Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Antivirus Malware/Slow Computer


  • This topic is locked This topic is locked
7 replies to this topic

#1 lmarconi

lmarconi

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:02:44 AM

Posted 27 February 2010 - 09:21 PM

My laptop is a 4 yr old Thinkpad T60. I'm still running the original XP that came with the computer - I've never had the time or need to do a system wipe. As a result, there's about 4 years worth of junk on here (and I'm sure some malware, or at least remnants of malware).

Had some random fake antivirus malware pop up early. I was able to catch it quickly, shut down, boot into safe mode, disable from running on start up and manually delete the file, but I'm not positive I got all of it.

I've run Malwarebytes and done full scans with Microsoft Security Essentials and Windows Defender, but none of them have found anything. The systems running so slowly though that I'm considering doing a full system wipe and starting over with a clean slate, but it's a busy time at work and I don't have the time to reinstall everything at the moment. Would appreciate any help spotting the remnants of malware/junk on here so I can keep it secure and usable until I have the chance to do a full overhaul.

I pasted the DDS log below and attached the "Attach" log. I tried running GMER but both times I tried it it completely crashed my system - the first time I got a blue screen about halfway through the scan and the second time, the scan completed after about 3 hrs but crashed my system when I tried to save the file.

Here's the DDS log:

DDS (Ver_09-12-01.01) - NTFSx86
Run by LM at 17:46:16.65 on Sat 02/27/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1490 [GMT -5:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Nexon\MapleStory\npkcmsvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
c:\program files\lenovo\system update\suservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\PROGRA~1\THINKV~2\AMSG\amsg.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\Philips\SPC230NC\Monitor.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\Philips\Philips SPC230NC Webcam\TrayMin230.exe
C:\WINDOWS\system32\CTPdeSrv.exe
C:\Documents and Settings\LM\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [TpShocks] TpShocks.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [AMSG] c:\progra~1\thinkv~2\amsg\amsg.exe
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [CTCheck] c:\program files\creative\creative zen\zen media explorer\CTCheck.exe
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [SPC230NC_Monitor] c:\windows\philips\spc230nc\Monitor.exe
mRun: [SPC_Monitor] c:\windows\philips\spc230nc\Monitor.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nikonm~1.lnk - c:\program files\common files\nikon\monitor\NkMonitor.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\traymi~1.lnk - c:\program files\philips\philips spc230nc webcam\TrayMin230.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{ccbaa1f7-e5e1-48b2-9ed9-a79c6a37ce78}\Icon3E5562ED7.ico
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\thinkpad\bluetooth software\btsendto_ie_ctx.htm
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: aol.com\free
Trusted Zone: bu.edu\www
Trusted Zone: netflix.com\www
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} - hxxp://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4.2/jinstall-142-win.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/softwareupdate/su/ocx/15103/CTPID.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: psfus - psqlpwd.dll
Notify: tpfnf2 - notifyf2.dll
Notify: tphotkey - tphklock.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
LSA: Notification Packages = scecli psqlpwd csspwntfy
mASetup: {028E2D30-93C4-EAEB-0801-040005020704} - c:\windows\system32\drwatson.exe

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\lm~1\applic~1\mozilla\firefox\profiles\8jlhcghw.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - plugin: c:\documents and settings\lm\application data\move networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\lm\application data\move networks\plugins\npqmp071505000011.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 142832]
R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2006-8-20 58048]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2006-8-20 102463]
R2 PrivateDisk;PrivateDisk;c:\program files\ibm thinkvantage\safeguard privatedisk\privatediskm.sys [2005-11-15 46142]
R2 smi2;smi2;c:\program files\smi2\smi2.sys [2005-12-21 3968]
R2 smihlp;SMI helper driver;c:\program files\thinkvantage fingerprint software\smihlp.sys [2005-12-8 3328]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-1-26 24652]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2006-8-20 108256]
S3 PAEAFLT.sys;USB Composite Device;c:\windows\system32\drivers\PAEAFLT.sys [2009-1-1 8576]
S3 SPC230NC;Philips SPC230NC Webcam;c:\windows\system32\drivers\SPC230NC.SYS [2009-1-1 461056]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================

2010-01-30 18:28:21 0 d-----w- c:\docume~1\lm~1\applic~1\Office Genuine Advantage

==================== Find3M ====================

2010-02-24 14:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-01-19 04:53:37 230432 ----a-w- C:\SPC230NC.DAT
2010-01-08 18:41:35 20 ---h--w- c:\docume~1\alluse~1\applic~1\PKP_DLdu.DAT
2009-12-31 16:50:03 353792 ------w- c:\windows\system32\drivers\srv.sys
2009-12-31 16:50:03 353792 ------w- c:\windows\system32\dllcache\srv.sys
2009-12-21 13:19:18 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-16 18:43:27 343040 ------w- c:\windows\system32\mspaint.exe
2009-12-16 18:43:27 343040 ------w- c:\windows\system32\dllcache\mspaint.exe
2009-12-14 07:08:23 33280 ------w- c:\windows\system32\dllcache\csrsrv.dll
2009-12-14 07:08:23 33280 ------w- c:\windows\system32\csrsrv.dll
2009-12-11 03:14:02 49184 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-09 05:53:44 726528 ----a-w- c:\windows\system32\dllcache\jscript.dll
2009-12-08 19:27:51 2189184 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-12-08 19:26:15 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 19:26:15 2145280 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-12-08 18:43:51 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-08 18:43:51 2023936 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-12-08 18:43:50 2066048 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-12-08 09:23:28 474112 ------w- c:\windows\system32\dllcache\shlwapi.dll
2009-12-04 18:22:22 455424 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2009-08-31 00:00:18 16384 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2008-09-28 17:15:04 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092820080929\index.dat

============= FINISH: 17:47:11.03 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 lmarconi

lmarconi
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:02:44 AM

Posted 04 March 2010 - 12:34 AM

Hi,

Not trying to bump my topic or anything and I know you guys are very busy, but I just want to make sure that this is something you guys can help with...I'm afraid to do any online banking or use any sensitive passwords until I get the a-ok that I completely obliterated the virus...

If this isn't something you can help with or you're too busy, please let me know!

- L

#3 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:44 AM

Posted 04 March 2010 - 05:53 PM

Hi lmarconi,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum and apologies for the delay. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
  • You will get a warning about the not trusted download sites for ComboFix, click Yes.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.

#4 lmarconi

lmarconi
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:02:44 AM

Posted 04 March 2010 - 09:31 PM

Hi

Thanks so much for your help, much appreciated.

Ran ComboFix after I got your message with all antivirus software turned off. Log is below, hope it's clean!

ComboFix 10-03-04.02 - Lucia Marconi 03/04/2010 21:10:13.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1506 [GMT -5:00]
Running from: c:\documents and settings\Lucia Marconi\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\popcaploader.inf

.
((((((((((((((((((((((((( Files Created from 2010-02-05 to 2010-03-05 )))))))))))))))))))))))))))))))
.

2010-03-04 03:50 . 2010-03-04 03:50 -------- d-----w- c:\documents and settings\Lucia Marconi\vue_2
2010-03-04 03:49 . 2010-03-04 03:49 -------- d-----w- c:\program files\VUE
2010-03-04 03:49 . 2010-03-04 03:49 -------- d--h--w- c:\program files\Zero G Registry
2010-03-04 03:49 . 2010-03-04 03:49 -------- d--h--w- c:\documents and settings\Lucia Marconi\InstallAnywhere
2010-02-28 02:37 . 2010-02-28 04:50 -------- d-----w- c:\program files\Sophos
2010-02-28 02:32 . 2010-02-28 02:32 388096 ----a-r- c:\documents and settings\Lucia Marconi\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-02-28 02:32 . 2010-02-28 02:32 -------- d-----w- c:\program files\TrendMicro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-04 22:32 . 2009-02-12 13:33 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-03-04 16:29 . 2007-12-30 02:18 -------- d-----w- c:\documents and settings\Lucia Marconi\Application Data\.purple
2010-03-02 04:50 . 2008-12-15 23:28 -------- d-----w- c:\program files\Songbird
2010-02-28 04:48 . 2006-06-29 12:11 -------- d-----w- c:\program files\HP
2010-02-28 04:45 . 2007-07-29 19:17 -------- d-----w- c:\program files\DivX
2010-02-28 04:45 . 2006-06-29 11:30 -------- d-----w- c:\program files\AIM
2010-02-28 04:44 . 2006-06-29 11:30 -------- d-----w- c:\documents and settings\Lucia Marconi\Application Data\Aim
2010-02-24 14:16 . 2009-10-02 16:16 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-15 21:24 . 2009-01-01 21:20 -------- d-----w- c:\documents and settings\Lucia Marconi\Application Data\Skype
2010-02-15 21:05 . 2009-01-01 21:21 -------- d-----w- c:\documents and settings\Lucia Marconi\Application Data\skypePM
2010-01-30 18:28 . 2010-01-30 18:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-01-30 18:28 . 2010-01-30 18:28 -------- d-----w- c:\documents and settings\Lucia Marconi\Application Data\Office Genuine Advantage
2010-01-28 16:42 . 2009-02-12 13:33 -------- d-----w- c:\documents and settings\Lucia Marconi\Application Data\Thunderbird
2010-01-21 18:51 . 2010-01-21 18:51 -------- d-----w- c:\program files\Audacity
2010-01-19 04:53 . 2009-01-01 21:09 230432 ----a-w- C:\SPC230NC.DAT
2010-01-18 02:15 . 2010-01-18 02:15 -------- d-----w- c:\program files\7-Zip
2010-01-15 02:37 . 2007-12-30 03:36 -------- d-----w- c:\documents and settings\Lucia Marconi\Application Data\gtk-2.0
2010-01-08 18:41 . 2009-01-02 18:47 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2009-12-31 16:50 . 1980-01-01 07:00 353792 ------w- c:\windows\system32\drivers\srv.sys
2009-12-30 04:23 . 2009-12-30 04:23 281 ----a-w- c:\windows\EReg072.dat
2009-12-21 19:14 . 1980-01-01 07:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-17 02:39 . 2009-12-17 02:39 79488 ----a-w- c:\documents and settings\Lucia Marconi\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-16 18:43 . 2004-08-09 17:51 343040 ------w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 1980-01-01 07:00 33280 ------w- c:\windows\system32\csrsrv.dll
2009-12-11 03:14 . 2009-12-11 03:14 49184 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-08 19:26 . 1980-01-01 07:00 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2004-08-04 05:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2007-07-17 868352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-09-15 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-09-15 512000]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2005-10-29 864256]
"TpShocks"="TpShocks.exe" [2005-11-07 106496]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-12-15 925696]
"AMSG"="c:\progra~1\THINKV~2\AMSG\amsg.exe" [2005-11-14 487424]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2005-12-07 151552]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-12-07 208896]
"CTCheck"="c:\program files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe" [2007-11-06 397312]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"SPC230NC_Monitor"="c:\windows\Philips\SPC230NC\Monitor.exe" [2007-12-10 323584]
"SPC_Monitor"="c:\windows\Philips\SPC230NC\Monitor.exe" [2007-12-10 323584]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2009-09-13 1048392]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2007-10-18 479232]
TrayMin230.lnk - c:\program files\Philips\Philips SPC230NC Webcam\TrayMin230.exe [2009-1-1 241664]
VPN Client.lnk - c:\windows\Installer\{CCBAA1F7-E5E1-48B2-9ED9-A79C6A37CE78}\Icon3E5562ED7.ico [2008-6-19 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2005-12-08 21:59 39936 ------w- c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 06:45 28672 ------w- c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-12-01 03:16 24576 ------w- c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
backup=c:\windows\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
2008-04-14 01:12 110592 ----a-w- c:\windows\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cssauth]
2005-12-22 01:08 1996336 ------w- c:\program files\IBM ThinkVantage\Client Security Solution\cssauth.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSyncU.exe]
2007-07-17 15:03 868352 ------w- c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2005-11-28 20:55 98304 ------w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-09-09 01:09 305440 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]
2004-08-06 10:50 139320 ------w- c:\program files\Network Associates\Common Framework\UpdaterUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando Media Booster]
2009-10-08 23:49 2919608 ----a-w- c:\program files\Pando Networks\Media Booster\PMB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDService.exe]
2005-11-15 20:13 49152 ------r- c:\program files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 05:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2008-11-18 21:31 21633320 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2009-01-05 16:28 1410296 ----a-w- c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-09-25 05:11 132496 ------w- c:\program files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPHOTKEY]
2006-03-09 23:14 94208 ------w- c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-30 20:45 313472 ------r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\iTunes\\Last.fm\\LastFM.exe"=
"c:\\Program Files\\Pidgin\\pidgin.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Philips\\Intelligent Agent\\Philips Intelligent Agent.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=
"c:\\Program Files\\Songbird\\songbird.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58729:TCP"= 58729:TCP:Pando Media Booster
"58729:UDP"= 58729:UDP:Pando Media Booster
"56727:TCP"= 56727:TCP:Pando Media Booster
"56727:UDP"= 56727:UDP:Pando Media Booster

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/18/2009 8:45 PM 721904]
R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [8/20/2006 12:02 PM 58048]
R2 PrivateDisk;PrivateDisk;c:\program files\IBM ThinkVantage\SafeGuard PrivateDisk\privatediskm.sys [11/15/2005 3:11 PM 46142]
R2 smi2;smi2;c:\program files\SMI2\smi2.sys [12/21/2005 6:45 PM 3968]
R2 smihlp;SMI helper driver;c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [12/8/2005 4:44 PM 3328]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/26/2009 5:25 PM 24652]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\8.tmp --> c:\windows\system32\8.tmp [?]
S3 PAEAFLT.sys;USB Composite Device;c:\windows\system32\drivers\PAEAFLT.sys [1/1/2009 4:00 PM 8576]
S3 SPC230NC;Philips SPC230NC Webcam;c:\windows\system32\drivers\SPC230NC.SYS [1/1/2009 4:00 PM 461056]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{028E2D30-93C4-EAEB-0801-040005020704}]
2004-08-04 05:59 28112 ------w- c:\windows\system32\drwatson.exe
.
Contents of the 'Scheduled Tasks' folder

2010-02-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-03-05 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]

2010-03-05 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2006-06-02 08:12]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: aol.com\free
Trusted Zone: bu.edu\www
Trusted Zone: netflix.com\www
FF - ProfilePath - c:\documents and settings\Lucia Marconi\Application Data\Mozilla\Firefox\Profiles\8jlhcghw.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - plugin: c:\documents and settings\Lucia Marconi\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\Lucia Marconi\Application Data\Move Networks\plugins\npqmp071505000011.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - .
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-ACWLIcon - c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe
MSConfigStartUp-dajsdxxh - c:\documents and settings\Lucia Marconi\Local Settings\Application Data\pqkvwc\jdufsftav.exe
MSConfigStartUp-ISUSScheduler - c:\program files\Common Files\InstallShield\UpdateService\issch.exe
MSConfigStartUp-lphcnuhj0e105 - c:\windows\system32\lphcnuhj0e105.exe
MSConfigStartUp-LPManager - c:\progra~1\THINKV~2\PrdCtr\LPMGR.exe
MSConfigStartUp-Picasa Media Detector - c:\program files\Picasa2\PicasaMediaDetector.exe
MSConfigStartUp-SMrhcjuhj0e105 - c:\program files\rhcjuhj0e105\rhcjuhj0e105.exe
AddRemove-Simtowerv1.0 - c:\maxis\Simtower\DeIsL1.isu



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-04 21:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\8.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-918050642-2503048208-469574750-1005\Software\Creative Tech\Component Installed\{B17F00C9-19EC-43A2-BD81-44D8E5D4D994}\Object\{00000000-0000-0000-0000-000000000000}\User Settings\4*3*9 ]
"AlwaysCovertFormat"=dword:00000000
"Format"=dword:00000000
"Format_Channel"=dword:00000002
"Format_Value"=dword:00000000
"Format_Quality"=dword:0001f400
"Encoding Language"=dword:00000000

[HKEY_USERS\S-1-5-21-918050642-2503048208-469574750-1005\Software\Creative Tech\Component Installed\{B17F00C9-19EC-43A2-BD81-44D8E5D4D994}\Object\{00000000-0000-0000-0000-000000000000}\User Settings\D*1*9 ]
"AlwaysCovertFormat"=dword:00000000
"Format"=dword:00000000
"Format_Channel"=dword:00000002
"Format_Value"=dword:00000000
"Format_Quality"=dword:0001f400
"Encoding Language"=dword:00000000

[HKEY_USERS\S-1-5-21-918050642-2503048208-469574750-1005\Software\Creative Tech\Component Installed\{B17F00C9-19EC-43A2-BD81-44D8E5D4D994}\Object\{00000000-0000-0000-0000-000000000000}\User Settings\L*1*9 ]
"AlwaysCovertFormat"=dword:00000000
"Format"=dword:00000000
"Format_Channel"=dword:00000002
"Format_Value"=dword:00000000
"Format_Quality"=dword:0001f400
"Encoding Language"=dword:00000000

[HKEY_USERS\S-1-5-21-918050642-2503048208-469574750-1005\Software\Creative Tech\Component Installed\{B17F00C9-19EC-43A2-BD81-44D8E5D4D994}\Object\{00000000-0000-0000-0000-000000000000}\User Settings\*9 *]
"AlwaysCovertFormat"=dword:00000000
"Format"=dword:00000000
"Format_Channel"=dword:00000002
"Format_Value"=dword:00000000
"Format_Quality"=dword:0001f400
"Encoding Language"=dword:00000000

[HKEY_USERS\S-1-5-21-918050642-2503048208-469574750-1005\Software\Creative Tech\Component Installed\{B17F00C9-19EC-43A2-BD81-44D8E5D4D994}\Object\{00000000-0000-0000-0000-000000000000}\User Settings\*-*9 ]
"AlwaysCovertFormat"=dword:00000000
"Format"=dword:00000000
"Format_Channel"=dword:00000002
"Format_Value"=dword:00000000
"Format_Quality"=dword:0001f400
"Encoding Language"=dword:00000000

[HKEY_USERS\S-1-5-21-918050642-2503048208-469574750-1005\Software\Creative Tech\Component Installed\{B17F00C9-19EC-43A2-BD81-44D8E5D4D994}\Object\{00000000-0000-0000-0000-000000000000}\User Settings\* *s*]
"AlwaysCovertFormat"=dword:00000000
"Format"=dword:00000000
"Format_Channel"=dword:00000002
"Format_Value"=dword:00000000
"Format_Quality"=dword:0001f400
"Encoding Language"=dword:00000000

[HKEY_USERS\S-1-5-21-918050642-2503048208-469574750-1005\Software\Creative Tech\Component Installed\{B17F00C9-19EC-43A2-BD81-44D8E5D4D994}\Object\{00000000-0000-0000-0000-000000000000}\User Settings\*1*9 ]
"AlwaysCovertFormat"=dword:00000000
"Format"=dword:00000000
"Format_Channel"=dword:00000002
"Format_Value"=dword:00000000
"Format_Quality"=dword:0001f400
"Encoding Language"=dword:00000000

[HKEY_USERS\S-1-5-21-918050642-2503048208-469574750-1005\Software\Creative Tech\Component Installed\{B17F00C9-19EC-43A2-BD81-44D8E5D4D994}\Object\{00000000-0000-0000-0000-000000000000}\User Settings\ **]
"AlwaysCovertFormat"=dword:00000000
"Format"=dword:00000000
"Format_Channel"=dword:00000002
"Format_Value"=dword:00000000
"Format_Quality"=dword:0001f400
"Encoding Language"=dword:00000000

[HKEY_USERS\S-1-5-21-918050642-2503048208-469574750-1005\Software\Creative Tech\Component Installed\{B17F00C9-19EC-43A2-BD81-44D8E5D4D994}\Object\{00000000-0000-0000-0000-000000000000}\User Settings\ y**]
"AlwaysCovertFormat"=dword:00000000
"Format"=dword:00000000
"Format_Channel"=dword:00000002
"Format_Value"=dword:00000000
"Format_Quality"=dword:0001f400
"Encoding Language"=dword:00000000

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1360)
c:\windows\system32\vrlogon.dll
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\windows\system32\biologon.dll
c:\program files\ThinkVantage Fingerprint Software\homepass.dll
c:\program files\ThinkVantage Fingerprint Software\bio.dll
c:\program files\ThinkVantage Fingerprint Software\remote.dll
c:\windows\system32\tphklock.dll
c:\program files\ThinkVantage Fingerprint Software\crypto.dll

- - - - - - - > 'lsass.exe'(1416)
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll

- - - - - - - > 'explorer.exe'(2796)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\system32\CTsvcCDA.EXE
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\nexon\MapleStory\npkcmsvc.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\System32\TPHDEXLG.EXE
c:\windows\system32\TpKmpSVC.exe
c:\program files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
c:\program files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\lenovo\system update\suservice.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\TpShocks.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\CTPdeSrv.exe
.
**************************************************************************
.
Completion time: 2010-03-04 21:25:23 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-05 02:25
ComboFix2.txt 2009-07-04 16:54
ComboFix3.txt 2009-07-04 16:46

Pre-Run: 22,270,017,536 bytes free
Post-Run: 22,285,619,200 bytes free

- - End Of File - - 2EC3423247D83A69ECE6D8EC199295C8


#5 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:44 AM

Posted 04 March 2010 - 09:57 PM

Seems ComboFix is run many times.!
  1. Close any open browsers.

    Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

    CODE
    DDS::
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    Trusted Zone: aol.com\free
    Trusted Zone: bu.edu\www
    Trusted Zone: netflix.com\www
    Registry::
    [HKEY_CURRENT_USSER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "ProxyEnable"=-
    [HKEY_CURRENT_USSER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "ProxyServer "=-
    skipfix::


    Save this as CFScript.txt, in the same location as ComboFix.exe




    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you ( "C:\ComboFix.txt"). Please copy and paste the log to your reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall


  2. Optional:Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This changed from what we know in 2006 read this article:

    http://www.clickz.com/news/article.php/3561546

    I suggest you uninstall the following program via Add or Remove Programs if your are using it:

    Viewpoint Media Player.

    If you uninstalled it also remove the folder in bold: C:\Program Files\Viewpoint

  3. Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "JDK 6 Update 18 (JDK or JRE)".
    • Click the Download JRE button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java versions.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u18-windows-i586.exe to install the newest version.


#6 lmarconi

lmarconi
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:02:44 AM

Posted 05 March 2010 - 11:31 AM

Hi farbar,

Thanks again for your help. Looks like Combofix deleted some IE settings, which is good because I only use Firefox anyways.

I removed Viewpoint and I removed 4 different Java programs and installed the latest version of Java. I attached the Combofix log since it was too long to paste.

Thanks again for your help!

Attached Files

  • Attached File  log.txt   226.23KB   3 downloads


#7 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:44 AM

Posted 05 March 2010 - 11:51 AM

You need IE to update Windows. That is why we cleaned those settings.

It looks good. thumbup2.gif
  1. It is important to uninstall ComboFix.

    Go to Start => Run => copy and paste next command in the field then hit enter:

    ComboFix /Uninstall

    This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

    It makes a clean Restore Point and clears all the old restore points in order to prevent possible reinfection from an old one through system restore.

  2. You remove other tools or logs from your computer.

Happy Surfing lmarconi. smile.gif

#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:44 AM

Posted 11 March 2010 - 04:26 PM

You are most welcome. smile.gif

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users