printer Software Uninstall
Productivity Center Supplement for ThinkPad
QuickTime
Real Alternative 2.0.0 Lite
Revo Uninstaller 1.83
RICOH R5C83x/84x Flash Media Controller Driver Ver.3.54.02
Roxio DigitalMedia Audio
Roxio DigitalMedia Copy
Roxio DigitalMedia Data
Search & Replace Master version 1.2
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio 2007 (KB957831)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950582)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971032)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Snapshot Viewer
Spelling Dictionaries Support For Adobe Reader 9
Stanza
Stickies 7.0a
SUPERAntiSpyware Free Edition
Symantec Client Security
System Update
The KMPlayer (remove only)
The Treasures Of Montezuma 2
ThinkPad Bluetooth with Enhanced Data Rate Software
ThinkPad EasyEject Utility
ThinkPad FullScreen Magnifier
ThinkPad Hotkey Features Setup
ThinkPad Keyboard Customizer Utility
ThinkPad Modem Adapter
ThinkPad Power Management Driver
ThinkPad Power Manager
ThinkPad TrackPoint Driver
ThinkPad UltraNav Driver
ThinkPad UltraNav Utility
ThinkVantage Access Connections
ThinkVantage Active Protection System
ThinkVantage Productivity Center
Tweak UI
TweetDeck
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows XP (KB925876)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Videora iPod Converter 5.03
Videora iPod touch Converter 5.03
WebFldrs XP
Westward IV
WildGames
Winamp
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Media Format Runtime
Windows Presentation Foundation
WindSlayer
WinUHA 2.0 RC1 (2005.02.27)
WonderKing
Workstation Security Tool 2.4
XML Paper Specification Shared Components Pack 1.0
Yahoo! Messenger
Youda Legend - The Curse of the Amsterdam Diamond 1.00
Zuma's Revenge!

==== Event Viewer Messages From Past Week ========

12/9/2009 7:38:08 AM, error: Service Control Manager [7000] - The rimsptsk service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
12/9/2009 7:38:08 AM, error: Service Control Manager [7000] - The rimmptsk service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
12/9/2009 7:38:08 AM, error: Service Control Manager [7000] - The Ricoh xD-Picture Card Driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
12/9/2009 7:22:20 PM, error: Dhcp [1002] - The IP address lease 9.187.109.56 for the Network Card with network address 0022680ACE06 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
12/7/2009 8:59:24 AM, error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: This operation returned because the timeout period expired.
12/7/2009 8:52:43 AM, error: Dhcp [1002] - The IP address lease 192.168.2.105 for the Network Card with network address 0022680ACE06 has been denied by the DHCP server 9.187.103.22 (The DHCP Server sent a DHCPNACK message).
12/7/2009 11:18:48 AM, error: ipnathlp [32003] - The Network Address Translator (NAT) was unable to request an operation of the kernel-mode translation module. This may indicate misconfiguration, insufficient resources, or an internal error. The data is the error code.
12/7/2009 11:18:48 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service upnphost with arguments "" in order to run the server: {204810B9-73B2-11D4-BF42-00B0D0118B56}
12/7/2009 11:08:21 AM, error: ipnathlp [30013] - The DHCP allocator has disabled itself on IP address 9.187.109.212, since the IP address is outside the 192.168.0.0/255.255.255.0 scope from which addresses are being allocated to DHCP clients. To enable the DHCP allocator on this IP address, please change the scope to include the IP address, or change the IP address to fall within the scope.
12/7/2009 11:07:46 AM, error: ipnathlp [30005] - The DHCP allocator has detected a DHCP server with IP address 9.187.109.4 on the same network as the interface with IP address 192.168.0.1. The allocator has disabled itself on the interface in order to avoid confusing DHCP clients.
12/6/2009 9:32:50 PM, error: iastor [9] - The device, \Device\Ide\iaStor0, did not respond within the timeout period.
12/12/2009 6:34:30 PM, error: Service Control Manager [7000] - The Helper driver for SDT-Tool service failed to start due to the following error: The system cannot find the path specified.
12/12/2009 6:16:41 PM, error: Service Control Manager [7000] - The eab1D service failed to start due to the following error: Insufficient system resources exist to complete the requested service.
12/12/2009 5:16:09 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
12/12/2009 5:15:24 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD ANC eeCtrl Fips IBMTPCHK intelppm IPSec lenovo.smi MRxSmb NetBIOS NetBT RasAcd Rdbss SAVRT SAVRTPEL SYMTDI Tcpip Tcpip6 TPHKDRV TPPWRIF TSMAPIP
12/12/2009 5:15:24 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
12/12/2009 5:15:24 PM, error: Service Control Manager [7001] - The PDLC X.25 service depends on the PDLC Buffer Manager service which failed to start because of the following error: The dependency service or group failed to start.
12/12/2009 5:15:24 PM, error: Service Control Manager [7001] - The PDLC V25bis signalling service depends on the PDLC Buffer Manager service which failed to start because of the following error: The dependency service or group failed to start.
12/12/2009 5:15:24 PM, error: Service Control Manager [7001] - The PDLC SDLC service depends on the PDLC Buffer Manager service which failed to start because of the following error: The dependency service or group failed to start.
12/12/2009 5:15:24 PM, error: Service Control Manager [7001] - The PDLC SDLC Leased service depends on the PDLC Buffer Manager service which failed to start because of the following error: The dependency service or group failed to start.
12/12/2009 5:15:24 PM, error: Service Control Manager [7001] - The PDLC QLLC service depends on the PDLC Buffer Manager service which failed to start because of the following error: The dependency service or group failed to start.
12/12/2009 5:15:24 PM, error: Service Control Manager [7001] - The PDLC Mapper service depends on the PDLC X.25 service which failed to start because of the following error: The dependency service or group failed to start.
12/12/2009 5:15:24 PM, error: Service Control Manager [7001] - The PDLC LAPB service depends on the PDLC Buffer Manager service which failed to start because of the following error: The dependency service or group failed to start.
12/12/2009 5:15:24 PM, error: Service Control Manager [7001] - The PDLC Hayes At signalling service depends on the PDLC Buffer Manager service which failed to start because of the following error: The dependency service or group failed to start.
12/12/2009 5:15:24 PM, error: Service Control Manager [7001] - The PDLC DLC Classes service depends on the PDLC Buffer Manager service which failed to start because of the following error: The dependency service or group failed to start.
12/12/2009 5:15:24 PM, error: Service Control Manager [7001] - The PDLC Connection Manager service depends on the PDLC Message Driver service which failed to start because of the following error: The dependency service or group failed to start.
12/12/2009 5:15:24 PM, error: Service Control Manager [7001] - The PDLC Buffer Manager service depends on the PDLC Message Driver service which failed to start because of the following error: The dependency service or group failed to start.
12/12/2009 5:15:24 PM, error: Service Control Manager [7001] - The PDLC Adapter Factory service depends on the PDLC Message Driver service which failed to start because of the following error: The dependency service or group failed to start.
12/12/2009 5:15:24 PM, error: Service Control Manager [7001] - The IPv6 Helper Service service depends on the Microsoft IPv6 Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/12/2009 5:15:24 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/12/2009 5:15:24 PM, error: Service Control Manager [7001] - The IBM Enterprise Extender (HPR/IPv6) service depends on the PDLC OEM Interface service which failed to start because of the following error: The dependency service or group failed to start.
12/12/2009 5:15:24 PM, error: Service Control Manager [7001] - The IBM Enterprise Extender (HPR/IPv4) service depends on the PDLC OEM Interface service which failed to start because of the following error: The dependency service or group failed to start.
12/12/2009 5:15:24 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/12/2009 5:15:24 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
12/12/2009 5:15:24 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/12/2009 5:15:24 PM, error: Service Control Manager [7001] - The AppnApi service depends on the PDLC Mapper service which failed to start because of the following error: The dependency service or group failed to start.
12/12/2009 5:15:24 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/12/2009 4:31:07 PM, error: Service Control Manager [7000] - The c3197D service failed to start due to the following error: Insufficient system resources exist to complete the requested service.
12/12/2009 4:28:57 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
12/12/2009 3:14:35 PM, error: Service Control Manager [7034] - The Windows Presentation Foundation Font Cache 3.0.0.0 service terminated unexpectedly. It has done this 2 time(s).
12/12/2009 3:14:31 PM, error: Service Control Manager [7031] - The Windows Presentation Foundation Font Cache 3.0.0.0 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
12/12/2009 2:49:24 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
12/12/2009 2:49:21 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
12/11/2009 5:48:23 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the ISSI service to connect.

==== End Of File ===========================

Edited by Calisael, 12 December 2009 - 12:37 PM.


#4 Calisael

Calisael
  • Topic Starter

  • Members
  • 14 posts

Posted 12 December 2009 - 12:43 PM

Update: ran MBAM and hijackthis after the combofix:
MBAM (will rerun again after the clean):
Malwarebytes' Anti-Malware 1.42
Database version: 3351
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

12/13/2009 4:54:44 PM
mbam-log-2009-12-13 (16-54-37).txt

Scan type: Full Scan (C:\|)
Objects scanned: 321037
Time elapsed: 3 hour(s), 11 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\sdwork\IBM_Core_Policy_Import_Feb15_2007.exe (Trojan.FakeAlert) -> No action taken.
C:\System Volume Information\_restore{01E266C2-86F5-40B2-9145-B4252FFF29C3}\RP195\A0093480.exe (Malware.Packer.Krunchy) -> No action taken.

Hijackthis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:02:05 PM, on 12/13/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
C:\WINDOWS\system32\Drivers\trcboot.exe
C:\Program Files\IBM\Personal Communications\PCS_AGNT.EXE
C:\Program Files\IBM\Personal Communications\tpam.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\TpShocks.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\IBM\My Help\workspace\service\delayStart.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\IBM\My Help\plugins\com.ibm.myhelp.common_1.4.19\pmonmh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\SYMANT~2\VPTray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMLCHK.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Lenovo\HOTKEY\TPFNF6R.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.5.0.20081031-1700\soffice.exe
C:\Program Files\C4ebreg\c4ebreg.exe
c:\sdwork\issimsvc.exe
C:\Program Files\KanaReminder\Reminder.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\notes\ntmulti.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\AT&T Network Client\NetCfgSv.EXE
C:\Program Files\PGP Corporation\PGP Desktop\PGPtray.exe
C:\fscapture\FSCapture.exe
C:\Program Files\Stickies\stickies.exe
c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe
C:\WINDOWS\system32\PGPserv.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\WINDOWS\system32\Drivers\ldlcserv.exe
C:\WINDOWS\system32\Drivers\ldlcserv6.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Documents and Settings\joj\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =;<local>;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Lenovo ThinkVantage Toolbox - {86B9B5DD-FB75-4035-BD52-3C94F7849CAF} - C:\Program Files\PC-Doctor\ATLPcdToolbar544928.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [stgclean] c:\sdwork\w32main2.exe /cleanup
O4 - HKLM\..\Run: [Tpam.exe] "C:\Program Files\IBM\Personal Communications\tpam.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPFNF7] C:\PROGRA~1\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [MyHelpService] C:\Program Files\IBM\My Help\workspace\service\delayStart.exe
O4 - HKLM\..\Run: [pmonmh] C:\Program Files\IBM\My Help\plugins\\com.ibm.myhelp.common_1.4.19/pmonmh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Isamtray] "C:\Program Files\C4ebreg\isamtray.exe"
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TrackPointSrv] C:\Program Files\Lenovo\TrackPoint\tp4serv.exe
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [ISSI Service] "c:\sdwork\issimsvc.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4
- HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exeO4 - HKLM\..\Run: [LPMailChecker] C:\PROGRA~1\THINKV~1\PrdCtr\LPMLCHK.exeO4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exeO4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exeO4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exeO4 - HKLM\..\Run: [LENOVO.TPFNF6R] C:\Program Files\Lenovo\HOTKEY\TPFNF6R.exeO4 - HKLM\..\Run: [picon] "C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" -startupO4 - HKLM\..\Run: [C4EBReg] "C:\Program Files\C4ebreg\c4ebreg.exe" /qO4 - HKLM\..\Run: [SODCPreLoad] C:\Program Files\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.5.0.20081031-1700\preload.exe C:\PROGRA~1\IBM\Lotus\Symphony\data\.sodc\O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe" -quietO4 - HKCU\..\Run: [Kana Reminder] "C:\Program Files\KanaReminder\Reminder.exe"O4 - HKCU\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exeO4 - HKCU\..\Run: [SmartAudio] C:\Program Files\CONEXANT\SAII\SAIICpl.exe /tO4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\joj\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /cO4 - Startup: FastStone Capture.lnk = C:\fscapture\FSCapture.exeO4 - Startup: IBM-TVC.appref-msO4 - Startup: Stickies.lnk = C:\Program Files\Stickies\stickies.exeO4 - Global Startup: Bluetooth.lnk = ?O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exeO4 - Global Startup: PGPtray.exe.lnk = ?O4 - Global Startup: TweetDeck.lnk = C:\Program Files\TweetDeck\TweetDeck.exeO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000O8 - Extra context menu item: Send to &Bluetooth Device... 
- C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htmO8 - Extra context menu item: Send To Bluetooth - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htmO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dllO9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLLO9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htmO9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htmO11 - Options group: [JAVA_IBM] Java (IBM)O14 - IERESET.INF: START_PAGE_URL=http://w3.ibm.comO16 - DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} (Java2 Runtime Environment 1.5.0) - http://O17 - HKLM\System\CCS\Services\Tcpip\..\{997CA173-8700-43D9-9918-682C889E2651}: Domain = ph.ibm.comO17 - HKLM\System\CCS\Services\Tcpip\..\{997CA173-8700-43D9-9918-682C889E2651}: NameServer = 208.67.222.222,208.67.220.220O17 - HKLM\System\CCS\Services\Tcpip\..\{AECC8EBE-6AF2-4269-AA17-6E6F84A2459C}: Domain = ph.ibm.comO17 - HKLM\System\CCS\Services\Tcpip\..\{AECC8EBE-6AF2-4269-AA17-6E6F84A2459C}: NameServer = 208.67.222.222,208.67.220.220O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ph.ibm.com,ibm.comO17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ph.ibm.com,ibm.comO22 - SharedTaskScheduler: FencesShellExt - {1984DD45-52CF-49cd-AB77-18F378FEA264} - C:\Program Files\Stardock\Fences\FencesMenu.dllO23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo  - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exeO23 - 
Service: Access Connections Main Service (AcSvc) - Lenovo  - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exeO23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeO23 - Service: AppnNode - IBM Corporation - C:\WINDOWS\system32\Drivers\appnnode.exeO23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exeO23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exeO23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exeO23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exeO23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exeO23 - Service: csrcmds - IBM Corporation - C:\Program Files\IBM\Personal Communications\csrcmds.exeO23 - Service: IBM Command Line Trace (cstrcser) - IBM Corporation - C:\WINDOWS\system32\drivers\cstrcser.exeO23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exeO23 - Service: Intel PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exeO23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exeO23 - Service: GameConsoleService - WildTangent, Inc. 
- C:\Program Files\WildGames\Game Console - WildGames\GameConsoleService.exeO23 - Service: gnab_device - Unknown owner - C:\WINDOWS\system32\GNabcoms.exeO23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exeO23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: IBM Standard Asset Manager Service (ISAMSvc) - IBM Corp. - C:\Program Files\C4ebreg\c4ebreg.exeO23 - Service: ISSI (ISSIMon) - IBM Corp. - c:\sdwork\issimsvc.exeO23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exeO23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exeO23 - Service: IBM Enterprise Extender (IPv4) (ldlcserv) - IBM Corporation - C:\WINDOWS\system32\Drivers\ldlcserv.exeO23 - Service: IBM Enterprise Extender (IPv6) (ldlcserv6) - IBM Corporation - C:\WINDOWS\system32\Drivers\ldlcserv6.exeO23 - Service: Lenovo Microphone Mute (LENOVO.MICMUTE) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\MICMUTE.exeO23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXEO23 - Service: Intel Active Management Technology Local Management Service (LMS) - Intel Corporation - C:\Program Files\Intel\AMT\LMS.exeO23 - Service: Multi-user Cleanup Service - IBM Corp - C:\notes\ntmulti.exeO23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\Program Files\AT&T Network Client\NetCfgSv.EXEO23 - Service: PGPserv - PGP Corporation - C:\WINDOWS\system32\PGPserv.exeO23 - Service: Power Manager DBC Service - Unknown owner - C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXEO23 - Service: Intel PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Common 
Files\Intel\WirelessCommon\RegSrvc.exeO23 - Service: Intel PROSet/Wireless WiFi Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\WiFi\bin\S24EvMon.exeO23 - Service: SAVRoam (SavRoam) - symantec - c:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exeO23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exeO23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exeO23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exeO23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exeO23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exeO23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exeO23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exeO23 - Service: On Screen Display (TPHKSVC) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exeO23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exeO23 - Service: IBM Trace Facility (TrcBoot) - IBM Corporation - C:\WINDOWS\system32\Drivers\trcboot.exeO23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exeO23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exeO23 - Service: Intel Active Management Technology User Notification Service (UNS) - Intel Corporation - C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe--End of file - 17468 bytes
After restart:
Malwarebytes' Anti-Malware 1.42
Database version: 3351
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

12/13/2009 8:16:00 PM
mbam-log-2009-12-13 (20-16-00).txt

Scan type: Quick Scan
Objects scanned: 119742
Time elapsed: 51 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by Calisael, 13 December 2009 - 07:18 AM.


#5 etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 24 December 2009 - 08:02 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Also, please subscribe to this topic, so you are notified when someone replies. Please continue to check manually on occasion, as every now and then the email may be caught by your spam filter.
To enable topic notifications you should do the following:
  • Click on the My Controls link at the top of the page to enter your control panel.
  • Scroll down to the Options category in the left hand side menu bar and click on the Email Settings link.
  • Put a checkmark in the checkbox labeled Enable 'Email Notification' by default?.
  • Set the If ticked, choose default type: menu option to Immediate Email Notification to have an email sent immediately when someone replies.
Information on A/V control HERE

PS> Please copy and paste the logs into your reply. Please don't use a codebox, it makes it more difficult for us to research it. Thanks!


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#6 Calisael
  • Topic Starter

  • Members
  • 14 posts

Posted 26 December 2009 - 11:14 AM

Hi! The old issue was that there was a persistent virus and Malwarebytes was closing before I could access it, but I ran ComboFix, which seems to have fixed those issues,
but I would just like to make sure that the problem is gone for sure. This is very much appreciated!

Oh and Merry Christmas and a Happy New Year!


==== log below (I zipped Attach.txt as instructed in the file) ====

DDS (Ver_09-12-01.01) - NTFSx86
Run by joj at 0:05:42.56 on Sun 12/27/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1944.469 [GMT 8:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Client Firewall *disabled* {5CB76A43-5FAD-476B-B9FF-26FA61F13187}

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
C:\WINDOWS\system32\Drivers\trcboot.exe
C:\Program Files\IBM\Personal Communications\PCS_AGNT.EXE
C:\Program Files\IBM\Personal Communications\tpam.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\TpShocks.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\IBM\My Help\plugins\com.ibm.myhelp.common_1.4.19\pmonmh.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\PROGRA~1\SYMANT~2\SYMANT~2\VPTray.exe
C:\Program Files\C4ebreg\isamtray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMLCHK.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Lenovo\HOTKEY\TPFNF6R.exe
C:\Program Files\C4ebreg\c4ebreg.exe
C:\Program Files\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.5.0.20081031-1700\soffice.exe
c:\sdwork\issimsvc.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\KanaReminder\Reminder.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\notes\ntmulti.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\AT&T Network Client\NetCfgSv.EXE
C:\PROGRA~1\ThinkPad\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\PGP Corporation\PGP Desktop\PGPtray.exe
C:\Program Files\TweetDeck\TweetDeck.exe
C:\fscapture\FSCapture.exe
C:\Windows 7 Shortcuts 0.4\Windows 7 0.4.exe
C:\Program Files\Stickies\stickies.exe
C:\WINDOWS\system32\PGPserv.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\WINDOWS\system32\Drivers\ldlcserv.exe
C:\WINDOWS\system32\Drivers\ldlcserv6.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\IBM\My Help\MyHelp.exe
C:\Program Files\IBM\My Help\jre\bin\myhelpw.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\joj\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\joj\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\joj\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyOverride = ;<local>;*.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
TB: Lenovo ThinkVantage Toolbox: {86b9b5dd-fb75-4035-bd52-3c94f7849caf} - c:\program files\pc-doctor\ATLPcdToolbar544928.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messen~1\YahooMessenger.exe" -quiet
uRun: [Kana Reminder] "c:\program files\kanareminder\Reminder.exe"
uRun: [TPKMAPMN] c:\program files\thinkpad\utilities\TpKmapMn.exe
uRun: [SmartAudio] c:\program files\conexant\saii\SAIICpl.exe /t
uRun: [Google Update] "c:\documents and settings\joj\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [sbitunesagent] c:\program files\songbird\songbirditunesagent.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [stgclean] c:\sdwork\w32main2.exe /cleanup
mRun: [Tpam.exe] "c:\program files\ibm\personal communications\tpam.exe"
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [TpShocks] TpShocks.exe
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [TPFNF7] c:\progra~1\lenovo\npdirect\TPFNF7SP.exe /r
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [MyHelpService] c:\program files\ibm\my help\workspace\service\delayStart.exe
mRun: [pmonmh] c:\program files\ibm\my help\plugins\\com.ibm.myhelp.common_1.4.19/pmonmh.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~2\symant~2\VPTray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [Isamtray] "c:\program files\c4ebreg\isamtray.exe"
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [TrackPointSrv] c:\program files\lenovo\trackpoint\tp4serv.exe
mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
mRun: [ISSI Service] "c:\sdwork\issimsvc.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [LPManager] c:\progra~1\thinkv~1\prdctr\LPMGR.exe
mRun: [LPMailChecker] c:\progra~1\thinkv~1\prdctr\LPMLCHK.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [LENOVO.TPFNF6R] c:\program files\lenovo\hotkey\TPFNF6R.exe
mRun: [picon] "c:\program files\common files\intel\privacy icon\PrivacyIconClient.exe" -startup
mRun: [C4EBReg] "c:\program files\c4ebreg\c4ebreg.exe" /q
mRun: [SODCPreLoad] c:\program files\ibm\lotus\symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.5.0.20081031-1700\preload.exe c:\progra~1\ibm\lotus\symphony\data\.sodc\
StartupFolder: c:\docume~1\joj\startm~1\programs\startup\fastst~1.lnk - c:\fscapture\FSCapture.exe
StartupFolder: c:\documents and settings\joj\start menu\programs\startup\IBM-TVC.appref-ms
StartupFolder: c:\docume~1\joj\startm~1\programs\startup\shortc~1.lnk - c:\windows 7 shortcuts 0.4\Windows 7 0.4.exe
StartupFolder: c:\docume~1\joj\startm~1\programs\startup\stickies.lnk - c:\program files\stickies\stickies.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\thinkpad\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pgptra~1.lnk - c:\windows\installer\{01d0b438-ce21-4fad-8845-a0f00db65f4f}\Icon6560581611.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\tweetd~1.lnk - c:\program files\tweetdeck\TweetDeck.exe
uPolicies-explorer: NoDevMgrUpdate = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\thinkpad\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: ibm.com\w3-950.chs
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
TCP: {997CA173-8700-43D9-9918-682C889E2651} = 208.67.222.222,208.67.220.220
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: pcsinst - pcsinst.dll
Notify: tpfnf2 - c:\program files\lenovo\hotkey\notifyf2.dll
STS: FencesShlExt Class: {1984dd45-52cf-49cd-ab77-18f378fea264} - c:\program files\stardock\fences\FencesMenu.dll
LSA: Notification Packages = scecli PGPpwflt

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\joj\applic~1\mozilla\firefox\profiles\izxqrpgw.default\
FF - prefs.js: browser.search.selectedEngine - YouTube
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\documents and settings\joj\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\np72esk32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPeWebEditPro.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2009-6-29 20520]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [2008-5-12 13480]
R1 SAVRT;SAVRT;c:\program files\symantec client security\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec client security\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\virtualcd\VCdRom.sys [2001-12-19 8576]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-11-21 192104]
R2 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\ccProxy.exe [2006-11-21 202344]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-11-21 169576]
R2 ldlcserv6;IBM Enterprise Extender (IPv6);c:\windows\system32\drivers\ldlcserv6.exe [2007-11-2 40960]
R2 pdlndldl6;IBM Enterprise Extender (HPR/IPv6);c:\windows\system32\drivers\pdlndldl6.sys [2007-11-2 70656]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\thinkpad\utilities\PWMDBSVC.exe [2008-10-13 53248]
R2 SavRoam;SAVRoam;c:\program files\symantec client security\symantec antivirus\SavRoam.exe [2007-3-14 116416]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec client security\symantec antivirus\Rtvscan.exe [2007-3-14 1816768]
R2 TPHKSVC;On Screen Display;c:\program files\lenovo\hotkey\TPHKSVC.exe [2008-10-13 62320]
R2 UNS;Intel Active Management Technology User Notification Service;c:\program files\common files\intel\privacy icon\uns\UNS.exe [2009-10-16 2058776]
R3 bfturboh;BUFFALO TurboUSB for HD Filter;c:\windows\system32\drivers\bfturboh.sys [2009-5-4 15872]
R3 e1yexpress;Intel Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2008-6-13 243856]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-12-13 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20091225.002\naveng.sys [2009-12-26 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20091225.002\navex15.sys [2009-12-26 1323568]
S0 0261B;0261B;c:\windows\system32\drivers\0261b.sys --> c:\windows\system32\drivers\0261B.SYS [?]
S0 0269;0269;c:\windows\system32\drivers\0269.sys --> c:\windows\system32\drivers\0269.SYS [?]
S1 30bA;30bA;\??\c:\windows\system32\drivers\30ba.sys --> c:\windows\system32\drivers\30bA.SYS [?]
S1 69e1C;69e1C;\??\c:\windows\system32\drivers\69e1c.sys --> c:\windows\system32\drivers\69e1C.SYS [?]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\lenovo\hotkey\micmute.exe [2009-5-21 45424]
S3 9af262;9af262;c:\windows\system32\9af262.sys [2009-12-12 54624]
S3 csrcmds;csrcmds;c:\program files\ibm\personal communications\csrcmds.exe [2007-11-2 49152]
S3 cstrcser;IBM Command Line Trace;c:\windows\system32\drivers\cstrcser.exe [2007-11-2 36864]
S3 gnab_device;gnab_device;c:\windows\system32\gnabcoms.exe -service --> c:\windows\system32\GNabcoms.exe -service [?]
S3 IsamFilter;IsamFilter;c:\windows\system32\drivers\isamfilter.sys [2009-10-7 6016]

=============== Created Last 30 ================

2009-12-20 02:24:28 0 d-----w- c:\program files\TweetDeck
2009-12-19 19:40:43 0 d-----w- c:\docume~1\joj\applic~1\Songbird2
2009-12-19 16:54:06 0 d-----w- c:\program files\Samantha Swift - Mystery From Atlantis
2009-12-18 10:33:11 6508 ----a-w- c:\windows\system32\d3d9caps.tmp
2009-12-17 04:52:34 0 d-----w- c:\program files\iPhone Explorer
2009-12-15 02:16:35 0 d-----w- C:\Windows 7 Shortcuts 0.4
2009-12-13 05:09:32 77312 ----a-w- c:\windows\MBR.exe
2009-12-13 05:09:31 261632 ----a-w- c:\windows\PEV.exe
2009-12-13 05:09:31 161792 ----a-w- c:\windows\SWREG.exe
2009-12-13 05:09:30 98816 ----a-w- c:\windows\sed.exe
2009-12-12 12:41:23 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-12-12 12:41:03 0 d-----w- c:\program files\SUPERAntiSpyware
2009-12-12 12:41:03 0 d-----w- c:\docume~1\joj\applic~1\SUPERAntiSpyware.com
2009-12-12 12:39:52 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-12-12 10:56:13 0 d-----w- c:\program files\TrendMicro
2009-12-12 08:43:59 7680 ----a-w- c:\windows\system32\drivers\RKL8A.tmp.sys
2009-12-12 07:31:52 715264 ----a-w- c:\windows\system32\be4263.tmp
2009-12-12 07:31:51 54624 ----a-w- c:\windows\system32\9af262.sys
2009-12-12 07:31:49 2335270 ----a-w- c:\windows\system32\01a261.mht
2009-12-11 07:27:05 0 d-----w- c:\docume~1\alluse~1\applic~1\PCDr
2009-12-11 07:25:38 0 d-----w- c:\program files\PC-Doctor
2009-12-11 07:17:40 512752 ----a-w- c:\windows\qfeC2.tmp
2009-12-05 12:42:37 0 d-----w- c:\program files\Gravity
2009-12-04 18:10:04 0 d-----w- c:\program files\Stanza
2009-12-01 15:31:57 0 d-----w- c:\docume~1\joj\applic~1\ViiKiiDesktopPlugin.5E22EA0FF243470AB5EDDF282C0A5B52E9909C36.1
2009-12-01 01:11:51 0 d-----w- c:\docume~1\joj\applic~1\TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1
2009-11-28 04:49:49 0 d-----w- c:\docume~1\joj\applic~1\runic games
2009-11-28 04:43:55 0 d-----w- c:\program files\Runic Games
2009-11-28 04:38:35 47 ----a-w- c:\windows\WinBIN2ISO.INI
2009-11-28 04:30:35 0 d-----w- C:\virtualcd
2009-11-28 01:50:50 0 d-----w- c:\windows\Westward IV
2009-11-28 01:50:50 0 d-----w- c:\program files\Westward IV
2009-11-27 05:36:56 0 ----a-w- C:\rmaps
2009-11-27 03:21:03 0 d-----w- c:\docume~1\joj\applic~1\GlarySoft
2009-11-27 00:48:33 0 d-----w- c:\program files\VS Revo Group

==================== Find3M ====================

2009-12-19 17:53:08 63356 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-18 10:33:11 6508 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-03 08:14:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 08:13:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-02 01:10:44 6016 ----a-w- c:\windows\system32\drivers\isamfilter.sys
2009-11-17 18:57:03 64792 ----a-w- c:\windows\isamunin.exe
2009-11-14 06:00:00 68664 ----a-w- c:\windows\fonts\HappyPhantom-ITALIC.ttf
2009-11-14 05:58:00 68288 ----a-w- c:\windows\fonts\HappyPhantom Bold-ITALIC.ttf
2009-11-14 05:47:00 58448 ----a-w- c:\windows\fonts\HappyPhantom-Regular.ttf
2009-11-14 05:32:00 57836 ----a-w- c:\windows\fonts\HappyPhantom-Bold.ttf
2009-11-03 14:14:36 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_SynTP_01007.Wdf
2009-10-29 07:46:59 832512 ------w- c:\windows\system32\wininet.dll
2009-10-29 07:46:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46:50 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-21 06:00:55 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 06:00:55 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-13 10:53:29 266752 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:54:17 69632 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:54:17 112128 ----a-w- c:\windows\system32\rastls.dll
2009-10-06 01:11:17 50400 ----a-w- c:\windows\fonts\Helvetica 75 Bold.ttf
2009-10-06 01:07:24 51624 ----a-w- c:\windows\fonts\Helvetica
2009-07-10 14:20:18 25 ----a-w- c:\program files\popcinfot.dat

============= FINISH: 0:05:55.10 ===============

Edited by Calisael, 26 December 2009 - 11:18 AM.


#7 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:06:31 AM

Posted 27 December 2009 - 08:08 AM

Hello, Calisael
Welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fix your problems.

If you do not make a reply in 5 days, we will have to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the reply button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
  • Please set your system to show all files.
    Click Start, open My Computer, select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.



Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#8 Calisael

Calisael
  • Topic Starter

  • Members
  • 14 posts
  • Local time:01:31 PM

Posted 27 December 2009 - 12:06 PM

Hi Tom!

Thanks so much for the help!
As you've instructed, here is the GMER log:

=====
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2009-12-28 00:58:59
Windows 5.1.2600 Service Pack 2
Running: l8kbxq0w.exe; Driver: C:\DOCUME~1\joj\LOCALS~1\Temp\kxtdipow.sys


---- System - GMER 1.0.15 ----

SSDT 879D4368 ZwConnectPort
SSDT sprt.sys ZwCreateKey [0xF74D60E0]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xA8B2B350]
SSDT sprt.sys ZwEnumerateKey [0xF74F4CA4]
SSDT sprt.sys ZwEnumerateValueKey [0xF74F5032]
SSDT sprt.sys ZwOpenKey [0xF74D60C0]
SSDT sprt.sys ZwQueryKey [0xF74F510A]
SSDT sprt.sys ZwQueryValueKey [0xF74F4F8A]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xA8B2B580]

INT 0x63 ? 89C03BF8
INT 0x73 ? 89C03BF8
INT 0x74 ? 89C03BF8
INT 0x84 ? 89C03BF8
INT 0x94 ? 89C03BF8
INT 0xA4 ? 8A76EBF8
INT 0xA4 ? 89C03BF8
INT 0xB4 ? 8A6FEBF8
INT 0xB4 ? 8A6FEBF8
INT 0xB4 ? 89C03BF8
INT 0xB4 ? 8A6FEBF8

---- Kernel code sections - GMER 1.0.15 ----

? sprt.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B9BC2934 5 Bytes JMP 89C031D8

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 8A7712D8
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F7507C4C] sprt.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F7507CA0] sprt.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F74D7042] sprt.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F74D713E] sprt.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F74D70C0] sprt.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F74D7800] sprt.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F74D76D6] sprt.sys
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 89C032D8
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F74E6E9C] sprt.sys

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[5680] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [6144AE77] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[5680] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6144ADA9] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[5680] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [6144A7A3] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[5680] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [6144ADE9] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[5680] @ C:\WINDOWS\system32\USER32.dll [GDI32.dll!GetStockObject] [61449CEC] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[5680] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [6144AE77] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[5680] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [6144ADA9] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[5680] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [6144A7A3] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[5680] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [6144ADE9] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[5680] @ C:\WINDOWS\system32\SHLWAPI.dll [GDI32.dll!GetStockObject] [61449CEC] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[5680] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [6144AE29] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[5680] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [6144AE77] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[5680] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [6144ADE9] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[5680] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [6144ADA9] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[5680] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [6144A7A3] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[5680] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [6144A3BA] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[5680] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [6144A3BA] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[5680] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [61449C27] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[5680] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenu] [61449B56] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[5680] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenuEx] [61449B94] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[5680] @ C:\WINDOWS\system32\SHELL32.dll [GDI32.dll!GetStockObject] [61449CEC] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[5680] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [6144ADA9] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[5680] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [6144ADE9] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[5680] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [6144A7A3] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[5680] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [6144AE77] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[5680] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [6144AE29] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[5680] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!AnimateWindow] [61449D87] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[5680] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [61449B94] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[5680] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcA] [6144A3BA] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[5680] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColor] [61449C27] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[5680] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [6144A3BA] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[5680] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColorBrush] [61449CF2] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[5680] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [61449B56] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A6E41F8

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 wdf01000.sys (WDF Dynamic/Microsoft Corporation)

Device \Driver\usbuhci \Device\USBPDO-0 89C3D1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{997CA173-8700-43D9-9918-682C889E2651} 8795B500
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A76F1F8
Device \Driver\dmio \Device\DmControl\DmConfig 8A76F1F8
Device \Driver\dmio \Device\DmControl\DmPnP 8A76F1F8
Device \Driver\dmio \Device\DmControl\DmInfo 8A76F1F8
Device \Driver\usbehci \Device\USBPDO-1 89BEF1F8
Device \Driver\usbuhci \Device\USBPDO-2 89C3D1F8
Device \Driver\usbuhci \Device\USBPDO-3 89C3D1F8
Device \Driver\usbuhci \Device\USBPDO-4 89C3D1F8

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\usbuhci \Device\USBPDO-5 89C3D1F8
Device \Driver\usbehci \Device\USBPDO-6 89BEF1F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8A7001F8
Device \Driver\usbuhci \Device\USBPDO-7 89C3D1F8
Device \Driver\Cdrom \Device\CdRom0 89B871F8
Device \Driver\iastor \Device\Ide\iaStor0 [F7B4E0B0] iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort0 8A6FE1F8
Device \Driver\atapi \Device\Ide\IdePort1 8A6FE1F8
Device \Driver\iastor \Device\Ide\IAAStorageDevice-0 [F7B4E0B0] iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\iastor \Device\Ide\IAAStorageDevice-1 [F7B4E0B0] iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\NetBT \Device\NetBt_Wins_Export 8795B500
Device \Driver\NetBT \Device\NetbiosSmb 8795B500

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\usbuhci \Device\USBFDO-0 89C3D1F8
Device \Driver\usbuhci \Device\USBFDO-1 89C3D1F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8785F500
Device \Driver\usbuhci \Device\USBFDO-2 89C3D1F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8785F500
Device \Driver\usbehci \Device\USBFDO-3 89BEF1F8
Device \Driver\usbuhci \Device\USBFDO-4 89C3D1F8
Device \Driver\Ftdisk \Device\FtControl 8A7001F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{AECC8EBE-6AF2-4269-AA17-6E6F84A2459C} 8795B500
Device \Driver\usbuhci \Device\USBFDO-5 89C3D1F8
Device \Driver\usbuhci \Device\USBFDO-6 89C3D1F8
Device \Driver\usbehci \Device\USBFDO-7 89BEF1F8
Device \FileSystem\Cdfs \Cdfs 879511F8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001c26feda2b.REN.REN.REN
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xD3 0xB3 0x19 0x39 ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001c26feda2b.REN.REN.REN (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xD3 0xB3 0x19 0x39 ...

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 04: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 05: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 06: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 07: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 08: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 25: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 26: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 27: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 28: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 29: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 30: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 31: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 32: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 33: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 34: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 35: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 36: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 37: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 38: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 39: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 40: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 41: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 42: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 43: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 44: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 45: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 46: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 47: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 48: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 49: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 50: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 51: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 52: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 53: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 54: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 55: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 56: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 57: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 58: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 59: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 60: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 61: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;

---- EOF - GMER 1.0.15 ----
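As an added triage aid (my own script, not code from the thread, from DDS or from GMER), the following Python parses constructed sample lines in the formats of the DDS "SERVICES / DRIVERS" section and the GMER log above and pulls out what a helper looks at first: driver names that are just a short hex string, registered drivers whose file is missing on disk ([?]), SSDT hooks that resolve to no named module, and the runs of disk sectors GMER flags as rootkit-like. The sample lines are copied from the logs in this thread; the heuristics and the regular expressions are assumptions of this example, not anything the tools themselves define.

```python
import re

# Constructed sample in the DDS "SERVICES / DRIVERS" line format; the entries are
# copied from the log quoted earlier in this thread, not the poster's full list.
DDS_SAMPLE = r"""
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2009-6-29 20520]
R1 SAVRT;SAVRT;c:\program files\symantec client security\symantec antivirus\savrt.sys [2006-9-6 337592]
S0 0261B;0261B;c:\windows\system32\drivers\0261b.sys --> c:\windows\system32\drivers\0261B.SYS [?]
S1 30bA;30bA;\??\c:\windows\system32\drivers\30ba.sys --> c:\windows\system32\drivers\30bA.SYS [?]
S3 9af262;9af262;c:\windows\system32\9af262.sys [2009-12-12 54624]
S3 IsamFilter;IsamFilter;c:\windows\system32\drivers\isamfilter.sys [2009-10-7 6016]
"""

# Constructed sample in the GMER line format (SSDT and "Disk sectors" sections).
GMER_SAMPLE = r"""
SSDT 879D4368 ZwConnectPort
SSDT sprt.sys ZwCreateKey [0xF74D60E0]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xA8B2B350]
Disk \Device\Harddisk0\DR0 sector 04: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 05: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 06: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 25: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 26: rootkit-like behavior;
"""

# DDS service line: "<start> <name>;<display>;<path> [date size]" or "... --> <path> [?]"
DDS_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
# Names that are just a short hex string (0261B, 30bA, 9af262 ...). Heuristic only:
# a legitimate driver with a name like "BEEF" would match too, so treat it as a hint.
HEXNAME_RE = re.compile(r"^[0-9A-Fa-f]{4,8}$")
SSDT_RE = re.compile(r"^SSDT\s+(?P<module>.+?)\s+(?P<func>Zw\w+)(?:\s+\[0x(?P<addr>[0-9A-F]+)\])?$")
BARE_ADDR_RE = re.compile(r"^[0-9A-F]{8}$")
SECTOR_RE = re.compile(r"^Disk\s+(?P<dev>\S+)\s+sector\s+(?P<n>\d+):\s+rootkit-like behavior;$")


def parse_dds_service(line):
    """Split one DDS service/driver line into its fields, or return None."""
    m = DDS_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    # the on-disk path DDS reports is the right-hand side of "-->" when present
    path = rest.split(" --> ")[-1]
    path = re.sub(r"\s+\[[^\]]*\]$", "", path)   # drop "[date size]" or "[?]"
    return {"start": m.group("start"), "name": m.group("name"),
            "display": m.group("display"), "path": path,
            "file_missing": rest.endswith("[?]")}


def flag_dds_services(text):
    """Return (name, start, reasons) for entries worth a second look: hex-like
    names and registered drivers whose file DDS could not find ([?])."""
    flagged = []
    for line in text.splitlines():
        svc = parse_dds_service(line)
        if svc is None:
            continue
        reasons = []
        if HEXNAME_RE.match(svc["name"]):
            reasons.append("hex-like name")
        if svc["file_missing"]:
            reasons.append("file missing on disk")
        if reasons:
            flagged.append((svc["name"], svc["start"], reasons))
    return flagged


def unattributed_ssdt_hooks(text):
    """SSDT entries GMER prints with only a bare address (no module name) could
    not be mapped to any loaded driver; those come first in a review. Hooks
    attributed to a named, vendor-labelled driver (e.g. SYMEVENT.SYS) are the
    expected kind on a machine running that vendor's security product."""
    hooks = []
    for line in text.splitlines():
        m = SSDT_RE.match(line)
        if m and BARE_ADDR_RE.match(m.group("module")):
            hooks.append((m.group("func"), m.group("module")))
    return hooks


def sector_ranges(text):
    """Collapse the flagged sectors per device into (first, last) ranges. On the
    XP-era default MBR layout the first partition starts at LBA 63, so sectors
    1-62 are unpartitioned space that nothing legitimate should be writing to."""
    by_dev = {}
    for line in text.splitlines():
        m = SECTOR_RE.match(line)
        if m:
            by_dev.setdefault(m.group("dev"), []).append(int(m.group("n")))
    out = {}
    for dev, nums in by_dev.items():
        ranges = []
        for n in sorted(set(nums)):
            if ranges and n == ranges[-1][1] + 1:
                ranges[-1][1] = n          # extend the current contiguous run
            else:
                ranges.append([n, n])      # start a new run
        out[dev] = [tuple(r) for r in ranges]
    return out


if __name__ == "__main__":
    for name, start, reasons in flag_dds_services(DDS_SAMPLE):
        print(f"{start} {name}: {', '.join(reasons)}")
    print("unattributed SSDT hooks:", unattributed_ssdt_hooks(GMER_SAMPLE))
    print("flagged sector ranges:", sector_ranges(GMER_SAMPLE))
```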

#9 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:06:31 AM

Posted 28 December 2009 - 04:11 AM

Hi,


Please go here and have a look at how you can disable your security software.

Download Combofix from any of the links below but rename it to before saving it to your desktop.

Link 1
Link 2



--------------------------------------------------------------------

Double click on the renamed Combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper.


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#10 Calisael

Calisael
  • Topic Starter

  • Members
  • 14 posts
  • Local time:01:31 PM

Posted 28 December 2009 - 10:49 AM

Hi Tom! ComboFix log below:

ComboFix 09-12-27.03 - joj 12/28/2009 22:46:36.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1944.1135 [GMT 8:00]
Running from: c:\documents and settings\joj\Desktop\schrauber.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Client Firewall *enabled* {5CB76A43-5FAD-476B-B9FF-26FA61F13187}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
c:\documents and settings\All Users\Start Menu\Programs\Startup\TweetDeck.lnk
c:\windows\patchw.dll
c:\windows\WINDOWS

.
((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-28 )))))))))))))))))))))))))))))))
.

2009-12-27 07:09 . 2009-12-27 07:09 -------- d-----w- c:\program files\iPod
2009-12-27 07:09 . 2009-12-27 07:10 -------- d-----w- c:\program files\iTunes
2009-12-27 07:05 . 2009-12-27 07:05 -------- d-----w- c:\program files\QuickTime
2009-12-20 02:24 . 2009-12-20 02:24 -------- d-----w- c:\program files\TweetDeck
2009-12-19 19:40 . 2009-12-20 02:31 -------- d-----w- c:\documents and settings\joj\Application Data\Songbird2
2009-12-19 19:40 . 2009-12-19 19:40 -------- d-----w- c:\documents and settings\joj\Local Settings\Application Data\Songbird2
2009-12-19 16:54 . 2009-12-19 16:54 -------- d-----w- c:\program files\Samantha Swift - Mystery From Atlantis
2009-12-17 04:57 . 2009-12-17 04:57 -------- d-----w- c:\documents and settings\joj\Local Settings\Application Data\myPod_Apps
2009-12-17 04:52 . 2009-12-17 04:56 -------- d-----w- c:\program files\iPhone Explorer
2009-12-15 02:16 . 2009-12-15 02:17 -------- d-----w- C:\Windows 7 Shortcuts 0.4
2009-12-12 12:41 . 2009-12-12 12:41 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-12-12 12:41 . 2009-12-12 17:35 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-12 12:41 . 2009-12-12 12:41 -------- d-----w- c:\documents and settings\joj\Application Data\SUPERAntiSpyware.com
2009-12-12 12:39 . 2009-12-12 12:39 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-12 11:48 . 2009-12-12 20:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-12-12 10:56 . 2009-12-12 10:56 -------- d-----w- c:\program files\TrendMicro
2009-12-12 08:43 . 2009-12-12 08:43 7680 ----a-w- c:\windows\system32\drivers\RKL8A.tmp.sys
2009-12-12 07:31 . 2009-12-12 07:31 54624 ----a-w- c:\windows\system32\9af262.sys
2009-12-11 07:27 . 2009-12-22 02:59 -------- d-----w- c:\documents and settings\All Users\Application Data\PCDr
2009-12-11 07:25 . 2009-12-11 07:27 -------- d-----w- c:\program files\PC-Doctor
2009-12-05 12:42 . 2009-12-23 18:04 -------- d-----w- c:\program files\Gravity
2009-12-04 18:10 . 2009-12-04 18:10 -------- d-----w- c:\program files\Stanza
2009-12-01 15:31 . 2009-12-01 23:17 -------- d-----w- c:\documents and settings\joj\Application Data\ViiKiiDesktopPlugin.5E22EA0FF243470AB5EDDF282C0A5B52E9909C36.1
2009-12-01 01:11 . 2009-12-01 01:11 -------- d-----w- c:\documents and settings\joj\Application Data\TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-28 15:01 . 2009-05-04 07:46 -------- d-----w- c:\documents and settings\joj\Application Data\stickies
2009-12-28 14:59 . 2005-04-05 17:21 -------- d-----w- c:\program files\C4ebreg
2009-12-28 14:56 . 2007-03-05 22:09 40 ----a-w- c:\windows\system32\profile.dat
2009-12-28 14:56 . 2009-08-14 09:53 975624 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-12-28 06:34 . 2006-03-27 21:50 -------- d-----w- c:\program files\WST
2009-12-28 01:56 . 2006-01-24 00:45 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-12-27 10:11 . 2009-05-20 13:35 -------- d-----w- c:\program files\uTorrent
2009-12-27 07:09 . 2009-05-12 13:09 -------- d-----w- c:\program files\Common Files\Apple
2009-12-27 04:50 . 2009-06-23 09:37 -------- d-----w- c:\program files\MP3Gain
2009-12-20 07:45 . 2009-05-10 03:10 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-20 04:53 . 2009-08-01 03:01 -------- d-----w- c:\program files\Games
2009-12-20 02:16 . 2009-04-23 07:22 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-12-19 19:40 . 2009-09-02 05:42 -------- d-----w- c:\documents and settings\All Users\Application Data\WildTangent
2009-12-19 17:53 . 2009-08-28 07:22 63356 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-19 17:08 . 2009-07-22 06:06 -------- d-----w- c:\documents and settings\All Users\Application Data\MumboJumbo
2009-12-18 10:33 . 2009-12-18 10:33 6508 ----a-w- c:\windows\system32\d3d9caps.tmp
2009-12-18 10:33 . 2009-05-05 04:31 6508 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-18 10:19 . 2008-10-13 05:39 -------- d-----w- c:\program files\AT&T Network Client
2009-12-17 23:53 . 2005-04-04 18:17 85816 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-17 06:14 . 2009-09-07 13:46 -------- d-----w- c:\documents and settings\joj\Application Data\WindSolutions
2009-12-15 15:40 . 2009-05-21 06:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-12-15 15:39 . 2009-05-21 06:46 -------- d-----w- c:\program files\Microsoft Works
2009-12-13 04:51 . 2009-06-10 04:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-12 17:17 . 2005-04-05 19:45 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-12 17:15 . 2009-09-18 15:09 -------- d-----w- c:\program files\Outspark
2009-12-12 13:47 . 2009-11-28 04:49 -------- d-----w- c:\documents and settings\joj\Application Data\runic games
2009-12-12 13:47 . 2009-11-28 04:43 -------- d-----w- c:\program files\Runic Games
2009-12-12 08:05 . 2009-05-04 13:57 -------- d-----w- c:\documents and settings\joj\Application Data\Thinstall
2009-12-11 07:22 . 2009-12-11 07:17 512752 ----a-w- c:\windows\qfeC2.tmp
2009-12-09 16:16 . 2009-05-20 13:34 -------- d-----w- c:\documents and settings\joj\Application Data\uTorrent
2009-12-04 18:10 . 2009-05-11 08:05 -------- d-----w- c:\program files\Bonjour
2009-12-04 05:11 . 2009-05-12 13:11 -------- d-----w- c:\documents and settings\joj\Application Data\Apple Computer
2009-12-03 08:14 . 2009-06-10 04:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 08:13 . 2009-06-10 04:42 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-02 01:10 . 2009-10-07 00:55 6016 ----a-w- c:\windows\system32\drivers\isamfilter.sys
2009-12-01 23:17 . 2009-08-06 05:43 -------- d-----w- c:\program files\Google
2009-11-28 13:06 . 2009-05-04 07:44 -------- d-----w- c:\program files\KanaReminder
2009-11-28 04:25 . 2009-07-03 18:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Sandlot Games
2009-11-28 01:53 . 2009-09-07 08:10 -------- d-----w- c:\documents and settings\joj\Application Data\Big Fish Games
2009-11-28 01:51 . 2009-11-28 01:50 -------- d-----w- c:\program files\Westward IV
2009-11-27 03:27 . 2009-09-12 15:40 -------- d-----w- c:\program files\LeeGTs Games
2009-11-27 03:21 . 2009-11-27 03:21 -------- d-----w- c:\documents and settings\joj\Application Data\GlarySoft
2009-11-27 00:48 . 2009-11-27 00:48 -------- d-----w- c:\program files\VS Revo Group
2009-11-26 13:11 . 2009-11-26 13:11 -------- d-----w- c:\program files\Glary Utilities
2009-11-22 10:04 . 2009-08-05 14:34 42 ----a-w- c:\windows\popcinfot.dat
2009-11-20 14:58 . 2009-11-20 14:58 -------- d-----w- c:\documents and settings\All Users\Application Data\EscapeTheMuseum2
2009-11-18 14:15 . 2009-11-18 14:15 -------- d-----w- c:\documents and settings\joj\Application Data\Oberon Games
2009-11-18 14:15 . 2009-11-18 14:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Oberon Games
2009-11-18 14:04 . 2009-11-18 14:04 -------- d-----w- c:\program files\NT Registry Optimizer
2009-11-18 13:55 . 2009-08-19 02:55 -------- d-----w- c:\program files\Pando Networks
2009-11-17 18:57 . 2005-07-29 18:05 64792 ----a-w- c:\windows\isamunin.exe
2009-11-15 13:19 . 2009-11-15 13:19 -------- d-----w- c:\documents and settings\joj\Application Data\EleFun Games
2009-11-13 06:00 . 2009-11-13 06:00 -------- d-----w- c:\documents and settings\joj\Application Data\Yahoo!
2009-11-09 01:40 . 2009-11-08 13:59 -------- d-----w- c:\program files\EuroAsiaSoftware
2009-11-08 14:04 . 2009-11-08 14:04 -------- d-----w- c:\program files\ChineseTools
2009-11-06 14:05 . 2009-05-04 07:44 -------- d-----w- c:\program files\The KMPlayer
2009-11-05 16:21 . 2009-11-05 16:21 -------- d-----w- c:\documents and settings\joj\Application Data\HdO Adventure
2009-11-05 14:17 . 2009-08-28 12:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Alawar Stargaze
2009-11-05 14:17 . 2009-11-05 14:17 -------- d-----w- c:\program files\The Treasures Of Montezuma 2
2009-11-05 02:09 . 2009-10-21 09:59 -------- d-----w- c:\documents and settings\joj\Application Data\DisplayFusion
2009-11-04 13:57 . 2009-11-04 13:49 -------- d-----w- c:\program files\SnapShot Adventures - Secret of Bird Island
2009-11-03 14:17 . 2009-11-03 14:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Intel
2009-11-03 14:17 . 2009-11-03 14:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\Intel
2009-11-03 14:17 . 2009-11-03 14:17 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Intel
2009-11-03 14:17 . 2009-11-03 14:17 -------- d-----w- c:\documents and settings\LocalService\Application Data\Intel
2009-11-03 14:17 . 2009-11-03 14:17 -------- d-----w- c:\documents and settings\joj\Application Data\Intel
2009-11-03 14:17 . 2009-08-08 16:57 -------- d-----w- c:\program files\Common Files\Intel
2009-11-03 14:17 . 2008-10-13 05:28 -------- d-----w- c:\program files\Intel
2009-11-03 14:14 . 2009-11-03 14:14 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_SynTP_01007.Wdf
2009-11-02 13:03 . 2009-11-02 11:32 -------- d-----w- c:\program files\Defraggler
2009-11-02 07:08 . 2009-11-02 07:08 -------- d-----w- c:\program files\CCleaner
2009-11-02 06:36 . 2009-11-02 06:36 586 ----a-w- c:\windows\uninstallstickies.bat
2009-11-02 06:36 . 2009-05-04 07:44 -------- d-----w- c:\program files\Stickies
2009-11-01 15:19 . 2009-11-01 15:19 -------- d-----w- c:\program files\WinUHA
2009-11-01 13:29 . 2009-11-01 13:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Gogii
2009-10-31 18:55 . 2009-10-31 18:55 -------- d-----w- c:\documents and settings\All Users\Application Data\JollyBear
2009-10-30 08:55 . 2009-10-30 08:55 -------- d-----w- c:\documents and settings\joj\Application Data\Stardock
2009-10-30 08:55 . 2009-10-30 08:55 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{A87EB928-0C6C-4071-AEF1-59E32BAEDF1B}
2009-10-30 08:55 . 2009-10-30 08:55 -------- d-----w- c:\program files\Stardock
2009-10-29 07:46 . 2004-08-04 05:00 832512 ------w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2004-08-04 05:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2004-08-04 05:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-21 06:00 . 2004-08-04 05:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 06:00 . 2004-08-04 05:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 14:58 . 2004-08-04 05:00 263552 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:53 . 2004-08-04 05:00 266752 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:54 . 2004-08-04 05:00 69632 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:54 . 2004-08-04 05:00 112128 ----a-w- c:\windows\system32\rastls.dll
2009-07-10 14:20 . 2009-07-02 10:48 25 ----a-w- c:\program files\popcinfot.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{86B9B5DD-FB75-4035-BD52-3C94F7849CAF}"= "c:\program files\PC-Doctor\ATLPcdToolbar544928.dll" [2009-11-22 137712]

[HKEY_CLASSES_ROOT\clsid\{86b9b5dd-fb75-4035-bd52-3c94f7849caf}]
[HKEY_CLASSES_ROOT\ATLPcdToolbar.PcdBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{E00A7D25-2CFC-428B-8BF8-04436490448C}]
[HKEY_CLASSES_ROOT\ATLPcdToolbar.PcdBand]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOverlayHandlerAccessible]
@="{3DBF5F01-3287-46EB-82CF-45AA5C241162}"
[HKEY_CLASSES_ROOT\CLSID\{3DBF5F01-3287-46EB-82CF-45AA5C241162}]
2008-09-18 05:07 310328 ----a-w- c:\windows\system32\PGPfsshl.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2009-11-10 5244216]
"Kana Reminder"="c:\program files\KanaReminder\Reminder.exe" [2005-11-29 1185280]
"TPKMAPMN"="c:\program files\ThinkPad\Utilities\TpKmapMn.exe" [2007-09-21 49152]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2009-07-16 307768]
"Google Update"="c:\documents and settings\joj\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-24 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"pmonmh"="c:\program files\IBM\My Help\plugins\\com.ibm.myhelp.common_1.4.19" [X]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"stgclean"="c:\sdwork\w32main2.exe" [2009-11-23 297472]
"Tpam.exe"="c:\program files\IBM\Personal Communications\tpam.exe" [2007-11-02 28672]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 110592]
"TpShocks"="TpShocks.exe" [2009-07-08 337184]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2009-09-08 421888]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2009-09-08 208896]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2009-07-14 128296]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-07-14 1541416]
"TPFNF7"="c:\progra~1\Lenovo\NPDIRECT\TPFNF7SP.exe" [2009-08-03 62240]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2009-03-13 68976]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2007-01-09 868352]
"MyHelpService"="c:\program files\IBM\My Help\workspace\service\delayStart.exe" [2009-03-12 94208]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]
"vptray"="c:\progra~1\SYMANT~2\SYMANT~2\VPTray.exe" [2007-03-14 125632]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-09 144784]
"Isamtray"="c:\program files\C4ebreg\isamtray.exe" [2009-11-17 285976]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2008-10-07 256576]
"TrackPointSrv"="c:\program files\Lenovo\TrackPoint\tp4serv.exe" [2008-03-04 92960]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2009-07-29 425984]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2009-07-29 172032]
"ISSI Service"="c:\sdwork\issimsvc.exe" [2009-12-09 241392]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2009-07-22 185688]
"LPMailChecker"="c:\progra~1\THINKV~1\PrdCtr\LPMLCHK.exe" [2009-07-22 124248]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-05-11 141336]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-05-11 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-05-11 142872]
"LENOVO.TPFNF6R"="c:\program files\Lenovo\HOTKEY\TPFNF6R.exe" [2009-08-20 62752]
"picon"="c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" [2009-02-12 357400]
"C4EBReg"="c:\program files\C4ebreg\c4ebreg.exe" [2009-11-17 478488]
"SODCPreLoad"="c:\program files\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.5.0.20081031-1700\preload.exe" [2009-02-09 40960]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]

c:\documents and settings\joj\Start Menu\Programs\Startup\
FastStone Capture.lnk - c:\fscapture\FSCapture.exe [2009-5-5 1111552]
IBM-TVC.appref-ms [2009-12-14 298]
Shortcut to Windows 7 0.4.lnk - c:\windows 7 shortcuts 0.4\Windows 7 0.4.exe [2009-12-15 204673]
Stickies.lnk - c:\program files\Stickies\stickies.exe [2009-5-4 1101824]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2009-2-9 50688]
PGPtray.exe.lnk - c:\windows\Installer\{01D0B438-CE21-4FAD-8845-A0F00DB65F4F}\Icon6560581611.exe [2009-8-6 55296]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDevMgrUpdate"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{1984DD45-52CF-49cd-AB77-18F378FEA264}"= "c:\program files\Stardock\Fences\FencesMenu.dll" [2009-10-02 128360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pcsinst]
2007-11-02 10:45 49152 ----a-w- c:\windows\system32\pcsinst.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 08:37 34344 ----a-w- c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli PGPpwflt

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C4EBReg]
2009-11-17 18:55 478488 ----a-w- c:\program files\C4ebreg\c4ebreg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 08:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NetSP - restore settings on power failure]
2007-01-13 08:00 24576 ----a-w- c:\program files\AT&T Network Client\NetSP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-10 15:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"IBMconfig"=dword:00000001
"FirewallDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Printer\\ScanBack\\scanwiz.exe"=
"c:\\WINDOWS\\system32\\GNabcoms.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\IBM\\My Help\\jre\\bin\\myhelpw.exe"=
"c:\\Program Files\\IBM\\Sametime Connect\\jre\\bin\\sametime75.exe"=
"c:\\Program Files\\AT&T Network Client\\NetClient.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57362:TCP"= 57362:TCP:Pando Media Booster
"57362:UDP"= 57362:UDP:Pando Media Booster

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [6/29/2009 1:51 PM 20520]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [5/12/2008 6:04 PM 13480]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\virtualcd\VCdRom.sys [12/19/2001 11:45 AM 8576]
R2 ldlcserv6;IBM Enterprise Extender (IPv6);c:\windows\system32\drivers\ldlcserv6.exe [11/2/2007 12:09 PM 40960]
R2 pdlndldl6;IBM Enterprise Extender (HPR/IPv6);c:\windows\system32\drivers\pdlndldl6.sys [11/2/2007 12:09 PM 70656]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.exe [10/13/2008 1:32 PM 53248]
R2 SavRoam;SAVRoam;c:\program files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe [3/14/2007 7:48 PM 116416]
R2 TPHKSVC;On Screen Display;c:\program files\Lenovo\HOTKEY\TPHKSVC.exe [10/13/2008 1:35 PM 62320]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [10/16/2009 12:25 AM 2058776]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [6/13/2008 4:42 PM 243856]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [12/13/2009 2:42 AM 102448]
S0 0261B;0261B;c:\windows\system32\drivers\0261B.SYS --> c:\windows\system32\drivers\0261B.SYS [?]
S0 0269;0269;c:\windows\system32\drivers\0269.SYS --> c:\windows\system32\drivers\0269.SYS [?]
S1 30bA;30bA;\??\c:\windows\system32\drivers\30bA.SYS --> c:\windows\system32\drivers\30bA.SYS [?]
S1 69e1C;69e1C;\??\c:\windows\system32\drivers\69e1C.SYS --> c:\windows\system32\drivers\69e1C.SYS [?]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\Lenovo\HOTKEY\micmute.exe [5/21/2009 8:48 PM 45424]
S3 9af262;9af262;c:\windows\system32\9af262.sys [12/12/2009 3:31 PM 54624]
S3 bfturboh;BUFFALO TurboUSB for HD Filter;c:\windows\system32\drivers\bfturboh.sys [5/4/2009 3:43 PM 15872]
S3 csrcmds;csrcmds;c:\program files\IBM\Personal Communications\csrcmds.exe [11/2/2007 12:09 PM 49152]
S3 cstrcser;IBM Command Line Trace;c:\windows\system32\drivers\cstrcser.exe [11/2/2007 12:09 PM 36864]
S3 gnab_device;gnab_device;c:\windows\system32\GNabcoms.exe -service --> c:\windows\system32\GNabcoms.exe -service [?]
S3 IsamFilter;IsamFilter;c:\windows\system32\drivers\isamfilter.sys [10/7/2009 8:55 AM 6016]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [8/1/2009 12:09 AM 721904]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://w3.ibm.com/
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyOverride = ;<local>;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm
Trusted Zone: ibm.com\w3-950.chs
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\joj\Application Data\Mozilla\Firefox\Profiles\izxqrpgw.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\documents and settings\joj\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np72esk32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPeWebEditPro.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-sbitunesagent - c:\program files\Songbird\songbirditunesagent.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-28 23:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1060)
c:\windows\system32\pcsinst.dll

- - - - - - - > 'explorer.exe'(5932)
c:\windows\system32\WININET.dll
c:\windows\system32\PGPhk.dll
c:\windows\system32\PGPfsshl.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\Stardock\Fences\FencesMenu.dll
c:\program files\stardock\fences\DesktopDock.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\Intel\WiFi\bin\S24EvMon.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccProxy.exe
c:\program files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
c:\windows\System32\SCardSvr.exe
c:\windows\system32\Drivers\trcboot.exe
c:\program files\IBM\Personal Communications\PCS_AGNT.EXE
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Intel\AMT\LMS.exe
c:\notes\ntmulti.exe
c:\program files\AT&T Network Client\NetCfgSv.EXE
c:\windows\system32\PGPserv.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
c:\program files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\system32\TpKmpSVC.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\TpShocks.exe
c:\windows\system32\rundll32.exe
c:\program files\lenovo\system update\suservice.exe
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\program files\IBM\My Help\plugins\com.ibm.myhelp.common_1.4.19\pmonmh.exe
c:\program files\Lenovo\Zoom\TpScrex.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\windows\system32\Drivers\ldlcserv.exe
c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.5.0.20081031-1700\soffice.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\program files\PGP Corporation\PGP Desktop\PGPtray.exe
c:\windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\IBM\My Help\MyHelp.exe
c:\program files\IBM\My Help\jre\bin\myhelpw.exe
.
**************************************************************************
.
Completion time: 2009-12-28 23:09:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-28 15:09
ComboFix2.txt 2009-12-13 05:41

Pre-Run: 37,569,564,672 bytes free
Post-Run: 37,557,981,184 bytes free

- - End Of File - - 21C2987E694BD3986D48D6E2C53EB25A

#11 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:06:31 AM

Posted 29 December 2009 - 11:20 AM

Hi,

You ran ComboFix 2 times; please post back with the content of C:\Qoobox\Combofix2.txt

Regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#12 Calisael

Calisael
  • Topic Starter

  • Members
  • 14 posts
  • Local time:01:31 PM

Posted 29 December 2009 - 12:33 PM

Hi again Tom!

Here is the ComboFix2 content:
======
ComboFix 09-12-28.06 - joj 12/30/2009 0:46.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1944.1365 [GMT 8:00]
Running from: c:\documents and settings\joj\Desktop\schrauber.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Client Firewall *enabled* {5CB76A43-5FAD-476B-B9FF-26FA61F13187}
.

((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-29 )))))))))))))))))))))))))))))))
.

2009-12-28 14:33 . 2009-12-28 15:09 -------- d-----w- C:\schrauber
2009-12-27 07:09 . 2009-12-27 07:09 -------- d-----w- c:\program files\iPod
2009-12-27 07:09 . 2009-12-27 07:10 -------- d-----w- c:\program files\iTunes
2009-12-27 07:05 . 2009-12-27 07:05 -------- d-----w- c:\program files\QuickTime
2009-12-20 02:24 . 2009-12-20 02:24 -------- d-----w- c:\program files\TweetDeck
2009-12-19 19:40 . 2009-12-20 02:31 -------- d-----w- c:\documents and settings\joj\Application Data\Songbird2
2009-12-19 19:40 . 2009-12-19 19:40 -------- d-----w- c:\documents and settings\joj\Local Settings\Application Data\Songbird2
2009-12-19 16:54 . 2009-12-19 16:54 -------- d-----w- c:\program files\Samantha Swift - Mystery From Atlantis
2009-12-17 04:57 . 2009-12-17 04:57 -------- d-----w- c:\documents and settings\joj\Local Settings\Application Data\myPod_Apps
2009-12-17 04:52 . 2009-12-17 04:56 -------- d-----w- c:\program files\iPhone Explorer
2009-12-15 02:16 . 2009-12-15 02:17 -------- d-----w- C:\Windows 7 Shortcuts 0.4
2009-12-12 12:41 . 2009-12-12 12:41 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-12-12 12:41 . 2009-12-12 17:35 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-12 12:41 . 2009-12-12 12:41 -------- d-----w- c:\documents and settings\joj\Application Data\SUPERAntiSpyware.com
2009-12-12 12:39 . 2009-12-12 12:39 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-12 11:48 . 2009-12-12 20:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-12-12 10:56 . 2009-12-12 10:56 -------- d-----w- c:\program files\TrendMicro
2009-12-12 08:43 . 2009-12-12 08:43 7680 ----a-w- c:\windows\system32\drivers\RKL8A.tmp.sys
2009-12-12 07:31 . 2009-12-12 07:31 54624 ----a-w- c:\windows\system32\9af262.sys
2009-12-11 07:27 . 2009-12-22 02:59 -------- d-----w- c:\documents and settings\All Users\Application Data\PCDr
2009-12-11 07:25 . 2009-12-11 07:27 -------- d-----w- c:\program files\PC-Doctor
2009-12-05 12:42 . 2009-12-23 18:04 -------- d-----w- c:\program files\Gravity
2009-12-04 18:10 . 2009-12-04 18:10 -------- d-----w- c:\program files\Stanza
2009-12-01 15:31 . 2009-12-01 23:17 -------- d-----w- c:\documents and settings\joj\Application Data\ViiKiiDesktopPlugin.5E22EA0FF243470AB5EDDF282C0A5B52E9909C36.1
2009-12-01 01:11 . 2009-12-01 01:11 -------- d-----w- c:\documents and settings\joj\Application Data\TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-29 16:59 . 2009-05-04 07:46 -------- d-----w- c:\documents and settings\joj\Application Data\stickies
2009-12-29 16:56 . 2005-04-05 17:21 -------- d-----w- c:\program files\C4ebreg
2009-12-29 16:54 . 2007-03-05 22:09 40 ----a-w- c:\windows\system32\profile.dat
2009-12-29 16:54 . 2009-08-14 09:53 975624 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-12-29 16:37 . 2009-05-10 03:10 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-29 07:57 . 2006-03-27 21:50 -------- d-----w- c:\program files\WST
2009-12-29 00:43 . 2006-01-24 00:45 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-12-27 10:11 . 2009-05-20 13:35 -------- d-----w- c:\program files\uTorrent
2009-12-27 07:09 . 2009-05-12 13:09 -------- d-----w- c:\program files\Common Files\Apple
2009-12-27 04:50 . 2009-06-23 09:37 -------- d-----w- c:\program files\MP3Gain
2009-12-20 04:53 . 2009-08-01 03:01 -------- d-----w- c:\program files\Games
2009-12-20 02:16 . 2009-04-23 07:22 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-12-19 19:40 . 2009-09-02 05:42 -------- d-----w- c:\documents and settings\All Users\Application Data\WildTangent
2009-12-19 17:53 . 2009-08-28 07:22 63356 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-19 17:08 . 2009-07-22 06:06 -------- d-----w- c:\documents and settings\All Users\Application Data\MumboJumbo
2009-12-18 10:33 . 2009-12-18 10:33 6508 ----a-w- c:\windows\system32\d3d9caps.tmp
2009-12-18 10:33 . 2009-05-05 04:31 6508 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-18 10:19 . 2008-10-13 05:39 -------- d-----w- c:\program files\AT&T Network Client
2009-12-17 23:53 . 2005-04-04 18:17 85816 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-17 06:14 . 2009-09-07 13:46 -------- d-----w- c:\documents and settings\joj\Application Data\WindSolutions
2009-12-15 15:40 . 2009-05-21 06:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-12-15 15:39 . 2009-05-21 06:46 -------- d-----w- c:\program files\Microsoft Works
2009-12-13 04:51 . 2009-06-10 04:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-12 17:17 . 2005-04-05 19:45 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-12 17:15 . 2009-09-18 15:09 -------- d-----w- c:\program files\Outspark
2009-12-12 13:47 . 2009-11-28 04:49 -------- d-----w- c:\documents and settings\joj\Application Data\runic games
2009-12-12 13:47 . 2009-11-28 04:43 -------- d-----w- c:\program files\Runic Games
2009-12-12 08:05 . 2009-05-04 13:57 -------- d-----w- c:\documents and settings\joj\Application Data\Thinstall
2009-12-11 07:22 . 2009-12-11 07:17 512752 ----a-w- c:\windows\qfeC2.tmp
2009-12-09 16:16 . 2009-05-20 13:34 -------- d-----w- c:\documents and settings\joj\Application Data\uTorrent
2009-12-04 18:10 . 2009-05-11 08:05 -------- d-----w- c:\program files\Bonjour
2009-12-04 05:11 . 2009-05-12 13:11 -------- d-----w- c:\documents and settings\joj\Application Data\Apple Computer
2009-12-03 08:14 . 2009-06-10 04:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 08:13 . 2009-06-10 04:42 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-02 01:10 . 2009-10-07 00:55 6016 ----a-w- c:\windows\system32\drivers\isamfilter.sys
2009-12-01 23:17 . 2009-08-06 05:43 -------- d-----w- c:\program files\Google
2009-11-28 13:06 . 2009-05-04 07:44 -------- d-----w- c:\program files\KanaReminder
2009-11-28 04:25 . 2009-07-03 18:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Sandlot Games
2009-11-28 01:53 . 2009-09-07 08:10 -------- d-----w- c:\documents and settings\joj\Application Data\Big Fish Games
2009-11-28 01:51 . 2009-11-28 01:50 -------- d-----w- c:\program files\Westward IV
2009-11-27 03:27 . 2009-09-12 15:40 -------- d-----w- c:\program files\LeeGTs Games
2009-11-27 03:21 . 2009-11-27 03:21 -------- d-----w- c:\documents and settings\joj\Application Data\GlarySoft
2009-11-27 00:48 . 2009-11-27 00:48 -------- d-----w- c:\program files\VS Revo Group
2009-11-26 13:11 . 2009-11-26 13:11 -------- d-----w- c:\program files\Glary Utilities
2009-11-22 10:04 . 2009-08-05 14:34 42 ----a-w- c:\windows\popcinfot.dat
2009-11-20 14:58 . 2009-11-20 14:58 -------- d-----w- c:\documents and settings\All Users\Application Data\EscapeTheMuseum2
2009-11-18 14:15 . 2009-11-18 14:15 -------- d-----w- c:\documents and settings\joj\Application Data\Oberon Games
2009-11-18 14:15 . 2009-11-18 14:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Oberon Games
2009-11-18 14:04 . 2009-11-18 14:04 -------- d-----w- c:\program files\NT Registry Optimizer
2009-11-18 13:55 . 2009-08-19 02:55 -------- d-----w- c:\program files\Pando Networks
2009-11-17 18:57 . 2005-07-29 18:05 64792 ----a-w- c:\windows\isamunin.exe
2009-11-15 13:19 . 2009-11-15 13:19 -------- d-----w- c:\documents and settings\joj\Application Data\EleFun Games
2009-11-13 06:00 . 2009-11-13 06:00 -------- d-----w- c:\documents and settings\joj\Application Data\Yahoo!
2009-11-09 01:40 . 2009-11-08 13:59 -------- d-----w- c:\program files\EuroAsiaSoftware
2009-11-08 14:04 . 2009-11-08 14:04 -------- d-----w- c:\program files\ChineseTools
2009-11-06 14:05 . 2009-05-04 07:44 -------- d-----w- c:\program files\The KMPlayer
2009-11-05 16:21 . 2009-11-05 16:21 -------- d-----w- c:\documents and settings\joj\Application Data\HdO Adventure
2009-11-05 14:17 . 2009-08-28 12:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Alawar Stargaze
2009-11-05 14:17 . 2009-11-05 14:17 -------- d-----w- c:\program files\The Treasures Of Montezuma 2
2009-11-05 02:09 . 2009-10-21 09:59 -------- d-----w- c:\documents and settings\joj\Application Data\DisplayFusion
2009-11-04 13:57 . 2009-11-04 13:49 -------- d-----w- c:\program files\SnapShot Adventures - Secret of Bird Island
2009-11-03 14:17 . 2009-11-03 14:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Intel
2009-11-03 14:17 . 2009-11-03 14:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\Intel
2009-11-03 14:17 . 2009-11-03 14:17 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Intel
2009-11-03 14:17 . 2009-11-03 14:17 -------- d-----w- c:\documents and settings\LocalService\Application Data\Intel
2009-11-03 14:17 . 2009-11-03 14:17 -------- d-----w- c:\documents and settings\joj\Application Data\Intel
2009-11-03 14:17 . 2009-08-08 16:57 -------- d-----w- c:\program files\Common Files\Intel
2009-11-03 14:17 . 2008-10-13 05:28 -------- d-----w- c:\program files\Intel
2009-11-03 14:14 . 2009-11-03 14:14 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_SynTP_01007.Wdf
2009-11-02 13:03 . 2009-11-02 11:32 -------- d-----w- c:\program files\Defraggler
2009-11-02 07:08 . 2009-11-02 07:08 -------- d-----w- c:\program files\CCleaner
2009-11-02 06:36 . 2009-11-02 06:36 586 ----a-w- c:\windows\uninstallstickies.bat
2009-11-02 06:36 . 2009-05-04 07:44 -------- d-----w- c:\program files\Stickies
2009-11-01 15:19 . 2009-11-01 15:19 -------- d-----w- c:\program files\WinUHA
2009-11-01 13:29 . 2009-11-01 13:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Gogii
2009-10-31 18:55 . 2009-10-31 18:55 -------- d-----w- c:\documents and settings\All Users\Application Data\JollyBear
2009-10-29 07:46 . 2004-08-04 05:00 832512 ------w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2004-08-04 05:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2004-08-04 05:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-21 06:00 . 2004-08-04 05:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 06:00 . 2004-08-04 05:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 14:58 . 2004-08-04 05:00 263552 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:53 . 2004-08-04 05:00 266752 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:54 . 2004-08-04 05:00 69632 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:54 . 2004-08-04 05:00 112128 ----a-w- c:\windows\system32\rastls.dll
2009-07-10 14:20 . 2009-07-02 10:48 25 ----a-w- c:\program files\popcinfot.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{86B9B5DD-FB75-4035-BD52-3C94F7849CAF}"= "c:\program files\PC-Doctor\ATLPcdToolbar544928.dll" [2009-11-22 137712]

[HKEY_CLASSES_ROOT\clsid\{86b9b5dd-fb75-4035-bd52-3c94f7849caf}]
[HKEY_CLASSES_ROOT\ATLPcdToolbar.PcdBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{E00A7D25-2CFC-428B-8BF8-04436490448C}]
[HKEY_CLASSES_ROOT\ATLPcdToolbar.PcdBand]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOverlayHandlerAccessible]
@="{3DBF5F01-3287-46EB-82CF-45AA5C241162}"
[HKEY_CLASSES_ROOT\CLSID\{3DBF5F01-3287-46EB-82CF-45AA5C241162}]
2008-09-18 05:07 310328 ----a-w- c:\windows\system32\PGPfsshl.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2009-11-10 5244216]
"Kana Reminder"="c:\program files\KanaReminder\Reminder.exe" [2005-11-29 1185280]
"TPKMAPMN"="c:\program files\ThinkPad\Utilities\TpKmapMn.exe" [2007-09-21 49152]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2009-07-16 307768]
"Google Update"="c:\documents and settings\joj\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-24 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"pmonmh"="c:\program files\IBM\My Help\plugins\\com.ibm.myhelp.common_1.4.19" [X]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"stgclean"="c:\sdwork\w32main2.exe" [2009-11-23 297472]
"Tpam.exe"="c:\program files\IBM\Personal Communications\tpam.exe" [2007-11-02 28672]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 110592]
"TpShocks"="TpShocks.exe" [2009-07-08 337184]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2009-09-08 421888]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2009-09-08 208896]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2009-07-14 128296]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-07-14 1541416]
"TPFNF7"="c:\progra~1\Lenovo\NPDIRECT\TPFNF7SP.exe" [2009-08-03 62240]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2009-03-13 68976]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2007-01-09 868352]
"MyHelpService"="c:\program files\IBM\My Help\workspace\service\delayStart.exe" [2009-03-12 94208]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]
"vptray"="c:\progra~1\SYMANT~2\SYMANT~2\VPTray.exe" [2007-03-14 125632]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-09 144784]
"Isamtray"="c:\program files\C4ebreg\isamtray.exe" [2009-11-17 285976]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2008-10-07 256576]
"TrackPointSrv"="c:\program files\Lenovo\TrackPoint\tp4serv.exe" [2008-03-04 92960]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2009-07-29 425984]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2009-07-29 172032]
"ISSI Service"="c:\sdwork\issimsvc.exe" [2009-12-09 241392]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2009-07-22 185688]
"LPMailChecker"="c:\progra~1\THINKV~1\PrdCtr\LPMLCHK.exe" [2009-07-22 124248]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-05-11 141336]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-05-11 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-05-11 142872]
"LENOVO.TPFNF6R"="c:\program files\Lenovo\HOTKEY\TPFNF6R.exe" [2009-08-20 62752]
"picon"="c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" [2009-02-12 357400]
"C4EBReg"="c:\program files\C4ebreg\c4ebreg.exe" [2009-11-17 478488]
"SODCPreLoad"="c:\program files\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.5.0.20081031-1700\preload.exe" [2009-02-09 40960]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]

c:\documents and settings\joj\Start Menu\Programs\Startup\
FastStone Capture.lnk - c:\fscapture\FSCapture.exe [2009-5-5 1111552]
IBM-TVC.appref-ms [2009-12-29 298]
Shortcut to Windows 7 0.4.lnk - c:\windows 7 shortcuts 0.4\Windows 7 0.4.exe [2009-12-15 204673]
Stickies.lnk - c:\program files\Stickies\stickies.exe [2009-5-4 1101824]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2009-2-9 50688]
PGPtray.exe.lnk - c:\windows\Installer\{01D0B438-CE21-4FAD-8845-A0F00DB65F4F}\Icon6560581611.exe [2009-8-6 55296]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDevMgrUpdate"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{1984DD45-52CF-49cd-AB77-18F378FEA264}"= "c:\program files\Stardock\Fences\FencesMenu.dll" [2009-10-02 128360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pcsinst]
2007-11-02 10:45 49152 ----a-w- c:\windows\system32\pcsinst.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 08:37 34344 ----a-w- c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli PGPpwflt

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C4EBReg]
2009-11-17 18:55 478488 ----a-w- c:\program files\C4ebreg\c4ebreg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 08:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NetSP - restore settings on power failure]
2007-01-13 08:00 24576 ----a-w- c:\program files\AT&T Network Client\NetSP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-10 15:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"IBMconfig"=dword:00000001
"FirewallDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Printer\\ScanBack\\scanwiz.exe"=
"c:\\WINDOWS\\system32\\GNabcoms.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\IBM\\My Help\\jre\\bin\\myhelpw.exe"=
"c:\\Program Files\\IBM\\Sametime Connect\\jre\\bin\\sametime75.exe"=
"c:\\Program Files\\AT&T Network Client\\NetClient.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57362:TCP"= 57362:TCP:Pando Media Booster
"57362:UDP"= 57362:UDP:Pando Media Booster

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [6/29/2009 1:51 PM 20520]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [5/12/2008 6:04 PM 13480]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\virtualcd\VCdRom.sys [12/19/2001 11:45 AM 8576]
R2 ldlcserv6;IBM Enterprise Extender (IPv6);c:\windows\system32\drivers\ldlcserv6.exe [11/2/2007 12:09 PM 40960]
R2 pdlndldl6;IBM Enterprise Extender (HPR/IPv6);c:\windows\system32\drivers\pdlndldl6.sys [11/2/2007 12:09 PM 70656]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.exe [10/13/2008 1:32 PM 53248]
R2 SavRoam;SAVRoam;c:\program files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe [3/14/2007 7:48 PM 116416]
R2 TPHKSVC;On Screen Display;c:\program files\Lenovo\HOTKEY\TPHKSVC.exe [10/13/2008 1:35 PM 62320]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [10/16/2009 12:25 AM 2058776]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [6/13/2008 4:42 PM 243856]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [12/13/2009 2:42 AM 102448]
S0 0261B;0261B;c:\windows\system32\drivers\0261B.SYS --> c:\windows\system32\drivers\0261B.SYS [?]
S0 0269;0269;c:\windows\system32\drivers\0269.SYS --> c:\windows\system32\drivers\0269.SYS [?]
S1 30bA;30bA;\??\c:\windows\system32\drivers\30bA.SYS --> c:\windows\system32\drivers\30bA.SYS [?]
S1 69e1C;69e1C;\??\c:\windows\system32\drivers\69e1C.SYS --> c:\windows\system32\drivers\69e1C.SYS [?]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\Lenovo\HOTKEY\micmute.exe [5/21/2009 8:48 PM 45424]
S3 9af262;9af262;c:\windows\system32\9af262.sys [12/12/2009 3:31 PM 54624]
S3 bfturboh;BUFFALO TurboUSB for HD Filter;c:\windows\system32\drivers\bfturboh.sys [5/4/2009 3:43 PM 15872]
S3 csrcmds;csrcmds;c:\program files\IBM\Personal Communications\csrcmds.exe [11/2/2007 12:09 PM 49152]
S3 cstrcser;IBM Command Line Trace;c:\windows\system32\drivers\cstrcser.exe [11/2/2007 12:09 PM 36864]
S3 gnab_device;gnab_device;c:\windows\system32\GNabcoms.exe -service --> c:\windows\system32\GNabcoms.exe -service [?]
S3 IsamFilter;IsamFilter;c:\windows\system32\drivers\isamfilter.sys [10/7/2009 8:55 AM 6016]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [8/1/2009 12:09 AM 721904]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyOverride = ;<local>;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm
Trusted Zone: ibm.com\w3-950.chs
TCP: {997CA173-8700-43D9-9918-682C889E2651} = 208.67.222.222,208.67.220.220
TCP: {AECC8EBE-6AF2-4269-AA17-6E6F84A2459C} = 208.67.222.222,208.67.220.220
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\joj\Application Data\Mozilla\Firefox\Profiles\izxqrpgw.default\
FF - prefs.js: browser.search.selectedEngine - Webster
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\documents and settings\joj\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np72esk32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPeWebEditPro.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-30 00:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: >>UNKNOWN [0x804D7000]<< >>UNKNOWN [0xF76B7000]<< >>UNKNOWN [0xF76A7000]<< >>UNKNOWN [0xF75A8000]<< >>UNKNOWN [0x806FF000]<< >>UNKNOWN [0xF7B04000]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> 0xf76bbfc3
\Driver\ACPI -> 0xf75aecb8
\Driver\atapi -> 0xf746a814
\Driver\iaStor -> 0xf7b426ae
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->NDIS: Intel® WiFi Link 5100 AGN -> SendCompleteHandler -> 0xba5f2bb0
PacketIndicateHandler -> 0xba5e1a0d
SendHandler -> 0xba5f5b40
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1120)
c:\windows\system32\pcsinst.dll

- - - - - - - > 'explorer.exe'(3876)
c:\windows\system32\WININET.dll
c:\windows\system32\PGPhk.dll
c:\windows\system32\PGPfsshl.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\Stardock\Fences\FencesMenu.dll
c:\program files\stardock\fences\DesktopDock.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\Intel\WiFi\bin\S24EvMon.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccProxy.exe
c:\program files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
c:\windows\System32\SCardSvr.exe
c:\windows\system32\Drivers\trcboot.exe
c:\program files\IBM\Personal Communications\PCS_AGNT.EXE
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Intel\AMT\LMS.exe
c:\notes\ntmulti.exe
c:\program files\AT&T Network Client\NetCfgSv.EXE
c:\windows\system32\PGPserv.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\rundll32.exe
c:\program files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
c:\windows\system32\TpShocks.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\system32\TpKmpSVC.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\windows\system32\wdfmgr.exe
c:\program files\IBM\My Help\plugins\com.ibm.myhelp.common_1.4.19\pmonmh.exe
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\Zoom\TpScrex.exe
c:\program files\lenovo\system update\suservice.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\windows\system32\Drivers\ldlcserv.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.5.0.20081031-1700\soffice.exe
c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\program files\PGP Corporation\PGP Desktop\PGPtray.exe
c:\windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
c:\program files\IBM\My Help\MyHelp.exe
c:\program files\IBM\My Help\jre\bin\myhelpw.exe
.
**************************************************************************
.
Completion time: 2009-12-30 01:06:42 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-29 17:06
ComboFix2.txt 2009-12-28 15:09
ComboFix3.txt 2009-12-13 05:41

Pre-Run: 37,663,354,880 bytes free
Post-Run: 37,494,730,752 bytes free

- - End Of File - - AA109B8CE2188F7F8DD6E842F8B96BB3

#13 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:06:31 AM

Posted 29 December 2009 - 01:28 PM

Did you run Combofix again? :(

Now we have 3 logfiles from Combofix. Please do not run Combofix one more time.

Just navigate into the folder C:\Qoobox and copy/paste the content of the logfiles

ComboFix2.txt
ComboFix3.txt

here in this thread.
Regards,
schrauber

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#14 Calisael

Calisael
  • Topic Starter

  • Members
  • 14 posts
  • Local time:01:31 PM

Posted 29 December 2009 - 02:17 PM

Oops, I misunderstood; I thought you meant I should run Combofix 2 times, sorry. I actually have Combofix 2-4 already.
I'll attach all 3 to make sure:

===COMBOFIX2:=============
ComboFix 09-12-28.06 - joj 12/30/2009 0:46.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1944.1365 [GMT 8:00]
Running from: c:\documents and settings\joj\Desktop\schrauber.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Client Firewall *enabled* {5CB76A43-5FAD-476B-B9FF-26FA61F13187}
.

((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-29 )))))))))))))))))))))))))))))))
.

2009-12-28 14:33 . 2009-12-28 15:09 -------- d-----w- C:\schrauber
2009-12-27 07:09 . 2009-12-27 07:09 -------- d-----w- c:\program files\iPod
2009-12-27 07:09 . 2009-12-27 07:10 -------- d-----w- c:\program files\iTunes
2009-12-27 07:05 . 2009-12-27 07:05 -------- d-----w- c:\program files\QuickTime
2009-12-20 02:24 . 2009-12-20 02:24 -------- d-----w- c:\program files\TweetDeck
2009-12-19 19:40 . 2009-12-20 02:31 -------- d-----w- c:\documents and settings\joj\Application Data\Songbird2
2009-12-19 19:40 . 2009-12-19 19:40 -------- d-----w- c:\documents and settings\joj\Local Settings\Application Data\Songbird2
2009-12-19 16:54 . 2009-12-19 16:54 -------- d-----w- c:\program files\Samantha Swift - Mystery From Atlantis
2009-12-17 04:57 . 2009-12-17 04:57 -------- d-----w- c:\documents and settings\joj\Local Settings\Application Data\myPod_Apps
2009-12-17 04:52 . 2009-12-17 04:56 -------- d-----w- c:\program files\iPhone Explorer
2009-12-15 02:16 . 2009-12-15 02:17 -------- d-----w- C:\Windows 7 Shortcuts 0.4
2009-12-12 12:41 . 2009-12-12 12:41 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-12-12 12:41 . 2009-12-12 17:35 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-12 12:41 . 2009-12-12 12:41 -------- d-----w- c:\documents and settings\joj\Application Data\SUPERAntiSpyware.com
2009-12-12 12:39 . 2009-12-12 12:39 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-12 11:48 . 2009-12-12 20:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-12-12 10:56 . 2009-12-12 10:56 -------- d-----w- c:\program files\TrendMicro
2009-12-12 08:43 . 2009-12-12 08:43 7680 ----a-w- c:\windows\system32\drivers\RKL8A.tmp.sys
2009-12-12 07:31 . 2009-12-12 07:31 54624 ----a-w- c:\windows\system32\9af262.sys
2009-12-11 07:27 . 2009-12-22 02:59 -------- d-----w- c:\documents and settings\All Users\Application Data\PCDr
2009-12-11 07:25 . 2009-12-11 07:27 -------- d-----w- c:\program files\PC-Doctor
2009-12-05 12:42 . 2009-12-23 18:04 -------- d-----w- c:\program files\Gravity
2009-12-04 18:10 . 2009-12-04 18:10 -------- d-----w- c:\program files\Stanza
2009-12-01 15:31 . 2009-12-01 23:17 -------- d-----w- c:\documents and settings\joj\Application Data\ViiKiiDesktopPlugin.5E22EA0FF243470AB5EDDF282C0A5B52E9909C36.1
2009-12-01 01:11 . 2009-12-01 01:11 -------- d-----w- c:\documents and settings\joj\Application Data\TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-29 16:59 . 2009-05-04 07:46 -------- d-----w- c:\documents and settings\joj\Application Data\stickies
2009-12-29 16:56 . 2005-04-05 17:21 -------- d-----w- c:\program files\C4ebreg
2009-12-29 16:54 . 2007-03-05 22:09 40 ----a-w- c:\windows\system32\profile.dat
2009-12-29 16:54 . 2009-08-14 09:53 975624 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-12-29 16:37 . 2009-05-10 03:10 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-29 07:57 . 2006-03-27 21:50 -------- d-----w- c:\program files\WST
2009-12-29 00:43 . 2006-01-24 00:45 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-12-27 10:11 . 2009-05-20 13:35 -------- d-----w- c:\program files\uTorrent
2009-12-27 07:09 . 2009-05-12 13:09 -------- d-----w- c:\program files\Common Files\Apple
2009-12-27 04:50 . 2009-06-23 09:37 -------- d-----w- c:\program files\MP3Gain
2009-12-20 04:53 . 2009-08-01 03:01 -------- d-----w- c:\program files\Games
2009-12-20 02:16 . 2009-04-23 07:22 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-12-19 19:40 . 2009-09-02 05:42 -------- d-----w- c:\documents and settings\All Users\Application Data\WildTangent
2009-12-19 17:53 . 2009-08-28 07:22 63356 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-19 17:08 . 2009-07-22 06:06 -------- d-----w- c:\documents and settings\All Users\Application Data\MumboJumbo
2009-12-18 10:33 . 2009-12-18 10:33 6508 ----a-w- c:\windows\system32\d3d9caps.tmp
2009-12-18 10:33 . 2009-05-05 04:31 6508 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-18 10:19 . 2008-10-13 05:39 -------- d-----w- c:\program files\AT&T Network Client
2009-12-17 23:53 . 2005-04-04 18:17 85816 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-17 06:14 . 2009-09-07 13:46 -------- d-----w- c:\documents and settings\joj\Application Data\WindSolutions
2009-12-15 15:40 . 2009-05-21 06:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-12-15 15:39 . 2009-05-21 06:46 -------- d-----w- c:\program files\Microsoft Works
2009-12-13 04:51 . 2009-06-10 04:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-12 17:17 . 2005-04-05 19:45 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-12 17:15 . 2009-09-18 15:09 -------- d-----w- c:\program files\Outspark
2009-12-12 13:47 . 2009-11-28 04:49 -------- d-----w- c:\documents and settings\joj\Application Data\runic games
2009-12-12 13:47 . 2009-11-28 04:43 -------- d-----w- c:\program files\Runic Games
2009-12-12 08:05 . 2009-05-04 13:57 -------- d-----w- c:\documents and settings\joj\Application Data\Thinstall
2009-12-11 07:22 . 2009-12-11 07:17 512752 ----a-w- c:\windows\qfeC2.tmp
2009-12-09 16:16 . 2009-05-20 13:34 -------- d-----w- c:\documents and settings\joj\Application Data\uTorrent
2009-12-04 18:10 . 2009-05-11 08:05 -------- d-----w- c:\program files\Bonjour
2009-12-04 05:11 . 2009-05-12 13:11 -------- d-----w- c:\documents and settings\joj\Application Data\Apple Computer
2009-12-03 08:14 . 2009-06-10 04:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 08:13 . 2009-06-10 04:42 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-02 01:10 . 2009-10-07 00:55 6016 ----a-w- c:\windows\system32\drivers\isamfilter.sys
2009-12-01 23:17 . 2009-08-06 05:43 -------- d-----w- c:\program files\Google
2009-11-28 13:06 . 2009-05-04 07:44 -------- d-----w- c:\program files\KanaReminder
2009-11-28 04:25 . 2009-07-03 18:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Sandlot Games
2009-11-28 01:53 . 2009-09-07 08:10 -------- d-----w- c:\documents and settings\joj\Application Data\Big Fish Games
2009-11-28 01:51 . 2009-11-28 01:50 -------- d-----w- c:\program files\Westward IV
2009-11-27 03:27 . 2009-09-12 15:40 -------- d-----w- c:\program files\LeeGTs Games
2009-11-27 03:21 . 2009-11-27 03:21 -------- d-----w- c:\documents and settings\joj\Application Data\GlarySoft
2009-11-27 00:48 . 2009-11-27 00:48 -------- d-----w- c:\program files\VS Revo Group
2009-11-26 13:11 . 2009-11-26 13:11 -------- d-----w- c:\program files\Glary Utilities
2009-11-22 10:04 . 2009-08-05 14:34 42 ----a-w- c:\windows\popcinfot.dat
2009-11-20 14:58 . 2009-11-20 14:58 -------- d-----w- c:\documents and settings\All Users\Application Data\EscapeTheMuseum2
2009-11-18 14:15 . 2009-11-18 14:15 -------- d-----w- c:\documents and settings\joj\Application Data\Oberon Games
2009-11-18 14:15 . 2009-11-18 14:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Oberon Games
2009-11-18 14:04 . 2009-11-18 14:04 -------- d-----w- c:\program files\NT Registry Optimizer
2009-11-18 13:55 . 2009-08-19 02:55 -------- d-----w- c:\program files\Pando Networks
2009-11-17 18:57 . 2005-07-29 18:05 64792 ----a-w- c:\windows\isamunin.exe
2009-11-15 13:19 . 2009-11-15 13:19 -------- d-----w- c:\documents and settings\joj\Application Data\EleFun Games
2009-11-13 06:00 . 2009-11-13 06:00 -------- d-----w- c:\documents and settings\joj\Application Data\Yahoo!
2009-11-09 01:40 . 2009-11-08 13:59 -------- d-----w- c:\program files\EuroAsiaSoftware
2009-11-08 14:04 . 2009-11-08 14:04 -------- d-----w- c:\program files\ChineseTools
2009-11-06 14:05 . 2009-05-04 07:44 -------- d-----w- c:\program files\The KMPlayer
2009-11-05 16:21 . 2009-11-05 16:21 -------- d-----w- c:\documents and settings\joj\Application Data\HdO Adventure
2009-11-05 14:17 . 2009-08-28 12:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Alawar Stargaze
2009-11-05 14:17 . 2009-11-05 14:17 -------- d-----w- c:\program files\The Treasures Of Montezuma 2
2009-11-05 02:09 . 2009-10-21 09:59 -------- d-----w- c:\documents and settings\joj\Application Data\DisplayFusion
2009-11-04 13:57 . 2009-11-04 13:49 -------- d-----w- c:\program files\SnapShot Adventures - Secret of Bird Island
2009-11-03 14:17 . 2009-11-03 14:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Intel
2009-11-03 14:17 . 2009-11-03 14:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\Intel
2009-11-03 14:17 . 2009-11-03 14:17 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Intel
2009-11-03 14:17 . 2009-11-03 14:17 -------- d-----w- c:\documents and settings\LocalService\Application Data\Intel
2009-11-03 14:17 . 2009-11-03 14:17 -------- d-----w- c:\documents and settings\joj\Application Data\Intel
2009-11-03 14:17 . 2009-08-08 16:57 -------- d-----w- c:\program files\Common Files\Intel
2009-11-03 14:17 . 2008-10-13 05:28 -------- d-----w- c:\program files\Intel
2009-11-03 14:14 . 2009-11-03 14:14 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_SynTP_01007.Wdf
2009-11-02 13:03 . 2009-11-02 11:32 -------- d-----w- c:\program files\Defraggler
2009-11-02 07:08 . 2009-11-02 07:08 -------- d-----w- c:\program files\CCleaner
2009-11-02 06:36 . 2009-11-02 06:36 586 ----a-w- c:\windows\uninstallstickies.bat
2009-11-02 06:36 . 2009-05-04 07:44 -------- d-----w- c:\program files\Stickies
2009-11-01 15:19 . 2009-11-01 15:19 -------- d-----w- c:\program files\WinUHA
2009-11-01 13:29 . 2009-11-01 13:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Gogii
2009-10-31 18:55 . 2009-10-31 18:55 -------- d-----w- c:\documents and settings\All Users\Application Data\JollyBear
2009-10-29 07:46 . 2004-08-04 05:00 832512 ------w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2004-08-04 05:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2004-08-04 05:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-21 06:00 . 2004-08-04 05:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 06:00 . 2004-08-04 05:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 14:58 . 2004-08-04 05:00 263552 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:53 . 2004-08-04 05:00 266752 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:54 . 2004-08-04 05:00 69632 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:54 . 2004-08-04 05:00 112128 ----a-w- c:\windows\system32\rastls.dll
2009-07-10 14:20 . 2009-07-02 10:48 25 ----a-w- c:\program files\popcinfot.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{86B9B5DD-FB75-4035-BD52-3C94F7849CAF}"= "c:\program files\PC-Doctor\ATLPcdToolbar544928.dll" [2009-11-22 137712]

[HKEY_CLASSES_ROOT\clsid\{86b9b5dd-fb75-4035-bd52-3c94f7849caf}]
[HKEY_CLASSES_ROOT\ATLPcdToolbar.PcdBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{E00A7D25-2CFC-428B-8BF8-04436490448C}]
[HKEY_CLASSES_ROOT\ATLPcdToolbar.PcdBand]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOverlayHandlerAccessible]
@="{3DBF5F01-3287-46EB-82CF-45AA5C241162}"
[HKEY_CLASSES_ROOT\CLSID\{3DBF5F01-3287-46EB-82CF-45AA5C241162}]
2008-09-18 05:07 310328 ----a-w- c:\windows\system32\PGPfsshl.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2009-11-10 5244216]
"Kana Reminder"="c:\program files\KanaReminder\Reminder.exe" [2005-11-29 1185280]
"TPKMAPMN"="c:\program files\ThinkPad\Utilities\TpKmapMn.exe" [2007-09-21 49152]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2009-07-16 307768]
"Google Update"="c:\documents and settings\joj\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-24 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"pmonmh"="c:\program files\IBM\My Help\plugins\\com.ibm.myhelp.common_1.4.19" [X]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"stgclean"="c:\sdwork\w32main2.exe" [2009-11-23 297472]
"Tpam.exe"="c:\program files\IBM\Personal Communications\tpam.exe" [2007-11-02 28672]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 110592]
"TpShocks"="TpShocks.exe" [2009-07-08 337184]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2009-09-08 421888]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2009-09-08 208896]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2009-07-14 128296]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-07-14 1541416]
"TPFNF7"="c:\progra~1\Lenovo\NPDIRECT\TPFNF7SP.exe" [2009-08-03 62240]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2009-03-13 68976]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2007-01-09 868352]
"MyHelpService"="c:\program files\IBM\My Help\workspace\service\delayStart.exe" [2009-03-12 94208]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]
"vptray"="c:\progra~1\SYMANT~2\SYMANT~2\VPTray.exe" [2007-03-14 125632]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-09 144784]
"Isamtray"="c:\program files\C4ebreg\isamtray.exe" [2009-11-17 285976]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2008-10-07 256576]
"TrackPointSrv"="c:\program files\Lenovo\TrackPoint\tp4serv.exe" [2008-03-04 92960]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2009-07-29 425984]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2009-07-29 172032]
"ISSI Service"="c:\sdwork\issimsvc.exe" [2009-12-09 241392]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2009-07-22 185688]
"LPMailChecker"="c:\progra~1\THINKV~1\PrdCtr\LPMLCHK.exe" [2009-07-22 124248]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-05-11 141336]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-05-11 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-05-11 142872]
"LENOVO.TPFNF6R"="c:\program files\Lenovo\HOTKEY\TPFNF6R.exe" [2009-08-20 62752]
"picon"="c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" [2009-02-12 357400]
"C4EBReg"="c:\program files\C4ebreg\c4ebreg.exe" [2009-11-17 478488]
"SODCPreLoad"="c:\program files\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.5.0.20081031-1700\preload.exe" [2009-02-09 40960]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]

c:\documents and settings\joj\Start Menu\Programs\Startup\
FastStone Capture.lnk - c:\fscapture\FSCapture.exe [2009-5-5 1111552]
IBM-TVC.appref-ms [2009-12-29 298]
Shortcut to Windows 7 0.4.lnk - c:\windows 7 shortcuts 0.4\Windows 7 0.4.exe [2009-12-15 204673]
Stickies.lnk - c:\program files\Stickies\stickies.exe [2009-5-4 1101824]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2009-2-9 50688]
PGPtray.exe.lnk - c:\windows\Installer\{01D0B438-CE21-4FAD-8845-A0F00DB65F4F}\Icon6560581611.exe [2009-8-6 55296]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDevMgrUpdate"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{1984DD45-52CF-49cd-AB77-18F378FEA264}"= "c:\program files\Stardock\Fences\FencesMenu.dll" [2009-10-02 128360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pcsinst]
2007-11-02 10:45 49152 ----a-w- c:\windows\system32\pcsinst.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 08:37 34344 ----a-w- c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli PGPpwflt

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C4EBReg]
2009-11-17 18:55 478488 ----a-w- c:\program files\C4ebreg\c4ebreg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 08:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NetSP - restore settings on power failure]
2007-01-13 08:00 24576 ----a-w- c:\program files\AT&T Network Client\NetSP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-10 15:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"IBMconfig"=dword:00000001
"FirewallDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Printer\\ScanBack\\scanwiz.exe"=
"c:\\WINDOWS\\system32\\GNabcoms.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\IBM\\My Help\\jre\\bin\\myhelpw.exe"=
"c:\\Program Files\\IBM\\Sametime Connect\\jre\\bin\\sametime75.exe"=
"c:\\Program Files\\AT&T Network Client\\NetClient.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57362:TCP"= 57362:TCP:Pando Media Booster
"57362:UDP"= 57362:UDP:Pando Media Booster

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [6/29/2009 1:51 PM 20520]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [5/12/2008 6:04 PM 13480]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\virtualcd\VCdRom.sys [12/19/2001 11:45 AM 8576]
R2 ldlcserv6;IBM Enterprise Extender (IPv6);c:\windows\system32\drivers\ldlcserv6.exe [11/2/2007 12:09 PM 40960]
R2 pdlndldl6;IBM Enterprise Extender (HPR/IPv6);c:\windows\system32\drivers\pdlndldl6.sys [11/2/2007 12:09 PM 70656]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.exe [10/13/2008 1:32 PM 53248]
R2 SavRoam;SAVRoam;c:\program files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe [3/14/2007 7:48 PM 116416]
R2 TPHKSVC;On Screen Display;c:\program files\Lenovo\HOTKEY\TPHKSVC.exe [10/13/2008 1:35 PM 62320]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [10/16/2009 12:25 AM 2058776]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [6/13/2008 4:42 PM 243856]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [12/13/2009 2:42 AM 102448]
S0 0261B;0261B;c:\windows\system32\drivers\0261B.SYS --> c:\windows\system32\drivers\0261B.SYS [?]
S0 0269;0269;c:\windows\system32\drivers\0269.SYS --> c:\windows\system32\drivers\0269.SYS [?]
S1 30bA;30bA;\??\c:\windows\system32\drivers\30bA.SYS --> c:\windows\system32\drivers\30bA.SYS [?]
S1 69e1C;69e1C;\??\c:\windows\system32\drivers\69e1C.SYS --> c:\windows\system32\drivers\69e1C.SYS [?]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\Lenovo\HOTKEY\micmute.exe [5/21/2009 8:48 PM 45424]
S3 9af262;9af262;c:\windows\system32\9af262.sys [12/12/2009 3:31 PM 54624]
S3 bfturboh;BUFFALO TurboUSB for HD Filter;c:\windows\system32\drivers\bfturboh.sys [5/4/2009 3:43 PM 15872]
S3 csrcmds;csrcmds;c:\program files\IBM\Personal Communications\csrcmds.exe [11/2/2007 12:09 PM 49152]
S3 cstrcser;IBM Command Line Trace;c:\windows\system32\drivers\cstrcser.exe [11/2/2007 12:09 PM 36864]
S3 gnab_device;gnab_device;c:\windows\system32\GNabcoms.exe -service --> c:\windows\system32\GNabcoms.exe -service [?]
S3 IsamFilter;IsamFilter;c:\windows\system32\drivers\isamfilter.sys [10/7/2009 8:55 AM 6016]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [8/1/2009 12:09 AM 721904]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyOverride = ;<local>;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm
Trusted Zone: ibm.com\w3-950.chs
TCP: {997CA173-8700-43D9-9918-682C889E2651} = 208.67.222.222,208.67.220.220
TCP: {AECC8EBE-6AF2-4269-AA17-6E6F84A2459C} = 208.67.222.222,208.67.220.220
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\joj\Application Data\Mozilla\Firefox\Profiles\izxqrpgw.default\
FF - prefs.js: browser.search.selectedEngine - Webster
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\documents and settings\joj\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np72esk32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPeWebEditPro.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-30 00:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: >>UNKNOWN [0x804D7000]<< >>UNKNOWN [0xF76B7000]<< >>UNKNOWN [0xF76A7000]<< >>UNKNOWN [0xF75A8000]<< >>UNKNOWN [0x806FF000]<< >>UNKNOWN [0xF7B04000]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> 0xf76bbfc3
\Driver\ACPI -> 0xf75aecb8
\Driver\atapi -> 0xf746a814
\Driver\iaStor -> 0xf7b426ae
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->NDIS: Intel® WiFi Link 5100 AGN -> SendCompleteHandler -> 0xba5f2bb0
PacketIndicateHandler -> 0xba5e1a0d
SendHandler -> 0xba5f5b40
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1120)
c:\windows\system32\pcsinst.dll

- - - - - - - > 'explorer.exe'(3876)
c:\windows\system32\WININET.dll
c:\windows\system32\PGPhk.dll
c:\windows\system32\PGPfsshl.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\Stardock\Fences\FencesMenu.dll
c:\program files\stardock\fences\DesktopDock.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\Intel\WiFi\bin\S24EvMon.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccProxy.exe
c:\program files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
c:\windows\System32\SCardSvr.exe
c:\windows\system32\Drivers\trcboot.exe
c:\program files\IBM\Personal Communications\PCS_AGNT.EXE
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Intel\AMT\LMS.exe
c:\notes\ntmulti.exe
c:\program files\AT&T Network Client\NetCfgSv.EXE
c:\windows\system32\PGPserv.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\rundll32.exe
c:\program files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
c:\windows\system32\TpShocks.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\system32\TpKmpSVC.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\windows\system32\wdfmgr.exe
c:\program files\IBM\My Help\plugins\com.ibm.myhelp.common_1.4.19\pmonmh.exe
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\Zoom\TpScrex.exe
c:\program files\lenovo\system update\suservice.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\windows\system32\Drivers\ldlcserv.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.5.0.20081031-1700\soffice.exe
c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\program files\PGP Corporation\PGP Desktop\PGPtray.exe
c:\windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
c:\program files\IBM\My Help\MyHelp.exe
c:\program files\IBM\My Help\jre\bin\myhelpw.exe
.
**************************************************************************
.
Completion time: 2009-12-30 01:06:42 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-29 17:06
ComboFix2.txt 2009-12-28 15:09
ComboFix3.txt 2009-12-13 05:41

Pre-Run: 37,663,354,880 bytes free
Post-Run: 37,494,730,752 bytes free

- - End Of File - - AA109B8CE2188F7F8DD6E842F8B96BB3

=====COMBOFIX 3======
ComboFix 09-12-27.03 - joj 12/28/2009 22:46:36.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1944.1135 [GMT 8:00]
Running from: c:\documents and settings\joj\Desktop\schrauber.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Client Firewall *enabled* {5CB76A43-5FAD-476B-B9FF-26FA61F13187}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
c:\documents and settings\All Users\Start Menu\Programs\Startup\TweetDeck.lnk
c:\windows\patchw.dll
c:\windows\WINDOWS

.
((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-28 )))))))))))))))))))))))))))))))
.

2009-12-27 07:09 . 2009-12-27 07:09 -------- d-----w- c:\program files\iPod
2009-12-27 07:09 . 2009-12-27 07:10 -------- d-----w- c:\program files\iTunes
2009-12-27 07:05 . 2009-12-27 07:05 -------- d-----w- c:\program files\QuickTime
2009-12-20 02:24 . 2009-12-20 02:24 -------- d-----w- c:\program files\TweetDeck
2009-12-19 19:40 . 2009-12-20 02:31 -------- d-----w- c:\documents and settings\joj\Application Data\Songbird2
2009-12-19 19:40 . 2009-12-19 19:40 -------- d-----w- c:\documents and settings\joj\Local Settings\Application Data\Songbird2
2009-12-19 16:54 . 2009-12-19 16:54 -------- d-----w- c:\program files\Samantha Swift - Mystery From Atlantis
2009-12-17 04:57 . 2009-12-17 04:57 -------- d-----w- c:\documents and settings\joj\Local Settings\Application Data\myPod_Apps
2009-12-17 04:52 . 2009-12-17 04:56 -------- d-----w- c:\program files\iPhone Explorer
2009-12-15 02:16 . 2009-12-15 02:17 -------- d-----w- C:\Windows 7 Shortcuts 0.4
2009-12-12 12:41 . 2009-12-12 12:41 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-12-12 12:41 . 2009-12-12 17:35 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-12 12:41 . 2009-12-12 12:41 -------- d-----w- c:\documents and settings\joj\Application Data\SUPERAntiSpyware.com
2009-12-12 12:39 . 2009-12-12 12:39 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-12 11:48 . 2009-12-12 20:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-12-12 10:56 . 2009-12-12 10:56 -------- d-----w- c:\program files\TrendMicro
2009-12-12 08:43 . 2009-12-12 08:43 7680 ----a-w- c:\windows\system32\drivers\RKL8A.tmp.sys
2009-12-12 07:31 . 2009-12-12 07:31 54624 ----a-w- c:\windows\system32\9af262.sys
2009-12-11 07:27 . 2009-12-22 02:59 -------- d-----w- c:\documents and settings\All Users\Application Data\PCDr
2009-12-11 07:25 . 2009-12-11 07:27 -------- d-----w- c:\program files\PC-Doctor
2009-12-05 12:42 . 2009-12-23 18:04 -------- d-----w- c:\program files\Gravity
2009-12-04 18:10 . 2009-12-04 18:10 -------- d-----w- c:\program files\Stanza
2009-12-01 15:31 . 2009-12-01 23:17 -------- d-----w- c:\documents and settings\joj\Application Data\ViiKiiDesktopPlugin.5E22EA0FF243470AB5EDDF282C0A5B52E9909C36.1
2009-12-01 01:11 . 2009-12-01 01:11 -------- d-----w- c:\documents and settings\joj\Application Data\TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-28 15:01 . 2009-05-04 07:46 -------- d-----w- c:\documents and settings\joj\Application Data\stickies
2009-12-28 14:59 . 2005-04-05 17:21 -------- d-----w- c:\program files\C4ebreg
2009-12-28 14:56 . 2007-03-05 22:09 40 ----a-w- c:\windows\system32\profile.dat
2009-12-28 14:56 . 2009-08-14 09:53 975624 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-12-28 06:34 . 2006-03-27 21:50 -------- d-----w- c:\program files\WST
2009-12-28 01:56 . 2006-01-24 00:45 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-12-27 10:11 . 2009-05-20 13:35 -------- d-----w- c:\program files\uTorrent
2009-12-27 07:09 . 2009-05-12 13:09 -------- d-----w- c:\program files\Common Files\Apple
2009-12-27 04:50 . 2009-06-23 09:37 -------- d-----w- c:\program files\MP3Gain
2009-12-20 07:45 . 2009-05-10 03:10 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-20 04:53 . 2009-08-01 03:01 -------- d-----w- c:\program files\Games
2009-12-20 02:16 . 2009-04-23 07:22 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-12-19 19:40 . 2009-09-02 05:42 -------- d-----w- c:\documents and settings\All Users\Application Data\WildTangent
2009-12-19 17:53 . 2009-08-28 07:22 63356 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-19 17:08 . 2009-07-22 06:06 -------- d-----w- c:\documents and settings\All Users\Application Data\MumboJumbo
2009-12-18 10:33 . 2009-12-18 10:33 6508 ----a-w- c:\windows\system32\d3d9caps.tmp
2009-12-18 10:33 . 2009-05-05 04:31 6508 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-18 10:19 . 2008-10-13 05:39 -------- d-----w- c:\program files\AT&T Network Client
2009-12-17 23:53 . 2005-04-04 18:17 85816 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-17 06:14 . 2009-09-07 13:46 -------- d-----w- c:\documents and settings\joj\Application Data\WindSolutions
2009-12-15 15:40 . 2009-05-21 06:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-12-15 15:39 . 2009-05-21 06:46 -------- d-----w- c:\program files\Microsoft Works
2009-12-13 04:51 . 2009-06-10 04:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-12 17:17 . 2005-04-05 19:45 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-12 17:15 . 2009-09-18 15:09 -------- d-----w- c:\program files\Outspark
2009-12-12 13:47 . 2009-11-28 04:49 -------- d-----w- c:\documents and settings\joj\Application Data\runic games
2009-12-12 13:47 . 2009-11-28 04:43 -------- d-----w- c:\program files\Runic Games
2009-12-12 08:05 . 2009-05-04 13:57 -------- d-----w- c:\documents and settings\joj\Application Data\Thinstall
2009-12-11 07:22 . 2009-12-11 07:17 512752 ----a-w- c:\windows\qfeC2.tmp
2009-12-09 16:16 . 2009-05-20 13:34 -------- d-----w- c:\documents and settings\joj\Application Data\uTorrent
2009-12-04 18:10 . 2009-05-11 08:05 -------- d-----w- c:\program files\Bonjour
2009-12-04 05:11 . 2009-05-12 13:11 -------- d-----w- c:\documents and settings\joj\Application Data\Apple Computer
2009-12-03 08:14 . 2009-06-10 04:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 08:13 . 2009-06-10 04:42 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-02 01:10 . 2009-10-07 00:55 6016 ----a-w- c:\windows\system32\drivers\isamfilter.sys
2009-12-01 23:17 . 2009-08-06 05:43 -------- d-----w- c:\program files\Google
2009-11-28 13:06 . 2009-05-04 07:44 -------- d-----w- c:\program files\KanaReminder
2009-11-28 04:25 . 2009-07-03 18:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Sandlot Games
2009-11-28 01:53 . 2009-09-07 08:10 -------- d-----w- c:\documents and settings\joj\Application Data\Big Fish Games
2009-11-28 01:51 . 2009-11-28 01:50 -------- d-----w- c:\program files\Westward IV
2009-11-27 03:27 . 2009-09-12 15:40 -------- d-----w- c:\program files\LeeGTs Games
2009-11-27 03:21 . 2009-11-27 03:21 -------- d-----w- c:\documents and settings\joj\Application Data\GlarySoft
2009-11-27 00:48 . 2009-11-27 00:48 -------- d-----w- c:\program files\VS Revo Group
2009-11-26 13:11 . 2009-11-26 13:11 -------- d-----w- c:\program files\Glary Utilities
2009-11-22 10:04 . 2009-08-05 14:34 42 ----a-w- c:\windows\popcinfot.dat
2009-11-20 14:58 . 2009-11-20 14:58 -------- d-----w- c:\documents and settings\All Users\Application Data\EscapeTheMuseum2
2009-11-18 14:15 . 2009-11-18 14:15 -------- d-----w- c:\documents and settings\joj\Application Data\Oberon Games
2009-11-18 14:15 . 2009-11-18 14:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Oberon Games
2009-11-18 14:04 . 2009-11-18 14:04 -------- d-----w- c:\program files\NT Registry Optimizer
2009-11-18 13:55 . 2009-08-19 02:55 -------- d-----w- c:\program files\Pando Networks
2009-11-17 18:57 . 2005-07-29 18:05 64792 ----a-w- c:\windows\isamunin.exe
2009-11-15 13:19 . 2009-11-15 13:19 -------- d-----w- c:\documents and settings\joj\Application Data\EleFun Games
2009-11-13 06:00 . 2009-11-13 06:00 -------- d-----w- c:\documents and settings\joj\Application Data\Yahoo!
2009-11-09 01:40 . 2009-11-08 13:59 -------- d-----w- c:\program files\EuroAsiaSoftware
2009-11-08 14:04 . 2009-11-08 14:04 -------- d-----w- c:\program files\ChineseTools
2009-11-06 14:05 . 2009-05-04 07:44 -------- d-----w- c:\program files\The KMPlayer
2009-11-05 16:21 . 2009-11-05 16:21 -------- d-----w- c:\documents and settings\joj\Application Data\HdO Adventure
2009-11-05 14:17 . 2009-08-28 12:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Alawar Stargaze
2009-11-05 14:17 . 2009-11-05 14:17 -------- d-----w- c:\program files\The Treasures Of Montezuma 2
2009-11-05 02:09 . 2009-10-21 09:59 -------- d-----w- c:\documents and settings\joj\Application Data\DisplayFusion
2009-11-04 13:57 . 2009-11-04 13:49 -------- d-----w- c:\program files\SnapShot Adventures - Secret of Bird Island
2009-11-03 14:17 . 2009-11-03 14:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Intel
2009-11-03 14:17 . 2009-11-03 14:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\Intel
2009-11-03 14:17 . 2009-11-03 14:17 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Intel
2009-11-03 14:17 . 2009-11-03 14:17 -------- d-----w- c:\documents and settings\LocalService\Application Data\Intel
2009-11-03 14:17 . 2009-11-03 14:17 -------- d-----w- c:\documents and settings\joj\Application Data\Intel
2009-11-03 14:17 . 2009-08-08 16:57 -------- d-----w- c:\program files\Common Files\Intel
2009-11-03 14:17 . 2008-10-13 05:28 -------- d-----w- c:\program files\Intel
2009-11-03 14:14 . 2009-11-03 14:14 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_SynTP_01007.Wdf
2009-11-02 13:03 . 2009-11-02 11:32 -------- d-----w- c:\program files\Defraggler
2009-11-02 07:08 . 2009-11-02 07:08 -------- d-----w- c:\program files\CCleaner
2009-11-02 06:36 . 2009-11-02 06:36 586 ----a-w- c:\windows\uninstallstickies.bat
2009-11-02 06:36 . 2009-05-04 07:44 -------- d-----w- c:\program files\Stickies
2009-11-01 15:19 . 2009-11-01 15:19 -------- d-----w- c:\program files\WinUHA
2009-11-01 13:29 . 2009-11-01 13:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Gogii
2009-10-31 18:55 . 2009-10-31 18:55 -------- d-----w- c:\documents and settings\All Users\Application Data\JollyBear
2009-10-30 08:55 . 2009-10-30 08:55 -------- d-----w- c:\documents and settings\joj\Application Data\Stardock
2009-10-30 08:55 . 2009-10-30 08:55 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{A87EB928-0C6C-4071-AEF1-59E32BAEDF1B}
2009-10-30 08:55 . 2009-10-30 08:55 -------- d-----w- c:\program files\Stardock
2009-10-29 07:46 . 2004-08-04 05:00 832512 ------w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2004-08-04 05:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2004-08-04 05:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-21 06:00 . 2004-08-04 05:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 06:00 . 2004-08-04 05:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 14:58 . 2004-08-04 05:00 263552 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:53 . 2004-08-04 05:00 266752 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:54 . 2004-08-04 05:00 69632 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:54 . 2004-08-04 05:00 112128 ----a-w- c:\windows\system32\rastls.dll
2009-07-10 14:20 . 2009-07-02 10:48 25 ----a-w- c:\program files\popcinfot.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{86B9B5DD-FB75-4035-BD52-3C94F7849CAF}"= "c:\program files\PC-Doctor\ATLPcdToolbar544928.dll" [2009-11-22 137712]

[HKEY_CLASSES_ROOT\clsid\{86b9b5dd-fb75-4035-bd52-3c94f7849caf}]
[HKEY_CLASSES_ROOT\ATLPcdToolbar.PcdBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{E00A7D25-2CFC-428B-8BF8-04436490448C}]
[HKEY_CLASSES_ROOT\ATLPcdToolbar.PcdBand]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOverlayHandlerAccessible]
@="{3DBF5F01-3287-46EB-82CF-45AA5C241162}"
[HKEY_CLASSES_ROOT\CLSID\{3DBF5F01-3287-46EB-82CF-45AA5C241162}]
2008-09-18 05:07 310328 ----a-w- c:\windows\system32\PGPfsshl.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2009-11-10 5244216]
"Kana Reminder"="c:\program files\KanaReminder\Reminder.exe" [2005-11-29 1185280]
"TPKMAPMN"="c:\program files\ThinkPad\Utilities\TpKmapMn.exe" [2007-09-21 49152]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2009-07-16 307768]
"Google Update"="c:\documents and settings\joj\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-24 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"pmonmh"="c:\program files\IBM\My Help\plugins\\com.ibm.myhelp.common_1.4.19" [X]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"stgclean"="c:\sdwork\w32main2.exe" [2009-11-23 297472]
"Tpam.exe"="c:\program files\IBM\Personal Communications\tpam.exe" [2007-11-02 28672]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 110592]
"TpShocks"="TpShocks.exe" [2009-07-08 337184]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2009-09-08 421888]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2009-09-08 208896]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2009-07-14 128296]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-07-14 1541416]
"TPFNF7"="c:\progra~1\Lenovo\NPDIRECT\TPFNF7SP.exe" [2009-08-03 62240]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2009-03-13 68976]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2007-01-09 868352]
"MyHelpService"="c:\program files\IBM\My Help\workspace\service\delayStart.exe" [2009-03-12 94208]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]
"vptray"="c:\progra~1\SYMANT~2\SYMANT~2\VPTray.exe" [2007-03-14 125632]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-09 144784]
"Isamtray"="c:\program files\C4ebreg\isamtray.exe" [2009-11-17 285976]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2008-10-07 256576]
"TrackPointSrv"="c:\program files\Lenovo\TrackPoint\tp4serv.exe" [2008-03-04 92960]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2009-07-29 425984]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2009-07-29 172032]
"ISSI Service"="c:\sdwork\issimsvc.exe" [2009-12-09 241392]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2009-07-22 185688]
"LPMailChecker"="c:\progra~1\THINKV~1\PrdCtr\LPMLCHK.exe" [2009-07-22 124248]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-05-11 141336]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-05-11 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-05-11 142872]
"LENOVO.TPFNF6R"="c:\program files\Lenovo\HOTKEY\TPFNF6R.exe" [2009-08-20 62752]
"picon"="c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" [2009-02-12 357400]
"C4EBReg"="c:\program files\C4ebreg\c4ebreg.exe" [2009-11-17 478488]
"SODCPreLoad"="c:\program files\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.5.0.20081031-1700\preload.exe" [2009-02-09 40960]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]

c:\documents and settings\joj\Start Menu\Programs\Startup\
FastStone Capture.lnk - c:\fscapture\FSCapture.exe [2009-5-5 1111552]
IBM-TVC.appref-ms [2009-12-14 298]
Shortcut to Windows 7 0.4.lnk - c:\windows 7 shortcuts 0.4\Windows 7 0.4.exe [2009-12-15 204673]
Stickies.lnk - c:\program files\Stickies\stickies.exe [2009-5-4 1101824]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2009-2-9 50688]
PGPtray.exe.lnk - c:\windows\Installer\{01D0B438-CE21-4FAD-8845-A0F00DB65F4F}\Icon6560581611.exe [2009-8-6 55296]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDevMgrUpdate"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{1984DD45-52CF-49cd-AB77-18F378FEA264}"= "c:\program files\Stardock\Fences\FencesMenu.dll" [2009-10-02 128360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pcsinst]
2007-11-02 10:45 49152 ----a-w- c:\windows\system32\pcsinst.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 08:37 34344 ----a-w- c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli PGPpwflt

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C4EBReg]
2009-11-17 18:55 478488 ----a-w- c:\program files\C4ebreg\c4ebreg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 08:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NetSP - restore settings on power failure]
2007-01-13 08:00 24576 ----a-w- c:\program files\AT&T Network Client\NetSP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-10 15:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"IBMconfig"=dword:00000001
"FirewallDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Printer\\ScanBack\\scanwiz.exe"=
"c:\\WINDOWS\\system32\\GNabcoms.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\IBM\\My Help\\jre\\bin\\myhelpw.exe"=
"c:\\Program Files\\IBM\\Sametime Connect\\jre\\bin\\sametime75.exe"=
"c:\\Program Files\\AT&T Network Client\\NetClient.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57362:TCP"= 57362:TCP:Pando Media Booster
"57362:UDP"= 57362:UDP:Pando Media Booster

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [6/29/2009 1:51 PM 20520]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [5/12/2008 6:04 PM 13480]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\virtualcd\VCdRom.sys [12/19/2001 11:45 AM 8576]
R2 ldlcserv6;IBM Enterprise Extender (IPv6);c:\windows\system32\drivers\ldlcserv6.exe [11/2/2007 12:09 PM 40960]
R2 pdlndldl6;IBM Enterprise Extender (HPR/IPv6);c:\windows\system32\drivers\pdlndldl6.sys [11/2/2007 12:09 PM 70656]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.exe [10/13/2008 1:32 PM 53248]
R2 SavRoam;SAVRoam;c:\program files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe [3/14/2007 7:48 PM 116416]
R2 TPHKSVC;On Screen Display;c:\program files\Lenovo\HOTKEY\TPHKSVC.exe [10/13/2008 1:35 PM 62320]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [10/16/2009 12:25 AM 2058776]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [6/13/2008 4:42 PM 243856]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [12/13/2009 2:42 AM 102448]
S0 0261B;0261B;c:\windows\system32\drivers\0261B.SYS --> c:\windows\system32\drivers\0261B.SYS [?]
S0 0269;0269;c:\windows\system32\drivers\0269.SYS --> c:\windows\system32\drivers\0269.SYS [?]
S1 30bA;30bA;\??\c:\windows\system32\drivers\30bA.SYS --> c:\windows\system32\drivers\30bA.SYS [?]
S1 69e1C;69e1C;\??\c:\windows\system32\drivers\69e1C.SYS --> c:\windows\system32\drivers\69e1C.SYS [?]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\Lenovo\HOTKEY\micmute.exe [5/21/2009 8:48 PM 45424]
S3 9af262;9af262;c:\windows\system32\9af262.sys [12/12/2009 3:31 PM 54624]
S3 bfturboh;BUFFALO TurboUSB for HD Filter;c:\windows\system32\drivers\bfturboh.sys [5/4/2009 3:43 PM 15872]
S3 csrcmds;csrcmds;c:\program files\IBM\Personal Communications\csrcmds.exe [11/2/2007 12:09 PM 49152]
S3 cstrcser;IBM Command Line Trace;c:\windows\system32\drivers\cstrcser.exe [11/2/2007 12:09 PM 36864]
S3 gnab_device;gnab_device;c:\windows\system32\GNabcoms.exe -service --> c:\windows\system32\GNabcoms.exe -service [?]
S3 IsamFilter;IsamFilter;c:\windows\system32\drivers\isamfilter.sys [10/7/2009 8:55 AM 6016]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [8/1/2009 12:09 AM 721904]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://w3.ibm.com/
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyOverride = ;<local>;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm
Trusted Zone: ibm.com\w3-950.chs
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\joj\Application Data\Mozilla\Firefox\Profiles\izxqrpgw.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\documents and settings\joj\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np72esk32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPeWebEditPro.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-sbitunesagent - c:\program files\Songbird\songbirditunesagent.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-28 23:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1060)
c:\windows\system32\pcsinst.dll

- - - - - - - > 'explorer.exe'(5932)
c:\windows\system32\WININET.dll
c:\windows\system32\PGPhk.dll
c:\windows\system32\PGPfsshl.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\Stardock\Fences\FencesMenu.dll
c:\program files\stardock\fences\DesktopDock.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\Intel\WiFi\bin\S24EvMon.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccProxy.exe
c:\program files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
c:\windows\System32\SCardSvr.exe
c:\windows\system32\Drivers\trcboot.exe
c:\program files\IBM\Personal Communications\PCS_AGNT.EXE
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Intel\AMT\LMS.exe
c:\notes\ntmulti.exe
c:\program files\AT&T Network Client\NetCfgSv.EXE
c:\windows\system32\PGPserv.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
c:\program files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\system32\TpKmpSVC.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\TpShocks.exe
c:\windows\system32\rundll32.exe
c:\program files\lenovo\system update\suservice.exe
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\program files\IBM\My Help\plugins\com.ibm.myhelp.common_1.4.19\pmonmh.exe
c:\program files\Lenovo\Zoom\TpScrex.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\windows\system32\Drivers\ldlcserv.exe
c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.5.0.20081031-1700\soffice.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\program files\PGP Corporation\PGP Desktop\PGPtray.exe
c:\windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\IBM\My Help\MyHelp.exe
c:\program files\IBM\My Help\jre\bin\myhelpw.exe
.
**************************************************************************
.
Completion time: 2009-12-28 23:09:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-28 15:09
ComboFix2.txt 2009-12-13 05:41

Pre-Run: 37,569,564,672 bytes free
Post-Run: 37,557,981,184 bytes free

- - End Of File - - 21C2987E694BD3986D48D6E2C53EB25A

====COMBOFIX4======
ComboFix 09-12-11.05 - joj 12/13/2009 13:17:07.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1944.1283 [GMT 8:00]
Running from: c:\documents and settings\joj\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Client Firewall *enabled* {5CB76A43-5FAD-476B-B9FF-26FA61F13187}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\joj\LOCALS~1\Temp\tij.dat
c:\documents and settings\All Users\Start Menu\Internet Explorer.lnk
c:\documents and settings\joj\Local Settings\Temp\tij.dat
c:\documents and settings\joj\My Documents\cc_20091213_122922.reg
C:\install.exe
C:\LOG.TXT
C:\Thumbs.db
c:\windows\system32\9af262.dll
c:\windows\system32\twain_32.dll
c:\windows\WINDOWS\INF\IBM (PCL)nt5lmpcl2a.inf
c:\windows\WINDOWS\INF\IBM (PS)nt5lexpsnt.inf
c:\windows\WINDOWS\SYSTEM32\DRVNPANT.DLL
c:\windows\WINDOWS\SYSTEM32\LEXCFI.DLL
c:\windows\WINDOWS\SYSTEM32\LEXDRVX.DLL
c:\windows\WINDOWS\SYSTEM32\LexFiles.log
c:\windows\WINDOWS\SYSTEM32\lexlog.dlL
c:\windows\WINDOWS\SYSTEM32\LEXMV95.HLP
c:\windows\WINDOWS\SYSTEM32\LEXPSHOW.HLP
c:\windows\WINDOWS\SYSTEM32\LMPCLHOW.HLP
c:\windows\WINDOWS\SYSTEM32\Monitor.bak
c:\windows\WINDOWS\SYSTEM32\Monitor.inf

.
((((((((((((((((((((((((( Files Created from 2009-11-13 to 2009-12-13 )))))))))))))))))))))))))))))))
.

2009-12-12 12:41 . 2009-12-12 12:41 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-12-12 12:41 . 2009-12-12 17:35 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-12 12:41 . 2009-12-12 12:41 -------- d-----w- c:\documents and settings\joj\Application Data\SUPERAntiSpyware.com
2009-12-12 12:39 . 2009-12-12 12:39 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-12 11:48 . 2009-12-12 20:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-12-12 10:56 . 2009-12-12 10:56 -------- d-----w- c:\program files\TrendMicro
2009-12-12 08:43 . 2009-12-12 08:43 7680 ----a-w- c:\windows\system32\drivers\RKL8A.tmp.sys
2009-12-12 07:31 . 2009-12-12 07:31 54624 ----a-w- c:\windows\system32\9af262.sys
2009-12-11 07:27 . 2009-12-11 07:27 -------- d-----w- c:\documents and settings\All Users\Application Data\PCDr
2009-12-11 07:25 . 2009-12-11 07:27 -------- d-----w- c:\program files\PC-Doctor
2009-12-05 12:42 . 2009-12-05 12:42 -------- d-----w- c:\program files\Gravity
2009-12-04 18:10 . 2009-12-04 18:10 -------- d-----w- c:\program files\Stanza
2009-12-04 00:33 . 2009-12-04 00:33 -------- d-----w- c:\program files\TweetDeck
2009-12-01 15:31 . 2009-12-01 23:17 -------- d-----w- c:\documents and settings\joj\Application Data\ViiKiiDesktopPlugin.5E22EA0FF243470AB5EDDF282C0A5B52E9909C36.1
2009-12-01 01:11 . 2009-12-01 01:11 -------- d-----w- c:\documents and settings\joj\Application Data\TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1
2009-11-28 04:49 . 2009-12-12 13:47 -------- d-----w- c:\documents and settings\joj\Application Data\runic games
2009-11-28 04:43 . 2009-12-12 13:47 -------- d-----w- c:\program files\Runic Games
2009-11-28 04:30 . 2009-11-28 04:42 -------- d-----w- C:\virtualcd
2009-11-28 01:50 . 2009-11-28 01:51 -------- d-----w- c:\program files\Westward IV
2009-11-28 01:50 . 2009-11-28 01:50 -------- d-----w- c:\windows\Westward IV
2009-11-27 03:21 . 2009-11-27 03:21 -------- d-----w- c:\documents and settings\joj\Application Data\GlarySoft
2009-11-27 00:48 . 2009-11-27 00:48 -------- d-----w- c:\program files\VS Revo Group
2009-11-26 13:11 . 2009-11-26 13:11 -------- d-----w- c:\program files\Glary Utilities
2009-11-25 14:26 . 2009-11-25 14:26 -------- d-----w- C:\Gyromancer
2009-11-24 08:09 . 2009-11-24 08:17 -------- d-----w- c:\documents and settings\joj\Local Settings\Application Data\Temp
2009-11-24 08:09 . 2009-11-24 08:17 -------- d-----w- c:\documents and settings\joj\Local Settings\Application Data\Google
2009-11-20 14:58 . 2009-11-20 14:58 -------- d-----w- c:\documents and settings\All Users\Application Data\EscapeTheMuseum2
2009-11-18 14:15 . 2009-11-18 14:15 -------- d-----w- c:\documents and settings\joj\Application Data\Oberon Games
2009-11-18 14:15 . 2009-11-18 14:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Oberon Games
2009-11-18 14:04 . 2009-11-18 14:04 -------- d-----w- c:\program files\NT Registry Optimizer
2009-11-15 13:19 . 2009-11-15 13:19 -------- d-----w- c:\documents and settings\joj\Application Data\EleFun Games
2009-11-13 06:00 . 2009-11-13 06:00 -------- d-----w- c:\documents and settings\joj\Application Data\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-13 05:34 . 2009-05-04 07:46 -------- d-----w- c:\documents and settings\joj\Application Data\stickies
2009-12-13 05:31 . 2005-04-05 17:21 -------- d-----w- c:\program files\C4ebreg
2009-12-13 05:29 . 2007-03-05 22:09 40 ----a-w- c:\windows\system32\profile.dat
2009-12-13 05:29 . 2009-08-14 09:53 778616 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-12-13 04:51 . 2009-06-10 04:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-12 18:00 . 2006-01-24 00:45 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-12-12 17:17 . 2005-04-05 19:45 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-12 17:15 . 2009-09-18 15:09 -------- d-----w- c:\program files\Outspark
2009-12-12 08:05 . 2009-05-04 13:57 -------- d-----w- c:\documents and settings\joj\Application Data\Thinstall
2009-12-12 07:43 . 2009-05-20 13:35 -------- d-----w- c:\program files\uTorrent
2009-12-11 07:22 . 2009-12-11 07:17 512752 ----a-w- c:\windows\qfeC2.tmp
2009-12-11 05:56 . 2006-03-27 21:50 -------- d-----w- c:\program files\WST
2009-12-09 16:16 . 2009-05-20 13:34 -------- d-----w- c:\documents and settings\joj\Application Data\uTorrent
2009-12-09 11:19 . 2005-04-04 18:17 86792 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-06 06:39 . 2009-05-05 04:31 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-04 18:10 . 2009-05-11 08:05 -------- d-----w- c:\program files\Bonjour
2009-12-04 05:11 . 2009-05-12 13:11 -------- d-----w- c:\documents and settings\joj\Application Data\Apple Computer
2009-12-03 08:14 . 2009-06-10 04:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 08:13 . 2009-06-10 04:42 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-02 01:10 . 2009-10-07 00:55 6016 ----a-w- c:\windows\system32\drivers\isamfilter.sys
2009-12-01 23:17 . 2009-08-06 05:43 -------- d-----w- c:\program files\Google
2009-11-28 13:06 . 2009-05-04 07:44 -------- d-----w- c:\program files\KanaReminder
2009-11-28 04:25 . 2009-07-03 18:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Sandlot Games
2009-11-28 04:24 . 2009-08-01 03:01 -------- d-----w- c:\program files\Games
2009-11-28 01:53 . 2009-09-07 08:10 -------- d-----w- c:\documents and settings\joj\Application Data\Big Fish Games
2009-11-27 03:27 . 2009-09-12 15:40 -------- d-----w- c:\program files\LeeGTs Games
2009-11-24 02:51 . 2009-05-21 06:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-22 10:04 . 2009-08-05 14:34 42 ----a-w- c:\windows\popcinfot.dat
2009-11-22 06:42 . 2009-05-10 03:10 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-18 13:55 . 2009-08-19 02:55 -------- d-----w- c:\program files\Pando Networks
2009-11-17 18:57 . 2005-07-29 18:05 64792 ----a-w- c:\windows\isamunin.exe
2009-11-09 01:40 . 2009-11-08 13:59 -------- d-----w- c:\program files\EuroAsiaSoftware
2009-11-08 14:04 . 2009-11-08 14:04 -------- d-----w- c:\program files\ChineseTools
2009-11-06 14:05 . 2009-05-04 07:44 -------- d-----w- c:\program files\The KMPlayer
2009-11-05 16:21 . 2009-11-05 16:21 -------- d-----w- c:\documents and settings\joj\Application Data\HdO Adventure
2009-11-05 14:17 . 2009-08-28 12:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Alawar Stargaze
2009-11-05 14:17 . 2009-11-05 14:17 -------- d-----w- c:\program files\The Treasures Of Montezuma 2
2009-11-05 02:09 . 2009-10-21 09:59 -------- d-----w- c:\documents and settings\joj\Application Data\DisplayFusion
2009-11-04 13:57 . 2009-11-04 13:49 -------- d-----w- c:\program files\SnapShot Adventures - Secret of Bird Island
2009-11-03 14:17 . 2009-11-03 14:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Intel
2009-11-03 14:17 . 2009-11-03 14:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\Intel
2009-11-03 14:17 . 2009-11-03 14:17 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Intel
2009-11-03 14:17 . 2009-11-03 14:17 -------- d-----w- c:\documents and settings\LocalService\Application Data\Intel
2009-11-03 14:17 . 2009-11-03 14:17 -------- d-----w- c:\documents and settings\joj\Application Data\Intel
2009-11-03 14:17 . 2009-08-08 16:57 -------- d-----w- c:\program files\Common Files\Intel
2009-11-03 14:17 . 2008-10-13 05:28 -------- d-----w- c:\program files\Intel
2009-11-03 14:14 . 2009-11-03 14:14 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_SynTP_01007.Wdf
2009-11-03 04:58 . 2009-08-28 07:22 62648 ---ha-w- c:\windows\system32\mlfcache.dat
2009-11-02 13:03 . 2009-11-02 11:32 -------- d-----w- c:\program files\Defraggler
2009-11-02 07:08 . 2009-11-02 07:08 -------- d-----w- c:\program files\CCleaner
2009-11-02 06:36 . 2009-11-02 06:36 586 ----a-w- c:\windows\uninstallstickies.bat
2009-11-02 06:36 . 2009-05-04 07:44 -------- d-----w- c:\program files\Stickies
2009-11-01 15:19 . 2009-11-01 15:19 -------- d-----w- c:\program files\WinUHA
2009-11-01 13:29 . 2009-11-01 13:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Gogii
2009-10-31 18:55 . 2009-10-31 18:55 -------- d-----w- c:\documents and settings\All Users\Application Data\JollyBear
2009-10-30 08:55 . 2009-10-30 08:55 -------- d-----w- c:\documents and settings\joj\Application Data\Stardock
2009-10-30 08:55 . 2009-10-30 08:55 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{A87EB928-0C6C-4071-AEF1-59E32BAEDF1B}
2009-10-30 08:55 . 2009-10-30 08:55 -------- d-----w- c:\program files\Stardock
2009-10-29 07:46 . 2004-08-04 05:00 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2004-08-04 05:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2004-08-04 05:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-21 06:00 . 2004-08-04 05:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 06:00 . 2004-08-04 05:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 14:58 . 2004-08-04 05:00 263552 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-20 00:51 . 2009-04-23 07:22 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-10-17 00:29 . 2008-10-13 05:39 -------- d-----w- c:\program files\AT&T Network Client
2009-10-15 16:25 . 2009-10-15 16:25 -------- d-----w- c:\program files\Common Files\postureAgent
2009-10-13 10:53 . 2004-08-04 05:00 266752 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:54 . 2004-08-04 05:00 69632 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:54 . 2004-08-04 05:00 112128 ----a-w- c:\windows\system32\rastls.dll
2009-09-21 07:23 . 2009-09-21 07:23 16896 ----a-w- c:\windows\system32\S24NCfg.dll
2009-09-15 04:34 . 2009-02-09 06:16 5977216 ----a-w- c:\windows\system32\drivers\NETw5x32.sys
2009-09-15 04:19 . 2009-02-09 06:16 2756608 ----a-w- c:\windows\system32\NETw5r32.dll
2009-09-15 04:18 . 2009-02-09 06:16 675840 ----a-w- c:\windows\system32\NETw5c32.dll
2009-07-10 14:20 . 2009-07-02 10:48 25 ----a-w- c:\program files\popcinfot.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{86B9B5DD-FB75-4035-BD52-3C94F7849CAF}"= "c:\program files\PC-Doctor\ATLPcdToolbar544928.dll" [2009-11-22 137712]

[HKEY_CLASSES_ROOT\clsid\{86b9b5dd-fb75-4035-bd52-3c94f7849caf}]
[HKEY_CLASSES_ROOT\ATLPcdToolbar.PcdBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{E00A7D25-2CFC-428B-8BF8-04436490448C}]
[HKEY_CLASSES_ROOT\ATLPcdToolbar.PcdBand]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOverlayHandlerAccessible]
@="{3DBF5F01-3287-46EB-82CF-45AA5C241162}"
[HKEY_CLASSES_ROOT\CLSID\{3DBF5F01-3287-46EB-82CF-45AA5C241162}]
2008-09-18 05:07 310328 ----a-w- c:\windows\system32\PGPfsshl.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2009-11-10 5244216]
"Kana Reminder"="c:\program files\KanaReminder\Reminder.exe" [2005-11-29 1185280]
"TPKMAPMN"="c:\program files\ThinkPad\Utilities\TpKmapMn.exe" [2007-09-21 49152]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2009-07-16 307768]
"Google Update"="c:\documents and settings\joj\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-24 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"pmonmh"="c:\program files\IBM\My Help\plugins\\com.ibm.myhelp.common_1.4.19" [X]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"stgclean"="c:\sdwork\w32main2.exe" [2009-11-23 297472]
"Tpam.exe"="c:\program files\IBM\Personal Communications\tpam.exe" [2007-11-02 28672]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 110592]
"TpShocks"="TpShocks.exe" [2009-07-08 337184]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2009-09-08 421888]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2009-09-08 208896]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2009-07-14 128296]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-07-14 1541416]
"TPFNF7"="c:\progra~1\Lenovo\NPDIRECT\TPFNF7SP.exe" [2009-08-03 62240]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2009-03-13 68976]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2007-01-09 868352]
"MyHelpService"="c:\program files\IBM\My Help\workspace\service\delayStart.exe" [2009-03-12 94208]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]
"vptray"="c:\progra~1\SYMANT~2\SYMANT~2\VPTray.exe" [2007-03-14 125632]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-09 144784]
"Isamtray"="c:\program files\C4ebreg\isamtray.exe" [2009-11-17 285976]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2008-10-07 256576]
"TrackPointSrv"="c:\program files\Lenovo\TrackPoint\tp4serv.exe" [2008-03-04 92960]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2009-07-29 425984]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2009-07-29 172032]
"ISSI Service"="c:\sdwork\issimsvc.exe" [2009-12-09 241392]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2009-07-22 185688]
"LPMailChecker"="c:\progra~1\THINKV~1\PrdCtr\LPMLCHK.exe" [2009-07-22 124248]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-05-11 141336]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-05-11 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-05-11 142872]
"LENOVO.TPFNF6R"="c:\program files\Lenovo\HOTKEY\TPFNF6R.exe" [2009-08-20 62752]
"picon"="c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" [2009-02-12 357400]
"C4EBReg"="c:\program files\C4ebreg\c4ebreg.exe" [2009-11-17 478488]
"SODCPreLoad"="c:\program files\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.5.0.20081031-1700\preload.exe" [2009-02-09 40960]

c:\documents and settings\joj\Start Menu\Programs\Startup\
FastStone Capture.lnk - c:\fscapture\FSCapture.exe [2009-5-5 1111552]
IBM-TVC.appref-ms [2009-11-18 298]
Stickies.lnk - c:\program files\Stickies\stickies.exe [2009-5-4 1101824]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2008-8-18 604776]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2009-2-9 50688]
PGPtray.exe.lnk - c:\windows\Installer\{01D0B438-CE21-4FAD-8845-A0F00DB65F4F}\Icon6560581611.exe [2009-8-6 55296]
TweetDeck.lnk - c:\program files\TweetDeck\TweetDeck.exe [2009-12-4 95232]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDevMgrUpdate"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{1984DD45-52CF-49cd-AB77-18F378FEA264}"= "c:\program files\Stardock\Fences\FencesMenu.dll" [2009-10-02 128360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pcsinst]
2007-11-02 10:45 49152 ----a-w- c:\windows\system32\pcsinst.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 08:37 34344 ----a-w- c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi9"=c:\docume~1\joj\LOCALS~1\Temp\tij.dat 2nEJPKEMFO

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli PGPpwflt

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSQLLauncher
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C4EBReg]
2009-11-17 18:55 478488 ----a-w- c:\program files\C4ebreg\c4ebreg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-09-08 13:09 305440 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NetSP - restore settings on power failure]
2007-01-13 08:00 24576 ----a-w- c:\program files\AT&T Network Client\NetSP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-04 17:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"IBMconfig"=dword:00000001
"FirewallDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Printer\\ScanBack\\scanwiz.exe"=
"c:\\WINDOWS\\system32\\GNabcoms.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\IBM\\My Help\\jre\\bin\\myhelpw.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57362:TCP"= 57362:TCP:Pando Media Booster
"57362:UDP"= 57362:UDP:Pando Media Booster

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [8/1/2009 12:09 AM 721904]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [6/29/2009 1:51 PM 20520]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [5/12/2008 6:04 PM 13480]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\virtualcd\VCdRom.sys [12/19/2001 11:45 AM 8576]
R2 ldlcserv6;IBM Enterprise Extender (IPv6);c:\windows\system32\drivers\ldlcserv6.exe [11/2/2007 12:09 PM 40960]
R2 pdlndldl6;IBM Enterprise Extender (HPR/IPv6);c:\windows\system32\drivers\pdlndldl6.sys [11/2/2007 12:09 PM 70656]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.exe [10/13/2008 1:32 PM 53248]
R2 SavRoam;SAVRoam;c:\program files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe [3/14/2007 7:48 PM 116416]
R2 TPHKSVC;On Screen Display;c:\program files\Lenovo\HOTKEY\TPHKSVC.exe [10/13/2008 1:35 PM 62320]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [10/16/2009 12:25 AM 2058776]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [6/13/2008 4:42 PM 243856]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [12/13/2009 2:42 AM 102448]
R3 IsamFilter;IsamFilter;c:\windows\system32\drivers\isamfilter.sys [10/7/2009 8:55 AM 6016]
S0 0261B;0261B;c:\windows\system32\drivers\0261B.SYS --> c:\windows\system32\drivers\0261B.SYS [?]
S0 0269;0269;c:\windows\system32\drivers\0269.SYS --> c:\windows\system32\drivers\0269.SYS [?]
S1 30bA;30bA;\??\c:\windows\system32\drivers\30bA.SYS --> c:\windows\system32\drivers\30bA.SYS [?]
S1 69e1C;69e1C;\??\c:\windows\system32\drivers\69e1C.SYS --> c:\windows\system32\drivers\69e1C.SYS [?]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS --> c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\Lenovo\HOTKEY\micmute.exe [5/21/2009 8:48 PM 45424]
S3 4267;4267;\??\c:\windows\system32\4267.sys --> c:\windows\system32\4267.sys [?]
S3 6fd3;6fd3;\??\c:\windows\system32\6fd3.sys --> c:\windows\system32\6fd3.sys [?]
S3 7ba2;7ba2;\??\c:\windows\system32\7ba2.sys --> c:\windows\system32\7ba2.sys [?]
S3 8b06;8b06;\??\c:\windows\system32\8b06.sys --> c:\windows\system32\8b06.sys [?]
S3 9af262;9af262;c:\windows\system32\9af262.sys [12/12/2009 3:31 PM 54624]
S3 b158;b158;\??\c:\windows\system32\b158.sys --> c:\windows\system32\b158.sys [?]
S3 b844;b844;\??\c:\windows\system32\b844.sys --> c:\windows\system32\b844.sys [?]
S3 bfturboh;BUFFALO TurboUSB for HD Filter;c:\windows\system32\drivers\bfturboh.sys [5/4/2009 3:43 PM 15872]
S3 chkproc1;chkproc1;\??\c:\documents and settings\joj\Desktop\Helios\chkproc.sys --> c:\documents and settings\joj\Desktop\Helios\chkproc.sys [?]
S3 csrcmds;csrcmds;c:\program files\IBM\Personal Communications\csrcmds.exe [11/2/2007 12:09 PM 49152]
S3 cstrcser;IBM Command Line Trace;c:\windows\system32\drivers\cstrcser.exe [11/2/2007 12:09 PM 36864]
S3 gnab_device;gnab_device;c:\windows\system32\GNabcoms.exe -service --> c:\windows\system32\GNabcoms.exe -service [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [6/10/2009 12:42 PM 38224]
S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS --> c:\program files\SUPERAntiSpyware\SASENUM.SYS [?]
S3 SDTHelper;Helper driver for SDT-Tool;\??\c:\documents and settings\joj\Desktop\xidar\sdthlpr.sys --> c:\documents and settings\joj\Desktop\xidar\sdthlpr.sys [?]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyOverride = ;<local>;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm
Trusted Zone: ibm.com\w3-950.chs
TCP: {997CA173-8700-43D9-9918-682C889E2651} = 208.67.222.222,208.67.220.220
TCP: {AECC8EBE-6AF2-4269-AA17-6E6F84A2459C} = 208.67.222.222,208.67.220.220
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\joj\Application Data\Mozilla\Firefox\Profiles\izxqrpgw.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\documents and settings\joj\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np72esk32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPeWebEditPro.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
Notify-!SASWinLogon - c:\program files\SUPERAntiSpyware\SASWINLO.dll
Notify-ACNotify - ACNotify.dll
Notify-atmgrtok - atmgrtok.dll
MSConfigStartUp-Google Pinyin 2 Autoupdater - c:\program files\Google\Google Pinyin 2\GooglePinyinDaemon.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-13 13:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: >>UNKNOWN [0x804D7000]<< >>UNKNOWN [0xF76B7000]<< >>UNKNOWN [0xF76A7000]<< >>UNKNOWN [0xF748F000]<< >>UNKNOWN [0x806FF000]<< >>UNKNOWN [0xF7B04000]<< >>UNKNOWN [0xF74D5000]<< >>UNKNOWN [0x8A6DA938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> 0xf76bbfc3
\Driver\ACPI -> 0xf7495cb8
\Driver\atapi -> 0x8a6b21f8
\Driver\iaStor -> 0xf7b4e0b0
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->NDIS: Intel® WiFi Link 5100 AGN -> SendCompleteHandler -> 0xba5f2bb0
PacketIndicateHandler -> 0xba5e1a0d
SendHandler -> 0xba5f5b40
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1564)
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\program files\IBM\Personal Communications\atmgrtok.dll
c:\program files\IBM\Personal Communications\MILLUTIL.DLL
c:\windows\system32\pcsinst.dll

- - - - - - - > 'explorer.exe'(308)
c:\windows\system32\WININET.dll
c:\windows\system32\PGPhk.dll
c:\windows\system32\PGPfsshl.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\Stardock\Fences\FencesMenu.dll
c:\program files\stardock\fences\DesktopDock.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\Intel\WiFi\bin\S24EvMon.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccProxy.exe
c:\program files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
c:\program files\IBM\Personal Communications\PCS_AGNT.EXE
c:\windows\System32\SCardSvr.exe
c:\windows\system32\Drivers\trcboot.exe
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Intel\AMT\LMS.exe
c:\notes\ntmulti.exe
c:\program files\AT&T Network Client\NetCfgSv.EXE
c:\windows\system32\PGPserv.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
c:\program files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\system32\TpKmpSVC.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\TpShocks.exe
c:\windows\system32\rundll32.exe
c:\program files\lenovo\system update\suservice.exe
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\Zoom\TpScrex.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\IBM\My Help\plugins\com.ibm.myhelp.common_1.4.19\pmonmh.exe
c:\windows\system32\Drivers\ldlcserv.exe
c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.5.0.20081031-1700\soffice.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\program files\PGP Corporation\PGP Desktop\PGPtray.exe
c:\windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe
c:\program files\IBM\My Help\MyHelp.exe
c:\program files\IBM\My Help\jre\bin\myhelpw.exe
.
**************************************************************************
.
Completion time: 2009-12-13 13:41:25 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-13 05:41

Pre-Run: 18,559,070,208 bytes free
Post-Run: 18,854,547,456 bytes free

- - End Of File - - A09F30BA506CAC868ACF1AE66A26C58D

#15 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:06:31 AM

Posted 29 December 2009 - 04:52 PM

Hi,


1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\drivers\RKL8A.tmp.sys
c:\windows\system32\9af262.sys
c:\windows\qfeC2.tmp
c:\windows\system32\drivers\0261B.SYS
c:\windows\system32\drivers\0269.SYS
c:\windows\system32\drivers\30bA.SYS
c:\windows\system32\drivers\69e1C.SYS
c:\windows\system32\4267.sys
c:\windows\system32\6fd3.sys
c:\windows\system32\7ba2.sys
c:\windows\system32\8b06.sys
c:\windows\system32\9af262.sys
c:\windows\system32\b158.sys
c:\windows\system32\b844.sys

Registry::
[-HKEY_CLASSES_ROOT\clsid\{86b9b5dd-fb75-4035-bd52-3c94f7849caf}]
[-HKEY_CLASSES_ROOT\ATLPcdToolbar.PcdBand.1]
[-HKEY_CLASSES_ROOT\TypeLib\{E00A7D25-2CFC-428B-8BF8-04436490448C}]
[-HKEY_CLASSES_ROOT\ATLPcdToolbar.PcdBand]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi9"=-

Driver::
0261B
0269
30bA
69e1C
4267
6fd3
7ba2
8b06
9af262
b158
b844

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware



