
Computer Infected!


  • This topic is locked
41 replies to this topic

#1 DiCanio

  • Members
  • 70 posts

Posted 08 April 2010 - 11:14 AM

I tried running GMER 6 or 7 times and all it did was freeze my computer. Also, my antivirus program refuses to run a scan for some reason.


DDS (Ver_10-03-17.01) - NTFSx86
Run by 100350691 at 22:02:03.82 on 07/04/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2030.1295 [GMT -4:00]

AV: F-Secure Client Security 8.01 *On-access scanning enabled* (Updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}

============== Running Processes ===============

svchost.exe
C:\WINDOWS\System32\svchost -k DComLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\LANDesk\Shared Files\rainstall.exe
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LANDesk\LDClient\policy.client.invoker.exe
C:\Program Files\LANDesk\LDClient\amtmon.exe
C:\Program Files\F-Secure\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\PROGRA~1\LANDesk\LDClient\collector.exe
C:\PROGRA~1\LANDesk\LDClient\LDInventoryProvider.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\LANDesk\LDClient\softmon.exe
C:\Program Files\Software Secure, Inc\SSIRuntimeService\SSIRuntimeService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\TPHDEXLG.exe
C:\WINDOWS\system32\WebUpdateSvc4.exe
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\Program Files\F-Secure\FSAUA\program\fsaua.exe
C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\PROGRA~1\LANDesk\LDClient\rcgui.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\ThinkPad\UTILIT~1\PWMUIAux.exe
D:\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: profitizeme browser enhancer: {7e1f6620-3469-12a3-e6fb-7dae3e66ff52} - c:\windows\system32\fezwramhpvolm.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [uTorrent] "c:\program files\utorrent\utorrent .exe"
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [TPFNF7] c:\progra~1\lenovo\npdirect\TPFNF7SP.exe /r
mRun: [TpShocks] TpShocks.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [indrerrm] "c:\windows\system32\$.indrerrm\indrerrm"
mRun: [Jqumepetiyogo] rundll32.exe "c:\windows\ahepogicab.dll",Startup
StartupFolder: c:\docume~1\100350~1\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
uPolicies-explorer: NoWelcomeScreen = 1 (0x1)
uPolicies-explorer: NoAutoUpdate = 0 (0x0)
uPolicies-explorer: NoStartMenuNetworkPlaces = 1 (0x1)
uPolicies-explorer: NoSecurityTab = 1 (0x1)
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
mPolicies-system: SynchronousMachineGroupPolicy = 0 (0x0)
mPolicies-system: SynchronousUserGroupPolicy = 0 (0x0)
mPolicies-system: DisableStatusMessages = 1 (0x1)
mPolicies-system: LogonType = 0 (0x0)
mPolicies-system: AllowMultipleTSSessions = 1 (0x1)
IE: E&xport to Microsoft Exce

Attached Files
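The autorun section of the DDS log above (the BHO, uRun and mRun lines) is where a helper looks first, and several of its entries show the patterns that matter: a Run value whose file name carries a space before `.exe` (`utorrent .exe`), a module in a `$.`-prefixed directory with no extension, a DLL dropped directly into `c:\windows` and loaded through rundll32, a BHO backed by a generated-looking DLL name, and a CLSID with no file behind it. The script below is an added example, not part of the thread and not DDS code; it parses those line formats and flags entries on exactly those heuristics. The sample input is a constructed subset of lines copied from the posted log, and the thresholds in `looks_generated` are the editor's own choice, not a published rule.

```python
import re

# Constructed sample: a subset of the BHO / uRun / mRun lines from the DDS log above.
SAMPLE_LOG = r"""
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: profitizeme browser enhancer: {7e1f6620-3469-12a3-e6fb-7dae3e66ff52} - c:\windows\system32\fezwramhpvolm.dll
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [uTorrent] "c:\program files\utorrent\utorrent .exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [indrerrm] "c:\windows\system32\$.indrerrm\indrerrm"
mRun: [Jqumepetiyogo] rundll32.exe "c:\windows\ahepogicab.dll",Startup
"""

# DDS "Pseudo HJT" line shapes: BHO entries carry an optional name, a CLSID and a target;
# Run entries carry the value name in brackets followed by the command line.
BHO_RE = re.compile(r'^BHO:\s*(?:(?P<name>.+?):\s*)?(?P<clsid>\{[0-9A-Fa-f-]+\})\s*-\s*(?P<target>.*)$')
RUN_RE = re.compile(r'^[um]Run:\s*\[(?P<label>[^\]]+)\]\s*(?P<cmd>.*)$')


def module_path(cmd):
    """Pick the module a Run value actually loads: first quoted string, else first drive path, else first token."""
    m = re.search(r'"([^"]+)"', cmd)
    if m:
        return m.group(1)
    m = re.search(r'[A-Za-z]:\\[^,\s]+', cmd)
    if m:
        return m.group(0)
    tokens = cmd.split()
    return tokens[0] if tokens else ''


def looks_generated(stem):
    """Crude 'random name' test (editor's thresholds): >=8 letters with a 4+ consonant run or under 20% vowels."""
    letters = re.sub(r'[^a-z]', '', stem.lower())
    if len(letters) < 8:
        return False
    vowels = sum(c in 'aeiouy' for c in letters)
    longest_run = max(len(r) for r in re.findall(r'[^aeiouy]+', letters) or [''])
    return longest_run >= 4 or vowels / len(letters) < 0.2


def path_reasons(path):
    """Return the list of heuristics a module path trips; empty list means nothing stood out."""
    reasons = []
    parts = path.lower().split('\\')
    base = parts[-1]
    if re.search(r'\s+\.(exe|dll|scr|com)$', base):
        reasons.append('whitespace before the extension (lookalike of a legitimate file name)')
    if any(p.startswith('$') for p in parts[:-1]):
        reasons.append('loaded from a directory whose name starts with "$"')
    if '.' not in base:
        reasons.append('module has no file extension')
    if len(parts) == 3 and re.fullmatch(r'[a-z]:', parts[0]) and parts[1] == 'windows':
        reasons.append('module sits directly in the Windows directory, not in a subdirectory')
    if looks_generated(base.split('.')[0]):
        reasons.append('file name looks machine-generated')
    return reasons


def triage(log_text):
    """Return {label: [reasons]} for every autorun entry that trips at least one heuristic."""
    flagged = {}
    for line in log_text.splitlines():
        line = line.strip()
        m = BHO_RE.match(line)
        if m:
            label = m.group('name') or m.group('clsid')
            target = m.group('target')
            reasons = (['registered CLSID with no backing file']
                       if target.lower() == 'no file' else path_reasons(target))
        else:
            m = RUN_RE.match(line)
            if not m:
                continue
            label = m.group('label')
            reasons = path_reasons(module_path(m.group('cmd')))
        if reasons:
            flagged[label] = reasons
    return flagged


if __name__ == '__main__':
    for label, reasons in triage(SAMPLE_LOG).items():
        print(f'{label}: ' + '; '.join(reasons))
```

Treat the output as a review queue, not a verdict: a terse vendor name such as the log's `TpShocks.exe` is long enough to trip the generated-name test, and a DLL in `c:\windows` is a flag, not proof. The ComboFix run later in this thread deleted `ctfmon .exe` and `tpshocks .exe` from system32, the same space-before-extension pattern the `uTorrent` entry shows.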





#2 myrti

  • Malware Study Hall Admin
  • 33,766 posts

Posted 12 April 2010 - 10:01 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. In the custom scan box paste the following:
    CODE
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    /md5stop
    %systemroot%\*. /mp /s
  6. Push the button.
  7. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt<--Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!


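The `/md5start` ... `/md5stop` block in the OTL custom scan above asks OTL to print the MD5 of each listed storage driver, because the MBR and driver rootkits of that period patched whichever miniport driver owned the boot disk (on this machine iaStor.sys, which the mbr.exe output later in the thread shows in the disk stack), and the helper compares those hashes with known-good values. The script below is an added example, not OTL's code and not part of the thread: it takes the same driver list and cross-checks each live copy in `system32\drivers` against the SFC copy in `system32\dllcache`. A mismatch is worth a look; a match proves little, because a rootkit that hooks file reads (the kind that crashes GMER) can hand clean bytes to any user-mode reader, and the dllcache copy can be patched too. The `demo()` fixture builds a throwaway directory tree with constructed files so the check runs offline; the paths and the `SystemRoot` fallback are assumptions for a Windows XP layout.

```python
import hashlib
import os
import tempfile

# Driver names copied from the OTL /md5start ... /md5stop list in the post above.
DRIVER_NAMES = [
    'iaStor.sys', 'nvstor.sys', 'atapi.sys', 'IdeChnDr.sys', 'viasraid.sys',
    'AGP440.sys', 'vaxscsi.sys', 'nvatabus.sys', 'viamraid.sys', 'nvata.sys',
    'nvgts.sys', 'iastorv.sys', 'ViPrt.sys', 'ahcix86.sys', 'KR10N.sys',
    'nvstor32.sys', 'ahcix86s.sys', 'nvrd32.sys',
]


def md5_file(path, chunk=1 << 16):
    """MD5 of a file read in chunks (MD5 because that is what the OTL directive reports)."""
    h = hashlib.md5()
    with open(path, 'rb') as f:
        for block in iter(lambda: f.read(chunk), b''):
            h.update(block)
    return h.hexdigest()


def compare_driver_copies(names, drivers_dir, dllcache_dir):
    """For each driver name, compare the live copy with the SFC cache copy.

    Returns {name: status} where status is one of
      'absent'         neither copy exists (driver not installed; normal)
      'no-cache-copy'  live driver present, nothing to compare against
      'match'          identical bytes (not proof of cleanliness, see lead-in)
      'MISMATCH'       live file differs from the cached file; inspect by hand
    """
    report = {}
    for name in names:
        live = os.path.join(drivers_dir, name)
        cached = os.path.join(dllcache_dir, name)
        if not os.path.exists(live):
            report[name] = 'absent'
        elif not os.path.exists(cached):
            report[name] = 'no-cache-copy'
        elif md5_file(live) == md5_file(cached):
            report[name] = 'match'
        else:
            report[name] = 'MISMATCH'
    return report


def demo():
    """Constructed fixture: a fake system32 tree with one clean, one patched and one uncached driver."""
    root = tempfile.mkdtemp()
    drivers = os.path.join(root, 'drivers')
    dllcache = os.path.join(root, 'dllcache')
    os.makedirs(drivers)
    os.makedirs(dllcache)
    clean = b'MZ' + b'\x00' * 510                 # stand-in for a genuine driver image
    patched = clean[:-16] + b'\x90' * 16          # same size, tail overwritten, as a patching rootkit does
    for d in (drivers, dllcache):                 # AGP440.sys: live and cached copies agree
        with open(os.path.join(d, 'AGP440.sys'), 'wb') as f:
            f.write(clean)
    with open(os.path.join(drivers, 'atapi.sys'), 'wb') as f:   # atapi.sys: live copy patched
        f.write(patched)
    with open(os.path.join(dllcache, 'atapi.sys'), 'wb') as f:
        f.write(clean)
    with open(os.path.join(drivers, 'iaStor.sys'), 'wb') as f:  # iaStor.sys: no cached copy
        f.write(clean)
    return compare_driver_copies(DRIVER_NAMES, drivers, dllcache)


if __name__ == '__main__':
    sysroot = os.environ.get('SystemRoot', r'C:\WINDOWS')
    drivers = os.path.join(sysroot, 'system32', 'drivers')
    dllcache = os.path.join(sysroot, 'system32', 'dllcache')
    result = compare_driver_copies(DRIVER_NAMES, drivers, dllcache) if os.path.isdir(drivers) else demo()
    for name, status in sorted(result.items()):
        print(f'{status:14} {name}')
```

Run it from the infected system only as a first signal; the hashes that matter are the ones taken from a clean boot (recovery console, a boot CD) and compared against a known-good copy of the same driver version.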

#3 DiCanio

  • Topic Starter

Posted 12 April 2010 - 11:10 AM

The reports close as soon as I open them (it says the files are infected), so I just attached them. My computer is in very poor condition right now. I hope something can be done. I appreciate your help.


Also, it's very difficult for me to be in normal mode (popups and interruptions constantly), so if you can please let me know what I can and cannot do in safe mode, that would make my life so much easier. Thanks again!

Attached Files


Edited by DiCanio, 12 April 2010 - 11:14 AM.


#4 myrti


Posted 12 April 2010 - 02:28 PM

Hi,

Could you please try to run the GMER scan in safe mode and let me know if it completes?

regards myrti



#5 DiCanio

  • Topic Starter

Posted 12 April 2010 - 03:06 PM

I tried the GMER scan several times before (and again just now), and the end result is a blue screen and my computer shutting down every time.

#6 myrti


Posted 12 April 2010 - 05:55 PM

Hi,

Please run a scan with RootRepeal instead:
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract the contents of RootRepeal.zip, to your desktop.
  • Double click on the RootRepeal icon on your desktop.
  • Click on the report tab, then click scan
  • Check all seven boxes:
    Drivers
    Files
    Processes
    SSDT
    Stealth Objects
    Hidden Services
    Shadow SSDT
  • Click Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, Click the Save Report button. Save the log as RootRepeal.txt and post it in your next reply.

As well as a scan with mbr:
Please download mbr.exe and save it to your root directory, usually C:\ <- (Important!).
  • Go to Start > Run and type: cmd.exe
  • press Ok.
  • At the command prompt type: c:\mbr.exe -t >"C:\mbr.log"
    Note: There is a blank between mbr.exe and -t.
  • press Enter.
  • A log file named mbr.log will be created and saved to the root of the system drive (usually C:\). The file will not open automatically, you need to go to C:\mbr.log yourself and open it.
  • Copy and paste the results of the mbr.log in your next reply.

regards myrti



#7 DiCanio

  • Topic Starter

Posted 12 April 2010 - 06:57 PM

1.
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/04/12 19:38
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_iastor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iastor.sys
Address: 0xB9CC4000 Size: 892928 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB8E5B000 Size: 49152 File Visible: No Signed: -
Status: -

==EOF==



2.
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll iaStor.sys
kernel: MBR read successfully
user & kernel MBR OK


#8 DiCanio

  • Topic Starter

Posted 13 April 2010 - 02:50 PM

^I hope those are the right logs, btw!

Also, I hate to be pushy, but I would really appreciate it if things can be done as quickly as possible. I've got exams coming up in school and I need my computer up and running quickly. I'll be online all day tomorrow starting at around 11am, so my replies will be almost instantaneous! Let's get this solved!


Thanks so much, I really really appreciate it.

Edited by DiCanio, 13 April 2010 - 09:58 PM.


#9 myrti


Posted 14 April 2010 - 01:09 PM

Hi,

How late is it at your place?
Please run a scan with ComboFix:
Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools.
    Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

regards myrti



#10 DiCanio

  • Topic Starter

Posted 14 April 2010 - 01:51 PM

It is 2:50pm for me right now.

ComboFix 10-04-14.01 - 100350691 14/04/2010 14:34:26.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2030.1342 [GMT -4:00]
Running from: d:\my documents\Downloads\ComboFix.exe
AV: F-Secure Client Security 8.01 *On-access scanning enabled* (Updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\100350691\Local Settings\Application Data\{29566559-11A0-4F55-BD94-0A5B6F60E7D9}
c:\documents and settings\100350691\Local Settings\Application Data\{29566559-11A0-4F55-BD94-0A5B6F60E7D9}\chrome.manifest
c:\documents and settings\100350691\Local Settings\Application Data\{29566559-11A0-4F55-BD94-0A5B6F60E7D9}\chrome\content\_cfg.js
c:\documents and settings\100350691\Local Settings\Application Data\{29566559-11A0-4F55-BD94-0A5B6F60E7D9}\chrome\content\overlay.xul
c:\documents and settings\100350691\Local Settings\Application Data\{29566559-11A0-4F55-BD94-0A5B6F60E7D9}\install.rdf
c:\recycler\S-1-5-21-1078081533-630328440-725345543-1007
c:\recycler\S-1-5-21-1078081533-630328440-725345543-500
c:\recycler\S-1-5-21-3480948581-185864461-3731221626-500
c:\recycler\temp-106494
c:\recycler\temp-1076960
c:\recycler\temp-1141264
c:\recycler\temp-1146547
c:\recycler\temp-1158125
c:\recycler\temp-1178489
c:\recycler\temp-1196441
c:\recycler\temp-1227615
c:\recycler\temp-1235649
c:\recycler\temp-1236719
c:\recycler\temp-1246541
c:\recycler\temp-1247959
c:\recycler\temp-1255099
c:\recycler\temp-131577
c:\recycler\temp-1376990
c:\recycler\temp-1385019
c:\recycler\temp-1390201
c:\recycler\temp-1422426
c:\recycler\temp-1426761
c:\recycler\temp-1445183
c:\recycler\temp-1471290
c:\recycler\temp-1489013
c:\recycler\temp-1490948
c:\recycler\temp-152282
c:\recycler\temp-1527479
c:\recycler\temp-1551019
c:\recycler\temp-1575759
c:\recycler\temp-1604186
c:\recycler\temp-1638228
c:\recycler\temp-1645150
c:\recycler\temp-164692
c:\recycler\temp-1667736
c:\recycler\temp-1681245
c:\recycler\temp-1779678
c:\recycler\temp-1832003
c:\recycler\temp-1840563
c:\recycler\temp-1843732
c:\recycler\temp-187981
c:\recycler\temp-1943987
c:\recycler\temp-1950158
c:\recycler\temp-1952633
c:\recycler\temp-1994021
c:\recycler\temp-1994911
c:\recycler\temp-2036620
c:\recycler\temp-204777
c:\recycler\temp-2049101
c:\recycler\temp-2053421
c:\recycler\temp-2067366
c:\recycler\temp-2076868
c:\recycler\temp-2082769
c:\recycler\temp-2086858
c:\recycler\temp-2086989
c:\recycler\temp-2092072
c:\recycler\temp-2124160
c:\recycler\temp-2175290
c:\recycler\temp-2175436
c:\recycler\temp-2176250
c:\recycler\temp-2189653
c:\recycler\temp-2222224
c:\recycler\temp-2256590
c:\recycler\temp-2318769
c:\recycler\temp-2320721
c:\recycler\temp-2327933
c:\recycler\temp-232846
c:\recycler\temp-2370055
c:\recycler\temp-2401685
c:\recycler\temp-2430081
c:\recycler\temp-2441928
c:\recycler\temp-2459382
c:\recycler\temp-2459865
c:\recycler\temp-2504477
c:\recycler\temp-2525679
c:\recycler\temp-2539045
c:\recycler\temp-255020
c:\recycler\temp-2553862
c:\recycler\temp-2564903
c:\recycler\temp-2585664
c:\recycler\temp-2585671
c:\recycler\temp-2616392
c:\recycler\temp-2617248
c:\recycler\temp-2634227
c:\recycler\temp-2639965
c:\recycler\temp-2653213
c:\recycler\temp-2657149
c:\recycler\temp-2667627
c:\recycler\temp-2675852
c:\recycler\temp-2689916
c:\recycler\temp-2693228
c:\recycler\temp-2721711
c:\recycler\temp-2725641
c:\recycler\temp-2774299
c:\recycler\temp-2787591
c:\recycler\temp-2788682
c:\recycler\temp-2796942
c:\recycler\temp-2837781
c:\recycler\temp-2841780
c:\recycler\temp-2842486
c:\recycler\temp-2886710
c:\recycler\temp-2902611
c:\recycler\temp-2909628
c:\recycler\temp-2917510
c:\recycler\temp-2919427
c:\recycler\temp-292557
c:\recycler\temp-2933521
c:\recycler\temp-2936418
c:\recycler\temp-2936823
c:\recycler\temp-2943198
c:\recycler\temp-296118
c:\recycler\temp-2963248
c:\recycler\temp-2976057
c:\recycler\temp-298449
c:\recycler\temp-2987267
c:\recycler\temp-298868
c:\recycler\temp-3064978
c:\recycler\temp-3068211
c:\recycler\temp-3088108
c:\recycler\temp-309266
c:\recycler\temp-3217865
c:\recycler\temp-3238019
c:\recycler\temp-328418
c:\recycler\temp-3284550
c:\recycler\temp-3319932
c:\recycler\temp-3357330
c:\recycler\temp-3378005
c:\recycler\temp-3416287
c:\recycler\temp-341665
c:\recycler\temp-3426999
c:\recycler\temp-3449071
c:\recycler\temp-3450231
c:\recycler\temp-3495399
c:\recycler\temp-3498962
c:\recycler\temp-3591862
c:\recycler\temp-3602583
c:\recycler\temp-3602686
c:\recycler\temp-3615703
c:\recycler\temp-3616146
c:\recycler\temp-3635942
c:\recycler\temp-3674188
c:\recycler\temp-3675751
c:\recycler\temp-3678789
c:\recycler\temp-3680827
c:\recycler\temp-3685209
c:\recycler\temp-3719093
c:\recycler\temp-3747594
c:\recycler\temp-3759499
c:\recycler\temp-3769851
c:\recycler\temp-3775596
c:\recycler\temp-3797426
c:\recycler\temp-3843730
c:\recycler\temp-3855342
c:\recycler\temp-385963
c:\recycler\temp-3862598
c:\recycler\temp-3890914
c:\recycler\temp-3905608
c:\recycler\temp-3919791
c:\recycler\temp-3929668
c:\recycler\temp-394120
c:\recycler\temp-3968558
c:\recycler\temp-3978303
c:\recycler\temp-399547
c:\recycler\temp-4017291
c:\recycler\temp-4031252
c:\recycler\temp-4069434
c:\recycler\temp-4071676
c:\recycler\temp-4087882
c:\recycler\temp-4093850
c:\recycler\temp-4121660
c:\recycler\temp-4122404
c:\recycler\temp-4123647
c:\recycler\temp-4125317
c:\recycler\temp-4126588
c:\recycler\temp-413086
c:\recycler\temp-4176243
c:\recycler\temp-4190663
c:\recycler\temp-4195428
c:\recycler\temp-4234286
c:\recycler\temp-4235103
c:\recycler\temp-4241806
c:\recycler\temp-4266733
c:\recycler\temp-4287023
c:\recycler\temp-4303017
c:\recycler\temp-4309256
c:\recycler\temp-4337965
c:\recycler\temp-433871
c:\recycler\temp-4338813
c:\recycler\temp-4357249
c:\recycler\temp-4391002
c:\recycler\temp-4399688
c:\recycler\temp-4406960
c:\recycler\temp-4412794
c:\recycler\temp-4418308
c:\recycler\temp-441852
c:\recycler\temp-4452110
c:\recycler\temp-4476334
c:\recycler\temp-4521332
c:\recycler\temp-452645
c:\recycler\temp-458323
c:\recycler\temp-4585658
c:\recycler\temp-459094
c:\recycler\temp-4645699
c:\recycler\temp-4647907
c:\recycler\temp-4668371
c:\recycler\temp-4680007
c:\recycler\temp-468567
c:\recycler\temp-4713646
c:\recycler\temp-4768078
c:\recycler\temp-4782993
c:\recycler\temp-4787355
c:\recycler\temp-4842903
c:\recycler\temp-4843097
c:\recycler\temp-4874275
c:\recycler\temp-4883278
c:\recycler\temp-4884834
c:\recycler\temp-4892630
c:\recycler\temp-4895494
c:\recycler\temp-4942813
c:\recycler\temp-4946820
c:\recycler\temp-497418
c:\recycler\temp-4975050
c:\recycler\temp-4999971
c:\recycler\temp-5000074
c:\recycler\temp-5009802
c:\recycler\temp-5013637
c:\recycler\temp-5016160
c:\recycler\temp-5026867
c:\recycler\temp-502982
c:\recycler\temp-5082599
c:\recycler\temp-5090743
c:\recycler\temp-5144597
c:\recycler\temp-5158441
c:\recycler\temp-5160747
c:\recycler\temp-5202098
c:\recycler\temp-5214619
c:\recycler\temp-5257748
c:\recycler\temp-5287340
c:\recycler\temp-5387068
c:\recycler\temp-54079
c:\recycler\temp-5419541
c:\recycler\temp-5433312
c:\recycler\temp-5505911
c:\recycler\temp-5528370
c:\recycler\temp-5545445
c:\recycler\temp-5568067
c:\recycler\temp-557249
c:\recycler\temp-5580548
c:\recycler\temp-5584316
c:\recycler\temp-5625113
c:\recycler\temp-5625289
c:\recycler\temp-5644844
c:\recycler\temp-5644988
c:\recycler\temp-5659518
c:\recycler\temp-5668858
c:\recycler\temp-5685063
c:\recycler\temp-5685582
c:\recycler\temp-5693080
c:\recycler\temp-5696897
c:\recycler\temp-5704234
c:\recycler\temp-5714505
c:\recycler\temp-5752334
c:\recycler\temp-5790861
c:\recycler\temp-5804977
c:\recycler\temp-5806338
c:\recycler\temp-5866282
c:\recycler\temp-5877271
c:\recycler\temp-5892299
c:\recycler\temp-5901131
c:\recycler\temp-5915258
c:\recycler\temp-5952369
c:\recycler\temp-5953173
c:\recycler\temp-5957197
c:\recycler\temp-5983833
c:\recycler\temp-598813
c:\recycler\temp-6021888
c:\recycler\temp-6043867
c:\recycler\temp-6087418
c:\recycler\temp-6093251
c:\recycler\temp-6101904
c:\recycler\temp-611255
c:\recycler\temp-6123426
c:\recycler\temp-613173
c:\recycler\temp-6163178
c:\recycler\temp-6164133
c:\recycler\temp-619378
c:\recycler\temp-623812
c:\recycler\temp-6242086
c:\recycler\temp-6285840
c:\recycler\temp-6300282
c:\recycler\temp-6301493
c:\recycler\temp-630467
c:\recycler\temp-6309947
c:\recycler\temp-6337122
c:\recycler\temp-6337459
c:\recycler\temp-6364199
c:\recycler\temp-64220
c:\recycler\temp-6426931
c:\recycler\temp-6434790
c:\recycler\temp-6452439
c:\recycler\temp-6620201
c:\recycler\temp-6662051
c:\recycler\temp-668304
c:\recycler\temp-6692914
c:\recycler\temp-6696057
c:\recycler\temp-6724331
c:\recycler\temp-672817
c:\recycler\temp-6775184
c:\recycler\temp-6777344
c:\recycler\temp-6811630
c:\recycler\temp-6843684
c:\recycler\temp-6847028
c:\recycler\temp-6859811
c:\recycler\temp-6867463
c:\recycler\temp-6870747
c:\recycler\temp-6882589
c:\recycler\temp-6897172
c:\recycler\temp-6906089
c:\recycler\temp-6939571
c:\recycler\temp-6965829
c:\recycler\temp-6968304
c:\recycler\temp-6973320
c:\recycler\temp-6985200
c:\recycler\temp-7012764
c:\recycler\temp-7015850
c:\recycler\temp-7048683
c:\recycler\temp-7059154
c:\recycler\temp-707540
c:\recycler\temp-7090744
c:\recycler\temp-7112122
c:\recycler\temp-7157768
c:\recycler\temp-7160850
c:\recycler\temp-7167172
c:\recycler\temp-7167437
c:\recycler\temp-7207594
c:\recycler\temp-7214500
c:\recycler\temp-7231935
c:\recycler\temp-7257936
c:\recycler\temp-7303858
c:\recycler\temp-7351109
c:\recycler\temp-7359280
c:\recycler\temp-7363271
c:\recycler\temp-7380855
c:\recycler\temp-7386581
c:\recycler\temp-7388030
c:\recycler\temp-7411964
c:\recycler\temp-7420227
c:\recycler\temp-7451479
c:\recycler\temp-7462141
c:\recycler\temp-7469884
c:\recycler\temp-7473158
c:\recycler\temp-7480579
c:\recycler\temp-7504863
c:\recycler\temp-7507955
c:\recycler\temp-7553219
c:\recycler\temp-756689
c:\recycler\temp-7578089
c:\recycler\temp-7587977
c:\recycler\temp-7612156
c:\recycler\temp-7617820
c:\recycler\temp-7635362
c:\recycler\temp-7658829
c:\recycler\temp-7674548
c:\recycler\temp-7683508
c:\recycler\temp-7685348
c:\recycler\temp-770805
c:\recycler\temp-772431
c:\recycler\temp-7726469
c:\recycler\temp-7728182
c:\recycler\temp-7740754
c:\recycler\temp-7780475
c:\recycler\temp-7813674
c:\recycler\temp-7821370
c:\recycler\temp-7835997
c:\recycler\temp-7839413
c:\recycler\temp-7881825
c:\recycler\temp-7962376
c:\recycler\temp-7963620
c:\recycler\temp-7971658
c:\recycler\temp-7987426
c:\recycler\temp-8055152
c:\recycler\temp-8065495
c:\recycler\temp-807145
c:\recycler\temp-8075681
c:\recycler\temp-8106475
c:\recycler\temp-811615
c:\recycler\temp-8121219
c:\recycler\temp-8149300
c:\recycler\temp-8156215
c:\recycler\temp-8160629
c:\recycler\temp-8165446
c:\recycler\temp-8204819
c:\recycler\temp-8215321
c:\recycler\temp-8247103
c:\recycler\temp-8258437
c:\recycler\temp-8289006
c:\recycler\temp-8313735
c:\recycler\temp-8327124
c:\recycler\temp-8359874
c:\recycler\temp-8363082
c:\recycler\temp-8363742
c:\recycler\temp-8371454
c:\recycler\temp-8378581
c:\recycler\temp-8396836
c:\recycler\temp-841571
c:\recycler\temp-843366
c:\recycler\temp-8463004
c:\recycler\temp-8538836
c:\recycler\temp-8543340
c:\recycler\temp-8543520
c:\recycler\temp-8591579
c:\recycler\temp-864005
c:\recycler\temp-8646138
c:\recycler\temp-8658187
c:\recycler\temp-8674479
c:\recycler\temp-8688080
c:\recycler\temp-8727129
c:\recycler\temp-8752939
c:\recycler\temp-8793846
c:\recycler\temp-8801969
c:\recycler\temp-8809232
c:\recycler\temp-8821501
c:\recycler\temp-8835734
c:\recycler\temp-8847171
c:\recycler\temp-8856283
c:\recycler\temp-8926628
c:\recycler\temp-8954294
c:\recycler\temp-8973666
c:\recycler\temp-8997878
c:\recycler\temp-9050430
c:\recycler\temp-9053259
c:\recycler\temp-9056363
c:\recycler\temp-9066944
c:\recycler\temp-909307
c:\recycler\temp-9104043
c:\recycler\temp-9114568
c:\recycler\temp-9120040
c:\recycler\temp-9129256
c:\recycler\temp-9134575
c:\recycler\temp-9137038
c:\recycler\temp-9153004
c:\recycler\temp-9155067
c:\recycler\temp-9195206
c:\recycler\temp-9216331
c:\recycler\temp-9216885
c:\recycler\temp-9248781
c:\recycler\temp-9254195
c:\recycler\temp-927159
c:\recycler\temp-9278885
c:\recycler\temp-9286126
c:\recycler\temp-9287392
c:\recycler\temp-9346328
c:\recycler\temp-9363206
c:\recycler\temp-9385052
c:\recycler\temp-9388248
c:\recycler\temp-9389208
c:\recycler\temp-9399849
c:\recycler\temp-9414629
c:\recycler\temp-9432438
c:\recycler\temp-9501145
c:\recycler\temp-9505114
c:\recycler\temp-9543932
c:\recycler\temp-9549088
c:\recycler\temp-9554114
c:\recycler\temp-9594145
c:\recycler\temp-9625188
c:\recycler\temp-9627924
c:\recycler\temp-9666584
c:\recycler\temp-9669844
c:\recycler\temp-9669936
c:\recycler\temp-9702952
c:\recycler\temp-9729895
c:\recycler\temp-9760675
c:\recycler\temp-9763856
c:\recycler\temp-9795039
c:\recycler\temp-9815880
c:\recycler\temp-9827646
c:\recycler\temp-9833531
c:\recycler\temp-9877557
c:\recycler\temp-9936439
c:\recycler\temp-9937156
c:\recycler\temp-999917
c:\windows\ahepogicab.dll
c:\windows\system32\ctfmon .exe
c:\windows\system32\dumphive.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\tpshocks .exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe

.
((((((((((((((((((((((((( Files Created from 2010-03-14 to 2010-04-14 )))))))))))))))))))))))))))))))
.

2010-04-14 18:34 . 2008-08-08 20:04 17968 ----a-r- c:\windows\system32\drivers\vmscsi_2.sys
2010-04-14 00:10 . 2010-04-14 03:01 -------- d-----w- c:\documents and settings\100350691\Local Settings\Application Data\pdobdqtja
2010-04-12 23:41 . 2010-04-12 23:38 77312 ----a-w- C:\mbr.exe
2010-04-10 02:00 . 2010-04-14 03:01 -------- d-----w- c:\documents and settings\100350691\Local Settings\Application Data\atscmkbxv
2010-04-08 01:27 . 2010-04-08 01:27 -------- d-----w- c:\program files\Trend Micro
2010-04-06 19:43 . 2010-04-06 19:43 96704 ----a-w- c:\windows\system32\601928f8.exe
2010-04-06 17:29 . 2010-04-10 04:16 2972 ----a-w- c:\windows\Vcepu.dat
2010-04-06 17:29 . 2010-04-07 12:55 0 ----a-w- c:\windows\Shacaniqeri.bin
2010-04-06 17:24 . 2008-04-13 17:40 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-04-06 17:24 . 2008-04-13 17:40 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-03-16 00:33 . 2010-03-16 00:44 -------- d-----w- c:\program files\Common Files\ParetoLogic
2010-03-16 00:32 . 2010-03-16 00:32 -------- d-----w- c:\documents and settings\100350691\Local Settings\Application Data\Downloaded Installations

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-14 18:24 . 2010-02-28 03:04 -------- d-----w- c:\program files\Songbird
2010-04-14 18:21 . 2009-06-02 17:40 -------- d-----w- c:\program files\F-Secure
2010-04-14 18:18 . 2010-01-05 03:12 -------- d-----w- c:\documents and settings\100350691\Application Data\uTorrent
2010-04-14 18:05 . 2009-04-22 16:04 1984 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-12 16:06 . 2009-12-17 21:59 -------- d-----w- c:\documents and settings\All Users\Application Data\vulScan
2010-04-08 18:10 . 2010-01-31 04:47 -------- d-----w- c:\documents and settings\100350691\Application Data\Skype
2010-04-08 17:47 . 2010-01-18 07:02 -------- d-----w- c:\documents and settings\100350691\Application Data\skypePM
2010-04-06 18:21 . 2010-01-05 03:13 -------- d-----w- c:\program files\uTorrent
2010-04-06 17:45 . 2010-01-05 02:53 -------- d-----w- c:\program files\Zune
2010-04-06 17:45 . 2010-01-19 14:31 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-06 17:24 . 2008-06-06 22:21 37376 ----a-w- c:\windows\system32\tpshocks.exe
2010-04-03 06:20 . 2009-06-03 18:32 646808 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-03-30 04:46 . 2010-02-07 05:31 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45 . 2010-02-07 05:31 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-07 22:12 . 2010-03-07 22:12 -------- d-----w- c:\program files\SopCast
2010-03-03 02:47 . 2010-03-03 02:42 -------- d-----w- c:\documents and settings\100350691\Application Data\Azureus
2010-03-03 02:42 . 2010-03-03 02:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Azureus
2010-03-03 02:42 . 2010-03-03 02:42 -------- d-----w- c:\program files\Conduit
2010-02-28 02:36 . 2010-01-18 03:52 -------- d-----w- c:\program files\Winamp
2010-02-28 02:28 . 2010-02-28 02:28 -------- d-----w- c:\documents and settings\100350691\Application Data\Songbird2
2010-02-23 05:20 . 2010-01-09 18:20 -------- d-----w- c:\documents and settings\All Users\Application Data\SoftwareSecure
2010-02-17 19:57 . 2009-01-16 17:34 -------- d-----w- c:\program files\Microsoft Silverlight
2010-02-12 19:37 . 2009-07-06 14:20 104023 ----a-w- c:\windows\system32\nvModes.dat
2010-01-18 07:02 . 2010-01-18 07:02 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-01-16 18:38 . 2010-01-04 20:31 48040 ----a-w- c:\documents and settings\100350691\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.
CODE
c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
c:\program files\Analog Devices\Core\smax4pnp .exe
c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe
c:\program files\F-Secure\common\fsm32 .exe
c:\program files\F-Secure\FSGUI\tnbutil .exe
c:\program files\Lenovo\HOTKEY\tposdsvc .exe
c:\program files\Lenovo\NPDIRECT\tpfnf7sp .exe
c:\program files\Spybot - Search & Destroy\teatimer .exe
c:\program files\Synaptics\SynTP\syntpenh .exe
c:\program files\ThinkPad\Utilities\ezejmnap .exe
c:\program files\ThinkVantage\PrdCtr\lpmgr .exe
c:\program files\ThinkVantage\PrdCtr\lpmlchk .exe
c:\program files\uTorrent\utorrent .exe
c:\program files\Zune\zunelauncher .exe


------- Sigcheck -------

[7] 2008-04-14 . 5F1D5F88303D4A4DBC8E5F97BA967CC3 . 15360 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ctfmon.exe
[7] 2004-08-04 . 24232996A38C0B0CF151C2140AE29FC8 . 15360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ctfmon.exe

c:\windows\System32\ctfmon.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"indrerrm"="c:\windows\system32\$.indrerrm\indrerrm" [X]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2008-11-21 385024]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-03-17 208896]
"TPFNF7"="c:\progra~1\Lenovo\NPDIRECT\TPFNF7SP.exe" [N/A]
"TpShocks"="TpShocks.exe" [2010-04-06 37376]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-05 13549568]
"nwiz"="nwiz.exe" [2008-12-05 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-05 86016]
"Jqumepetiyogo"="c:\windows\ahepogicab.dll" [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)
"DisableStatusMessages"= 1 (0x1)
"LogonType"= 0 (0x0)
"AllowMultipleTSSessions"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoAutoUpdate"= 0 (0x0)
"NoStartMenuNetworkPlaces"= 1 (0x1)
"NoSecurityTab"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 20:37 34344 ----a-w- c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2008-08-08 23:14 28672 ----a-w- c:\program files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TPSvc]
2008-08-08 20:04 364544 ----a-r- c:\windows\system32\TPSvc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1644491937-682003330-725345543-182271\Scripts\Logon\0\0]
"Script"=\\oncampus.local\NETLOGON\AcademicIntegrity\stu\icon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1644491937-682003330-725345543-182271\Scripts\Logon\1\0]
"Script"=\\oncampus.local\NETLOGON\IE6SiteAddition.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Audiosrv]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HDAudBus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96C-E325-11CE-BFC1-08002BE10318}]
@="[6cFgE][S??d, ?de ??d g? o?tr?l?? !!! !!! !]"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{640167b4-59b0-47a6-b335-a6b3c0695aea}]
@="Portable Media Devices"

[HKLM\~\startupfolder\C:^Documents and Settings^100350691^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\100350691\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FingerPrintSoftware]
c:\program files\Lenovo Fingerprint Software\fpapp.exe \s [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
c:\program files\iTunes\iTunesHelper.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
c:\program files\QuickTime\QTTask.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-04-21 19:44 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
c:\program files\Common Files\Real\Update_OB\realsched.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2010-03-11 19:57 319792 ----a-w- c:\program files\uTorrent\utorrent .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VMware Tools]
2008-08-08 20:04 92720 ----a-w- c:\program files\VMware\VMware Tools\VMwareTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VMware User Process]
2008-08-08 20:04 268848 ----a-w- c:\program files\VMware\VMware Tools\VMwareUser.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"F-Secure Network Request Broker"=3 (0x3)
"FSORSPClient"=3 (0x3)
"FSMA"=2 (0x2)
"FSDFWD"=3 (0x3)
"FSAUA"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 atiide;ATI SATA Controller IDE mode;c:\windows\system32\drivers\atiide.sys [03/06/2009 2:17 PM 3456]
R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [02/06/2009 1:41 PM 33920]
R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [02/06/2009 1:41 PM 79936]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [14/05/2008 4:21 PM 19496]
R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [05/05/2008 11:50 AM 17968]
R2 CBA8;LANDesk® Management Agent;c:\program files\LANDesk\Shared Files\residentAgent.exe [23/03/2009 11:03 AM 155648]
R2 hgfs;hgfs;c:\windows\system32\drivers\hgfs.sys [11/12/2008 12:38 PM 92592]
R2 LANDesk Policy Invoker;LANDesk Policy Invoker;c:\program files\LANDesk\LDClient\policy.client.invoker.exe [17/12/2009 5:58 PM 139264]
R2 LANDesk® Out-of-Band Monitor Service;LANDesk® Out-of-Band Monitor Service;c:\program files\LANDesk\LDClient\amtmon.exe [17/12/2009 5:58 PM 1044480]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.exe [02/06/2009 1:48 PM 53248]
R2 Softmon;LANDesk® Software Monitoring Service;c:\program files\LANDesk\LDClient\SoftMon.exe [17/12/2009 5:58 PM 372736]
R2 VMMEMCTL;VMware server memory controller;c:\program files\VMware\VMware Tools\Drivers\memctl\vmmemctl.sys [08/08/2008 4:04 PM 15408]
R2 WebUpdate4;Web Update Wizard Service V4;c:\windows\system32\WebUpdateSvc4.exe [18/05/2007 12:57 PM 229856]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\F-Secure\Anti-Virus\minifilter\fsgk.sys [02/06/2009 1:40 PM 111296]
R3 ldblank;Screen Blanking driver for Remote Control;c:\windows\system32\drivers\ldblank.sys [17/12/2009 5:58 PM 11904]
R3 ldmirror;ldmirror;c:\windows\system32\drivers\ldmirror.sys [17/12/2009 5:58 PM 3328]
R3 mirrorflt;Mirror Filter Driver for Uninstall;c:\windows\system32\drivers\mirrorflt.sys [17/12/2009 5:58 PM 3712]
R4 FSORSPClient;F-Secure ORSP Client;c:\program files\F-Secure\ORSP Client\fsorsp.exe [02/06/2009 1:41 PM 55904]
S2 SSIRuntimeService;SSIRuntimeService;c:\program files\Software Secure, Inc\SSIRuntimeService\SSIRuntimeService.exe [11/09/2007 9:41 AM 45056]
S2 VMTools;VMware Tools Service;c:\program files\VMware\VMware Tools\VMwareService.exe [08/08/2008 4:04 PM 264752]
S3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\Drivers\ATSwpWDF.sys --> c:\windows\system32\Drivers\ATSwpWDF.sys [?]
S3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [03/06/2009 2:26 PM 243856]
S3 TPAutoConnSvc;TP AutoConnect Service;c:\program files\VMware\VMware Tools\TPAutoConnSvc.exe [08/08/2008 4:04 PM 294912]
S3 vmmouse;VMware Pointing Device;c:\windows\system32\drivers\vmmouse.sys [05/05/2008 11:50 AM 11696]
S3 vmx_svga;vmx_svga;c:\windows\system32\drivers\vmx_svga.sys [05/05/2008 11:50 AM 62768]
S3 vmxnet;VMware Ethernet Adapter Driver;c:\windows\system32\drivers\vmxnet.sys [05/05/2008 11:50 AM 34992]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\F-Secure\Anti-Virus\win2k\fsfilter.sys [02/06/2009 1:40 PM 39776]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\F-Secure\Anti-Virus\win2k\fsrec.sys [02/06/2009 1:40 PM 25184]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
vvdsvc REG_MULTI_SZ vvdsvc
.
Contents of the 'Scheduled Tasks' folder

2010-04-14 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2009-06-02 14:56]

2010-03-15 c:\windows\Tasks\Scheduled task.job
- c:\progra~1\F-Secure\ANTI-V~1\fsav.exe [2009-06-02 10:51]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\100350691\Application Data\Mozilla\Firefox\Profiles\n62ky86u.default\
FF - component: c:\program files\Mozilla Firefox\extensions\{2824987f-69fb-3f4e-8e1d-ddd9ee0c1173}\components\8244af0a.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-drmkaud
SafeBoot-WudfPf
SafeBoot-WudfRd
SafeBoot-AudioEndpointBuilder
SafeBoot-HdAudAddService
SafeBoot-MMCSS
AddRemove-UIU - c:\program files\UIU\uninstallnet.exe
AddRemove-uTorrent - c:\program files\uTorrent\uTorrent.exe



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1188)
c:\windows\system32\Ati2evxx.dll
c:\program files\Lenovo\HOTKEY\tphklock.dll
c:\windows\System32\hgfs.dll
.
Completion time: 2010-04-14 14:48:43
ComboFix-quarantined-files.txt 2010-04-14 18:48

Pre-Run: 35,307,438,080 bytes free
Post-Run: 35,447,959,552 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 3E3E9F2F0742C264DADA2D85B9C7B0DD


#11 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • Gender:Female
  • Location:At home
  • Local time:11:15 AM

Posted 14 April 2010 - 02:36 PM

Hi,

this isn't a business PC, is it? How is your PC currently doing?

Do you know this folder: c:\windows\system32\$.indrerrm?

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#12 DiCanio

DiCanio
  • Topic Starter

  • Members
  • 70 posts
  • Local time:05:15 AM

Posted 14 April 2010 - 02:38 PM

QUOTE(myrti @ Apr 14 2010, 03:36 PM)
Hi,

this isn't a business PC, is it? How is your PC currently doing?

Do you know this folder: c:\windows\system32\$.indrerrm?

regards myrti

This is a school-issued laptop.

Not sure what that folder is, though.

Also, the PC is running much better. I don't see any problems at the moment. Thanks so much.

Edited by DiCanio, 14 April 2010 - 02:48 PM.


#13 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • Gender:Female
  • Location:At home
  • Local time:11:15 AM

Posted 14 April 2010 - 03:11 PM

Hi,

there are a couple of leftovers in your log I'd like to remove:
1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
File::
c:\windows\ahepogicab.dll
c:\windows\system32\601928f8.exe
c:\windows\Vcepu.dat
c:\windows\Shacaniqeri.bin
Folder::
c:\documents and settings\100350691\Local Settings\Application Data\pdobdqtja
c:\documents and settings\100350691\Local Settings\Application Data\atscmkbxv
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Jqumepetiyogo"=-
RenV::
c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
c:\program files\Analog Devices\Core\smax4pnp .exe
c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe
c:\program files\F-Secure\common\fsm32 .exe
c:\program files\F-Secure\FSGUI\tnbutil .exe
c:\program files\Lenovo\HOTKEY\tposdsvc .exe
c:\program files\Lenovo\NPDIRECT\tpfnf7sp .exe
c:\program files\Spybot - Search & Destroy\teatimer .exe
c:\program files\Synaptics\SynTP\syntpenh .exe
c:\program files\ThinkPad\Utilities\ezejmnap .exe
c:\program files\ThinkVantage\PrdCtr\lpmgr .exe
c:\program files\ThinkVantage\PrdCtr\lpmlchk .exe
c:\program files\uTorrent\utorrent .exe
c:\program files\Zune\zunelauncher .exe


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

regards myrti

Edited by myrti, 14 April 2010 - 03:11 PM.

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 


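The RenV:: list in the CFScript above targets one specific artefact of this infection: legitimate programs have been renamed to "name .exe" (a space before the extension), and in the ctfmon case Sigcheck reports that the original name is now missing altogether, while in the tpshocks case a new file of the same date as the infection sits under the original name. The following Python script is an added example, not code from this thread or from ComboFix: it finds that pattern in a file listing and reports, for each hit, whether something already occupies the restored name (which then deserves a signature or hash check) or whether the program was simply displaced. The sample listing is constructed to mirror names in the log, and the set of extensions checked is an assumption.

```python
"""Detect executables displaced to 'name .ext' (space before the extension).

Added example for this thread; it is not part of the original posts and not
ComboFix code.  The ComboFix log above lists files such as
'c:\\windows\\system32\\ctfmon .exe' and reports that ctfmon.exe itself is
missing; the RenV:: section of the CFScript renames such files back.  This
script finds that pattern in a listing and says, for each hit, whether a file
already occupies the original name.  The sample listing is constructed; the
extension list is an assumption, not something the log states.
"""
import os
import re
from typing import Iterable, List, NamedTuple, Optional

# Last path component with whitespace right before the extension.
_SPACED_EXT = re.compile(
    r"^(?P<stem>.*\S)\s+\.(?P<ext>exe|dll|sys|scr|com)$", re.IGNORECASE
)


class Finding(NamedTuple):
    spaced_path: str        # path as found, e.g. ...\ctfmon .exe
    restored_path: str      # name RenV:: would restore
    original_present: bool  # a file with the restored name also exists


def _split(path: str) -> tuple:
    """Split on the last '\\' or '/', so Windows and POSIX paths both work."""
    idx = max(path.rfind("\\"), path.rfind("/"))
    return path[: idx + 1], path[idx + 1 :]


def restored_name(path: str) -> Optional[str]:
    """Return the normalised name for a 'name .ext' path, else None."""
    prefix, name = _split(path)
    m = _SPACED_EXT.match(name)
    if not m:
        return None
    return f"{prefix}{m['stem']}.{m['ext']}"


def find_spaced_executables(paths: Iterable[str]) -> List[Finding]:
    """Report every 'name .ext' entry in a listing, in listing order."""
    paths = list(paths)
    present = {p.lower() for p in paths}   # Windows names are case-insensitive
    findings = []
    for p in paths:
        restored = restored_name(p)
        if restored is not None:
            findings.append(Finding(p, restored, restored.lower() in present))
    return findings


def scan_directory(root: str) -> List[Finding]:
    """Apply the same check to a real directory tree."""
    paths = [os.path.join(d, n) for d, _, names in os.walk(root) for n in names]
    return find_spaced_executables(paths)


# Constructed sample listing; names mirror entries in the ComboFix log above.
SAMPLE_LISTING = [
    r"c:\windows\system32\ctfmon .exe",
    r"c:\windows\system32\tpshocks .exe",
    r"c:\windows\system32\tpshocks.exe",
    r"c:\program files\uTorrent\utorrent .exe",
    r"c:\program files\uTorrent\uTorrent.exe",
    r"c:\windows\system32\notepad.exe",
    r"c:\windows\Tasks\Scheduled task.job",
]

if __name__ == "__main__":
    for f in find_spaced_executables(SAMPLE_LISTING):
        if f.original_present:
            note = "original name is occupied: verify that file's signature/hash"
        else:
            note = "original name is missing: the program was displaced"
        print(f"{f.spaced_path} -> {f.restored_path} ({note})")
```

Run it as-is to see the report for the constructed listing, or call scan_directory() on a mounted or copied system volume. A hit with original_present set is the more interesting one for a responder: the file under the original name is not necessarily the vendor's binary, which is exactly what the Sigcheck section of a ComboFix log (hash and version against the ServicePackFiles copy) is there to settle.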

#14 DiCanio

DiCanio
  • Topic Starter

  • Members
  • 70 posts
  • Local time:05:15 AM

Posted 14 April 2010 - 04:03 PM

I had to do it twice since my computer shut down in the middle of the first one for whatever reason.


ComboFix 10-04-14.01 - 100350691 14/04/2010 16:46:14.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2030.1359 [GMT -4:00]
Running from: d:\my documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\100350691\Desktop\CFscript.txt
AV: F-Secure Client Security 8.01 *On-access scanning enabled* (Updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
* Resident AV is active


FILE ::
"c:\windows\ahepogicab.dll"
"c:\windows\Shacaniqeri.bin"
"c:\windows\system32\601928f8.exe"
"c:\windows\Vcepu.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\windows\Shacaniqeri.bin
c:\windows\system32\601928f8.exe
c:\windows\Vcepu.dat

.
((((((((((((((((((((((((( Files Created from 2010-03-14 to 2010-04-14 )))))))))))))))))))))))))))))))
.

2010-04-14 18:34 . 2008-08-08 20:04 17968 ----a-r- c:\windows\system32\drivers\vmscsi_2.sys
2010-04-12 23:41 . 2010-04-12 23:38 77312 ----a-w- C:\mbr.exe
2010-04-08 01:27 . 2010-04-08 01:27 -------- d-----w- c:\program files\Trend Micro
2010-04-06 17:24 . 2008-04-13 17:40 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-04-06 17:24 . 2008-04-13 17:40 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-03-16 00:33 . 2010-03-16 00:44 -------- d-----w- c:\program files\Common Files\ParetoLogic
2010-03-16 00:32 . 2010-03-16 00:32 -------- d-----w- c:\documents and settings\100350691\Local Settings\Application Data\Downloaded Installations

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-14 20:31 . 2009-06-02 17:40 -------- d-----w- c:\program files\F-Secure
2010-04-14 20:28 . 2010-01-19 14:31 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-14 20:20 . 2010-01-05 03:13 -------- d-----w- c:\program files\uTorrent
2010-04-14 20:20 . 2010-01-05 02:53 -------- d-----w- c:\program files\Zune
2010-04-14 19:16 . 2009-12-17 21:59 -------- d-----w- c:\documents and settings\All Users\Application Data\vulScan
2010-04-14 18:24 . 2010-02-28 03:04 -------- d-----w- c:\program files\Songbird
2010-04-14 18:18 . 2010-01-05 03:12 -------- d-----w- c:\documents and settings\100350691\Application Data\uTorrent
2010-04-14 18:05 . 2009-04-22 16:04 1984 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-08 18:10 . 2010-01-31 04:47 -------- d-----w- c:\documents and settings\100350691\Application Data\Skype
2010-04-08 17:47 . 2010-01-18 07:02 -------- d-----w- c:\documents and settings\100350691\Application Data\skypePM
2010-04-06 17:24 . 2008-06-06 22:21 37376 ----a-w- c:\windows\system32\tpshocks.exe
2010-04-03 06:20 . 2009-06-03 18:32 646808 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-03-30 04:46 . 2010-02-07 05:31 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45 . 2010-02-07 05:31 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-07 22:12 . 2010-03-07 22:12 -------- d-----w- c:\program files\SopCast
2010-03-03 02:47 . 2010-03-03 02:42 -------- d-----w- c:\documents and settings\100350691\Application Data\Azureus
2010-03-03 02:42 . 2010-03-03 02:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Azureus
2010-03-03 02:42 . 2010-03-03 02:42 -------- d-----w- c:\program files\Conduit
2010-02-28 02:36 . 2010-01-18 03:52 -------- d-----w- c:\program files\Winamp
2010-02-28 02:28 . 2010-02-28 02:28 -------- d-----w- c:\documents and settings\100350691\Application Data\Songbird2
2010-02-23 05:20 . 2010-01-09 18:20 -------- d-----w- c:\documents and settings\All Users\Application Data\SoftwareSecure
2010-02-17 19:57 . 2009-01-16 17:34 -------- d-----w- c:\program files\Microsoft Silverlight
2010-02-12 19:37 . 2009-07-06 14:20 104023 ----a-w- c:\windows\system32\nvModes.dat
2010-01-18 07:02 . 2010-01-18 07:02 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-01-16 18:38 . 2010-01-04 20:31 48040 ----a-w- c:\documents and settings\100350691\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

------- Sigcheck -------

[7] 2008-04-14 . 5F1D5F88303D4A4DBC8E5F97BA967CC3 . 15360 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ctfmon.exe
[7] 2004-08-04 . 24232996A38C0B0CF151C2140AE29FC8 . 15360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ctfmon.exe

c:\windows\System32\ctfmon.exe ... is missing !!
.
((((((((((((((((((((((((((((( SnapShot@2010-04-14_18.45.59 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-14 20:46 . 2010-04-14 20:46 16384 c:\windows\Temp\Perflib_Perfdata_824.dat
+ 2010-04-14 20:30 . 2010-04-14 20:30 16384 c:\windows\Temp\Perflib_Perfdata_820.dat
+ 2004-08-04 12:00 . 2010-04-14 20:35 75152 c:\windows\system32\perfc009.dat
- 2004-08-04 12:00 . 2010-04-14 18:22 75152 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2010-04-14 20:35 450302 c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2010-04-14 18:22 450302 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"indrerrm"="c:\windows\system32\$.indrerrm\indrerrm" [X]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2008-11-21 385024]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-03-17 208896]
"TPFNF7"="c:\progra~1\Lenovo\NPDIRECT\TPFNF7SP.exe" [2009-01-07 60704]
"TpShocks"="TpShocks.exe" [2010-04-06 37376]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-05 13549568]
"nwiz"="nwiz.exe" [2008-12-05 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-05 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)
"DisableStatusMessages"= 1 (0x1)
"LogonType"= 0 (0x0)
"AllowMultipleTSSessions"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoAutoUpdate"= 0 (0x0)
"NoStartMenuNetworkPlaces"= 1 (0x1)
"NoSecurityTab"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 20:37 34344 ----a-w- c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2008-08-08 23:14 28672 ----a-w- c:\program files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TPSvc]
2008-08-08 20:04 364544 ----a-r- c:\windows\system32\TPSvc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1644491937-682003330-725345543-182271\Scripts\Logon\0\0]
"Script"=\\oncampus.local\NETLOGON\AcademicIntegrity\stu\icon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1644491937-682003330-725345543-182271\Scripts\Logon\1\0]
"Script"=\\oncampus.local\NETLOGON\IE6SiteAddition.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Audiosrv]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HDAudBus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96C-E325-11CE-BFC1-08002BE10318}]
@="[6cFgE][S??d, ?de ??d g? o?tr?l?? !!! !!! !]"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{640167b4-59b0-47a6-b335-a6b3c0695aea}]
@="Portable Media Devices"

[HKLM\~\startupfolder\C:^Documents and Settings^100350691^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\100350691\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FingerPrintSoftware]
c:\program files\Lenovo Fingerprint Software\fpapp.exe \s [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 06:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-04-21 19:44 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VMware Tools]
2008-08-08 20:04 92720 ----a-w- c:\program files\VMware\VMware Tools\VMwareTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VMware User Process]
2008-08-08 20:04 268848 ----a-w- c:\program files\VMware\VMware Tools\VMwareUser.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"FSORSPClient"=3 (0x3)
"FSMA"=2 (0x2)
"FSDFWD"=3 (0x3)
"FSAUA"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"=

R0 atiide;ATI SATA Controller IDE mode;c:\windows\system32\drivers\atiide.sys [03/06/2009 2:17 PM 3456]
R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [02/06/2009 1:41 PM 33920]
R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [02/06/2009 1:41 PM 79936]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [14/05/2008 4:21 PM 19496]
R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [05/05/2008 11:50 AM 17968]
R2 CBA8;LANDesk® Management Agent;c:\program files\LANDesk\Shared Files\residentAgent.exe [23/03/2009 11:03 AM 155648]
R2 hgfs;hgfs;c:\windows\system32\drivers\hgfs.sys [11/12/2008 12:38 PM 92592]
R2 LANDesk Policy Invoker;LANDesk Policy Invoker;c:\program files\LANDesk\LDClient\policy.client.invoker.exe [17/12/2009 5:58 PM 139264]
R2 LANDesk® Out-of-Band Monitor Service;LANDesk® Out-of-Band Monitor Service;c:\program files\LANDesk\LDClient\amtmon.exe [17/12/2009 5:58 PM 1044480]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.exe [02/06/2009 1:48 PM 53248]
R2 Softmon;LANDesk® Software Monitoring Service;c:\program files\LANDesk\LDClient\SoftMon.exe [17/12/2009 5:58 PM 372736]
R2 VMMEMCTL;VMware server memory controller;c:\program files\VMware\VMware Tools\Drivers\memctl\vmmemctl.sys [08/08/2008 4:04 PM 15408]
R2 WebUpdate4;Web Update Wizard Service V4;c:\windows\system32\WebUpdateSvc4.exe [18/05/2007 12:57 PM 229856]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\F-Secure\Anti-Virus\minifilter\fsgk.sys [02/06/2009 1:40 PM 111296]
R3 ldblank;Screen Blanking driver for Remote Control;c:\windows\system32\drivers\ldblank.sys [17/12/2009 5:58 PM 11904]
R3 ldmirror;ldmirror;c:\windows\system32\drivers\ldmirror.sys [17/12/2009 5:58 PM 3328]
R3 mirrorflt;Mirror Filter Driver for Uninstall;c:\windows\system32\drivers\mirrorflt.sys [17/12/2009 5:58 PM 3712]
R4 FSORSPClient;F-Secure ORSP Client;c:\program files\F-Secure\ORSP Client\fsorsp.exe [02/06/2009 1:41 PM 55904]
S2 SSIRuntimeService;SSIRuntimeService;c:\program files\Software Secure, Inc\SSIRuntimeService\SSIRuntimeService.exe [11/09/2007 9:41 AM 45056]
S2 VMTools;VMware Tools Service;c:\program files\VMware\VMware Tools\VMwareService.exe [08/08/2008 4:04 PM 264752]
S3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\Drivers\ATSwpWDF.sys --> c:\windows\system32\Drivers\ATSwpWDF.sys [?]
S3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [03/06/2009 2:26 PM 243856]
S3 TPAutoConnSvc;TP AutoConnect Service;c:\program files\VMware\VMware Tools\TPAutoConnSvc.exe [08/08/2008 4:04 PM 294912]
S3 vmmouse;VMware Pointing Device;c:\windows\system32\drivers\vmmouse.sys [05/05/2008 11:50 AM 11696]
S3 vmx_svga;vmx_svga;c:\windows\system32\drivers\vmx_svga.sys [05/05/2008 11:50 AM 62768]
S3 vmxnet;VMware Ethernet Adapter Driver;c:\windows\system32\drivers\vmxnet.sys [05/05/2008 11:50 AM 34992]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\F-Secure\Anti-Virus\win2k\fsfilter.sys [02/06/2009 1:40 PM 39776]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\F-Secure\Anti-Virus\win2k\fsrec.sys [02/06/2009 1:40 PM 25184]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
vvdsvc REG_MULTI_SZ vvdsvc
.
Contents of the 'Scheduled Tasks' folder

2010-04-14 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2009-06-02 14:56]

2010-03-15 c:\windows\Tasks\Scheduled task.job
- c:\progra~1\F-Secure\ANTI-V~1\fsav.exe [2009-06-02 10:51]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\100350691\Application Data\Mozilla\Firefox\Profiles\n62ky86u.default\
FF - component: c:\program files\Mozilla Firefox\extensions\{2824987f-69fb-3f4e-8e1d-ddd9ee0c1173}\components\8244af0a.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: google.toolbar.linkdoctor.enabled - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\QTTask.exe
MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe
MSConfigStartUp-uTorrent - c:\program files\uTorrent\utorrent .exe
AddRemove-601928f8 - c:\windows\system32\601928f8.exe



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1176)
c:\windows\system32\Ati2evxx.dll
c:\program files\Lenovo\HOTKEY\tphklock.dll
c:\windows\System32\hgfs.dll

- - - - - - - > 'explorer.exe'(1268)
c:\windows\system32\nview.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Spybot - Search & Destroy\SDHelper.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\System32\hgfs.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\Audiodev.dll
c:\windows\system32\WMVCore.DLL
c:\windows\system32\WMASF.DLL
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
.
Completion time: 2010-04-14 16:54:53
ComboFix-quarantined-files.txt 2010-04-14 20:54
ComboFix2.txt 2010-04-14 18:48

Pre-Run: 35,459,387,392 bytes free
Post-Run: 35,444,408,320 bytes free

- - End Of File - - EB2359E9C99ECC18CEBF547B9820673C



thanks again.
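
A helper normally reads a log like the one above by eye. As an added example for this thread (not code from ComboFix, from the original poster or from BleepingComputer), the script below runs a few generic triage heuristics over lines in that format: a browser proxy pointing at 127.0.0.1, a svchost service group that is not one of the stock ones, the Windows Firewall switched off in the standard profile, a SafeBoot class name that is no longer readable text, bare eight-hex-digit file names, and a space wedged in before an extension. The list of stock svchost groups, the rules themselves and the sample block (lines in the format of the posted log, with one ordinary netsvcs entry added for contrast) are assumptions made for illustration; a hit is a prompt to look closer, not a verdict. The firewall rule in particular will fire on any host running a third-party firewall, as this one does with the F-Secure firewall driver loaded.

```python
"""Triage heuristics for a ComboFix/DDS-style log.

Added example for this thread; not code from ComboFix, from the original
poster or from BleepingComputer. Every rule here is an assumption made for
illustration, and a hit means "look closer", not "infected".
"""
import re
from typing import List, Tuple

# svchost service groups on a stock Windows XP install (assumption: recalled
# from a default install, not an exhaustive list). Anything else registered
# under ...\Windows NT\CurrentVersion\Svchost deserves a second look.
KNOWN_SVCHOST_GROUPS = {
    "netsvcs", "localservice", "networkservice", "rpcss", "dcomlaunch",
    "imgsvc", "termsvcs", "httpfilter", "wudfservicegroup",
}

# "\8244af0a.dll", "\601928f8.exe": a bare eight-hex-digit file name.
RANDOM_HEX_NAME = re.compile(r"\\[0-9a-f]{8}\.(?:exe|dll|sys)\b", re.IGNORECASE)
# "utorrent .exe": a space wedged in before the extension.
SPACE_BEFORE_EXT = re.compile(r"\S \.(?:exe|dll|sys)\b", re.IGNORECASE)
SVCHOST_GROUP = re.compile(r"^(\S+)\s+REG_MULTI_SZ\s+(.*)$")
PROXY_SERVER = re.compile(r"ProxyServer\s*=\s*(.+)$")
FIREWALL_OFF = re.compile(r'"EnableFirewall"\s*=\s*0\b')


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (reason, line) pairs for log lines worth a closer look."""
    findings: List[Tuple[str, str]] = []
    section = ""  # lower-cased registry key of the current [ ... ] block
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # ComboFix prints registry keys as "[HKEY_...]" headers; everything
        # up to the next header belongs to that key.
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue

        m = PROXY_SERVER.search(line)
        if m and ("127.0.0.1" in m.group(1) or "localhost" in m.group(1).lower()):
            findings.append(("loopback proxy: browser traffic is routed through a local port", line))

        if "currentversion\\svchost" in section:
            m = SVCHOST_GROUP.match(line)
            if m and m.group(1).lower() not in KNOWN_SVCHOST_GROUPS:
                findings.append(("svchost service group that is not a stock one", line))

        if "firewallpolicy\\standardprofile" in section and FIREWALL_OFF.search(line):
            findings.append(("Windows Firewall off; confirm a third-party firewall covers the host", line))

        # A SafeBoot\Minimal class entry should be a readable class name;
        # ComboFix prints unprintable bytes as "?".
        if "safeboot" in section and line.startswith("@=") and "?" in line:
            findings.append(("SafeBoot class name is no longer readable text", line))

        if RANDOM_HEX_NAME.search(line):
            findings.append(("eight-hex-digit file name", line))

        if SPACE_BEFORE_EXT.search(line):
            findings.append(("space before the file extension", line))
    return findings


# Constructed sample: lines in the format of the log above, plus one ordinary
# netsvcs entry that the svchost rule must leave alone.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96C-E325-11CE-BFC1-08002BE10318}]
@="[6cFgE][S??d, ?de ??d g? o?tr?l?? !!! !!! !]"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{640167b4-59b0-47a6-b335-a6b3c0695aea}]
@="Portable Media Devices"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
netsvcs REG_MULTI_SZ 6to4 AppMgmt
vvdsvc REG_MULTI_SZ vvdsvc

uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
FF - component: c:\program files\Mozilla Firefox\extensions\{2824987f-69fb-3f4e-8e1d-ddd9ee0c1173}\components\8244af0a.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
MSConfigStartUp-uTorrent - c:\program files\uTorrent\utorrent .exe
AddRemove-601928f8 - c:\windows\system32\601928f8.exe
"""

if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

Run it on a saved log with `triage(open("ComboFix.txt").read())`; the rules are deliberately narrow so that a stock machine produces few hits, and any line it does report still needs a human to decide whether it belongs to a known product before anything is removed.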


#15 myrti

    Sillyberry

  • Malware Study Hall Admin
  • 33,766 posts
Posted 14 April 2010 - 04:33 PM

Hi,

I'm assuming you don't have the Windows install media for this PC?

Please run a scan with Eset so that we can check for leftovers:
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push

Please also provide a new log from OTL.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 
