
XP Security Tool, Forced Shut Downs, and Much Much More


  • This topic is locked
31 replies to this topic

#1 ordak

ordak

  • Members
  • 16 posts
  • OFFLINE
  • Local time:01:10 AM

Posted 26 April 2010 - 05:48 PM

XP Security Tool suddenly appeared on my computer out of nowhere and I can’t get rid of it. I had removed a different rogue anti-spyware program (I can’t remember which one) about a month ago, using rkill and malwarebytes, but I’ve had the following problems ever since:

-Computer freezes during shutdown (a blank blue screen) after “windows is shutting down” message
-All web searches are redirected
-Programs frequently freeze/crash, forcing me to do a manual shut down
-Can’t perform system restore
-Computer doesn’t recognize external hard drive (which means I cannot backup)
-Computer audio doesn’t work (speakers and headphones)

*when I tried to enable the Windows Firewall I got the following error message:
Error in SHELL32.DLL
Missing entry:CONTROL_RUNDLL

**error messages at startup:
Error in BTHPROPS.CPL
Missing entry:BLUETOOTHAUTHENTICATIONAGENT
And
Error in C:\PROGRA~1\THINKPAD\UTILIT~1\PWRMGRTR.DLL
Missing entry:PWRMGRBKGNDMONITOR

_________________________________________________________________________________________

DDS (Ver_10-03-17.01) - NTFSx86
Run by t_heman at 13:41:35.45 on Mon 04/26/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1534.692 [GMT -7:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Proventia Desktop *enabled* {D5FF068F-88CF-439C-B39B-43862474514E}

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Altiris\AClient\AClient.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ISS\Proventia Desktop\blackd.exe
svchost.exe
C:\WINDOWS\system32\ccsrvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Altiris\Carbon Copy\shellker.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ISS\Proventia Desktop\RapApp.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\ISS\Proventia Desktop\vpatch.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\PROGRA~1\altiris\CARBON~1\client.exe
C:\WINDOWS\SYSTEM32\TPSCRLK.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRAM FILES\THINKPAD\CONNECTUTILITIES\ACWLICON.EXE
C:\PROGRAM FILES\ALTIRIS\ACLIENT\ACLNTUSR.EXE
C:\PROGRA~1\THINKPAD\UTILIT~1\EZEJMNAP.EXE
C:\PROGRAM FILES\ANALOG DEVICES\CORE\SMAX4PNP.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRA~1\LENOVO\PKGMGR\HOTKEY\TPHKMGR.EXE
C:\PROGRAM FILES\DNA\BTDNA.EXE
C:\PROGRA~1\SYMANT~1\VPTRAY.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\ISS\PROVENTIA DESKTOP\BLACKICE.EXE
C:\PROGRAM FILES\LENOVO\PKGMGR\HOTKEY\TPONSCR.EXE
C:\PROGRAM FILES\LENOVO\PKGMGR\HOTKEY_1\TPSCREX.EXE
C:\WINDOWS\explorer.exe
C:\Documents and Settings\t_heman\Local Settings\Application Data\ave.exe
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Documents and Settings\t_heman\Desktop\dds.scr

============== Pseudo HJT Report ===============

uWindow Title = Microsoft Internet Explorer provided by IT Service Centers
uStart Page = hxxp://www.google.com/
mDefault_Page_URL = hxxp://infosys.autodesk.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
uRun: [BitTorrent DNA] "c:\program files\dna\BTDNA.EXE"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [AClntUsr] c:\program files\altiris\aclient\AClntUsr.EXE
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TPKBDLED] c:\windows\system32\TpScrLk.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
mRun: [TPHOTKEY] c:\progra~1\lenovo\pkgmgr\hotkey\TPHKMGR.exe
mRun: [AeXAgentLogon] c:\program files\altiris\altiris agent\AeXAgentActivate.exe /logon
mRun: [QuickTime Task] "c:\program files\quicktime\QTTASK.EXE" -atboottime
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\PROVEN~1.LNK -
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{d25122bc-a60e-4663-b602-b01718f12044}\Icon3E5562ED7.ico
mPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: autodesk.ca
Trusted Zone: autodesk.co.jp
Trusted Zone: autodesk.co.kr
Trusted Zone: autodesk.co.nz
Trusted Zone: autodesk.co.uk
Trusted Zone: autodesk.com
Trusted Zone: autodesk.com\*.ads
Trusted Zone: autodesk.com\petaim-vip
Trusted Zone: autodesk.cz
Trusted Zone: autodesk.de
Trusted Zone: autodesk.dk
Trusted Zone: autodesk.es
Trusted Zone: autodesk.fr
Trusted Zone: autodesk.hu
Trusted Zone: autodesk.it
Trusted Zone: autodesk.nl
Trusted Zone: autodesk.no
Trusted Zone: autodesk.pl
Trusted Zone: autodesk.pt
Trusted Zone: autodesk.ru
Trusted Zone: autodesk.se
Trusted Zone: com.au\*.autodesk
Trusted Zone: com.br\*.autodesk
Trusted Zone: com.cn\*.autodesk
Trusted Zone: com.hk\*.autodesk
Trusted Zone: com.my\*.autodesk
Trusted Zone: com.sg\*.autodesk
Trusted Zone: com.tw\*.autodesk
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1233699911921
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163772695560
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: ACNotify - ACNotify.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: tpfnf2 - notifyf2.dll
Notify: tphotkey - tphklock.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\ddcDuRkI
LSA: Notification Packages = scecli ACGina c:\windows\system32\zibuyubo.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\t_heman\applic~1\mozilla\firefox\profiles\2r6uystp.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-ytbm&p=
FF - plugin: c:\program files\java\j2re1.4.2_06\bin\NPJPI142_06.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 a320raid;a320raid;c:\windows\system32\drivers\a320raid.sys [2007-1-10 251578]
R0 aac;PERC 320/DC SCSI RAID Miniport Driver;c:\windows\system32\drivers\aac.sys [2007-1-10 48140]
R0 aarich;aarich;c:\windows\system32\drivers\aarich.sys [2007-1-10 241815]
R0 AFAMgt;AFAMgt;c:\windows\system32\drivers\afamgt.sys [2007-1-10 92411]
R1 CCDevice;CCDevice;c:\windows\system32\drivers\CCDevice.sys [2005-3-23 9216]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-12-19 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-12-19 54968]
R2 BlackICE;BlackICE;c:\program files\iss\proventia desktop\blackd.exe [2007-3-28 2007382]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-3-24 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-3-24 169632]
R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-6-15 115952]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-6-15 1805552]
R2 VPatch;ISS Buffer Overflow Exploit Prevention;c:\program files\iss\proventia desktop\vpatch.exe [2007-3-28 426333]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2007-3-27 102712]
R3 MakoNT;MakoNT;c:\windows\system32\drivers\MakoNT.sys [2007-3-28 76849]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20070327.019\naveng.sys [2007-3-27 80472]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20070327.019\navex15.sys [2007-3-27 852600]
R3 rap;rap;c:\windows\system32\drivers\RapDrv.sys [2007-3-28 47697]
R4 black;black;c:\windows\system32\drivers\Blackcat.sys [2007-3-28 196978]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2008-2-29 16512]
S3 cpuz132;cpuz132;\??\c:\docume~1\t_heman\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\t_heman\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-6-21 38224]

============== File Associations ===============

.exe=secfile

=============== Created Last 30 ================

2010-04-26 20:37:07 0 ----a-w- c:\documents and settings\t_heman\defogger_reenable
2010-04-26 19:39:35 0 d-----w- c:\windows\system32\drivers\down
2010-04-20 07:14:47 0 d-----w- c:\windows\system32\NtmsData
2010-04-20 07:05:38 266360 ----a-w- c:\windows\system32\TweakUI.exe
2010-04-20 07:05:38 160217 ----a-w- c:\windows\system32\PowerToysLicense.rtf

==================== Find3M ====================

2008-10-24 06:03:31 1305088 ----a-w- c:\program files\NF_Movie_Player_211.msi
2005-11-15 22:32:22 3638 ----a-r- c:\program files\common files\Altiris_Icon.ico

============= FINISH: 13:41:59.14 ===============
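As an added defender's example (not code from this thread, nor from the DDS or RSIT tools), here is a small Python triage script that scans log lines in the two formats posted in this thread for the indicators visible above: the proxy pinned to 127.0.0.1 (the likely cause of the search redirects), the hijacked .exe file association, unexpected LSA authentication/notification packages, and a process running from a user-writable profile directory. The sample lines are excerpted from the logs in this thread; the LSA baselines and the finding labels are assumptions made for the example.

```python
import re
from typing import List, Tuple

# Constructed sample: lines excerpted from the DDS and RSIT logs posted in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\explorer.exe
C:\Documents and Settings\t_heman\Local Settings\Application Data\ave.exe
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
LSA: Authentication Packages = msv1_0 c:\windows\system32\ddcDuRkI
LSA: Notification Packages = scecli ACGina c:\windows\system32\zibuyubo.dll
.exe=secfile
.exe - open - "C:\Documents and Settings\t_heman\Local Settings\Application Data\ave.exe" /START "%1" %*
"""

# Assumed baselines for a stock Windows XP box. Anything else is listed for review;
# legitimate third-party GINA/credential components (e.g. a vendor's ACGina) will
# show up too, and the analyst decides.
LSA_AUTH_BASELINE = {"msv1_0"}
LSA_NOTIFY_BASELINE = {"scecli"}

# DDS: "uInternet Settings,ProxyServer = http=127.0.0.1:5555"
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?:http=)?(127\.0\.0\.1|localhost):(\d+)", re.I)
# DDS: "LSA: Authentication Packages = msv1_0 <extra entries, space separated>"
LSA_RE = re.compile(r"^LSA:\s*(Authentication|Notification) Packages\s*=\s*(.*)$", re.I)
# DDS: ".exe=secfile"  (a clean XP box has ".exe=exefile")
EXE_ASSOC_RE = re.compile(r"^\.exe\s*=\s*(\S+)$", re.I)
# RSIT: '.exe - open - "%1" %*' is the default open command
EXE_OPEN_RE = re.compile(r"^\.exe - open - (.*)$", re.I)
# Running process living under the user's Local Settings\Application Data or Temp
USER_WRITABLE_RE = re.compile(
    r"^c:\\documents and settings\\[^\\]+\\local settings\\(application data|temp)\\[^\\]+\.exe$",
    re.I,
)


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (finding_label, value) pairs for suspicious lines in a DDS/RSIT log."""
    findings: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = PROXY_RE.search(line)
        if m:
            findings.append(("localhost_proxy", f"{m.group(1)}:{m.group(2)}"))
            continue

        m = LSA_RE.match(line)
        if m:
            kind = m.group(1).lower()
            baseline = LSA_AUTH_BASELINE if kind == "authentication" else LSA_NOTIFY_BASELINE
            # DDS prints the packages space separated, so split on whitespace.
            for pkg in m.group(2).split():
                if pkg.lower() not in baseline:
                    findings.append((f"lsa_{kind}_package", pkg))
            continue

        m = EXE_ASSOC_RE.match(line)
        if m:
            if m.group(1).lower() != "exefile":
                findings.append(("exe_association_hijack", m.group(1)))
            continue

        m = EXE_OPEN_RE.match(line)
        if m:
            if m.group(1).strip() != '"%1" %*':
                findings.append(("exe_open_command_hijack", m.group(1).strip()))
            continue

        if USER_WRITABLE_RE.match(line):
            findings.append(("process_in_user_writable_dir", line))
    return findings


if __name__ == "__main__":
    for label, value in triage(SAMPLE_LOG):
        print(f"{label:32s} {value}")
```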


#2 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:12:10 PM

Posted 30 April 2010 - 08:09 PM

Hello, ordak.
My name is aommaster and I will be helping you with your log.

I apologize for the delay in response; we get overwhelmed at times, but we are trying our best to keep up.
If you have since resolved the original problem you were having, I would appreciate you letting us know. If not please perform the following below so I can have a look at the current condition of your machine.

Thanks

Should you still require assistance, please take note of the points below:
  • Please track this topic by either adding it to your favourites or clicking the Options button at the top of this thread and then Track this topic.
  • Please disable word-wrap before posting logs. This can be done by clicking Format and un-ticking the word-wrap feature in notepad.
  • The logs that you post should be copied and pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • If you do not reply within 5 days, I will have to close your topic. Should you not be able to meet this, please notify me so that I will leave the topic open.
  • Please do not install, update, or run any programs for the duration of the fix.
  • If you do not understand the instructions I provide, please don't hesitate to ask. That's what I'm here for :)
  • Please continue to reply to this topic until I give you the all clean. Just because there are no symptoms of infection doesn't mean that the computer is clean.
  • If you are running Vista, please run all the fixes as an administrator. This is done by right-clicking the program and clicking "Run as Administrator".

Please do the following so I can take a look at the current state of your system.

We need to run RSIT
  1. Download random's system information tool (RSIT) by random/random and save it to your desktop.
  2. Double click on RSIT.exe.
  3. Click Continue at the disclaimer screen.
  4. Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

NEXT:
(This step may produce a blank log. Let me know if that is the case)
We need to run a GMER scan
  1. Download GMER and save to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.
  2. Close all other open programs as there is a slight chance your computer will crash.
  3. Double click the GMER program. Your security programs may detect GMER's driver trying to load. Allow it.
  4. You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  5. Make sure all options are checked except:
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive, which is typically C:\
    • Show All (This is important, so do not miss it.)
    Note: If GMER crashes or hangs, please retry running a scan. Only this time, in addition to the options mentioned above, uncheck Devices as well.
  6. When the scan is complete, click Save and save the log onto your desktop.

In your next reply, please include the following:
  • Log.txt
  • info.txt
  • gmer.log

My website: http://aommaster.com
Please do not send me PMs requesting help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#3 ordak

ordak
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:01:10 AM

Posted 01 May 2010 - 12:21 AM

Hey aommaster,

Thank you so much for taking me on!

Here are the logs you requested:

______________________________________________________________________________________

log.txt:

Logfile of random's system information tool 1.06 (written by random/random)
Run by t_heman at 2010-04-30 20:59:49
Microsoft Windows XP Professional Service Pack 2
System drive C: has 303 MB (0%) free of 95 GB
Total RAM: 1534 MB (49% free)


======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Automatic troubleshooting.job
C:\WINDOWS\tasks\PMTask.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-23 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"=C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE [2004-08-04 208952]
"MSPY2002"=C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe [2004-08-04 59392]
"PHIME2002ASync"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-04 455168]
"PHIME2002A"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-04 455168]
"SoundMAXPnP"=C:\Program Files\Analog Devices\Core\smax4pnp.exe [2005-05-20 925696]
"BluetoothAuthenticationAgent"=bthprops.cpl,,BluetoothAuthenticationAgent []
"AClntUsr"=C:\Program Files\Altiris\AClient\AClntUsr.EXE [2010-04-30 184320]
"PWRMGRTR"=rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor []
"BLOG"=rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog []
"EZEJMNAP"=C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe [2006-11-29 243248]
"TPKMAPHELPER"=C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe [2006-06-02 856064]
"SynTPLpr"=C:\Program Files\Synaptics\SynTP\SynTPLpr.exe [2006-02-14 110592]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2006-02-14 512000]
"TPKBDLED"=C:\WINDOWS\system32\TpScrLk.exe [2002-10-08 40960]
"ccApp"=C:\Program Files\Common Files\Symantec Shared\ccApp.exe [2006-03-24 53408]
"vptray"=C:\PROGRA~1\SYMANT~1\VPTray.exe [2006-06-15 124656]
"ACWLIcon"=C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe [2006-12-25 110592]
"TPHOTKEY"=C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe [2006-10-02 94208]
"AeXAgentLogon"=C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe [2006-09-13 139264]
"QuickTime Task"=C:\PROGRAM FILES\QUICKTIME\QTTASK.EXE [2008-05-27 413696]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"=C:\PROGRAM FILES\DNA\BTDNA.EXE [2009-11-07 323392]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2009-03-05 2260480]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Proventia Desktop Agent.lnk -
VPN Client.lnk - C:\WINDOWS\Installer\{D25122BC-A60E-4663-B602-B01718F12044}\Icon3E5562ED7.ico

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ACNotify]
C:\Program Files\ThinkPad\ConnectUtilities\ACNotify.dll [2006-12-25 32768]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2006-09-13 86016]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
C:\WINDOWS\system32\NavLogon.dll [2006-06-15 43760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tpfnf2]
C:\WINDOWS\system32\notifyf2.dll [2005-07-05 28672]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tphotkey]
C:\WINDOWS\system32\tphklock.dll [2005-11-30 24576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
C:\WINDOWS\system32\ddcDuRkI
"notification packages"=scecli
ACGina
C:\WINDOWS\system32\zibuyubo.dll

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoDrives"=00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoSMConfigurePrograms"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\altiris\aclient\AClntUsr.EXE"="C:\Program Files\altiris\aclient\AClntUsr.EXE:*:Enabled:AClntUsr - AClient Interactive User Service"
"C:\Program Files\DNA\btdna.exe"="C:\Program Files\DNA\btdna.exe:*:Enabled:DNA"
"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\WINDOWS\system32\winlogon.exe"="C:\WINDOWS\system32\winlogon.exe:*:Enabled:winlogon"
"C:\WINDOWS\explorer.exe"="C:\WINDOWS\explorer.exe:*:Enabled:Explorer"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\altiris\aclient\AClntUsr.EXE"="C:\Program Files\altiris\aclient\AClntUsr.EXE:*:Enabled:AClntUsr - AClient Interactive User Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d97eabf0-2baa-11dd-b2f1-0016cfdad2d2}]
shell\AutoRun\command - E:\LaunchU3.exe -a


======File associations======

.exe - open - "C:\Documents and Settings\t_heman\Local Settings\Application Data\ave.exe" /START "%1" %*

======List of files/folders created in the last 3 months======

2010-04-30 20:59:50 ----D---- C:\Program Files\trend micro
2010-04-30 20:59:49 ----D---- C:\rsit
2010-04-20 00:14:47 ----D---- C:\WINDOWS\system32\NtmsData
2010-04-20 00:05:38 ----A---- C:\WINDOWS\system32\TweakUI.exe
2010-04-04 01:43:59 ----SHD---- C:\Config.Msi
2010-03-11 22:51:43 ----A---- C:\WINDOWS\system32\TURegOpt.exe
2010-03-11 22:51:41 ----A---- C:\WINDOWS\system32\uxtuneup.dll
2010-03-11 22:51:27 ----D---- C:\Documents and Settings\t_heman\Application Data\TuneUp Software
2010-03-11 22:51:13 ----D---- C:\Program Files\TuneUp Utilities 2010
2010-03-11 22:50:43 ----D---- C:\Documents and Settings\All Users\Application Data\TuneUp Software
2010-03-11 22:50:28 ----SHD---- C:\Documents and Settings\All Users\Application Data\{D3742F82-1C1A-4DCC-ABBD-0E7C3C0185CC}
2010-03-11 22:30:32 ----A---- C:\WINDOWS\reimage.ini
2010-03-11 22:29:56 ----D---- C:\Program Files\Reimage
2010-02-25 21:23:49 ----A---- C:\WINDOWS\ntbtlog.txt

======List of files/folders modified in the last 3 months======

2010-04-30 20:59:50 ----RD---- C:\Program Files
2010-04-30 20:57:13 ----D---- C:\WINDOWS\Temp
2010-04-30 20:52:33 ----D---- C:\Program Files\DNA
2010-04-30 20:52:33 ----D---- C:\Documents and Settings\t_heman\Application Data\DNA
2010-04-30 20:50:17 ----D---- C:\Program Files\Symantec AntiVirus
2010-04-30 20:50:10 ----D---- C:\WINDOWS\system32\CatRoot2
2010-04-30 20:49:59 ----SHD---- C:\WINDOWS\CSC
2010-04-30 14:09:18 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-04-30 10:23:14 ----D---- C:\WINDOWS\system32
2010-04-27 16:54:20 ----D---- C:\WINDOWS
2010-04-26 15:42:10 ----RAD---- C:\My Documents
2010-04-26 13:41:35 ----D---- C:\WINDOWS\Prefetch
2010-04-26 13:37:07 ----D---- C:\Program Files\Mozilla Firefox
2010-04-26 12:39:34 ----HD---- C:\WINDOWS\system32\drivers
2010-04-04 01:43:58 ----SHD---- C:\WINDOWS\Installer
2010-04-04 00:45:02 ----D---- C:\WINDOWS\system32\config
2010-03-31 23:59:24 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2010-03-30 20:41:28 ----D---- C:\Program Files\EphPod
2010-03-30 20:40:49 ----D---- C:\Documents and Settings\t_heman\Application Data\iPod Copy Expert
2010-03-11 22:51:49 ----SD---- C:\WINDOWS\Tasks
2010-03-11 22:05:48 ----D---- C:\Program Files\Spybot - Search & Destroy
2010-03-03 22:59:59 ----HDC---- C:\WINDOWS\$NtUninstallKB910437$
2010-02-25 23:09:14 ----HDC---- C:\WINDOWS\$NtUninstallKB914388$
2010-02-25 21:36:33 ----D---- C:\Documents and Settings
2010-02-25 21:35:48 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-02-23 22:43:02 ----D---- C:\Documents and Settings\t_heman\Application Data\BitTorrent

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 ANC;ANC; C:\WINDOWS\System32\drivers\ANC.SYS [2005-11-08 11520]
R1 CCDevice;CCDevice; C:\WINDOWS\system32\drivers\CCDevice.sys [2005-03-23 9216]
R1 eeCtrl;Symantec Eraser Control driver; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys []
R1 IBMTPCHK;IBMTPCHK; \??\C:\WINDOWS\system32\Drivers\IBMBLDID.sys []
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-04 36096]
R1 SAVRT;SAVRT; \??\C:\Program Files\Symantec AntiVirus\savrt.sys []
R1 SAVRTPEL;SAVRTPEL; \??\C:\Program Files\Symantec AntiVirus\Savrtpel.sys []
R1 Smapint;Smapint; C:\WINDOWS\System32\drivers\Smapint.sys [2006-10-01 14848]
R1 SPBBCDrv;SPBBCDrv; \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys []
R1 SYMTDI;SYMTDI; C:\WINDOWS\System32\Drivers\SYMTDI.SYS [2006-01-24 195776]
R1 TDSMAPI;TDSMAPI; C:\WINDOWS\System32\drivers\TDSMAPI.SYS [2006-10-01 9343]
R1 TPHKDRV;TPHKDRV; C:\WINDOWS\system32\drivers\TPHKDRV.sys [2005-07-05 17699]
R1 TPPWRIF;TPPWRIF; C:\WINDOWS\System32\drivers\Tppwrif.sys [2006-12-19 4442]
R1 TSMAPIP;TSMAPIP; C:\WINDOWS\System32\drivers\TSMAPIP.SYS [2006-08-18 7168]
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.6.0.0; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2007-03-28 21425]
R2 CVPNDRVA;Cisco Systems Inc. IPSec Driver; \??\C:\WINDOWS\system32\Drivers\CVPNDRVA.sys []
R2 irda;IrDA Protocol; C:\WINDOWS\system32\DRIVERS\irda.sys [2004-08-03 87424]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2006-06-18 12672]
R2 s24trans;WLAN Transport; C:\WINDOWS\system32\DRIVERS\s24trans.sys [2006-10-19 12544]
R3 ADIHdAudAddService;ADI UAA Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\ADIHdAud.sys [2006-06-20 178688]
R3 AEAudioService;AEAudio Service; C:\WINDOWS\system32\drivers\AEAudio.sys [2006-08-07 93952]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2006-09-13 1724416]
R3 atmeltpm;atmeltpm; C:\WINDOWS\system32\DRIVERS\atmeltpm.sys [2005-05-17 15872]
R3 CmBatt;Microsoft AC Adapter Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2004-08-03 14080]
R3 CVirtA;Cisco Systems VPN Adapter; C:\WINDOWS\system32\DRIVERS\CVirtA.sys [2005-05-17 5315]
R3 DNE;Deterministic Network Enhancer Miniport; C:\WINDOWS\system32\DRIVERS\dne2000.sys [2005-08-18 110080]
R3 e1express;Intel® PRO/1000 PCI Express Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e1e5132.sys [2006-11-02 181760]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys []
R3 GEARAspiWDM;GEARAspiWDM; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2008-01-29 16168]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2005-01-07 138752]
R3 HSF_DPV;HSF_DPV; C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys [2006-08-28 990592]
R3 HSFHWAZL;HSFHWAZL; C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys [2006-08-28 208384]
R3 IBMPMDRV;IBMPMDRV; C:\WINDOWS\system32\DRIVERS\ibmpmdrv.sys [2006-09-22 19888]
R3 MakoNT;MakoNT; C:\WINDOWS\system32\drivers\MakoNT.sys [2006-06-09 76849]
R3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20070327.019\naveng.sys []
R3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20070327.019\navex15.sys []
R3 NETw3x32;Intel® PRO/Wireless 3945ABG Adapter Driver for Windows XP 32 Bit; C:\WINDOWS\system32\DRIVERS\NETw3x32.sys [2006-10-17 1711104]
R3 NSCIRDA;NSC Infrared Device Driver; C:\WINDOWS\system32\DRIVERS\nscirda.sys [2004-08-03 28672]
R3 rap;rap; C:\WINDOWS\System32\drivers\RapDrv.sys [2006-06-09 47697]
R3 Rasirda;WAN Miniport (IrDA); C:\WINDOWS\system32\DRIVERS\rasirda.sys [2001-08-17 19584]
R3 SymEvent;SymEvent; \??\C:\Program Files\Symantec\SYMEVENT.SYS []
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2006-02-14 177664]
R3 TcUsb;TC USB Kernel Driver; C:\WINDOWS\System32\Drivers\tcusb.sys [2006-04-25 28800]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-03 26624]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-04 20480]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2006-08-28 728576]
R4 black;black; C:\WINDOWS\System32\drivers\BlackCat.sys [2006-06-09 196978]
S3 AlKernel;Altiris Kernel Driver; C:\WINDOWS\System32\Drivers\AlKernel.sys [2007-03-27 2401]
S3 ASPI;Advanced SCSI Programming Interface Driver; \??\C:\WINDOWS\System32\DRIVERS\ASPI32.sys []
S3 BthEnum;Bluetooth Request Block Driver; C:\WINDOWS\system32\DRIVERS\BthEnum.sys [2004-08-03 17024]
S3 BthPan;Bluetooth Device (Personal Area Network); C:\WINDOWS\system32\DRIVERS\bthpan.sys [2004-08-03 100992]
S3 BTHPORT;Bluetooth Port Driver; C:\WINDOWS\System32\Drivers\BTHport.sys [2004-08-03 274304]
S3 BTHUSB;Bluetooth Radio USB Driver; C:\WINDOWS\System32\Drivers\BTHUSB.sys [2004-08-03 18944]
S3 cpuz132;cpuz132; \??\C:\DOCUME~1\t_heman\LOCALS~1\Temp\cpuz132\cpuz132_x32.sys []
S3 es1371;Creative AudioPCI (ES1371,ES1373) (WDM); C:\WINDOWS\system32\drivers\es1371mp.sys [2001-08-17 40704]
S3 MBAMSwissArmy;MBAMSwissArmy; \??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys []
S3 PCnet;AMD PCNET Compatable Adapter Driver; C:\WINDOWS\system32\DRIVERS\pcntpci5.sys [2001-08-17 35328]
S3 RFCOMM;Bluetooth Device (RFCOMM Protocol TDI); C:\WINDOWS\system32\DRIVERS\rfcomm.sys [2004-08-03 59648]
S3 SYMREDRV;SYMREDRV; C:\WINDOWS\System32\Drivers\SYMREDRV.SYS [2006-01-24 24768]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 31616]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AClient;Altiris Client Service; C:\Program Files\Altiris\AClient\AClient.exe [2007-02-09 5308492]
R2 AcPrfMgrSvc;Ac Profile Manager Service; C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe [2006-12-25 53248]
R2 AcSvc;Access Connections Main Service; C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe [2006-12-25 172032]
R2 AeXNSClient;Altiris Agent; C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe [2006-09-13 1257472]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-02-18 110592]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2006-09-13 413696]
R2 BlackICE;BlackICE; C:\Program Files\ISS\Proventia Desktop\blackd.exe [2006-06-09 2007382]
R2 BthServ;Bluetooth Support Service; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
R2 ccEvtMgr;Symantec Event Manager; C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe [2006-03-24 192160]
R2 ccSetMgr;Symantec Settings Manager; C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe [2006-03-24 169632]
R2 CVPND;Cisco Systems, Inc. VPN Service; C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe [2006-04-20 1520688]
R2 DefWatch;Symantec AntiVirus Definition Watcher; C:\Program Files\Symantec AntiVirus\DefWatch.exe [2006-06-15 31472]
R2 EvtEng;Intel® PROSet/Wireless Event Log; C:\Program Files\Intel\Wireless\Bin\EvtEng.exe [2006-10-18 434176]
R2 IBMPMSVC;ThinkPad PM Service; C:\WINDOWS\system32\ibmpmsvc.exe [2006-09-22 37680]
R2 Irmon;Infrared Monitor; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
R2 RapApp;RapApp; C:\Program Files\ISS\Proventia Desktop\RapApp.exe [2006-06-09 844126]
R2 RegSrvc;Intel® PROSet/Wireless Registry Service; C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe [2006-10-18 327680]
R2 S24EventMonitor;Intel® PROSet/Wireless Service; C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe [2006-10-18 946176]
R2 SavRoam;SAVRoam; C:\Program Files\Symantec AntiVirus\SavRoam.exe [2006-06-15 115952]
R2 SPBBCSvc;Symantec SPBBCSvc; C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe [2006-04-11 1160848]
R2 Symantec AntiVirus;Symantec AntiVirus; C:\Program Files\Symantec AntiVirus\Rtvscan.exe [2006-06-15 1805552]
R2 TpKmpSVC;IBM KCU Service; C:\WINDOWS\system32\TpKmpSVC.exe [2005-06-06 32768]
R2 UxTuneUp;TuneUp Theme Extension; C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
R2 VPatch;ISS Buffer Overflow Exploit Prevention; C:\Program Files\ISS\Proventia Desktop\vpatch.exe [2006-06-09 426333]
S2 CarbonCopy32;Altiris Carbon Copy; C:\WINDOWS\system32\ccsrvc.exe [2005-03-23 65536]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-14 32768]
S3 CarbonCopyScheduler;Carbon Copy Scheduler; C:\WINDOWS\system32\schdsrvc.exe [2005-03-23 274432]
S3 ICDSPTSV;Sony SPTI Service for DVE; C:\WINDOWS\system32\IcdSptSv.exe [2008-11-22 94208]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-06-02 504104]
S3 LiveUpdate;LiveUpdate; C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE [2006-02-23 2045632]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 SNDSrvc;Symantec Network Drivers Service; C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe [2006-01-24 214720]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service; C:\Program Files\TuneUp Utilities 2010\TuneUpDefragService.exe [2010-03-11 435016]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]

-----------------EOF-----------------

__________________________________________________________________________________________

info.txt:

info.txt logfile of random's system information tool 1.06 2010-04-30 20:59:58

======Uninstall list======

-->C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe /uninstall
-->C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe /uninstall
-->C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
-->C:\WINDOWS\system32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
-->MsiExec.exe /I{0CDCA5CD-C404-41FD-9216-9B4B3D24A7AA}
-->MsiExec.exe /I{9A346205-EA92-4406-B1AB-50379DA3F057}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.5-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81300000003}
Adobe® Photoshop® Album Starter Edition 3.2-->MsiExec.exe /I{A654A805-41D9-40C7-AA46-4AF04F044D61}
Altiris Carbon Copy Solution Agent -->MsiExec.exe /X{BC13AD87-65E7-4963-A2DA-1ED419D3DC34}
Altiris Carbon Copy Solution Agent 6.1-->MsiExec.exe /x {BC13AD87-65E7-4963-A2DA-1ED419D3DC34} /qf
Altiris Patch Management Agent-->MsiExec.exe /I{A847BFFB-A77E-4D71-A22F-6268EAF1B1AB}
Altiris Software Delivery Solution Agent-->MsiExec.exe /X{A0A1EB01-A6FD-423A-8480-364055A7C961}
Altiris Task Synchronization Agent-->MsiExec.exe /X{2851123E-5786-41BE-A3F1-A9B21E499EEB}
Apple Mobile Device Support-->MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update-->MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
ATI Display Driver-->rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Autodesk DWF Viewer 7-->MsiExec.exe /I{9A346205-EA92-4406-B1AB-50379DA3F057}
Cisco Systems VPN Client 4.8.01.0300-->MsiExec.exe /X{D25122BC-A60E-4663-B602-B01718F12044}
Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
dBpowerAMP FLAC Codec-->"C:\WINDOWS\system32\SpoonUninstall.exe" <uninstall>C:\WINDOWS\system32\SpoonUninstall-dBpowerAMP FLAC Codec.dat
deskPDF 2.5 Professional Edition-->"C:\Program Files\Docudesk\deskPDF\unins000.exe"
deskUNPDF 2-->"C:\Program Files\Docudesk\deskUNPDF\unins000.exe"
Digital Voice Editor 3-->C:\Program Files\InstallShield Installation Information\{6CCC133E-9A2F-4CAA-8866-75D029CD3AB3}\setup.exe -runfromtemp -l0x0009 UNINSTALL /z -removeonly
DivX Codec-->C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Converter-->C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player-->C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Plus DirectShow Filters-->C:\Program Files\DivX\DivXDSFiltersUninstall.exe /DSFILTERS
DivX Web Player-->C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Final Draft 7-->MsiExec.exe /I{78D62D17-D970-42DA-B8CF-5E5576293B33}
FLV Player 2.0 (build 25)-->C:\Program Files\FLV Player\uninst.exe
FLV Player-->"C:\WINDOWS\FLV Player\uninstall.exe" "/U:C:\Program Files\FLV Player\Uninstall\uninstall.xml"
Hotfix for Windows XP (KB926239)-->"C:\WINDOWS\$NtUninstallKB926239$\spuninst\spuninst.exe"
IBM RecordNow!-->MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
Intel® PRO Network Connections Drivers-->Prounstl.exe
Intel® PROSet/Wireless Software-->C:\WINDOWS\Installer\iProInst.exe
InterActual Player-->C:\Program Files\InterActual\InterActual Player\inuninst.exe
InterVideo WinDVD-->"C:\Program Files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe" REMOVEALL
iTunes-->MsiExec.exe /I{9F70BF98-003C-491D-81FC-FF9792206AF0}
Java 2 Runtime Environment, SE v1.4.2_06-->MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142060}
LiveUpdate 3.0 (Symantec Corporation)-->"C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
mCore-->MsiExec.exe /I{E81667C6-2856-46D6-ABEA-6A2F42166779}
mDriver-->MsiExec.exe /I{A0F925BF-5C55-44C2-A4E7-5A4C59791C29}
Microsoft .NET Framework 1.1 Hotfix (KB886903)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M886903\M886903Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7-->"C:\WINDOWS\$NtUninstallWdf01007$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
mMHouse-->MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
Mozilla Firefox (3.6.3)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
mPfMgr-->MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
mProSafe-->MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}
mWlsSafe-->MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}
mXML-->MsiExec.exe /I{9CC89556-3578-48DD-8408-04E66EBEF401}
Netflix Movie Viewer-->MsiExec.exe /X{BCE72AED-3332-4863-9567-C5DCB9052CA2}
PC-Doctor 5 for Windows-->C:\Program Files\PCDR5\uninst.exe
QuickTime-->MsiExec.exe /I{08CA9554-B5FE-4313-938F-D4A417B81175}
Scroll Lock Indicator Utility-->RunDll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\system32\TpScrLk.inf
Security Update for Windows Media Player (KB911564)-->"C:\WINDOWS\$NtUninstallKB911564$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP10$\spuninst\spuninst.exe"
Security Update for Windows Media Player 6.4 (KB925398)-->"C:\WINDOWS\$NtUninstallKB925398_WMP64$\spuninst\spuninst.exe"
Security Update for Windows Media Player 9 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB893756)-->"C:\WINDOWS\$NtUninstallKB893756$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896358)-->"C:\WINDOWS\$NtUninstallKB896358$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896423)-->"C:\WINDOWS\$NtUninstallKB896423$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896424)-->"C:\WINDOWS\$NtUninstallKB896424$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896428)-->"C:\WINDOWS\$NtUninstallKB896428$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899587)-->"C:\WINDOWS\$NtUninstallKB899587$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899591)-->"C:\WINDOWS\$NtUninstallKB899591$\spuninst\spuninst.exe"
Security Update for Windows XP (KB900725)-->"C:\WINDOWS\$NtUninstallKB900725$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901017)-->"C:\WINDOWS\$NtUninstallKB901017$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901190)-->"C:\WINDOWS\$NtUninstallKB901190$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901214)-->"C:\WINDOWS\$NtUninstallKB901214$\spuninst\spuninst.exe"
Security Update for Windows XP (KB902400)-->"C:\WINDOWS\$NtUninstallKB902400$\spuninst\spuninst.exe"
Security Update for Windows XP (KB904706)-->"C:\WINDOWS\$NtUninstallKB904706$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905414)-->"C:\WINDOWS\$NtUninstallKB905414$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905749)-->"C:\WINDOWS\$NtUninstallKB905749$\spuninst\spuninst.exe"
Security Update for Windows XP (KB908519)-->"C:\WINDOWS\$NtUninstallKB908519$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911562)-->"C:\WINDOWS\$NtUninstallKB911562$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911567)-->"C:\WINDOWS\$NtUninstallKB911567$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911927)-->"C:\WINDOWS\$NtUninstallKB911927$\spuninst\spuninst.exe"
Security Update for Windows XP (KB912919)-->"C:\WINDOWS\$NtUninstallKB912919$\spuninst\spuninst.exe"
Security Update for Windows XP (KB913580)-->"C:\WINDOWS\$NtUninstallKB913580$\spuninst\spuninst.exe"
Security Update for Windows XP (KB914388)-->"C:\WINDOWS\$NtUninstallKB914388$\spuninst\spuninst.exe"
Security Update for Windows XP (KB914389)-->"C:\WINDOWS\$NtUninstallKB914389$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917344)-->"C:\WINDOWS\$NtUninstallKB917344$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917422)-->"C:\WINDOWS\$NtUninstallKB917422$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917953)-->"C:\WINDOWS\$NtUninstallKB917953$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918439)-->"C:\WINDOWS\$NtUninstallKB918439$\spuninst\spuninst.exe"
Security Update for Windows XP (KB919007)-->"C:\WINDOWS\$NtUninstallKB919007$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920213)-->"C:\WINDOWS\$NtUninstallKB920213$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920214)-->"C:\WINDOWS\$NtUninstallKB920214$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920670)-->"C:\WINDOWS\$NtUninstallKB920670$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920683)-->"C:\WINDOWS\$NtUninstallKB920683$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920685)-->"C:\WINDOWS\$NtUninstallKB920685$\spuninst\spuninst.exe"
Security Update for Windows XP (KB921398)-->"C:\WINDOWS\$NtUninstallKB921398$\spuninst\spuninst.exe"
Security Update for Windows XP (KB922616)-->"C:\WINDOWS\$NtUninstallKB922616$\spuninst\spuninst.exe"
Security Update for Windows XP (KB922760)-->"C:\WINDOWS\$NtUninstallKB922760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB922819)-->"C:\WINDOWS\$NtUninstallKB922819$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923191)-->"C:\WINDOWS\$NtUninstallKB923191$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923414)-->"C:\WINDOWS\$NtUninstallKB923414$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923689)-->"C:\WINDOWS\$NtUninstallKB923689$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923694)-->"C:\WINDOWS\$NtUninstallKB923694$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Security Update for Windows XP (KB923980)-->"C:\WINDOWS\$NtUninstallKB923980$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924191)-->"C:\WINDOWS\$NtUninstallKB924191$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924270)-->"C:\WINDOWS\$NtUninstallKB924270$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924496)-->"C:\WINDOWS\$NtUninstallKB924496$\spuninst\spuninst.exe"
Security Update for Windows XP (KB925454)-->"C:\WINDOWS\$NtUninstallKB925454$\spuninst\spuninst.exe"
Security Update for Windows XP (KB925486)-->"C:\WINDOWS\$NtUninstallKB925486$\spuninst\spuninst.exe"
Security Update for Windows XP (KB926255)-->"C:\WINDOWS\$NtUninstallKB926255$\spuninst\spuninst.exe"
Security Update for Windows XP (KB929969)-->"C:\WINDOWS\$NtUninstallKB929969$\spuninst\spuninst.exe"
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Symantec AntiVirus-->MsiExec.exe /I{78D891EF-9E2D-4FC8-A71F-E6F897BA1B21}
ThinkPad Configuration-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FC081D4D-DF1B-4CF1-B530-027E4118D846}\SETUP.EXE" -l0x9 -AddRemove
ThinkPad EasyEject Utility -->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1297C681-92D7-40EF-93BF-03F66EC5105C}\SETUP.EXE" -l0x9 -AddRemove
ThinkPad FullScreen Magnifier-->RunDll32 setupapi.dll,InstallHinfSection DefaultUninstall.NT 132 C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.inf
ThinkPad Keyboard Customizer Utility-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2111B23F-7FDA-4A41-8309-E5A1663CA296}\SETUP.EXE" -l0x9 anything
ThinkPad Modem-->C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_10140588\HXFSETUP.EXE -U -ITkp0588k.inf
ThinkPad Power Management Driver-->RunDll32.exe tpinspm.dll,Uninstall
ThinkPad Power Manager-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A0E64EBA-8BF0-49FB-90C0-BB3D781A2016}\SETUP.EXE" -l0x9 -AddRemove
ThinkPad Presentation Director-->C:\WINDOWS\IsUninst.exe -fC:\PROGRA~1\ThinkPad\UTILIT~1\UNNPDR.isu -c"C:\Program Files\ThinkPad\Utilities\Tpinsnpd.dll"
ThinkPad UltraNav Driver-->rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
ThinkPad UltraNav Wizard-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{82512BC9-BD5D-4C50-BE4D-B98E7DF78687}\SETUP.EXE" -l0x9 UNINSTALL
ThinkVantage Access Connections-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7EB114D8-207F-45AE-BABD-1669715F2630}\setup.exe" -l0x9 anything
Time Zone Data Update Tool for Microsoft Office Outlook-->MsiExec.exe /X{95120000-0038-0409-0000-0000000FF1CE}
TuneUp Utilities-->C:\Program Files\TuneUp Utilities 2010\TUInstallHelper.exe --Trigger-Uninstall
Tweak UI-->"C:\WINDOWS\system32\mshta.exe" "res://C:\WINDOWS\system32\TweakUI.exe/uninstall.hta"
Update for Windows XP (KB894391)-->"C:\WINDOWS\$NtUninstallKB894391$\spuninst\spuninst.exe"
Update for Windows XP (KB898461)-->"C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Update for Windows XP (KB900485)-->"C:\WINDOWS\$NtUninstallKB900485$\spuninst\spuninst.exe"
Update for Windows XP (KB908531)-->"C:\WINDOWS\$NtUninstallKB908531$\spuninst\spuninst.exe"
Update for Windows XP (KB910437)-->"C:\WINDOWS\$NtUninstallKB910437$\spuninst\spuninst.exe"
Update for Windows XP (KB911280)-->"C:\WINDOWS\$NtUninstallKB911280$\spuninst\spuninst.exe"
Update for Windows XP (KB916595)-->"C:\WINDOWS\$NtUninstallKB916595$\spuninst\spuninst.exe"
Update for Windows XP (KB920872)-->"C:\WINDOWS\$NtUninstallKB920872$\spuninst\spuninst.exe"
Update for Windows XP (KB922582)-->"C:\WINDOWS\$NtUninstallKB922582$\spuninst\spuninst.exe"
Update for Windows XP (KB931836)-->"C:\WINDOWS\$NtUninstallKB931836$\spuninst\spuninst.exe"
VC80CRTRedist - 8.0.50727.762-->MsiExec.exe /I{767CC44C-9BBC-438D-BAD3-FD4595DD148B}
Vodei Multimedia Processor 2.10-->C:\Program Files\Vodei\uninst.exe
Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows Support Tools-->MsiExec.exe /I{89B078C4-50B0-453E-BF53-3A7E6A0D85FA}
Windows XP Hotfix - KB873339-->C:\WINDOWS\$NtUninstallKB873339$\spuninst\spuninst.exe
Windows XP Hotfix - KB885835-->C:\WINDOWS\$NtUninstallKB885835$\spuninst\spuninst.exe
Windows XP Hotfix - KB885836-->C:\WINDOWS\$NtUninstallKB885836$\spuninst\spuninst.exe
Windows XP Hotfix - KB886185-->C:\WINDOWS\$NtUninstallKB886185$\spuninst\spuninst.exe
Windows XP Hotfix - KB888302-->C:\WINDOWS\$NtUninstallKB888302$\spuninst\spuninst.exe
Windows XP Hotfix - KB890859-->"C:\WINDOWS\$NtUninstallKB890859$\spuninst\spuninst.exe"
Windows XP Hotfix - KB891781-->C:\WINDOWS\$NtUninstallKB891781$\spuninst\spuninst.exe
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
WinZip 9.0 SR-1-->MsiExec.exe /I{345A4F96-3451-4622-B9CE-20ADDFDBFC80}

======Hosts File======

127.0.0.1 localhost

======Security center information======

AV: Symantec AntiVirus Corporate Edition (outdated)
FW: Proventia Desktop

======System event log======

Computer Name: SFO12357186
Event Code: 51
Message: An error was detected on device \Device\Harddisk0\D during a paging operation.

Record Number: 155
Source Name: Disk
Time Written: 20100422132420.000000-420
Event Type: warning
User:

Computer Name: SFO12357186
Event Code: 51
Message: An error was detected on device \Device\Harddisk0\D during a paging operation.

Record Number: 154
Source Name: Disk
Time Written: 20100422132420.000000-420
Event Type: warning
User:

Computer Name: SFO12357186
Event Code: 51
Message: An error was detected on device \Device\Harddisk0\D during a paging operation.

Record Number: 153
Source Name: Disk
Time Written: 20100422132420.000000-420
Event Type: warning
User:

Computer Name: SFO12357186
Event Code: 51
Message: An error was detected on device \Device\Harddisk0\D during a paging operation.

Record Number: 152
Source Name: Disk
Time Written: 20100422132420.000000-420
Event Type: warning
User:

Computer Name: SFO12357186
Event Code: 51
Message: An error was detected on device \Device\Harddisk0\D during a paging operation.

Record Number: 151
Source Name: Disk
Time Written: 20100422132420.000000-420
Event Type: warning
User:

=====Application event log=====

Computer Name: SFO12357186
Event Code: 0
Message:
Record Number: 14373
Source Name: TuneUp.UtilitiesSvc
Time Written: 20100404002743.000000-420
Event Type:
User:

Computer Name: SFO12357186
Event Code: 1000
Message: Could not execute the following script \\ads.autodesk.com\SysVol\ads.autodesk.com\scripts\Altiris\AeXInstall.bat. The network location cannot be reached. For information about network troubleshooting, see Windows Help.
.

Record Number: 14369
Source Name: UserInit
Time Written: 20100404002738.000000-420
Event Type: error
User:

Computer Name: SFO12357186
Event Code: 1000
Message: Could not execute the following script \\ads.autodesk.com\SYSVOL\ads.autodesk.com\scripts\KIXTART\kix32.exe. The network location cannot be reached. For information about network troubleshooting, see Windows Help.
.

Record Number: 14368
Source Name: UserInit
Time Written: 20100404002737.000000-420
Event Type: error
User:

Computer Name: SFO12357186
Event Code: 1054
Message: Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

Record Number: 14367
Source Name: Userenv
Time Written: 20100404002737.000000-420
Event Type: error
User: NT AUTHORITY\SYSTEM

Computer Name: SFO12357186
Event Code: 8
Message: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The server name or address could not be resolved


Record Number: 14360
Source Name: crypt32
Time Written: 20100403235412.000000-420
Event Type: error
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=C:\Program Files\ThinkPad\Utilities;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Support Tools\;C:\Program Files\Intel\Wireless\Bin\;C:\Program Files\ThinkPad\ConnectUtilities;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Common Files\DivX Shared\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 6, GenuineIntel
"PROCESSOR_REVISION"=0f06
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"CLASSPATH"=.;C:\Program Files\Java\j2re1.4.2_06\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\j2re1.4.2_06\lib\ext\QTJava.zip

-----------------EOF-----------------

______________________________________________________________________________________

gmer.log

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-30 21:24:31
Windows 5.1.2600 Service Pack 2
Running: US4V4JBV.EXE; Driver: C:\DOCUME~1\t_heman\LOCALS~1\Temp\kwdyipog.sys


---- System - GMER 1.0.15 ----

SSDT 8971AA78 ZwAlertResumeThread
SSDT 8970DA88 ZwAlertThread
SSDT 898CBFC0 ZwAllocateVirtualMemory
SSDT 895C5698 ZwConnectPort
SSDT \SystemRoot\System32\drivers\RapDrv.sys (Rap Protection System/Internet Security Systems, Inc.) ZwCreateKey [0x9D2118D0]
SSDT 89725A88 ZwCreateMutant
SSDT 8984BD10 ZwCreateThread
SSDT \SystemRoot\System32\drivers\RapDrv.sys (Rap Protection System/Internet Security Systems, Inc.) ZwDebugActiveProcess [0x9D211272]
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xA1D93CC0]
SSDT 8970AE90 ZwFreeVirtualMemory
SSDT 89722A78 ZwImpersonateAnonymousToken
SSDT 8971CDB8 ZwImpersonateThread
SSDT 898E0BD8 ZwMapViewOfSection
SSDT 89829BE8 ZwOpenEvent
SSDT \SystemRoot\System32\drivers\RapDrv.sys (Rap Protection System/Internet Security Systems, Inc.) ZwOpenKey [0x9D211A1A]
SSDT \SystemRoot\System32\drivers\RapDrv.sys (Rap Protection System/Internet Security Systems, Inc.) ZwOpenProcess [0x9D211284]
SSDT 8970AD18 ZwOpenProcessToken
SSDT 8970CA90 ZwOpenThreadToken
SSDT 8993AE58 ZwQueryValueKey
SSDT 89708F30 ZwResumeThread
SSDT 8970CAC8 ZwSetContextThread
SSDT 8970BC10 ZwSetInformationProcess
SSDT 8970CB00 ZwSetInformationThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xA1D93F20]
SSDT 8987DB58 ZwSuspendProcess
SSDT 8970CDF0 ZwSuspendThread
SSDT \SystemRoot\System32\drivers\RapDrv.sys (Rap Protection System/Internet Security Systems, Inc.) ZwTerminateProcess [0x9D211114]
SSDT 8970CC78 ZwTerminateThread
SSDT 8970BA98 ZwUnmapViewOfSection
SSDT 898C2FC0 ZwWriteVirtualMemory

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs RapDrv.sys (Rap Protection System/Internet Security Systems, Inc.)

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

Device \Driver\Tcpip \Device\Ip RapDrv.sys (Rap Protection System/Internet Security Systems, Inc.)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 mouclass.sys (Mouse Class Driver/Microsoft Corporation)

Device \Driver\ACPI \Device\0000009e 89789A98

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\ACPI \Device\000000a0 89789A98
Device \Driver\Tcpip \Device\Tcp RapDrv.sys (Rap Protection System/Internet Security Systems, Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\ACPI \Device\000000a1 89789A98
Device \Driver\IpFilterDriver \Device\IPFILTERDRIVER BlackCat.sys (Network Packet Driver/Internet Security Systems, Inc.)
Device \Driver\ACPI \Device\000000a2 89789A98
Device \Driver\ACPI \Device\000000a3 89789A98
Device \Driver\ACPI \Device\000000b0 89789A98
Device \Driver\ACPI \Device\000000a4 89789A98
Device \Driver\ACPI \Device\000000b1 89789A98
Device \Driver\ACPI \Device\000000a5 89789A98
Device \Driver\ACPI \Device\000000b2 89789A98
Device \Driver\ACPI \Device\000000a6 89789A98
Device \Driver\ACPI \Device\000000b3 89789A98
Device \Driver\ACPI \Device\000000a7 89789A98
Device \Driver\ACPI \Device\000000b4 89789A98
Device \Driver\ACPI \Device\000000b5 89789A98
Device \Driver\ACPI \Device\00000090 89789A98
Device \Driver\ACPI \Device\000000b6 89789A98
Device \Driver\ACPI \Device\00000091 89789A98
Device \Driver\ACPI \Device\00000093 89789A98
Device \Driver\ACPI \Device\00000094 89789A98
Device \Driver\ACPI \Device\000000d3 89789A98
Device \Driver\ACPI \Device\00000095 89789A98
Device \Driver\Tcpip \Device\Udp RapDrv.sys (Rap Protection System/Internet Security Systems, Inc.)

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\ACPI \Device\000000c8 89789A98
Device \Driver\ACPI \Device\00000096 89789A98
Device \Driver\Tcpip \Device\RawIp RapDrv.sys (Rap Protection System/Internet Security Systems, Inc.)

AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\ACPI \Device\000000d5 89789A98
Device \Driver\ACPI \Device\000000c9 89789A98
Device \Driver\ACPI \Device\000000d8 89789A98
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver RapDrv.sys (Rap Protection System/Internet Security Systems, Inc.)
Device \Driver\Tcpip \Device\IPMULTICAST RapDrv.sys (Rap Protection System/Internet Security Systems, Inc.)
Device \FileSystem\MRxSmb \Device\LanmanRedirector RapDrv.sys (Rap Protection System/Internet Security Systems, Inc.)
Device \Driver\ACPI \Device\000000ca 89789A98
Device \Driver\ACPI \Device\000000cb 89789A98
Device \Driver\ACPI \Device\000000cc 89789A98

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\0016cfdad2d2 (not active ControlSet)
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0016cfdad2d2
Reg HKLM\SYSTEM\ControlSet004\Services\BTHPORT\Parameters\Keys\0016cfdad2d2 (not active ControlSet)


#4 aommaster

    I !<3 malware

  • Malware Response Team
  • 5,294 posts
  • Gender:Male
  • Location:Dubai

Posted 01 May 2010 - 03:56 AM

Hello, ordak.
Glad to be of help :)

Doesn't look like HJT was able to download and run, so let's use another scanner.
We need to run a DDS scan
  1. Please download DDS by sUBs from one of the following links. Save it to your desktop.
    Download 1
    Download 2
  2. Double click on the DDS icon, allow it to run
  3. A small box will open, with an explanation about the tool. No input is needed, the scan is running
  4. Notepad will open with the results, click no to the Optional Scan
  5. Follow the instructions that pop up for posting the results
  6. Close the program window
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. You can find information on A/V control HERE

In your next reply, please include the following:
  • DDS Log

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#5 ordak

  • Topic Starter
  • Members
  • 16 posts

Posted 01 May 2010 - 04:16 AM

aommaster,

two notepad documents opened up:

DDS.txt:


DDS (Ver_10-03-17.01) - NTFSx86
Run by t_heman at 2:18:49.64 on Sat 05/01/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1534.739 [GMT -7:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Proventia Desktop *enabled* {D5FF068F-88CF-439C-B39B-43862474514E}

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Altiris\AClient\AClient.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ISS\Proventia Desktop\blackd.exe
svchost.exe
C:\WINDOWS\system32\ccsrvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Altiris\Carbon Copy\shellker.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ISS\Proventia Desktop\RapApp.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\ISS\Proventia Desktop\vpatch.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\altiris\CARBON~1\client.exe
C:\PROGRAM FILES\ANALOG DEVICES\CORE\SMAX4PNP.EXE
C:\PROGRAM FILES\ALTIRIS\ACLIENT\ACLNTUSR.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRA~1\LENOVO\PKGMGR\HOTKEY\TPHKMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM32\TPSCRLK.EXE
C:\PROGRAM FILES\THINKPAD\CONNECTUTILITIES\ACWLICON.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\PROGRAM FILES\DNA\BTDNA.EXE
C:\PROGRA~1\THINKPAD\UTILIT~1\EZEJMNAP.EXE
C:\PROGRA~1\SYMANT~1\VPTRAY.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\ISS\PROVENTIA DESKTOP\BLACKICE.EXE
C:\PROGRAM FILES\LENOVO\PKGMGR\HOTKEY\TPONSCR.EXE
C:\PROGRAM FILES\LENOVO\PKGMGR\HOTKEY_1\TPSCREX.EXE
C:\Documents and Settings\t_heman\Local Settings\Application Data\ave.exe
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Documents and Settings\t_heman\Desktop\dds.scr

============== Pseudo HJT Report ===============

uWindow Title = Microsoft Internet Explorer provided by IT Service Centers
uStart Page = hxxp://www.google.com/
mDefault_Page_URL = hxxp://infosys.autodesk.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
uRun: [BitTorrent DNA] "c:\program files\dna\BTDNA.EXE"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [AClntUsr] c:\program files\altiris\aclient\AClntUsr.EXE
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TPKBDLED] c:\windows\system32\TpScrLk.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
mRun: [TPHOTKEY] c:\progra~1\lenovo\pkgmgr\hotkey\TPHKMGR.exe
mRun: [AeXAgentLogon] c:\program files\altiris\altiris agent\AeXAgentActivate.exe /logon
mRun: [QuickTime Task] "c:\program files\quicktime\QTTASK.EXE" -atboottime
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\PROVEN~1.LNK -
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{d25122bc-a60e-4663-b602-b01718f12044}\Icon3E5562ED7.ico
mPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: autodesk.ca
Trusted Zone: autodesk.co.jp
Trusted Zone: autodesk.co.kr
Trusted Zone: autodesk.co.nz
Trusted Zone: autodesk.co.uk
Trusted Zone: autodesk.com
Trusted Zone: autodesk.com\*.ads
Trusted Zone: autodesk.com\petaim-vip
Trusted Zone: autodesk.cz
Trusted Zone: autodesk.de
Trusted Zone: autodesk.dk
Trusted Zone: autodesk.es
Trusted Zone: autodesk.fr
Trusted Zone: autodesk.hu
Trusted Zone: autodesk.it
Trusted Zone: autodesk.nl
Trusted Zone: autodesk.no
Trusted Zone: autodesk.pl
Trusted Zone: autodesk.pt
Trusted Zone: autodesk.ru
Trusted Zone: autodesk.se
Trusted Zone: com.au\*.autodesk
Trusted Zone: com.br\*.autodesk
Trusted Zone: com.cn\*.autodesk
Trusted Zone: com.hk\*.autodesk
Trusted Zone: com.my\*.autodesk
Trusted Zone: com.sg\*.autodesk
Trusted Zone: com.tw\*.autodesk
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1233699911921
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163772695560
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: ACNotify - ACNotify.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: tpfnf2 - notifyf2.dll
Notify: tphotkey - tphklock.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\ddcDuRkI
LSA: Notification Packages = scecli ACGina c:\windows\system32\zibuyubo.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\t_heman\applic~1\mozilla\firefox\profiles\2r6uystp.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-ytbm&p=
FF - plugin: c:\program files\java\j2re1.4.2_06\bin\NPJPI142_06.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 a320raid;a320raid;c:\windows\system32\drivers\a320raid.sys [2007-1-10 251578]
R0 aac;PERC 320/DC SCSI RAID Miniport Driver;c:\windows\system32\drivers\aac.sys [2007-1-10 48140]
R0 aarich;aarich;c:\windows\system32\drivers\aarich.sys [2007-1-10 241815]
R0 AFAMgt;AFAMgt;c:\windows\system32\drivers\afamgt.sys [2007-1-10 92411]
R1 CCDevice;CCDevice;c:\windows\system32\drivers\CCDevice.sys [2005-3-23 9216]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-12-19 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-12-19 54968]
R2 BlackICE;BlackICE;c:\program files\iss\proventia desktop\blackd.exe [2007-3-28 2007382]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-3-24 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-3-24 169632]
R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-6-15 115952]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-6-15 1805552]
R2 VPatch;ISS Buffer Overflow Exploit Prevention;c:\program files\iss\proventia desktop\vpatch.exe [2007-3-28 426333]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2007-3-27 102712]
R3 MakoNT;MakoNT;c:\windows\system32\drivers\MakoNT.sys [2007-3-28 76849]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20070327.019\naveng.sys [2007-3-27 80472]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20070327.019\navex15.sys [2007-3-27 852600]
R3 rap;rap;c:\windows\system32\drivers\RapDrv.sys [2007-3-28 47697]
R4 black;black;c:\windows\system32\drivers\Blackcat.sys [2007-3-28 196978]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2008-2-29 16512]
S3 cpuz132;cpuz132;\??\c:\docume~1\t_heman\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\t_heman\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-6-21 38224]

============== File Associations ===============

.exe=secfile

=============== Created Last 30 ================

2010-05-01 03:59:50 0 d-----w- c:\program files\trend micro
2010-04-26 20:37:07 0 ----a-w- c:\documents and settings\t_heman\defogger_reenable
2010-04-26 19:39:35 0 d-----w- c:\windows\system32\drivers\down
2010-04-20 07:14:47 0 d-----w- c:\windows\system32\NtmsData
2010-04-20 07:05:38 266360 ----a-w- c:\windows\system32\TweakUI.exe
2010-04-20 07:05:38 160217 ----a-w- c:\windows\system32\PowerToysLicense.rtf

==================== Find3M ====================

2008-10-24 06:03:31 1305088 ----a-w- c:\program files\NF_Movie_Player_211.msi
2005-11-15 22:32:22 3638 ----a-r- c:\program files\common files\Altiris_Icon.ico

============= FINISH: 2:19:47.40 ===============


and Attach.txt


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 3/28/2007 4:37:02 AM
System Uptime: 5/1/2010 2:10:23 AM (0 hours ago)

Motherboard: LENOVO | | 20078JU
Processor: Intel® Core™2 CPU T7600 @ 2.33GHz | None | 977/167mhz
Processor: Intel® Core™2 CPU T7600 @ 2.33GHz | None | 977/167mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 93 GiB total, 0.291 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP262: 4/19/2010 7:38:28 PM - System Checkpoint
RP263: 4/21/2010 11:37:57 AM - System Checkpoint
RP264: 4/26/2010 12:37:56 PM - Restore Operation
RP265: 4/26/2010 12:43:14 PM - Restore Operation

==== Installed Programs ======================

Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.5
Adobe® Photoshop® Album Starter Edition 3.2
Altiris Carbon Copy Solution Agent
Altiris Carbon Copy Solution Agent 6.1
Altiris Patch Management Agent
Altiris Software Delivery Solution Agent
Altiris Task Synchronization Agent
Apple Mobile Device Support
Apple Software Update
ATI Display Driver
Autodesk DWF Viewer 7
BitTorrent
Cisco Systems VPN Client 4.8.01.0300
Compatibility Pack for the 2007 Office system
dBpowerAMP FLAC Codec
deskPDF 2.5 Professional Edition
deskUNPDF 2
Digital Voice Editor 3
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Web Player
DNA
Final Draft 7
FLV Player
FLV Player 2.0 (build 25)
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows XP (KB926239)
IBM RecordNow!
Intel® PRO Network Connections Drivers
Intel® PROSet/Wireless Software
InterActual Player
InterVideo WinDVD
iTunes
Java 2 Runtime Environment, SE v1.4.2_06
KB408682
LiveUpdate 3.0 (Symantec Corporation)
Malwarebytes' Anti-Malware
mCore
mDriver
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
mMHouse
Mozilla Firefox (3.6.3)
mPfMgr
mProSafe
mWlsSafe
mXML
Netflix Movie Viewer
PC-Doctor 5 for Windows
QuickTime
Scroll Lock Indicator Utility
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB929969)
Spybot - Search & Destroy
Symantec AntiVirus
ThinkPad Configuration
ThinkPad EasyEject Utility
ThinkPad FullScreen Magnifier
ThinkPad Keyboard Customizer Utility
ThinkPad Modem
ThinkPad Power Management Driver
ThinkPad Power Manager
ThinkPad Presentation Director
ThinkPad UltraNav Driver
ThinkPad UltraNav Wizard
ThinkVantage Access Connections
Time Zone Data Update Tool for Microsoft Office Outlook
TuneUp Utilities
TuneUp Utilities Language Pack (en-US)
Tweak UI
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB931836)
VC80CRTRedist - 8.0.50727.762
Vodei Multimedia Processor 2.10
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
Windows Media Player 11
Windows Support Tools
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB883667
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
WinZip 9.0 SR-1

==== Event Viewer Messages From Past Week ========

4/28/2010 6:29:16 PM, error: Service Control Manager [7034] - The Cisco Systems, Inc. VPN Service service terminated unexpectedly. It has done this 1 time(s).
4/28/2010 2:18:20 PM, error: Dhcp [1002] - The IP address lease 192.168.1.102 for the Network Card with network address 0019D2762DB9 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
4/27/2010 4:56:56 PM, error: System Error [1003] - Error code 10000050, parameter1 ffffff60, parameter2 00000000, parameter3 804eddd0, parameter4 00000000.
4/27/2010 3:49:38 PM, error: NETLOGON [5719] - No Domain Controller is available for domain ADS due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
4/26/2010 12:43:07 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
4/26/2010 12:43:07 PM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

==== End Of File ===========================


is this what you were looking for?
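A small triage script for the DDS log format posted above, added here as an example and not code from the thread or from the DDS tool itself. The sample lines are copied from the DDS.txt in this post; the stock Windows XP baselines (LSA packages `msv1_0`/`scecli`, `.exe=exefile`) and the vendor allowlist containing ACGina are this example's own assumptions, and every hit is a "review this" flag rather than a verdict.

```python
"""Triage helper for the DDS log format shown in this thread.

Added example, not code from the thread or from the DDS tool itself.
The sample lines are copied from the DDS.txt posted above; the Windows XP
baselines and the vendor allowlist are this example's own assumptions.
"""
import re

# Constructed sample: a subset of the DDS.txt lines posted in this thread.
SAMPLE_LOG = r"""
============== Running Processes ===============

C:\WINDOWS\system32\spoolsv.exe
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\Documents and Settings\t_heman\Local Settings\Application Data\ave.exe
C:\Documents and Settings\t_heman\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
LSA: Authentication Packages = msv1_0 c:\windows\system32\ddcDuRkI
LSA: Notification Packages = scecli ACGina c:\windows\system32\zibuyubo.dll

============== File Associations ===============

.exe=secfile
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")

# Assumption: stock Windows XP values. Anything beyond these deserves a look.
LSA_BASELINE = {
    "authentication packages": {"msv1_0"},
    "notification packages": {"scecli"},
}
# Assumption: vendor packages the analyst has already verified on this build
# (ACGina ships with ThinkVantage Access Connections, which this log lists).
LSA_ALLOWLIST = {"ACGina"}

# Executables living under user-writable profile folders are worth a look;
# legitimate software rarely runs from Temp or Local Settings on XP.
USER_WRITABLE_DIR = re.compile(r"\\(local settings|application data|temp)\\", re.I)


def parse_sections(text):
    """Split a DDS log into {section name (lower case): [non-empty lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1).lower()
            sections[current] = []
        elif line and current is not None:
            sections[current].append(line)
    return sections


def triage(text):
    """Return (rule, detail) findings for a DDS log; an empty list means
    none of the rules fired, not that the host is clean."""
    sections = parse_sections(text)
    findings = []

    for proc in sections.get("running processes", []):
        if USER_WRITABLE_DIR.search(proc):
            findings.append(("process-in-user-writable-dir", proc))

    for entry in sections.get("pseudo hjt report", []):
        key, _, value = entry.partition(" = ")
        # A per-user proxy on the loopback interface means something local is
        # sitting between the browser and the network (the log above shows one).
        if key.endswith("ProxyServer") and re.search(r"127\.0\.0\.1|localhost", value):
            findings.append(("loopback-proxy", entry))
        if key.startswith("LSA: "):
            name = key[len("LSA: "):].lower()
            extra = [pkg for pkg in value.split()
                     if pkg not in LSA_BASELINE.get(name, set())
                     and pkg not in LSA_ALLOWLIST]
            if extra:
                findings.append(("lsa-package-not-in-baseline",
                                 f"{name}: {' '.join(extra)}"))

    for assoc in sections.get("file associations", []):
        ext, _, progid = assoc.partition("=")
        # Stock XP maps .exe to "exefile"; any other ProgID hooks every
        # program launch, which is why DDS reports the deviation.
        if ext.lower() == ".exe" and progid.lower() != "exefile":
            findings.append(("exe-association-hijacked", assoc))

    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"[{rule}] {detail}")
```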

#6 aommaster

    I !<3 malware

  • Malware Response Team
  • 5,294 posts
  • Gender:Male
  • Location:Dubai

Posted 01 May 2010 - 01:08 PM

Hello, ordak.
That's spot on :) I just needed a more detailed bit of registry information to ensure that I know what we're removing.

P2P Program Warning!

BitTorrent

P2P programs form a direct conduit onto your computer, their security measures are easily circumvented, and Malware writers are increasingly exploiting them to spread their wares onto your computer. Further to that, if your P2P programme is not configured correctly you may be sharing more files than you realise. There have been cases where people's Passwords, Address Books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured programme.

This article from InfoWorld illustrates perfectly the dangers of a poorly configured P2P program.
Here

Many of the programs come bundled with other unwanted programs, but even the ones free of any bundled software are not safe to use.
When you use them you are downloading software from an unknown source directly onto your computer, bypassing your Firewall and Anti-Virus software. Hardly surprising then that many of these Downloads are being targeted to carry infections.

Note: It is pretty much certain that if you continue to use P2P programs, then you will get infected again.
I would recommend that you uninstall the programs listed above, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.




We need to disable TeaTimer
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like.
  1. Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  2. If prompted with a legal dialog, accept the warning.
  3. Click Mode and then on "Advanced Mode"
  4. You may be presented with a warning dialog. If so, press yes
  5. Click on Tools
  6. Click on Resident
  7. Uncheck the following checkboxes:
    • Resident "SDHelper" (Internet Explorer bad download blocker) active.
    • Resident "TeaTimer" (Protection for over-all system settings) active.
  8. Close/Exit Spybot Search and Destroy


NEXT:

We need to download and run ComboFix (by sUBs)
  1. Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
    They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". For more details, please check this thread
  2. Please download ComboFix from one of these locations:
    Link 1
    Link 2
    ** IMPORTANT !!! Save ComboFix.exe to your Desktop
  3. Double click on ComboFix.exe & follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  5. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  6. Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    The Recovery Console was successfully installed. Click 'Yes' to continue scanning for malware. Click 'No' to exit
  7. Click on Yes, to continue scanning for malware.
  8. When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a new HijackThis log.
**A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
**This tool is not a toy and not for everyday use.
**ComboFix SHOULD NOT be used unless requested by a forum helper


In your next reply, please include the following:
  • ComboFix.txt
  • Fresh HijackThis Log



#7 ordak

  • Topic Starter
  • Members
  • 16 posts

Posted 03 May 2010 - 01:36 AM

Hi aommaster,

I followed your instructions all the way through running ComboFix. When the whole process was over a log.txt file opened up, but somehow closed before I got a chance to save it. I don't want to run ComboFix again because of the warning that I should only run it when you instruct me to do so.

I don't believe I've done a HijackThis log yet (as far as I can tell) so I'm not sure about how to do that.

On the bright side, however, my computer is running almost as well as it did before this whole fiasco. It shuts down properly, XP Security Tool seems to be gone, web searches work, sound works, and it is reading the external hard drive.

I cannot thank you enough for getting me this far. What do we do next, to make sure everything is clean and safe?

Thanks

Ordak

#8 aommaster

    I !<3 malware

  • Malware Response Team
  • 5,294 posts
  • Gender:Male
  • Location:Dubai

Posted 03 May 2010 - 02:40 AM

Hi!

Firstly, it's possible that the infection is not gone yet; the Combofix log will tell us more. You can find this log at C:\combofix.txt

Also, instead of Hijackthis, you can simply run DDS again.

Glad to hear things are looking up :)



#9 ordak

  • Topic Starter
  • Members
  • 16 posts

Posted 03 May 2010 - 01:09 PM

aommaster,

Thanks for clarifying.

One problem has surfaced. Whenever I try to start up the computer normally it ends up directing me to a blue screen that says "A problem has been detected and windows has been shut down to prevent damage" leading to a data dump. After 20 seconds the screen goes away and the computer restarts, only leading to the same blue screen. This loop continues unless I choose to run in Safe Mode (which is what I am in right now). After running safe mode, it allows me to restart in normal mode without the blue screen...

Here are the logs you requested:

ComboFix.txt:

ComboFix 10-05-02.01 - t_heman 05/02/2010 19:46:00.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1534.899 [GMT -7:00]
Running from: c:\documents and settings\t_heman\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\t_heman\LOCALS~1\Temp\_is15D.exe
c:\docume~1\t_heman\LOCALS~1\Temp\1.tmp\nircmd.rkexe
c:\docume~1\t_heman\LOCALS~1\Temp\1.tmp\nircmdc.rkexe
c:\docume~1\t_heman\LOCALS~1\Temp\1.tmp\pev.rkexe
c:\docume~1\t_heman\LOCALS~1\Temp\1.tmp\sed.rkexe
c:\docume~1\t_heman\LOCALS~1\Temp\186.tmp\nircmd.rkexe
c:\docume~1\t_heman\LOCALS~1\Temp\186.tmp\nircmdc.rkexe
c:\docume~1\t_heman\LOCALS~1\Temp\186.tmp\pev.rkexe
c:\docume~1\t_heman\LOCALS~1\Temp\186.tmp\sed.rkexe
c:\docume~1\t_heman\LOCALS~1\Temp\18F.tmp\nircmd.rkexe
c:\docume~1\t_heman\LOCALS~1\Temp\18F.tmp\nircmdc.rkexe
c:\docume~1\t_heman\LOCALS~1\Temp\18F.tmp\pev.rkexe
c:\docume~1\t_heman\LOCALS~1\Temp\18F.tmp\sed.rkexe
c:\docume~1\t_heman\LOCALS~1\Temp\1E2.tmp\nircmd.rkexe
c:\docume~1\t_heman\LOCALS~1\Temp\1E2.tmp\nircmdc.rkexe
c:\docume~1\t_heman\LOCALS~1\Temp\1E2.tmp\pev.rkexe
c:\docume~1\t_heman\LOCALS~1\Temp\1E2.tmp\sed.rkexe
c:\docume~1\t_heman\LOCALS~1\Temp\2EB.tmp\nircmd.rkexe
c:\docume~1\t_heman\LOCALS~1\Temp\2EB.tmp\nircmdc.rkexe
c:\docume~1\t_heman\LOCALS~1\Temp\2EB.tmp\pev.rkexe
c:\docume~1\t_heman\LOCALS~1\Temp\2EB.tmp\sed.rkexe
c:\docume~1\t_heman\LOCALS~1\Temp\2FC.tmp\nircmd.rkexe
c:\docume~1\t_heman\LOCALS~1\Temp\2FC.tmp\nircmdc.rkexe
c:\docume~1\t_heman\LOCALS~1\Temp\2FC.tmp\pev.rkexe
c:\docume~1\t_heman\LOCALS~1\Temp\2FC.tmp\sed.rkexe
c:\docume~1\t_heman\LOCALS~1\Temp\3.tmp\nircmd.rkexe
c:\docume~1\t_heman\LOCALS~1\Temp\3.tmp\nircmdc.rkexe
c:\docume~1\t_heman\LOCALS~1\Temp\3.tmp\pev.rkexe
c:\docume~1\t_heman\LOCALS~1\Temp\3.tmp\sed.rkexe
c:\docume~1\t_heman\LOCALS~1\Temp\306.tmp\nircmd.rkexe
c:\docume~1\t_heman\LOCALS~1\Temp\306.tmp\nircmdc.rkexe
c:\docume~1\t_heman\LOCALS~1\Temp\306.tmp\pev.rkexe
c:\docume~1\t_heman\LOCALS~1\Temp\306.tmp\sed.rkexe
c:\docume~1\t_heman\LOCALS~1\Temp\30D.tmp\nircmd.rkexe
c:\docume~1\t_heman\LOCALS~1\Temp\30D.tmp\nircmdc.rkexe
c:\docume~1\t_heman\LOCALS~1\Temp\30D.tmp\pev.rkexe
c:\docume~1\t_heman\LOCALS~1\Temp\30D.tmp\sed.rkexe
c:\docume~1\t_heman\LOCALS~1\Temp\4.tmp\nircmd.rkexe
c:\docume~1\t_heman\LOCALS~1\Temp\4.tmp\nircmdc.rkexe
c:\docume~1\t_heman\LOCALS~1\Temp\4.tmp\pev.rkexe
c:\docume~1\t_heman\LOCALS~1\Temp\4.tmp\sed.rkexe
c:\docume~1\t_heman\LOCALS~1\Temp\5.tmp\nircmd.rkexe
c:\docume~1\t_heman\LOCALS~1\Temp\5.tmp\nircmdc.rkexe
c:\docume~1\t_heman\LOCALS~1\Temp\5.tmp\pev.rkexe
c:\docume~1\t_heman\LOCALS~1\Temp\5.tmp\sed.rkexe
c:\docume~1\t_heman\LOCALS~1\Temp\89.tmp\nircmd.rkexe
c:\docume~1\t_heman\LOCALS~1\Temp\89.tmp\nircmdc.rkexe
c:\docume~1\t_heman\LOCALS~1\Temp\89.tmp\pev.rkexe
c:\docume~1\t_heman\LOCALS~1\Temp\89.tmp\sed.rkexe
c:\docume~1\t_heman\LOCALS~1\Temp\Adobe Reader 8\Setup.exe
c:\docume~1\t_heman\LOCALS~1\Temp\Adobe Reader 8_\Setup.exe
c:\docume~1\t_heman\LOCALS~1\Temp\Adobe_Downloads\pase320_en_US.exe
c:\docume~1\t_heman\LOCALS~1\Temp\Div1F6.tmp\DivXInstaller.exe
c:\docume~1\t_heman\LOCALS~1\Temp\Div391.tmp\DivXInstaller.exe
c:\docume~1\t_heman\LOCALS~1\Temp\Div9AB.tmp\DivXInstaller.exe
c:\docume~1\t_heman\LOCALS~1\Temp\DivA48.tmp\DivXInstaller.exe
c:\docume~1\t_heman\LOCALS~1\Temp\DivD9.tmp\DivXInstaller.exe
c:\docume~1\t_heman\LOCALS~1\Temp\EdRegAcd.dll
c:\docume~1\t_heman\LOCALS~1\Temp\FD.tmp\nircmd.rkexe
c:\docume~1\t_heman\LOCALS~1\Temp\FD.tmp\nircmdc.rkexe
c:\docume~1\t_heman\LOCALS~1\Temp\FD.tmp\pev.rkexe
c:\docume~1\t_heman\LOCALS~1\Temp\FD.tmp\sed.rkexe
c:\docume~1\t_heman\LOCALS~1\Temp\GLF607.tmp
c:\docume~1\t_heman\LOCALS~1\Temp\IMS.dll
c:\docume~1\t_heman\LOCALS~1\Temp\is-3B5IB.tmp\_isetup\_RegDLL.tmp
c:\docume~1\t_heman\LOCALS~1\Temp\is-3B5IB.tmp\_isetup\_shfoldr.dll
c:\docume~1\t_heman\LOCALS~1\Temp\is-3B5IB.tmp\mbam.dll
c:\docume~1\t_heman\LOCALS~1\Temp\is-5M92T.tmp\mbam-setup.tmp
c:\docume~1\t_heman\LOCALS~1\Temp\mProjector957005698\File.3.1.1hj.mfx
c:\docume~1\t_heman\LOCALS~1\Temp\mProjector957005698\Flash6MovieV2.3.0.9k.mvx
c:\docume~1\t_heman\LOCALS~1\Temp\mProjector957005698\Flash6MovieV2.3.1.1hj.mvx
c:\docume~1\t_heman\LOCALS~1\Temp\mProjector957005698\FlashPlayer.3.1.0b.ocx
c:\docume~1\t_heman\LOCALS~1\Temp\mProjector957005698\FlashPlayer.3.1.1k.ocx
c:\docume~1\t_heman\LOCALS~1\Temp\mProjector957005698\mPlayer.3.1.0b.dll
c:\docume~1\t_heman\LOCALS~1\Temp\mProjector957005698\mPlayer.3.1.1k.dll
c:\docume~1\t_heman\LOCALS~1\Temp\mProjector957005698\System.3.0.9k.mfx
c:\docume~1\t_heman\LOCALS~1\Temp\mProjector957005698\System.3.1.1hj.mfx
c:\docume~1\t_heman\LOCALS~1\Temp\nsy3C9.tmp\DivXComponentInstaller.exe
c:\docume~1\t_heman\LOCALS~1\Temp\nsy3C9.tmp\PCloser.dll
c:\docume~1\t_heman\LOCALS~1\Temp\nsy3C9.tmp\System.dll
c:\docume~1\t_heman\LOCALS~1\Temp\ReimagePackage.exe
c:\docume~1\t_heman\LOCALS~1\Temp\TUUUninstallHelper.exe
c:\docume~1\t_heman\LOCALS~1\Temp\utt1CE.tmp.exe
c:\docume~1\t_heman\LOCALS~1\Temp\uttB7F.tmp.exe
c:\documents and settings\t_heman\Local Settings\Application Data\tdxjwt
c:\documents and settings\t_heman\Local Settings\Application Data\tdxjwt\gmplsftav.exe
c:\documents and settings\t_heman\Local Settings\Temp\_is15D.exe
c:\documents and settings\t_heman\Local Settings\Temp\1.tmp\nircmd.rkexe
c:\documents and settings\t_heman\Local Settings\Temp\1.tmp\nircmdc.rkexe
c:\documents and settings\t_heman\Local Settings\Temp\1.tmp\pev.rkexe
c:\documents and settings\t_heman\Local Settings\Temp\1.tmp\sed.rkexe
c:\documents and settings\t_heman\Local Settings\Temp\186.tmp\nircmd.rkexe
c:\documents and settings\t_heman\Local Settings\Temp\186.tmp\nircmdc.rkexe
c:\documents and settings\t_heman\Local Settings\Temp\186.tmp\pev.rkexe
c:\documents and settings\t_heman\Local Settings\Temp\186.tmp\sed.rkexe
c:\documents and settings\t_heman\Local Settings\Temp\18F.tmp\nircmd.rkexe
c:\documents and settings\t_heman\Local Settings\Temp\18F.tmp\nircmdc.rkexe
c:\documents and settings\t_heman\Local Settings\Temp\18F.tmp\pev.rkexe
c:\documents and settings\t_heman\Local Settings\Temp\18F.tmp\sed.rkexe
c:\documents and settings\t_heman\Local Settings\Temp\1E2.tmp\nircmd.rkexe
c:\documents and settings\t_heman\Local Settings\Temp\1E2.tmp\nircmdc.rkexe
c:\documents and settings\t_heman\Local Settings\Temp\1E2.tmp\pev.rkexe
c:\documents and settings\t_heman\Local Settings\Temp\1E2.tmp\sed.rkexe
c:\documents and settings\t_heman\Local Settings\Temp\2EB.tmp\nircmd.rkexe
c:\documents and settings\t_heman\Local Settings\Temp\2EB.tmp\nircmdc.rkexe
c:\documents and settings\t_heman\Local Settings\Temp\2EB.tmp\pev.rkexe
c:\documents and settings\t_heman\Local Settings\Temp\2EB.tmp\sed.rkexe
c:\documents and settings\t_heman\Local Settings\Temp\2FC.tmp\nircmd.rkexe
c:\documents and settings\t_heman\Local Settings\Temp\2FC.tmp\nircmdc.rkexe
c:\documents and settings\t_heman\Local Settings\Temp\2FC.tmp\pev.rkexe
c:\documents and settings\t_heman\Local Settings\Temp\2FC.tmp\sed.rkexe
c:\documents and settings\t_heman\Local Settings\Temp\3.tmp\nircmd.rkexe
c:\documents and settings\t_heman\Local Settings\Temp\3.tmp\nircmdc.rkexe
c:\documents and settings\t_heman\Local Settings\Temp\3.tmp\pev.rkexe
c:\documents and settings\t_heman\Local Settings\Temp\3.tmp\sed.rkexe
c:\documents and settings\t_heman\Local Settings\Temp\306.tmp\nircmd.rkexe
c:\documents and settings\t_heman\Local Settings\Temp\306.tmp\nircmdc.rkexe
c:\documents and settings\t_heman\Local Settings\Temp\306.tmp\pev.rkexe
c:\documents and settings\t_heman\Local Settings\Temp\306.tmp\sed.rkexe
c:\documents and settings\t_heman\Local Settings\Temp\30D.tmp\nircmd.rkexe
c:\documents and settings\t_heman\Local Settings\Temp\30D.tmp\nircmdc.rkexe
c:\documents and settings\t_heman\Local Settings\Temp\30D.tmp\pev.rkexe
c:\documents and settings\t_heman\Local Settings\Temp\30D.tmp\sed.rkexe
c:\documents and settings\t_heman\Local Settings\Temp\4.tmp\nircmd.rkexe
c:\documents and settings\t_heman\Local Settings\Temp\4.tmp\nircmdc.rkexe
c:\documents and settings\t_heman\Local Settings\Temp\4.tmp\pev.rkexe
c:\documents and settings\t_heman\Local Settings\Temp\4.tmp\sed.rkexe
c:\documents and settings\t_heman\Local Settings\Temp\5.tmp\nircmd.rkexe
c:\documents and settings\t_heman\Local Settings\Temp\5.tmp\nircmdc.rkexe
c:\documents and settings\t_heman\Local Settings\Temp\5.tmp\pev.rkexe
c:\documents and settings\t_heman\Local Settings\Temp\5.tmp\sed.rkexe
c:\documents and settings\t_heman\Local Settings\Temp\89.tmp\nircmd.rkexe
c:\documents and settings\t_heman\Local Settings\Temp\89.tmp\nircmdc.rkexe
c:\documents and settings\t_heman\Local Settings\Temp\89.tmp\pev.rkexe
c:\documents and settings\t_heman\Local Settings\Temp\89.tmp\sed.rkexe
c:\documents and settings\t_heman\Local Settings\Temp\Adobe Reader 8\Setup.exe
c:\documents and settings\t_heman\Local Settings\Temp\Adobe Reader 8_\Setup.exe
c:\documents and settings\t_heman\Local Settings\Temp\Adobe_Downloads\pase320_en_US.exe
c:\documents and settings\t_heman\Local Settings\Temp\Div1F6.tmp\DivXInstaller.exe
c:\documents and settings\t_heman\Local Settings\Temp\Div391.tmp\DivXInstaller.exe
c:\documents and settings\t_heman\Local Settings\Temp\Div9AB.tmp\DivXInstaller.exe
c:\documents and settings\t_heman\Local Settings\Temp\DivA48.tmp\DivXInstaller.exe
c:\documents and settings\t_heman\Local Settings\Temp\DivD9.tmp\DivXInstaller.exe
c:\documents and settings\t_heman\Local Settings\Temp\EdRegAcd.dll
c:\documents and settings\t_heman\Local Settings\Temp\FD.tmp\nircmd.rkexe
c:\documents and settings\t_heman\Local Settings\Temp\FD.tmp\nircmdc.rkexe
c:\documents and settings\t_heman\Local Settings\Temp\FD.tmp\pev.rkexe
c:\documents and settings\t_heman\Local Settings\Temp\FD.tmp\sed.rkexe
c:\documents and settings\t_heman\Local Settings\Temp\GLF607.tmp
c:\documents and settings\t_heman\Local Settings\Temp\IMS.dll
c:\documents and settings\t_heman\Local Settings\Temp\is-3B5IB.tmp\_isetup\_RegDLL.tmp
c:\documents and settings\t_heman\Local Settings\Temp\is-3B5IB.tmp\_isetup\_shfoldr.dll
c:\documents and settings\t_heman\Local Settings\Temp\is-3B5IB.tmp\mbam.dll
c:\documents and settings\t_heman\Local Settings\Temp\is-5M92T.tmp\mbam-setup.tmp
c:\documents and settings\t_heman\Local Settings\Temp\mProjector957005698\File.3.1.1hj.mfx
c:\documents and settings\t_heman\Local Settings\Temp\mProjector957005698\Flash6MovieV2.3.0.9k.mvx
c:\documents and settings\t_heman\Local Settings\Temp\mProjector957005698\Flash6MovieV2.3.1.1hj.mvx
c:\documents and settings\t_heman\Local Settings\Temp\mProjector957005698\FlashPlayer.3.1.0b.ocx
c:\documents and settings\t_heman\Local Settings\Temp\mProjector957005698\FlashPlayer.3.1.1k.ocx
c:\documents and settings\t_heman\Local Settings\Temp\mProjector957005698\mPlayer.3.1.0b.dll
c:\documents and settings\t_heman\Local Settings\Temp\mProjector957005698\mPlayer.3.1.1k.dll
c:\documents and settings\t_heman\Local Settings\Temp\mProjector957005698\System.3.0.9k.mfx
c:\documents and settings\t_heman\Local Settings\Temp\mProjector957005698\System.3.1.1hj.mfx
c:\documents and settings\t_heman\Local Settings\Temp\nsy3C9.tmp\DivXComponentInstaller.exe
c:\documents and settings\t_heman\Local Settings\Temp\nsy3C9.tmp\PCloser.dll
c:\documents and settings\t_heman\Local Settings\Temp\nsy3C9.tmp\System.dll
c:\documents and settings\t_heman\Local Settings\Temp\ReimagePackage.exe
c:\documents and settings\t_heman\Local Settings\Temp\TUUUninstallHelper.exe
c:\documents and settings\t_heman\Local Settings\Temp\utt1CE.tmp.exe
c:\documents and settings\t_heman\Local Settings\Temp\uttB7F.tmp.exe
c:\documents and settings\t_heman\Local Settings\Temporary Internet Files\082724.jpg
c:\documents and settings\t_heman\Local Settings\Temporary Internet Files\8hEaVHUYL.jpg
c:\documents and settings\t_heman\Local Settings\Temporary Internet Files\CvtCvb3.jpg
c:\documents and settings\t_heman\Local Settings\Temporary Internet Files\TU31CM4K8.jpg
c:\program files\driver
c:\program files\WindowsUpdate
c:\recycler\S-1-5-21-1004336348-1935655697-854245398-500
c:\windows\system32\aadkgily.ini
c:\windows\system32\adhkewkf.ini
c:\windows\system32\aesyckkn.ini
c:\windows\system32\aguceyrw.ini
c:\windows\system32\alhsjrhk.ini
c:\windows\system32\ammeahqv.ini
c:\windows\system32\apdvgcnt.ini
c:\windows\system32\ashgrhlg.ini
c:\windows\system32\ataailqu.ini
c:\windows\system32\ayefygav.ini
c:\windows\system32\aynbwhva.ini
c:\windows\system32\bchsvsxc.ini
c:\windows\system32\bhaswoaj.ini
c:\windows\system32\bhatjskj.ini
c:\windows\system32\bhrrrsrf.ini
c:\windows\system32\bictxuof.ini
c:\windows\system32\bjrmadtt.ini
c:\windows\system32\blrfmgxf.ini
c:\windows\system32\bnjgarfi.ini
c:\windows\system32\bnspkjbt.ini
c:\windows\system32\brdambam.ini
c:\windows\system32\buoepuii.ini
c:\windows\system32\bvljvlib.ini
c:\windows\system32\bwebcmmx.ini
c:\windows\system32\bxwvthwx.ini
c:\windows\system32\cahhbeqk.ini
c:\windows\system32\ccehdaqy.ini
c:\windows\system32\cefevcei.ini
c:\windows\system32\ceuahtqa.ini
c:\windows\system32\chjsgrqn.ini
c:\windows\system32\cjhclhfl.ini
c:\windows\system32\clmsalpb.ini
c:\windows\system32\crnqnqek.ini
c:\windows\system32\cubjidhd.ini
c:\windows\system32\cyxajxpa.ini
c:\windows\system32\dcqxfxgj.ini
c:\windows\system32\ddppbakn.ini
c:\windows\system32\dhpnvguh.ini
c:\windows\system32\dhwfabaq.ini
c:\windows\system32\dhxhvodh.ini
c:\windows\system32\djmmkalv.ini
c:\windows\system32\dmobrvai.ini
c:\windows\system32\dmoxvfhe.ini
c:\windows\system32\dpytpmxk.ini
c:\windows\system32\drivers\down
c:\windows\system32\drivers\down\1112140.exe
c:\windows\system32\dsoqkwen.ini
c:\windows\system32\dtldrgop.ini
c:\windows\system32\duuapwtg.ini
c:\windows\system32\dvhcmbnk.ini
c:\windows\system32\dxaflhpa.ini
c:\windows\system32\dybgesob.ini
c:\windows\system32\edurhofi.ini
c:\windows\system32\eiwwjvdl.ini
c:\windows\system32\ekmyqlsn.ini
c:\windows\system32\elgeeygh.ini
c:\windows\system32\esecqtvq.ini
c:\windows\system32\eusdydkf.ini
c:\windows\system32\ewcweqys.ini
c:\windows\system32\exjfxkfu.ini
c:\windows\system32\faupbwkd.ini
c:\windows\system32\fbkxelrm.ini
c:\windows\system32\fbwlpvir.ini
c:\windows\system32\fclqjutc.ini
c:\windows\system32\fgsxetvu.ini
c:\windows\system32\fhtqplbq.ini
c:\windows\system32\fhvsqfbs.ini
c:\windows\system32\fiafgqwu.ini
c:\windows\system32\fkkbbkin.ini
c:\windows\system32\ftlioqld.ini
c:\windows\system32\ftqcbptq.ini
c:\windows\system32\fulcsoeo.ini
c:\windows\system32\fvgykqgr.ini
c:\windows\system32\gapceljk.ini
c:\windows\system32\ghholkpp.ini
c:\windows\system32\gimmoote.ini
c:\windows\system32\gmsyfkxn.ini
c:\windows\system32\gnltmpom.ini
c:\windows\system32\gpylwfea.ini
c:\windows\system32\hftdkfvn.ini
c:\windows\system32\hihbxexp.ini
c:\windows\system32\hitrpaqa.ini
c:\windows\system32\hkdeseys.ini
c:\windows\system32\hlpnhdky.ini
c:\windows\system32\hofwqfbg.ini
c:\windows\system32\honfcwrm.ini
c:\windows\system32\hqhavmul.ini
c:\windows\system32\hrvsdyde.ini
c:\windows\system32\hsopfthb.ini
c:\windows\system32\htcqgbqa.ini
c:\windows\system32\hxvuqdpq.ini
c:\windows\system32\hylphqys.ini
c:\windows\system32\icjdtcbc.ini
c:\windows\system32\icpspqrr.ini
c:\windows\system32\idacholq.ini
c:\windows\system32\iegliffy.ini
c:\windows\system32\iejmfyqv.ini
c:\windows\system32\ifluxnkf.ini
c:\windows\system32\ijdsduwl.ini
c:\windows\system32\ijnfuaop.ini
c:\windows\system32\ijsjjuhk.ini
c:\windows\system32\ikokkepq.ini
c:\windows\system32\imguedlt.ini
c:\windows\system32\iodsycra.ini
c:\windows\system32\ipfbkwkp.ini
c:\windows\system32\iqammnrh.ini
c:\windows\system32\itxedirr.ini
c:\windows\system32\iuslvnpw.ini
c:\windows\system32\jaxlddrm.ini
c:\windows\system32\jcjyqsig.ini
c:\windows\system32\jdixkkux.ini
c:\windows\system32\jdoccled.ini
c:\windows\system32\jdvcgeow.ini
c:\windows\system32\jfxknmqd.ini
c:\windows\system32\jhkbrclg.ini
c:\windows\system32\jmxpeksb.ini
c:\windows\system32\jocvbtxo.ini
c:\windows\system32\jqpqnanj.ini
c:\windows\system32\jtegahes.ini
c:\windows\system32\jurpfeeu.ini
c:\windows\system32\jvudtbcn.ini
c:\windows\system32\jwenbkmc.ini
c:\windows\system32\jwnmyhnb.ini
c:\windows\system32\jxbwohrf.ini
c:\windows\system32\kdkhhwvs.ini
c:\windows\system32\kfqibefl.ini
c:\windows\system32\khaopjgd.ini
c:\windows\system32\khrcqexy.ini
c:\windows\system32\kkdbimaq.ini
c:\windows\system32\kkoqfmmk.ini
c:\windows\system32\kkyjcjls.ini
c:\windows\system32\kmdtcafx.ini
c:\windows\system32\kmhrqrbs.ini
c:\windows\system32\kmsxofaf.ini
c:\windows\system32\krfynkcx.ini
c:\windows\system32\ktinuhsg.ini
c:\windows\system32\kvjqjtul.ini
c:\windows\system32\kvsdtrol.ini
c:\windows\system32\kwtcnopi.ini
c:\windows\system32\lanowvsp.ini
c:\windows\system32\lbuwlfao.ini
c:\windows\system32\ldupfnbx.ini
c:\windows\system32\ldvbhjxu.ini
c:\windows\system32\lfswhxhe.ini
c:\windows\system32\lhsjtyfv.ini
c:\windows\system32\lhxarrqw.ini
c:\windows\system32\llfnxwhs.ini
c:\windows\system32\lrbuftrh.ini
c:\windows\system32\lwjximhj.ini
c:\windows\system32\lxexvkdr.ini
c:\windows\system32\lyksxmph.ini
c:\windows\system32\mbthbjgv.ini
c:\windows\system32\megnipxb.ini
c:\windows\system32\mfcprmys.ini
c:\windows\system32\mgwpkpav.ini
c:\windows\system32\mmytqbhc.ini
c:\windows\system32\mowvplqm.ini
c:\windows\system32\mpkraxbu.ini
c:\windows\system32\mrmmgghf.ini
c:\windows\system32\mroybykf.ini
c:\windows\system32\mrxreglb.ini
c:\windows\system32\mxikasmx.ini
c:\windows\system32\najylhgb.ini
c:\windows\system32\nosqbyvy.ini
c:\windows\system32\noxwwxvy.ini
c:\windows\system32\npeirens.ini
c:\windows\system32\nrbhohnw.ini
c:\windows\system32\nriapimk.ini
c:\windows\system32\nriilpun.ini
c:\windows\system32\nrrlubsa.ini
c:\windows\system32\nrtpsoaq.ini
c:\windows\system32\nsupktvf.ini
c:\windows\system32\obngrmdh.ini
c:\windows\system32\ockbrlug.ini
c:\windows\system32\oeshotme.ini
c:\windows\system32\ofrofkjp.ini
c:\windows\system32\oiiccimt.ini
c:\windows\system32\omqjaplu.ini
c:\windows\system32\oolpnmky.ini
c:\windows\system32\osuuvdjj.ini
c:\windows\system32\ounjbaen.ini
c:\windows\system32\ovivxhea.ini
c:\windows\system32\ovladfif.ini
c:\windows\system32\padypugf.ini
c:\windows\system32\payyftiy.ini
c:\windows\system32\pbeovvrs.ini
c:\windows\system32\pdahllau.ini
c:\windows\system32\pdvvgnkm.ini
c:\windows\system32\peujuedn.ini
c:\windows\system32\pjknlydt.ini
c:\windows\system32\pogrjofd.ini
c:\windows\system32\prxnybfi.ini
c:\windows\system32\ptfmiswr.ini
c:\windows\system32\ptwniexu.ini
c:\windows\system32\pvbogmya.ini
c:\windows\system32\pwjwlcgn.ini
c:\windows\system32\qgoxullr.ini
c:\windows\system32\qjjakvow.ini
c:\windows\system32\qjtqltbt.ini
c:\windows\system32\qkdcfvbr.ini
c:\windows\system32\qlvaimpd.ini
c:\windows\system32\qmaptwrx.ini
c:\windows\system32\qmpdankm.ini
c:\windows\system32\qnioupuc.ini
c:\windows\system32\qpjqqmkv.ini
c:\windows\system32\qpmaiavc.ini
c:\windows\system32\qprmshpc.ini
c:\windows\system32\qpvjblof.ini
c:\windows\system32\qrpjodgf.ini
c:\windows\system32\qsoaeefg.ini
c:\windows\system32\qstycfau.ini
c:\windows\system32\qumtroxi.ini
c:\windows\system32\qwnywbmw.ini
c:\windows\system32\raoomdlt.ini
c:\windows\system32\ritgynyv.ini
c:\windows\system32\rmmduyap.ini
c:\windows\system32\rmuiyksm.ini
c:\windows\system32\rnfgfftl.ini
c:\windows\system32\rnkjjqfm.ini
c:\windows\system32\rnpxscdu.ini
c:\windows\system32\robgqykx.ini
c:\windows\system32\roljtluh.ini
c:\windows\system32\roquexah.ini
c:\windows\system32\royjwrqh.ini
c:\windows\system32\rtanmukb.ini
c:\windows\system32\rugvpbti.ini
c:\windows\system32\rulckmrv.ini
c:\windows\system32\rumfyrrw.ini
c:\windows\system32\rusrhves.ini
c:\windows\system32\rvsbhrda.ini
c:\windows\system32\rwaahrij.ini
c:\windows\system32\rwowvwss.ini
c:\windows\system32\ryuyjaff.ini
c:\windows\system32\sbmtebae.ini
c:\windows\system32\sipwsdge.ini
c:\windows\system32\sjljmors.ini
c:\windows\system32\skepiatw.ini
c:\windows\system32\skinboxer43.dll
c:\windows\system32\somfjqml.ini
c:\windows\system32\soqjktop.ini
c:\windows\system32\spwjquut.ini
c:\windows\system32\sswrpxpa.ini
c:\windows\system32\stsymcgb.ini
c:\windows\system32\svhqweer.ini
c:\windows\system32\svowidtl.ini
c:\windows\system32\swfftvlk.ini
c:\windows\system32\tcwxigjr.ini
c:\windows\system32\teofxnpr.ini
c:\windows\system32\tfdqomht.ini
c:\windows\system32\tfnhpkdf.ini
c:\windows\system32\tgoujcwh.ini
c:\windows\system32\tjxnvcpw.ini
c:\windows\system32\tklahksl.ini
c:\windows\system32\tkyoasnk.ini
c:\windows\system32\tnvltwtv.ini
c:\windows\system32\tpkhwdoj.ini
c:\windows\system32\tqffweed.ini
c:\windows\system32\trvuiqlm.ini
c:\windows\system32\tryuvrou.ini
c:\windows\system32\ttpfolgk.ini
c:\windows\system32\tuxniytj.ini
c:\windows\system32\uagxijvx.ini
c:\windows\system32\uassrkkw.ini
c:\windows\system32\ubomwkwl.ini
c:\windows\system32\ufvqwuuk.ini
c:\windows\system32\uilosvhu.ini
c:\windows\system32\ujflqsda.ini
c:\windows\system32\ujrxsefa.ini
c:\windows\system32\umrywasj.ini
c:\windows\system32\unbncavy.ini
c:\windows\system32\upfgbcpt.ini
c:\windows\system32\uriwrjlo.ini
c:\windows\system32\usjbmhbi.ini
c:\windows\system32\usscrbul.ini
c:\windows\system32\usymvhwi.ini
c:\windows\system32\utobamor.ini
c:\windows\system32\uvyniyth.ini
c:\windows\system32\vaoxoccf.ini
c:\windows\system32\vfqckddv.ini
c:\windows\system32\vipsuluy.ini
c:\windows\system32\vjnymdug.ini
c:\windows\system32\vjuicqyi.ini
c:\windows\system32\vkkfkixc.ini
c:\windows\system32\vkttcjid.ini
c:\windows\system32\vpiypivl.ini
c:\windows\system32\vpwuxvul.ini
c:\windows\system32\vqjcsxmm.ini
c:\windows\system32\vsbewmxd.ini
c:\windows\system32\vsdfkumb.ini
c:\windows\system32\vtmdqafd.ini
c:\windows\system32\vtwtmhyd.ini
c:\windows\system32\vyrmkpgt.ini
c:\windows\system32\werirsxw.ini
c:\windows\system32\wgdbulej.ini
c:\windows\system32\wglfggtd.ini
c:\windows\system32\wgodcjwe.ini
c:\windows\system32\wgrjskkm.ini
c:\windows\system32\wiprxkst.ini
c:\windows\system32\wnugqpsa.ini
c:\windows\system32\wpaatrku.ini
c:\windows\system32\wropyebu.ini
c:\windows\system32\wrosmyea.ini
c:\windows\system32\wruqblab.ini
c:\windows\system32\wwdigmrd.ini
c:\windows\system32\wxixxmjs.ini
c:\windows\system32\xbuvmgbl.ini
c:\windows\system32\xexnhcuy.ini
c:\windows\system32\xfngfdyu.ini
c:\windows\system32\xglblbah.ini
c:\windows\system32\xikqghgq.ini
c:\windows\system32\xiqoyjxg.ini
c:\windows\system32\xloucaxg.ini
c:\windows\system32\xugfocuw.ini
c:\windows\system32\xuhwstcp.ini
c:\windows\system32\xvrpxxob.ini
c:\windows\system32\yapovcjv.ini
c:\windows\system32\ybuaapjx.ini
c:\windows\system32\yeiqdhft.ini
c:\windows\system32\yeuipdgi.ini
c:\windows\system32\ygntaccv.ini
c:\windows\system32\yioojdma.ini
c:\windows\system32\ylltdpex.ini
c:\windows\system32\ylyejyav.ini
c:\windows\system32\yocoujsx.ini
c:\windows\system32\ypuvscxn.ini
c:\windows\system32\ypypmxia.ini
c:\windows\system32\yqgvejqn.ini
c:\windows\system32\yrjfdelm.ini
c:\windows\system32\ysxcbwhj.ini
c:\windows\system32\ywlhymnp.ini
c:\windows\system32\yxaqhqcn.ini
c:\windows\system32\yxnkwbix.ini
c:\windows\wiaserviv.log

.
original MBR restored successfully !
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DRIVER
-------\Legacy_DRIVERDRV


((((((((((((((((((((((((( Files Created from 2010-04-03 to 2010-05-03 )))))))))))))))))))))))))))))))
.

2010-05-01 03:59 . 2010-05-01 03:59 -------- d-----w- c:\program files\trend micro
2010-05-01 03:59 . 2010-05-01 03:59 -------- d-----w- C:\rsit
2010-04-20 07:14 . 2010-04-20 07:14 -------- d-----w- c:\windows\system32\NtmsData
2010-04-20 07:05 . 2003-06-25 23:05 266360 ----a-w- c:\windows\system32\TweakUI.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-03 03:39 . 2008-02-21 04:59 -------- d-----w- c:\program files\DNA
2010-05-03 03:39 . 2008-02-21 04:59 -------- d-----w- c:\documents and settings\t_heman\Application Data\DNA
2010-05-03 03:23 . 2007-03-28 11:45 -------- d-----w- c:\program files\Symantec AntiVirus
2010-03-31 03:41 . 2008-06-20 07:57 -------- d-----w- c:\program files\EphPod
2010-03-31 03:40 . 2008-06-20 07:56 -------- d-----w- c:\documents and settings\t_heman\Application Data\iPod Copy Expert
2010-03-12 06:00 . 2010-03-12 06:00 -------- d-----w- c:\documents and settings\LocalService\Application Data\TuneUp Software
2010-03-12 05:51 . 2010-03-12 05:51 -------- d-----w- c:\program files\TuneUp Utilities 2010
2010-03-12 05:51 . 2010-03-12 05:51 -------- d-----w- c:\documents and settings\t_heman\Application Data\TuneUp Software
2010-03-12 05:51 . 2010-03-12 05:50 -------- d-----w- c:\documents and settings\All Users\Application Data\TuneUp Software
2010-03-12 05:50 . 2010-03-12 05:50 -------- d-sh--w- c:\documents and settings\All Users\Application Data\{D3742F82-1C1A-4DCC-ABBD-0E7C3C0185CC}
2010-03-12 05:45 . 2010-03-12 05:29 -------- d-----w- c:\program files\Reimage
2010-03-12 05:05 . 2009-06-21 21:32 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-26 04:35 . 2010-02-26 04:35 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2008-10-24 06:03 . 2008-10-24 06:03 1305088 ----a-w- c:\program files\NF_Movie_Player_211.msi
2005-11-15 22:32 . 2005-11-15 22:32 3638 ----a-r- c:\program files\Common Files\Altiris_Icon.ico
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="c:\program files\DNA\BTDNA.EXE" [2009-11-07 323392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 110592]
"AClntUsr"="c:\program files\Altiris\AClient\AClntUsr.EXE" [2010-05-03 184320]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2006-12-20 159744]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2006-12-20 208896]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2006-11-29 243248]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2006-06-03 856064]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 512000]
"TPKBDLED"="c:\windows\system32\TpScrLk.exe" [2002-10-09 40960]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-25 53408]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-06-15 124656]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2006-12-25 110592]
"TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-10-02 94208]
"AeXAgentLogon"="c:\program files\Altiris\Altiris Agent\AeXAgentActivate.exe" [2006-09-14 139264]
"QuickTime Task"="c:\program files\QUICKTIME\QTTASK.EXE" [2008-05-27 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 06:45 28672 ----a-w- c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-12-01 03:16 24576 ----a-w- c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\altiris\\aclient\\AClntUsr.EXE"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"6687:TCP"= 6687:TCP:Services
"6688:TCP"= 6688:TCP:Services

R0 a320raid;a320raid;c:\windows\system32\drivers\a320raid.sys [1/10/2007 8:13 AM 251578]
R0 aac;PERC 320/DC SCSI RAID Miniport Driver;c:\windows\system32\drivers\aac.sys [1/10/2007 8:13 AM 48140]
R0 aarich;aarich;c:\windows\system32\drivers\aarich.sys [1/10/2007 8:13 AM 241815]
R0 AFAMgt;AFAMgt;c:\windows\system32\drivers\afamgt.sys [1/10/2007 8:13 AM 92411]
R1 CCDevice;CCDevice;c:\windows\system32\drivers\CCDevice.sys [3/23/2005 8:14 PM 9216]
R2 BlackICE;BlackICE;c:\program files\ISS\Proventia Desktop\blackd.exe [3/28/2007 4:46 AM 2007382]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [6/15/2006 1:40 AM 115952]
R2 VPatch;ISS Buffer Overflow Exploit Prevention;c:\program files\ISS\Proventia Desktop\vpatch.exe [3/28/2007 4:46 AM 426333]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\eengine\EraserUtilRebootDrv.sys [5/2/2010 7:26 PM 102448]
R3 MakoNT;MakoNT;c:\windows\system32\drivers\MakoNT.sys [3/28/2007 4:46 AM 76849]
R3 rap;rap;c:\windows\system32\drivers\RapDrv.sys [3/28/2007 4:46 AM 47697]
R4 black;black;c:\windows\system32\drivers\Blackcat.sys [3/28/2007 4:46 AM 196978]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2/29/2008 12:55 PM 16512]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [6/21/2009 3:00 PM 38224]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2008-03-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 22:57]

2010-05-03 c:\windows\Tasks\Automatic troubleshooting.job
- c:\program files\TuneUp Utilities 2010\TuneUpSystemStatusCheck.exe [2009-10-30 23:12]

2010-05-03 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2007-03-28 06:14]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: autodesk.ca
Trusted Zone: autodesk.co.jp
Trusted Zone: autodesk.co.kr
Trusted Zone: autodesk.co.nz
Trusted Zone: autodesk.co.uk
Trusted Zone: autodesk.com
Trusted Zone: autodesk.com\*.ads
Trusted Zone: autodesk.com\petaim-vip
Trusted Zone: autodesk.cz
Trusted Zone: autodesk.de
Trusted Zone: autodesk.dk
Trusted Zone: autodesk.es
Trusted Zone: autodesk.fr
Trusted Zone: autodesk.hu
Trusted Zone: autodesk.it
Trusted Zone: autodesk.nl
Trusted Zone: autodesk.no
Trusted Zone: autodesk.pl
Trusted Zone: autodesk.pt
Trusted Zone: autodesk.ru
Trusted Zone: autodesk.se
Trusted Zone: com.au\*.autodesk
Trusted Zone: com.br\*.autodesk
Trusted Zone: com.cn\*.autodesk
Trusted Zone: com.hk\*.autodesk
Trusted Zone: com.my\*.autodesk
Trusted Zone: com.sg\*.autodesk
Trusted Zone: com.tw\*.autodesk
FF - ProfilePath - c:\documents and settings\t_heman\Application Data\Mozilla\Firefox\Profiles\2r6uystp.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-ytbm&p=
FF - plugin: c:\program files\Java\j2re1.4.2_06\bin\NPJPI142_06.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

Notify-ACNotify - ACNotify.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-02 20:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\docume~1\t_heman\LOCALS~1\Temp\375477377.jpeg 17701 bytes
c:\docume~1\t_heman\LOCALS~1\Temp\catchme.dll 53248 bytes executable
c:\docume~1\t_heman\LOCALS~1\Temp\TMP21F.tmp 0 bytes
c:\docume~1\t_heman\LOCALS~1\Temp\WPDNSE

scan completed successfully
hidden files: 4

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1324)
c:\windows\system32\tvt_gina.dll
c:\program files\ThinkPad\ConnectUtilities\ACGina.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACON.dll
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgr.dll
c:\program files\ThinkPad\ConnectUtilities\AcCryptHlpr.dll
c:\program files\ThinkPad\ConnectUtilities\ACTurinSupport.dll
c:\program files\ThinkPad\ConnectUtilities\AcAdaptersInfo.dll
c:\program files\ThinkPad\ConnectUtilities\Res\US\ACGinaRes.dll
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\tphklock.dll

- - - - - - - > 'explorer.exe'(2180)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Altiris\AClient\AClient.exe
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Altiris\Altiris Agent\AeXNSAgent.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\ccsrvc.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Altiris\Carbon Copy\shellker.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\ISS\Proventia Desktop\RapApp.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\TpKmpSVC.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\progra~1\altiris\CARBON~1\client.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
c:\program files\ISS\Proventia Desktop\blackice.exe
.
**************************************************************************
.
Completion time: 2010-05-02 20:46:59 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-03 03:46

Pre-Run: 1,462,415,360 bytes free
Post-Run: 3,011,837,952 bytes free

- - End Of File - - CC0A548340876F78BFF397CAF6396151


DDS.txt:


DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
Run by t_heman at 11:09:01.98 on Mon 05/03/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1534.1132 [GMT -7:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\t_heman\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
uRun: [BitTorrent DNA] "c:\program files\dna\BTDNA.EXE"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [AClntUsr] c:\program files\altiris\aclient\AClntUsr.EXE
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TPKBDLED] c:\windows\system32\TpScrLk.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
mRun: [TPHOTKEY] c:\progra~1\lenovo\pkgmgr\hotkey\TPHKMGR.exe
mRun: [AeXAgentLogon] c:\program files\altiris\altiris agent\AeXAgentActivate.exe /logon
mRun: [QuickTime Task] "c:\program files\quicktime\QTTASK.EXE" -atboottime
mRun: [CarboniteSetupLite] "c:\program files\carbonite\CarbonitePreinstaller.exe" /preinstalled /showonfirst /reshowat=900
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\PROVEN~1.LNK -
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{d25122bc-a60e-4663-b602-b01718f12044}\Icon3E5562ED7.ico
mPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: autodesk.ca
Trusted Zone: autodesk.co.jp
Trusted Zone: autodesk.co.kr
Trusted Zone: autodesk.co.nz
Trusted Zone: autodesk.co.uk
Trusted Zone: autodesk.com
Trusted Zone: autodesk.com\*.ads
Trusted Zone: autodesk.com\petaim-vip
Trusted Zone: autodesk.cz
Trusted Zone: autodesk.de
Trusted Zone: autodesk.dk
Trusted Zone: autodesk.es
Trusted Zone: autodesk.fr
Trusted Zone: autodesk.hu
Trusted Zone: autodesk.it
Trusted Zone: autodesk.nl
Trusted Zone: autodesk.no
Trusted Zone: autodesk.pl
Trusted Zone: autodesk.pt
Trusted Zone: autodesk.ru
Trusted Zone: autodesk.se
Trusted Zone: com.au\*.autodesk
Trusted Zone: com.br\*.autodesk
Trusted Zone: com.cn\*.autodesk
Trusted Zone: com.hk\*.autodesk
Trusted Zone: com.my\*.autodesk
Trusted Zone: com.sg\*.autodesk
Trusted Zone: com.tw\*.autodesk
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1233699911921
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163772695560
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: tpfnf2 - notifyf2.dll
Notify: tphotkey - tphklock.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\t_heman\applic~1\mozilla\firefox\profiles\2r6uystp.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-ytbm&p=
FF - plugin: c:\program files\java\j2re1.4.2_06\bin\NPJPI142_06.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 a320raid;a320raid;c:\windows\system32\drivers\a320raid.sys [2007-1-10 251578]
R0 aac;PERC 320/DC SCSI RAID Miniport Driver;c:\windows\system32\drivers\aac.sys [2007-1-10 48140]
R0 aarich;aarich;c:\windows\system32\drivers\aarich.sys [2007-1-10 241815]
R0 AFAMgt;AFAMgt;c:\windows\system32\drivers\afamgt.sys [2007-1-10 92411]
R4 black;black;c:\windows\system32\drivers\Blackcat.sys [2007-3-28 196978]
S1 CCDevice;CCDevice;c:\windows\system32\drivers\CCDevice.sys [2005-3-23 9216]
S1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-12-19 337592]
S1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-12-19 54968]
S2 BlackICE;BlackICE;c:\program files\iss\proventia desktop\blackd.exe [2007-3-28 2007382]
S2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-3-24 192160]
S2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-3-24 169632]
S2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-12-18 189736]
S2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-6-15 115952]
S2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-6-15 1805552]
S2 VPatch;ISS Buffer Overflow Exploit Prevention;c:\program files\iss\proventia desktop\vpatch.exe [2007-3-28 426333]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2008-2-29 16512]
S3 cpuz132;cpuz132;\??\c:\docume~1\t_heman\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\t_heman\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
S3 EraserUtilDrvI9;EraserUtilDrvI9;\??\c:\program files\common files\symantec shared\eengine\eraserutildrvi9.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilDrvI9.sys [?]
S3 MakoNT;MakoNT;c:\windows\system32\drivers\MakoNT.sys [2007-3-28 76849]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-6-21 38224]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100502.005\naveng.sys [2010-5-2 84912]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100502.005\navex15.sys [2010-5-2 1324720]
S3 rap;rap;c:\windows\system32\drivers\RapDrv.sys [2007-3-28 47697]

=============== Created Last 30 ================

2010-05-03 05:41:12 0 d-----w- c:\program files\Seagate
2010-05-03 05:41:12 0 d-----w- c:\docume~1\alluse~1\applic~1\Seagate
2010-05-03 05:40:11 0 d-----w- c:\program files\MSXML 6.0
2010-05-03 05:40:03 0 d-----w- c:\program files\Carbonite
2010-05-03 05:40:02 0 d-sh--w- c:\windows\ftpcache
2010-05-03 02:38:46 77312 ----a-w- c:\windows\MBR.exe
2010-05-03 02:38:45 98816 ----a-w- c:\windows\sed.exe
2010-05-03 02:38:45 256512 ----a-w- c:\windows\PEV.exe
2010-05-03 02:38:45 161792 ----a-w- c:\windows\SWREG.exe
2010-05-01 03:59:50 0 d-----w- c:\program files\trend micro
2010-04-26 20:37:07 0 ----a-w- c:\documents and settings\t_heman\defogger_reenable
2010-04-20 07:14:47 0 d-----w- c:\windows\system32\NtmsData
2010-04-20 07:05:38 266360 ----a-w- c:\windows\system32\TweakUI.exe
2010-04-20 07:05:38 160217 ----a-w- c:\windows\system32\PowerToysLicense.rtf

==================== Find3M ====================

2010-05-03 05:26:23 94208 ----a-w- c:\windows\DUMP1f6a.tmp
2010-05-03 05:24:26 94208 ----a-w- c:\windows\DUMP2ae3.tmp
2008-10-24 06:03:31 1305088 ----a-w- c:\program files\NF_Movie_Player_211.msi
2005-11-15 22:32:22 3638 ----a-r- c:\program files\common files\Altiris_Icon.ico

============= FINISH: 11:09:24.31 ===============


Attach.txt


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 3/28/2007 4:37:02 AM
System Uptime: 5/3/2010 11:03:55 AM (0 hours ago)

Motherboard: LENOVO | | 20078JU
Processor: Intel® Core™2 CPU T7600 @ 2.33GHz | None | 2327/167mhz
Processor: Intel® Core™2 CPU T7600 @ 2.33GHz | None | 2327/167mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 93 GiB total, 12.544 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0000
Service: CVirtA

==== System Restore Points ===================

RP266: 5/2/2010 10:40:43 PM - Installed Seagate Manager Installer
RP267: 5/3/2010 12:05:09 AM - Installed Seagate Manager Installer

==== Installed Programs ======================

Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.5
Adobe® Photoshop® Album Starter Edition 3.2
Altiris Carbon Copy Solution Agent
Altiris Carbon Copy Solution Agent 6.1
Altiris Patch Management Agent
Altiris Software Delivery Solution Agent
Altiris Task Synchronization Agent
Apple Mobile Device Support
Apple Software Update
ATI Display Driver
Autodesk DWF Viewer 7
BitTorrent
Carbonite Online Backup Setup
Cisco Systems VPN Client 4.8.01.0300
Compatibility Pack for the 2007 Office system
dBpowerAMP FLAC Codec
deskPDF 2.5 Professional Edition
deskUNPDF 2
Digital Voice Editor 3
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Web Player
DNA
Final Draft 7
FLV Player
FLV Player 2.0 (build 25)
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows XP (KB926239)
IBM RecordNow!
Intel® PRO Network Connections Drivers
Intel® PROSet/Wireless Software
InterActual Player
InterVideo WinDVD
iTunes
Java 2 Runtime Environment, SE v1.4.2_06
KB408682
LiveUpdate 3.0 (Symantec Corporation)
Malwarebytes' Anti-Malware
mCore
mDriver
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
mMHouse
Mozilla Firefox (3.6.3)
mPfMgr
mProSafe
MSXML 6.0 Parser
mWlsSafe
mXML
Netflix Movie Viewer
PC-Doctor 5 for Windows
QuickTime
Scroll Lock Indicator Utility
Seagate Manager Installer
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB929969)
Spybot - Search & Destroy
Symantec AntiVirus
ThinkPad Configuration
ThinkPad EasyEject Utility
ThinkPad FullScreen Magnifier
ThinkPad Keyboard Customizer Utility
ThinkPad Modem
ThinkPad Power Management Driver
ThinkPad Power Manager
ThinkPad Presentation Director
ThinkPad UltraNav Driver
ThinkPad UltraNav Wizard
ThinkVantage Access Connections
Time Zone Data Update Tool for Microsoft Office Outlook
TuneUp Utilities
TuneUp Utilities Language Pack (en-US)
Tweak UI
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB931836)
VC80CRTRedist - 8.0.50727.762
Vodei Multimedia Processor 2.10
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
Windows Media Player 11
Windows Support Tools
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB883667
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
WinZip 9.0 SR-1

==== Event Viewer Messages From Past Week ========

5/2/2010 7:39:30 PM, error: Service Control Manager [7034] - The IBM KCU Service service terminated unexpectedly. It has done this 1 time(s).
5/2/2010 7:39:30 PM, error: Service Control Manager [7031] - The Ac Profile Manager Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
5/2/2010 7:09:18 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC000007F' while processing the file 'ECMSVR32.DLL' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
5/2/2010 10:29:11 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: ANC CCDevice eeCtrl Fips IBMTPCHK intelppm SAVRT SAVRTPEL Smapint SPBBCDrv SYMTDI TDSMAPI TPHKDRV TPPWRIF TSMAPIP
5/2/2010 10:27:55 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
4/28/2010 6:29:16 PM, error: Service Control Manager [7034] - The Cisco Systems, Inc. VPN Service service terminated unexpectedly. It has done this 1 time(s).
4/28/2010 3:22:52 PM, error: NETLOGON [5719] - No Domain Controller is available for domain ADS due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
4/28/2010 2:18:20 PM, error: Dhcp [1002] - The IP address lease 192.168.1.102 for the Network Card with network address 0019D2762DB9 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
4/27/2010 4:56:56 PM, error: System Error [1003] - Error code 10000050, parameter1 ffffff60, parameter2 00000000, parameter3 804eddd0, parameter4 00000000.
4/26/2010 12:43:07 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
4/26/2010 12:43:07 PM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

==== End Of File ===========================


Thanks!

Ordak

#10 aommaster (Malware Response Team)

Posted 03 May 2010 - 02:03 PM

Hi!

Doesn't look like combofix deleted anything from your system that would cause this. Let's take a look at some of the dump files created. Please attach the following files:
c:\windows\DUMP2ae3.tmp
c:\windows\DUMP1f6a.tmp

Also, try this and let me know if it fixes the rebooting problem.
  1. Click Start > Run
  2. Type: sfc /scannow
  3. Press Enter
  4. You will see a progress bar but you get no confirmation messages and it just ends. Insert your Windows installation CD when/if requested.

My website: http://aommaster.com
Please do not send me PMs requesting help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#11 ordak (Topic Starter)

Posted 04 May 2010 - 03:23 AM

aommaster,

After running sfc /scannow there was no request to insert my Windows installation CD.

Also, I am unable to attach the DUMP files. I keep getting the following message:

"Upload failed. You are not permitted to upload this type of file"

I will continue trying...

Ordak

#12 aommaster (Malware Response Team)

Posted 04 May 2010 - 03:34 AM

Hi!

Okay, please zip the files up and then upload them to my malware channel here.

It's 4.30 AM, so I think I'll head to bed. I'll pick it up in the morning.



#13 ordak (Topic Starter)

Posted 04 May 2010 - 12:11 PM

Hey,

The zip files have been uploaded. Hopefully I did it right...

#14 aommaster (Malware Response Team)

Posted 04 May 2010 - 12:41 PM

Hi!

Yes, I got them. I took a look at the dump files and unfortunately I can't find any information leading to why you got the blue screens. If you are still experiencing them, could you note down the error code produced? It should point us in the right direction.

If you're not getting the blue screens after a few restarts, let me know and we can proceed with the fix.



#15 ordak (Topic Starter)

Posted 04 May 2010 - 08:22 PM

I've been able to restart my computer a handful of times without restarts, so I guess we're ready to continue...



