dsfatrov.dll


This topic is locked
36 replies to this topic

#1 paramedic233


Posted 18 January 2011 - 09:59 AM

I keep getting a windows popup when restarting my system.

It directly relates to the following hijackthis entry:
O4 - HKCU\..\Run: [Ufujiyo] rundll32.exe "C:\WINDOWS\dsfatrov.dll",Startup

Can't find this entry anywhere on this site, or on the web, or in the startup entries.

Am I infected with something?

If I delete the entry, it goes away for a bit, and then reappears.
I even shut down system restore, and deleted all of the old points, but it continually reappears.

Any ideas folks?

I use Symantec Endpoint Protection, MBAM, and SAS, and they don't hit on the dsfatrov.dll file, so that must have been deleted.

Thank you in advance for the help.

Medic

Well then, let's figure this puppy out.


Edited by hamluis, 18 January 2011 - 10:54 AM.
Merged log with initial post, moved from XP to Malware Removal Logs.




#2 fenzodahl512


Posted 18 January 2011 - 11:55 PM

Have you tried fixing that entry with HijackThis? If yes, does it still reappear? :)

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 paramedic233


Posted 19 January 2011 - 07:35 AM

Yes, it still reappears.

#4 fenzodahl512


Posted 19 January 2011 - 08:29 AM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. Please visit HERE if you don't know how. Please re-enable them after performing all the steps given.

Please download ComboFix by sUBs from HERE or HERE and save it to your Desktop.

During the download, rename ComboFix to Combo-Fix.

It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".


After that, double-click and run Combo-Fix. Let it finish its job and post the log here.

If ComboFix asks you to install the Recovery Console, please do so. It will be in your best interest.

Note: DON'T do anything with your computer while ComboFix is running. Let ComboFix finish its job.



#5 paramedic233


Posted 19 January 2011 - 10:51 AM

ComboFix 11-01-18.04 - KB 01/19/2011 10:21:24.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3032.2157 [GMT -5:00]
Running from: c:\documents and settings\KB\Desktop\Combo-Fix.exe
AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\KB\Application Data\PriceGong
c:\documents and settings\KB\Application Data\PriceGong\Data\1.xml
c:\documents and settings\KB\Application Data\PriceGong\Data\a.xml
c:\documents and settings\KB\Application Data\PriceGong\Data\b.xml
c:\documents and settings\KB\Application Data\PriceGong\Data\c.xml
c:\documents and settings\KB\Application Data\PriceGong\Data\d.xml
c:\documents and settings\KB\Application Data\PriceGong\Data\e.xml
c:\documents and settings\KB\Application Data\PriceGong\Data\f.xml
c:\documents and settings\KB\Application Data\PriceGong\Data\g.xml
c:\documents and settings\KB\Application Data\PriceGong\Data\h.xml
c:\documents and settings\KB\Application Data\PriceGong\Data\i.xml
c:\documents and settings\KB\Application Data\PriceGong\Data\J.xml
c:\documents and settings\KB\Application Data\PriceGong\Data\k.xml
c:\documents and settings\KB\Application Data\PriceGong\Data\l.xml
c:\documents and settings\KB\Application Data\PriceGong\Data\m.xml
c:\documents and settings\KB\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\KB\Application Data\PriceGong\Data\n.xml
c:\documents and settings\KB\Application Data\PriceGong\Data\o.xml
c:\documents and settings\KB\Application Data\PriceGong\Data\p.xml
c:\documents and settings\KB\Application Data\PriceGong\Data\q.xml
c:\documents and settings\KB\Application Data\PriceGong\Data\r.xml
c:\documents and settings\KB\Application Data\PriceGong\Data\s.xml
c:\documents and settings\KB\Application Data\PriceGong\Data\t.xml
c:\documents and settings\KB\Application Data\PriceGong\Data\u.xml
c:\documents and settings\KB\Application Data\PriceGong\Data\v.xml
c:\documents and settings\KB\Application Data\PriceGong\Data\w.xml
c:\documents and settings\KB\Application Data\PriceGong\Data\x.xml
c:\documents and settings\KB\Application Data\PriceGong\Data\y.xml
c:\documents and settings\KB\Application Data\PriceGong\Data\z.xml
c:\program files\PC-Doctor\Downloads\09ce0ed7-58db-4be9-b311-80b4fd9fd9bc.dll
c:\program files\PC-Doctor\Downloads\d8f6ce81-7397-4052-8f39-49948ab7dab1.dll
c:\program files\PC-Doctor\Downloads\fba070bc-3f13-4168-ac07-944c741939f2.dll

.
((((((((((((((((((((((((( Files Created from 2010-12-19 to 2011-01-19 )))))))))))))))))))))))))))))))
.

2011-01-19 13:14 . 2011-01-19 13:14 -------- d-----w- c:\program files\New Folder
2011-01-18 23:46 . 2011-01-18 23:46 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2011-01-18 15:18 . 2002-12-29 06:14 81920 ----a-w- c:\windows\system32\Startup.cpl
2011-01-18 15:07 . 2011-01-18 15:08 -------- d-----w- c:\documents and settings\KB\Local Settings\Application Data\Software_Master
2011-01-18 15:07 . 2011-01-18 15:08 -------- d-----w- c:\documents and settings\KB\Local Settings\Application Data\ConduitEngine
2011-01-16 13:54 . 2010-11-05 06:29 196608 ------w- c:\windows\PWMBTHLP.EXE
2011-01-16 13:54 . 2011-01-16 13:54 -------- d-----w- c:\program files\ThinkPad
2011-01-16 13:54 . 2010-11-05 06:29 4442 ------w- c:\windows\system32\drivers\TPPWRIF.SYS
2011-01-16 13:54 . 2010-11-05 06:29 251240 ------w- c:\windows\system32\PWMCPl.cpl
2011-01-16 13:54 . 2010-11-05 06:29 24304 ------w- c:\windows\system32\drivers\DOZEHDD.SYS
2010-12-30 21:05 . 2010-12-30 21:05 -------- d-----w- c:\program files\iPod
2010-12-30 21:05 . 2010-12-30 21:05 -------- d-----w- c:\program files\iTunes
2010-12-30 20:58 . 2010-12-30 20:58 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin7.dll
2010-12-30 20:58 . 2010-12-30 20:58 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin6.dll
2010-12-30 20:58 . 2010-12-30 20:58 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
2010-12-30 20:58 . 2010-12-30 20:58 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
2010-12-30 20:58 . 2010-12-30 20:58 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
2010-12-30 20:58 . 2010-12-30 20:58 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
2010-12-30 20:58 . 2010-12-30 20:58 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin.dll
2010-12-30 20:57 . 2010-12-30 20:58 -------- d-----w- c:\program files\QuickTime
2010-12-27 13:07 . 2010-12-27 13:07 -------- d-----w- c:\documents and settings\LocalService\Application Data\Flip Video
2010-12-27 13:06 . 2010-12-27 13:06 -------- d-----w- c:\program files\Flip Video
2010-12-27 03:16 . 2010-12-27 03:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Trend Micro
2010-12-27 02:05 . 2010-12-27 13:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Flip Video
2010-12-27 02:03 . 2010-12-27 02:03 -------- d-----w- c:\program files\WinPcap
2010-12-26 21:42 . 2010-12-26 21:42 -------- d-----w- c:\documents and settings\KB\Local Settings\Application Data\cache
2010-12-26 21:41 . 2010-12-26 21:41 -------- d-----w- c:\program files\VTech
2010-12-26 20:55 . 2010-12-26 20:55 -------- d-----w- c:\documents and settings\All Users\Application Data\VTech

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-20 23:09 . 2010-04-26 21:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2010-04-26 21:55 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-07 17:46 . 2010-12-07 17:46 388096 ----a-r- c:\documents and settings\KB\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-11-29 22:38 . 2010-11-29 22:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 22:38 . 2010-11-29 22:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-18 18:12 . 2008-07-21 22:00 81920 ------w- c:\windows\system32\isign32.dll
2010-11-09 14:52 . 2008-07-21 22:49 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:26 . 2008-07-21 22:50 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2008-07-21 22:49 43520 ------w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2008-07-21 22:49 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-04 14:30 . 2010-11-04 14:30 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-04 14:30 . 2010-11-04 14:30 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-03 12:25 . 2008-07-21 22:49 385024 ------w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2008-07-21 22:49 40960 ------w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2008-07-21 22:49 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2008-07-21 22:50 1853312 ------w- c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VeriFace Enc]
@="{771C7324-DA80-49D3-8017-753B0AF60951}"
[HKEY_CLASSES_ROOT\CLSID\{771C7324-DA80-49D3-8017-753B0AF60951}]
2010-01-29 04:09 241752 ------w- c:\windows\system32\IcnOvrly.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccleaner"="c:\program files\CCleaner\ccleaner.exe" [2010-08-26 1779512]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-01-15 2424560]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PMHandler"="c:\progra~1\Lenovo\PMDriver\PMHandler.exe" [2009-04-03 247080]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2008-03-26 163840]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2008-07-30 60192]
"TPWAUDAP"="c:\program files\Lenovo\HOTKEY\TpWAudAp.exe" [2008-03-11 54560]
"SmartAudio"="c:\program files\CONEXANT\SMARTAUDIO\SMAUDIO.EXE" [2008-07-21 2701880]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2008-10-17 1368064]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2008-10-17 1191936]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-08-15 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-08-15 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-08-15 150040]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-11-24 487424]
"VeriFaceManager"="c:\program files\Lenovo\VeriFaceIII\PManage.exe" [2010-01-29 323584]
"LPManager"="c:\progra~1\Lenovo\LENOVO~2\LPMGR.exe" [2007-04-26 120368]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2008-04-25 244208]
"RoxioDragToDisc"="c:\program files\Lenovo\Drag-to-Disc\DrgToDsc.exe" [2007-03-13 1116920]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-07-09 115560]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2008-08-12 114688]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2008-07-10 29984]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2008-07-10 46368]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2008-11-13 1122304]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2008-08-12 114688]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"Message Center Plus"="c:\program files\LENOVO\Message Center Plus\MCPLaunch.exe" [2009-05-28 49976]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"AgentMonitor"="c:\program files\VTech\DownloadManager\System\AgentMonitor.exe" [2010-12-21 326048]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-12-20 443728]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
"Trend Micro RUBotted V2.0 Beta"="c:\program files\Trend Micro\RUBotted\RUBottedGUI.exe" [2010-12-17 1103184]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2010-11-05 517480]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ------w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PicNotify]
2010-01-29 04:09 1167360 ------w- c:\windows\system32\PicNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2008-08-08 10:14 28672 ------w- c:\program files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 12:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\Program Files\\Sybase\\SQL Anywhere 9\\win32\\dbeng9.exe"=
"c:\\Program Files\\Brother\\Brmfl08i\\FAXRX.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype1.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\VTech\\DownloadManager\\System\\AgentMonitor.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"54925:UDP"= 54925:UDP:Brother Network Scanner
"24726:TCP"= 24726:TCP:FlipShareServer
"24727:TCP"= 24727:TCP:FlipShareServer

R0 DozeHDD;DozeHDD;c:\windows\system32\drivers\DOZEHDD.SYS [1/16/2011 8:54 AM 24304]
R1 PMHler;PMHler;c:\windows\system32\drivers\PMHler.sys [5/24/2006 2:48 PM 10240]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
R1 tvtumon;tvtumon;c:\windows\system32\drivers\tvtumon.sys [5/9/2008 8:50 PM 46144]
R2 DozeSvc;Lenovo Doze Mode Service;c:\program files\ThinkPad\Utilities\DOZESVC.EXE [1/16/2011 8:54 AM 132456]
R2 FlipShareServer;FlipShare Server;c:\program files\Flip Video\FlipShareServer\FlipShareServer.exe [12/15/2010 1:22 PM 1085440]
R2 FNF5SVC;Fn+F5 Service;c:\program files\Lenovo\HOTKEY\FnF5svc.exe [9/11/2008 1:49 AM 54560]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [4/26/2010 4:55 PM 363344]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 1:19 PM 50704]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.exe [1/16/2011 8:54 AM 53248]
R2 RUBotSrv;Trend Micro RUBotted Service;c:\program files\Trend Micro\RUBotted\RUBotSrv.exe [12/26/2010 9:03 PM 439632]
R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [11/24/2008 6:34 PM 520192]
R2 TVT_UpdateMonitor;TVT Windows Update Monitor;c:\program files\Lenovo\Rescue and Recovery\UpdateMonitor.exe [5/9/2008 8:50 PM 360448]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [1/28/2010 11:04 PM 110080]
R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [1/28/2010 10:59 PM 97536]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [4/26/2010 4:55 PM 20952]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2/22/2008 6:54 PM 37312]
S2 BRA_Scheduler;Brother BRAdminPro Scheduler;c:\program files\Brother\BRAdmin Professional 3\bratimer.exe [12/7/2010 1:01 PM 65536]
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [4/25/2008 11:18 AM 362992]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [4/25/2008 11:16 AM 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [4/25/2008 11:15 AM 166384]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [7/7/2010 9:05 AM 14904]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [4/25/2008 11:18 AM 313840]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [4/25/2008 11:15 AM 1120752]
S4 SessionLauncher;SessionLauncher;c:\docume~1\ADMINI~1\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ERASERUTILDRVI10
*Deregistered* - EraserUtilDrvI10
*Deregistered* - fgxoaaow
.
Contents of the 'Scheduled Tasks' folder

2011-01-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]

2011-01-19 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 23:54]

2011-01-19 c:\windows\Tasks\MyDefrag v4.3.1 Daily.job
- c:\program files\MyDefrag v4.3.1\Scripts\AutomaticDaily.MyD [2010-11-04 16:03]

2010-11-04 c:\windows\Tasks\MyDefrag v4.3.1 Monthly.job
- c:\program files\MyDefrag v4.3.1\Scripts\AutomaticMonthly.MyD [2010-11-04 16:03]

2010-12-22 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\PC-Doctor\uaclauncher.exe [2010-05-07 19:46]

2011-01-18 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2011-01-16 06:29]

2011-01-19 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\PC-Doctor\pcdrcui.exe [2010-05-08 21:08]

2011-01-19 c:\windows\Tasks\User_Feed_Synchronization-{2CD09A51-A74E-4B06-8BAC-58A100C3DA9B}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Copy to &Lightning Note - c:\program files\Corel\WordPerfect Lightning\Programs\WPLightningCopyToNote.hta
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Open with WordPerfect - c:\program files\Corel\WordPerfect Office X5\Programs\WPLauncher.hta
DPF: {6E2510E6-BF2D-4C78-9F28-2F5C8760F124} - hxxps://eroom3.newyorklife.com/eRoomSetup/client.cab
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{00725d68-069b-4095-9ff1-e7469c0e95df} - c:\program files\Software_Master\prxtbSoft.dll
BHO-{00725d68-069b-4095-9ff1-e7469c0e95df} - c:\program files\Software_Master\prxtbSoft.dll
BHO-{30F9B915-B755-4826-820B-08FBA6BD249D} - c:\program files\ConduitEngine\prxConduitEngine.dll
Toolbar-{00725d68-069b-4095-9ff1-e7469c0e95df} - c:\program files\Software_Master\prxtbSoft.dll
Toolbar-{30F9B915-B755-4826-820B-08FBA6BD249D} - c:\program files\ConduitEngine\prxConduitEngine.dll
WebBrowser-{00725D68-069B-4095-9FF1-E7469C0E95DF} - c:\program files\Software_Master\prxtbSoft.dll
HKCU-Run-Ufujiyo - c:\windows\dsfatrov.dll
SafeBoot-Symantec Antvirus
MSConfigStartUp-File Helper - c:\program files\File Helper\2.3.0.2\FileHelper.exe
MSConfigStartUp-Skype - c:\program files\Skype\Phone\Skype.exe
AddRemove-conduitEngine - c:\progra~1\CONDUI~1\ConduitEngineUninstall.exe
AddRemove-Software_Master Toolbar - c:\progra~1\SOFTWA~1\UNINST~1.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-19 10:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Toolbar\QuickComplete]
@DACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(944)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\PicNotify.dll
c:\windows\system32\FaceVerify.dll
c:\windows\system32\MainOp.dll
c:\windows\system32\VideoOp.dll
c:\windows\system32\Image.dll
c:\windows\system32\Momo.dll
c:\windows\system32\Apblend.dll
c:\windows\system32\SetDev.dll
c:\windows\system32\FunFrm.dll
c:\windows\system32\facev.dll
c:\program files\Lenovo\HOTKEY\tphklock.dll
c:\windows\system32\netprovcredman.dll
.
Completion time: 2011-01-19 10:34:17
ComboFix-quarantined-files.txt 2011-01-19 15:34

Pre-Run: 207,930,355,712 bytes free
Post-Run: 207,934,529,536 bytes free

- - End Of File - - D2115DD80B19FFD54FFB7FD6A0D55D7B
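The O4 line in the opening post and the `HKCU-Run-Ufujiyo - c:\windows\dsfatrov.dll` line under ORPHANS REMOVED in the ComboFix log above describe the same condition: a Run value that still points at a DLL which is no longer on disk, which is exactly what makes rundll32 throw an error popup at every logon. As an added example (not code from the thread, from HijackThis or from ComboFix), the Python below parses both log formats, unwraps rundll32 command lines to the DLL and export they load, and flags entries whose target is missing or whose DLL sits directly in the Windows root instead of system32. The `Example` line and the `KNOWN_FILES` set standing in for the disk are constructed for the demonstration; on a live machine you would feed it the real log and leave `exists` at its default of `os.path.exists`.

```python
"""Autorun triage for HijackThis O4 lines and ComboFix Run-value / orphan lines.
Resolves the file that really executes (unwrapping rundll32 to its DLL) and
flags it when missing on disk.  Added example; not part of the original post."""
import ntpath            # Windows path handling that also works on POSIX
import os
import re
from dataclasses import dataclass, field
from typing import Callable, List, Optional

O4_RE = re.compile(r'^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
CF_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"(?:\s+\[[^\]]*\])?\s*$')
CF_ORPHAN_RE = re.compile(r'^(?P<hive>HKCU|HKLM)-Run-(?P<name>.+?) - (?P<path>.+?)\s*$')
# Unquoted path that may contain spaces: stop at the first executable extension.
_TOKEN_RE = re.compile(r'^(.+?\.(?:exe|com|scr|dll|cpl))(?=[\s,]|$)', re.I)


@dataclass
class Autorun:
    source: str                        # hijackthis | combofix | combofix-orphan
    name: str                          # registry value name
    command: str                       # command line / path as logged
    target: str                        # file that actually executes
    entrypoint: Optional[str] = None   # rundll32 export, if any
    flags: List[str] = field(default_factory=list)


def _first_token(cmd: str):
    """Split the first token off a Windows command line; returns (token, rest)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:], '') if end == -1 else (cmd[1:end], cmd[end + 1:].strip())
    m = _TOKEN_RE.match(cmd)
    if m:
        return m.group(1), cmd[m.end():].strip()
    head, _, rest = cmd.partition(' ')
    return head, rest.strip()


def resolve_target(cmd: str):
    """Return (target_path, entrypoint); rundll32 is unwrapped to the DLL it loads."""
    prog, rest = _first_token(cmd)
    if ntpath.basename(prog).lower() not in ('rundll32.exe', 'rundll32'):
        return prog, None
    dll, rest = _first_token(rest)       # rundll32 syntax: <dll>,<export> [args]
    if ',' in dll:                       # extension-less unquoted form: path,export
        dll, _, rest = dll.partition(',')
    elif rest.startswith(','):           # "path",export  or  path.dll,export
        rest = rest[1:]
    rest = rest.strip()
    return dll, (rest.split()[0] if rest else None)


def _unusual_dll_dir(target: str) -> bool:
    """Heuristic: rundll32-loaded DLL directly in the Windows root or under a
    profile/Temp directory rather than system32 or Program Files."""
    d = ntpath.dirname(target).lower().rstrip('\\')
    if re.fullmatch(r'[a-z]:\\windows', d):
        return True
    return any(s in d for s in ('\\temp', '\\documents and settings', '\\appdata'))


def parse_line(line: str) -> Optional[Autorun]:
    """Recognise one log line; None for anything else (scan chatter, blanks)."""
    line = line.strip()
    m = O4_RE.match(line)
    if m:
        target, entry = resolve_target(m['cmd'])
        return Autorun('hijackthis', m['name'], m['cmd'], target, entry)
    m = CF_ORPHAN_RE.match(line)
    if m:
        return Autorun('combofix-orphan', m['name'], m['path'], m['path'])
    m = CF_VALUE_RE.match(line)
    if m:   # ComboFix already logs the resolved file path, not a command line
        return Autorun('combofix', m['name'], m['cmd'], m['cmd'])
    return None


def triage(lines, exists: Callable[[str], bool] = os.path.exists) -> List[Autorun]:
    """Parse every recognised line and attach flags; `exists` is injectable so the
    same logic can run against a constructed file list instead of a live disk."""
    results = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        if not exists(entry.target):
            entry.flags.append('orphan')   # registry value survived, file did not
        if entry.entrypoint is not None and _unusual_dll_dir(entry.target):
            entry.flags.append('rundll32-dll-in-unusual-dir')
        results.append(entry)
    return results


# Constructed sample: the O4 line from the opening post, two Run values and the
# orphan line from the ComboFix log, plus a made-up unquoted rundll32 entry.
SAMPLE_LINES = [
    r'O4 - HKCU\..\Run: [Ufujiyo] rundll32.exe "C:\WINDOWS\dsfatrov.dll",Startup',
    r'"ccleaner"="c:\program files\CCleaner\ccleaner.exe" [2010-08-26 1779512]',
    r'"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2010-11-05 517480]',
    r'HKCU-Run-Ufujiyo - c:\windows\dsfatrov.dll',
    r'O4 - HKLM\..\Run: [Example] rundll32.exe C:\WINDOWS\system32\shell32.dll,Control_RunDLL',
]
# Stand-in for the disk (constructed): everything exists except dsfatrov.dll.
KNOWN_FILES = {r'c:\program files\ccleaner\ccleaner.exe',
               r'c:\progra~1\thinkpad\utilit~1\pwrmgrtr.dll',
               r'c:\windows\system32\shell32.dll'}


def fake_exists(path: str) -> bool:
    return path.lower() in KNOWN_FILES


if __name__ == '__main__':
    for a in triage(SAMPLE_LINES, fake_exists):
        ep = ',' + a.entrypoint if a.entrypoint else ''
        print(f"{a.source:16} {a.name:10} -> {a.target}{ep}  {a.flags or 'ok'}")
```

Running it flags the Ufujiyo entry twice (orphan, and a DLL loaded straight from C:\WINDOWS) and the ComboFix orphan line once, while the legitimate entries come back clean. The `exists` hook is the point of the design: the same parser is what you would run over a real log on a clean analysis box, where the file check has to be substituted for something other than the local disk.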




#6 fenzodahl512


Posted 19 January 2011 - 06:11 PM

Please update and do a quick scan with your Malwarebytes'. Then tell me how the computer is :)



#7 paramedic233


Posted 20 January 2011 - 11:07 AM

Away from that particular machine until Friday, January 21 at 0800.
Thank you for the response.
Medic

#8 fenzodahl512


Posted 20 January 2011 - 09:07 PM

You're welcome. Don't worry, we can wait :)



#9 paramedic233


Posted 22 January 2011 - 07:48 AM

Well, it is now Saturday, and I just restarted the computer, and the Windows error popup for dsfatrov.dll still shows.
I'm running a MBAM scan to see what shows.
Thanks for the patience.

#10 fenzodahl512


Posted 22 January 2011 - 08:13 AM

Ok, delete your version of ComboFix and redownload a fresh one. Then re-run ComboFix and post a fresh log here :)



#11 paramedic233


Posted 22 January 2011 - 08:16 AM

Here's the logfile from MBAM:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5568

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/22/2011 8:15:33 AM
mbam-log-2011-01-22 (08-15-33).txt

Scan type: Full scan (C:\|)
Objects scanned: 222876
Time elapsed: 33 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Nothing found.



#12 fenzodahl512


Posted 22 January 2011 - 08:19 AM

It's okay. Can you redownload and rerun ComboFix please? I need to see its fresh log :)



#13 paramedic233


Posted 22 January 2011 - 08:41 AM

Just so you are aware, ComboFix actually created a directory this time.
And the machine rebooted during the scan, and dsfatrov.dll was again there in a Windows error popup.


ComboFix 11-01-21.03 - KB 01/22/2011 8:20:23.6.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3032.2065 [GMT -5:00]
Running from: C:\Documents and Settings\KB\Desktop\Combo-Fix.exe
AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\PC-Doctor\Downloads\fba070bc-3f13-4168-ac07-944c741939f2\fba070bc-3f13-4168-ac07-944c741939f2.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF


((((((((((((((((((((((((( Files Created from 2010-12-22 to 2011-01-22 )))))))))))))))))))))))))))))))
.

2011-01-19 17:33:37 . 2011-01-19 17:33:37 388096 ----a-r- C:\Documents and Settings\KB\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-01-19 17:33:36 . 2011-01-19 17:33:36 -------- d-----w- C:\Program Files\Trend Micro
2011-01-19 16:17:57 . 2011-01-19 16:17:57 25992 ----a-w- C:\WINDOWS\system32\pgdfgsvc.exe
2011-01-18 23:46:51 . 2011-01-18 23:46:51 -------- d-sh--w- C:\Documents and Settings\Administrator\IETldCache
2011-01-18 15:18:01 . 2002-12-29 06:14:38 81920 ----a-w- C:\WINDOWS\system32\Startup.cpl
2011-01-18 15:07:48 . 2011-01-18 15:08:02 -------- d-----w- C:\Documents and Settings\KB\Local Settings\Application Data\Software_Master
2011-01-18 15:07:35 . 2011-01-18 15:08:07 -------- d-----w- C:\Documents and Settings\KB\Local Settings\Application Data\ConduitEngine
2011-01-16 13:54:41 . 2010-11-05 06:29:00 196608 ------w- C:\WINDOWS\PWMBTHLP.EXE
2011-01-16 13:54:40 . 2011-01-16 13:54:40 -------- d-----w- C:\Program Files\ThinkPad
2011-01-16 13:54:40 . 2010-11-05 06:29:00 4442 ------w- C:\WINDOWS\system32\drivers\TPPWRIF.SYS
2011-01-16 13:54:40 . 2010-11-05 06:29:00 251240 ------w- C:\WINDOWS\system32\PWMCPl.cpl
2011-01-16 13:54:40 . 2010-11-05 06:29:00 24304 ------w- C:\WINDOWS\system32\drivers\DOZEHDD.SYS
2010-12-30 21:05:06 . 2010-12-30 21:05:06 -------- d-----w- C:\Program Files\iPod
2010-12-30 21:05:04 . 2010-12-30 21:05:35 -------- d-----w- C:\Program Files\iTunes
2010-12-30 20:58:03 . 2010-12-30 20:58:03 159744 ----a-w- C:\Program Files\Internet Explorer\Plugins\npqtplugin7.dll
2010-12-30 20:58:03 . 2010-12-30 20:58:03 159744 ----a-w- C:\Program Files\Internet Explorer\Plugins\npqtplugin6.dll
2010-12-30 20:58:03 . 2010-12-30 20:58:03 159744 ----a-w- C:\Program Files\Internet Explorer\Plugins\npqtplugin5.dll
2010-12-30 20:58:03 . 2010-12-30 20:58:03 159744 ----a-w- C:\Program Files\Internet Explorer\Plugins\npqtplugin4.dll
2010-12-30 20:58:03 . 2010-12-30 20:58:03 159744 ----a-w- C:\Program Files\Internet Explorer\Plugins\npqtplugin3.dll
2010-12-30 20:58:03 . 2010-12-30 20:58:03 159744 ----a-w- C:\Program Files\Internet Explorer\Plugins\npqtplugin2.dll
2010-12-30 20:58:03 . 2010-12-30 20:58:03 159744 ----a-w- C:\Program Files\Internet Explorer\Plugins\npqtplugin.dll
2010-12-30 20:57:44 . 2010-12-30 20:58:02 -------- d-----w- C:\Program Files\QuickTime
2010-12-27 13:07:13 . 2010-12-27 13:07:13 -------- d-----w- C:\Documents and Settings\LocalService\Application Data\Flip Video
2010-12-27 13:06:47 . 2010-12-27 13:06:48 -------- d-----w- C:\Program Files\Flip Video
2010-12-27 02:05:31 . 2010-12-27 13:07:01 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Flip Video
2010-12-26 21:42:28 . 2010-12-26 21:42:29 -------- d-----w- C:\Documents and Settings\KB\Local Settings\Application Data\cache
2010-12-26 21:41:32 . 2010-12-26 21:41:32 -------- d-----w- C:\Program Files\VTech
2010-12-26 20:55:18 . 2010-12-26 20:55:18 -------- d-----w- C:\Documents and Settings\All Users\Application Data\VTech

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-20 23:09:00 . 2010-04-26 21:55:44 38224 ----a-w- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08:40 . 2010-04-26 21:55:43 20952 ----a-w- C:\WINDOWS\system32\drivers\mbam.sys
2010-11-29 22:38:30 . 2010-11-29 22:38:30 94208 ----a-w- C:\WINDOWS\system32\QuickTimeVR.qtx
2010-11-29 22:38:30 . 2010-11-29 22:38:30 69632 ----a-w- C:\WINDOWS\system32\QuickTime.qts
2010-11-18 18:12:44 . 2008-07-21 22:00:56 81920 ------w- C:\WINDOWS\system32\isign32.dll
2010-11-09 14:52:35 . 2008-07-21 22:49:59 249856 ----a-w- C:\WINDOWS\system32\odbc32.dll
2010-11-06 00:26:58 . 2008-07-21 22:50:07 916480 ----a-w- C:\WINDOWS\system32\wininet.dll
2010-11-06 00:26:58 . 2008-07-21 22:49:54 43520 ------w- C:\WINDOWS\system32\licmgr10.dll
2010-11-06 00:26:58 . 2008-07-21 22:49:54 1469440 ------w- C:\WINDOWS\system32\inetcpl.cpl
2010-11-04 14:30:02 . 2010-11-04 14:30:19 73728 ----a-w- C:\WINDOWS\system32\javacpl.cpl
2010-11-04 14:30:02 . 2010-11-04 14:30:19 472808 ----a-w- C:\WINDOWS\system32\deployJava1.dll
2010-11-03 12:25:54 . 2008-07-21 22:49:53 385024 ------w- C:\WINDOWS\system32\html.iec
2010-11-02 15:17:02 . 2008-07-21 22:49:58 40960 ------w- C:\WINDOWS\system32\drivers\ndproxy.sys
2010-10-28 13:13:22 . 2008-07-21 22:49:47 290048 ----a-w- C:\WINDOWS\system32\atmfd.dll
2010-10-26 13:25:00 . 2008-07-21 22:50:07 1853312 ------w- C:\WINDOWS\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VeriFace Enc]
@="{771C7324-DA80-49D3-8017-753B0AF60951}"
[HKEY_CLASSES_ROOT\CLSID\{771C7324-DA80-49D3-8017-753B0AF60951}]
2010-01-29 04:09:22 241752 ------w- C:\WINDOWS\system32\IcnOvrly.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccleaner"="C:\Program Files\CCleaner\ccleaner.exe" [2010-12-21 21:42:08 2162488]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 01:05:26 204288]
"Ufujiyo"="C:\WINDOWS\dsfatrov.dll" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PMHandler"="C:\PROGRA~1\Lenovo\PMDriver\PMHandler.exe" [2009-04-03 06:33:28 247080]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2008-03-26 12:58:40 163840]
"TPFNF7"="C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2008-07-30 19:00:00 60192]
"TPWAUDAP"="C:\Program Files\Lenovo\HOTKEY\TpWAudAp.exe" [2008-03-11 04:33:02 54560]
"SmartAudio"="C:\Program Files\CONEXANT\SMARTAUDIO\SMAUDIO.EXE" [2008-07-21 03:19:50 2701880]
"IntelZeroConfig"="C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe" [2008-10-17 01:14:56 1368064]
"IntelWireless"="C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2008-10-17 00:55:42 1191936]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2008-08-15 07:06:16 150040]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2008-08-15 07:06:02 178712]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2008-08-15 07:06:10 150040]
"TVT Scheduler Proxy"="C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-11-24 23:42:48 487424]
"VeriFaceManager"="C:\Program Files\Lenovo\VeriFaceIII\PManage.exe" [2010-01-29 04:09:20 323584]
"LPManager"="C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe" [2007-04-26 17:10:00 120368]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2008-04-25 16:15:44 244208]
"RoxioDragToDisc"="C:\Program Files\Lenovo\Drag-to-Disc\DrgToDsc.exe" [2007-03-13 17:05:00 1116920]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2009-07-09 01:14:40 115560]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2008-08-12 16:24:46 114688]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 14:03:38 210472]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2008-07-10 04:07:00 29984]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2008-07-10 04:05:10 46368]
"PPort11reminder"="C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 14:01:58 328992]
"BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [2008-11-13 00:59:30 1122304]
"ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [2008-08-12 16:24:46 114688]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 08:47:04 35760]
"Adobe ARM"="C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 03:07:44 932288]
"Message Center Plus"="C:\Program Files\LENOVO\Message Center Plus\MCPLaunch.exe" [2009-05-28 02:09:36 49976]
"SunJavaUpdateSched"="C:\Program Files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 15:44:46 248552]
"AgentMonitor"="C:\Program Files\VTech\DownloadManager\System\AgentMonitor.exe" [2010-12-21 08:53:23 326048]
"Malwarebytes' Anti-Malware"="C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-12-20 23:08:56 443728]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2010-11-29 22:38:18 421888]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2010-12-13 22:16:18 421160]
"PWRMGRTR"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2010-11-05 06:29:00 517480]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 03:41:34 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PicNotify]
2010-01-29 04:09:21 1167360 ------w- C:\WINDOWS\system32\PicNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2008-08-08 10:14:00 28672 ------w- C:\Program Files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 12:42:30 1695232 ------w- C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"C:\\Program Files\\Sybase\\SQL Anywhere 9\\win32\\dbeng9.exe"=
"C:\\Program Files\\Brother\\Brmfl08i\\FAXRX.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype1.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\VTech\\DownloadManager\\System\\AgentMonitor.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"54925:UDP"= 54925:UDP:Brother Network Scanner
"24726:TCP"= 24726:TCP:FlipShareServer
"24727:TCP"= 24727:TCP:FlipShareServer

R0 DozeHDD;DozeHDD;C:\WINDOWS\system32\drivers\DOZEHDD.SYS [1/16/2011 8:54:40 AM 24304]
R1 PMHler;PMHler;C:\WINDOWS\system32\drivers\PMHler.sys [5/24/2006 2:48:14 PM 10240]
R1 tvtumon;tvtumon;C:\WINDOWS\system32\drivers\tvtumon.sys [5/9/2008 8:50:48 PM 46144]
R2 BRA_Scheduler;Brother BRAdminPro Scheduler;C:\Program Files\Brother\BRAdmin Professional 3\bratimer.exe [12/7/2010 1:01:30 PM 65536]
R2 DozeSvc;Lenovo Doze Mode Service;C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE [1/16/2011 8:54:40 AM 132456]
R2 FlipShareServer;FlipShare Server;C:\Program Files\Flip Video\FlipShareServer\FlipShareServer.exe [12/15/2010 1:22:42 PM 1085440]
R2 FNF5SVC;Fn+F5 Service;C:\Program Files\Lenovo\HOTKEY\FnF5svc.exe [9/11/2008 1:49:12 AM 54560]
R2 MBAMService;MBAMService;C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [4/26/2010 4:55:46 PM 363344]
R2 Power Manager DBC Service;Power Manager DBC Service;C:\Program Files\ThinkPad\Utilities\PWMDBSVC.exe [1/16/2011 8:54:41 AM 53248]
R2 TVT Backup Protection Service;TVT Backup Protection Service;C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe [11/24/2008 6:34:02 PM 520192]
R2 TVT_UpdateMonitor;TVT Windows Update Monitor;C:\Program Files\Lenovo\Rescue and Recovery\UpdateMonitor.exe [5/9/2008 8:50:46 PM 360448]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [1/18/2011 6:59:18 PM 102448]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;C:\WINDOWS\system32\drivers\IntcHdmi.sys [1/28/2010 11:04:08 PM 110080]
R3 JMCR;JMCR;C:\WINDOWS\system32\drivers\jmcr.sys [1/28/2010 10:59:37 PM 97536]
R3 MBAMProtector;MBAMProtector;C:\WINDOWS\system32\drivers\mbam.sys [4/26/2010 4:55:43 PM 20952]
R3 TVTI2C;Lenovo SM bus driver;C:\WINDOWS\system32\drivers\tvti2c.sys [2/22/2008 6:54:40 PM 37312]
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe [4/25/2008 11:18:10 AM 362992]
S2 RoxLiveShare10;LiveShare P2P Server 10;C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [4/25/2008 11:16:04 AM 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [4/25/2008 11:15:58 AM 166384]
S3 PSI;PSI;C:\WINDOWS\system32\drivers\psi_mf.sys [7/7/2010 9:05:32 AM 14904]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [4/25/2008 11:18:02 AM 313840]
S3 RoxMediaDB10;RoxMediaDB10;C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [4/25/2008 11:15:24 AM 1120752]
S4 SessionLauncher;SessionLauncher;C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DX9\SessionLauncher.exe --> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2011-01-20 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50:20 . 2009-10-22 15:50:20]

2011-01-22 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 23:54:46 . 2007-02-12 23:54:46]

2010-12-22 C:\WINDOWS\Tasks\PCDoctorBackgroundMonitorTask.job
- C:\Program Files\PC-Doctor\uaclauncher.exe [2010-05-07 19:46:16 . 2010-05-07 19:46:16]

2011-01-22 C:\WINDOWS\Tasks\PMTask.job
- C:\PROGRA~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2011-01-16 13:54:41 . 2010-11-05 06:29:00]

2011-01-21 C:\WINDOWS\Tasks\SystemToolsDailyTest.job
- C:\Program Files\PC-Doctor\pcdrcui.exe [2010-05-08 00:50:12 . 2010-06-08 21:08:22]

2011-01-21 C:\WINDOWS\Tasks\User_Feed_Synchronization-{2CD09A51-A74E-4B06-8BAC-58A100C3DA9B}.job
- C:\WINDOWS\system32\msfeedssync.exe [2007-08-14 02:36:40 . 2009-03-08 09:31:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: &Windows Live Search - C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
IE: Copy to &Lightning Note - C:\Program Files\Corel\WordPerfect Lightning\Programs\WPLightningCopyToNote.hta
IE: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Open with WordPerfect - c:\Program Files\Corel\WordPerfect Office X5\Programs\WPLauncher.hta
DPF: {6E2510E6-BF2D-4C78-9F28-2F5C8760F124} - hxxps://eroom3.newyorklife.com/eRoomSetup/client.cab
.




#14 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:05:12 AM

Posted 22 January 2011 - 09:02 AM

1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Rootkit::
C:\WINDOWS\dsfatrov.dll

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ufujiyo"=-

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe/KittyFix.exe as depicted in the animation below. This will start ComboFix/KittyFix again.



5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.


**Note**

When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
  • Simply follow the instructions to copy/paste/send the requested file.

Note::
If Combofix fails to upload the file, please find C:\Qoobox\Quarantined Files\Submit(Time and date here).zip and upload it at this site



#15 paramedic233

paramedic233
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:05:12 PM

Posted 22 January 2011 - 09:34 AM

Okay, no .zip file found at the above location.
Combofix also had a lot of problems rebooting the machine.

ComboFix 11-01-21.03 - KB 01/22/2011 9:08.7.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3032.2053 [GMT -5:00]
Running from: c:\documents and settings\KB\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\KB\Desktop\CFScript.txt
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\program files\PC-Doctor\Downloads\fba070bc-3f13-4168-ac07-944c741939f2\fba070bc-3f13-4168-ac07-944c741939f2.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF


((((((((((((((((((((((((( Files Created from 2010-12-22 to 2011-01-22 )))))))))))))))))))))))))))))))
.

2011-01-19 17:33 . 2011-01-19 17:33 388096 ----a-r- c:\documents and settings\KB\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-01-19 17:33 . 2011-01-19 17:33 -------- d-----w- c:\program files\Trend Micro
2011-01-19 16:17 . 2011-01-19 16:17 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe
2011-01-18 23:46 . 2011-01-18 23:46 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2011-01-18 15:18 . 2002-12-29 06:14 81920 ----a-w- c:\windows\system32\Startup.cpl
2011-01-18 15:07 . 2011-01-18 15:08 -------- d-----w- c:\documents and settings\KB\Local Settings\Application Data\Software_Master
2011-01-18 15:07 . 2011-01-18 15:08 -------- d-----w- c:\documents and settings\KB\Local Settings\Application Data\ConduitEngine
2011-01-16 13:54 . 2010-11-05 06:29 196608 ------w- c:\windows\PWMBTHLP.EXE
2011-01-16 13:54 . 2011-01-16 13:54 -------- d-----w- c:\program files\ThinkPad
2011-01-16 13:54 . 2010-11-05 06:29 4442 ------w- c:\windows\system32\drivers\TPPWRIF.SYS
2011-01-16 13:54 . 2010-11-05 06:29 251240 ------w- c:\windows\system32\PWMCPl.cpl
2011-01-16 13:54 . 2010-11-05 06:29 24304 ------w- c:\windows\system32\drivers\DOZEHDD.SYS
2010-12-30 21:05 . 2010-12-30 21:05 -------- d-----w- c:\program files\iPod
2010-12-30 21:05 . 2010-12-30 21:05 -------- d-----w- c:\program files\iTunes
2010-12-30 20:58 . 2010-12-30 20:58 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin7.dll
2010-12-30 20:58 . 2010-12-30 20:58 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin6.dll
2010-12-30 20:58 . 2010-12-30 20:58 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
2010-12-30 20:58 . 2010-12-30 20:58 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
2010-12-30 20:58 . 2010-12-30 20:58 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
2010-12-30 20:58 . 2010-12-30 20:58 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
2010-12-30 20:58 . 2010-12-30 20:58 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin.dll
2010-12-30 20:57 . 2010-12-30 20:58 -------- d-----w- c:\program files\QuickTime
2010-12-27 13:07 . 2010-12-27 13:07 -------- d-----w- c:\documents and settings\LocalService\Application Data\Flip Video
2010-12-27 13:06 . 2010-12-27 13:06 -------- d-----w- c:\program files\Flip Video
2010-12-27 02:05 . 2010-12-27 13:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Flip Video
2010-12-26 21:42 . 2010-12-26 21:42 -------- d-----w- c:\documents and settings\KB\Local Settings\Application Data\cache
2010-12-26 21:41 . 2010-12-26 21:41 -------- d-----w- c:\program files\VTech
2010-12-26 20:55 . 2010-12-26 20:55 -------- d-----w- c:\documents and settings\All Users\Application Data\VTech

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-20 23:09 . 2010-04-26 21:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2010-04-26 21:55 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-29 22:38 . 2010-11-29 22:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 22:38 . 2010-11-29 22:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-18 18:12 . 2008-07-21 22:00 81920 ------w- c:\windows\system32\isign32.dll
2010-11-09 14:52 . 2008-07-21 22:49 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:26 . 2008-07-21 22:50 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2008-07-21 22:49 43520 ------w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2008-07-21 22:49 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-04 14:30 . 2010-11-04 14:30 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-04 14:30 . 2010-11-04 14:30 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-03 12:25 . 2008-07-21 22:49 385024 ------w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2008-07-21 22:49 40960 ------w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2008-07-21 22:49 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2008-07-21 22:50 1853312 ------w- c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VeriFace Enc]
@="{771C7324-DA80-49D3-8017-753B0AF60951}"
[HKEY_CLASSES_ROOT\CLSID\{771C7324-DA80-49D3-8017-753B0AF60951}]
2010-01-29 04:09 241752 ------w- c:\windows\system32\IcnOvrly.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccleaner"="c:\program files\CCleaner\ccleaner.exe" [2010-12-21 2162488]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PMHandler"="c:\progra~1\Lenovo\PMDriver\PMHandler.exe" [2009-04-03 247080]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2008-03-26 163840]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2008-07-30 60192]
"TPWAUDAP"="c:\program files\Lenovo\HOTKEY\TpWAudAp.exe" [2008-03-11 54560]
"SmartAudio"="c:\program files\CONEXANT\SMARTAUDIO\SMAUDIO.EXE" [2008-07-21 2701880]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2008-10-17 1368064]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2008-10-17 1191936]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-08-15 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-08-15 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-08-15 150040]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-11-24 487424]
"VeriFaceManager"="c:\program files\Lenovo\VeriFaceIII\PManage.exe" [2010-01-29 323584]
"LPManager"="c:\progra~1\Lenovo\LENOVO~2\LPMGR.exe" [2007-04-26 120368]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2008-04-25 244208]
"RoxioDragToDisc"="c:\program files\Lenovo\Drag-to-Disc\DrgToDsc.exe" [2007-03-13 1116920]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-07-09 115560]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2008-08-12 114688]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2008-07-10 29984]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2008-07-10 46368]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2008-11-13 1122304]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2008-08-12 114688]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"Message Center Plus"="c:\program files\LENOVO\Message Center Plus\MCPLaunch.exe" [2009-05-28 49976]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"AgentMonitor"="c:\program files\VTech\DownloadManager\System\AgentMonitor.exe" [2010-12-21 326048]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-12-20 443728]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2010-11-05 517480]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PicNotify]
2010-01-29 04:09 1167360 ------w- c:\windows\system32\PicNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2008-08-08 10:14 28672 ------w- c:\program files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 12:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\Program Files\\Sybase\\SQL Anywhere 9\\win32\\dbeng9.exe"=
"c:\\Program Files\\Brother\\Brmfl08i\\FAXRX.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype1.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\VTech\\DownloadManager\\System\\AgentMonitor.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"54925:UDP"= 54925:UDP:Brother Network Scanner
"24726:TCP"= 24726:TCP:FlipShareServer
"24727:TCP"= 24727:TCP:FlipShareServer

R0 DozeHDD;DozeHDD;c:\windows\system32\drivers\DOZEHDD.SYS [1/16/2011 8:54 AM 24304]
R1 PMHler;PMHler;c:\windows\system32\drivers\PMHler.sys [5/24/2006 2:48 PM 10240]
R1 tvtumon;tvtumon;c:\windows\system32\drivers\tvtumon.sys [5/9/2008 8:50 PM 46144]
R2 BRA_Scheduler;Brother BRAdminPro Scheduler;c:\program files\Brother\BRAdmin Professional 3\bratimer.exe [12/7/2010 1:01 PM 65536]
R2 DozeSvc;Lenovo Doze Mode Service;c:\program files\ThinkPad\Utilities\DOZESVC.EXE [1/16/2011 8:54 AM 132456]
R2 FlipShareServer;FlipShare Server;c:\program files\Flip Video\FlipShareServer\FlipShareServer.exe [12/15/2010 1:22 PM 1085440]
R2 FNF5SVC;Fn+F5 Service;c:\program files\Lenovo\HOTKEY\FnF5svc.exe [9/11/2008 1:49 AM 54560]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [4/26/2010 4:55 PM 363344]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.exe [1/16/2011 8:54 AM 53248]
R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [11/24/2008 6:34 PM 520192]
R2 TVT_UpdateMonitor;TVT Windows Update Monitor;c:\program files\Lenovo\Rescue and Recovery\UpdateMonitor.exe [5/9/2008 8:50 PM 360448]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [1/18/2011 6:59 PM 102448]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [1/28/2010 11:04 PM 110080]
R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [1/28/2010 10:59 PM 97536]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [4/26/2010 4:55 PM 20952]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2/22/2008 6:54 PM 37312]
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [4/25/2008 11:18 AM 362992]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [4/25/2008 11:16 AM 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [4/25/2008 11:15 AM 166384]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [7/7/2010 9:05 AM 14904]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [4/25/2008 11:18 AM 313840]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [4/25/2008 11:15 AM 1120752]
S4 SessionLauncher;SessionLauncher;c:\docume~1\ADMINI~1\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Copy to &Lightning Note - c:\program files\Corel\WordPerfect Lightning\Programs\WPLightningCopyToNote.hta
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Open with WordPerfect - c:\program files\Corel\WordPerfect Office X5\Programs\WPLauncher.hta
DPF: {6E2510E6-BF2D-4C78-9F28-2F5C8760F124} - hxxps://eroom3.newyorklife.com/eRoomSetup/client.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-22 09:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Toolbar\QuickComplete]
@DACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(928)
c:\windows\system32\PicNotify.dll
c:\windows\system32\FaceVerify.dll
c:\windows\system32\MainOp.dll
c:\windows\system32\VideoOp.dll
c:\windows\system32\Image.dll
c:\windows\system32\Momo.dll
c:\windows\system32\Apblend.dll
c:\windows\system32\SetDev.dll
c:\windows\system32\FunFrm.dll
c:\windows\system32\facev.dll
c:\program files\Lenovo\HOTKEY\tphklock.dll
c:\windows\system32\netprovcredman.dll

- - - - - - - > 'explorer.exe'(3980)
c:\windows\system32\WININET.dll
c:\windows\system32\IcnOvrly.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\WiFi\bin\S24EvMon.exe
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\Flip Video\FlipShare\FlipShareService.exe
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Lenovo\PMDriver\PMSveH.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\program files\Lenovo\Rescue and Recovery\rrservice.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\Symantec\Symantec Endpoint Protection\DoScan.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\lenovo\system update\suservice.exe
c:\program files\Apoint2K\ApMsgFwd.exe
c:\program files\Apoint2K\Apntex.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Brother\ControlCenter3\brccMCtl.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\igfxext.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\program files\Symantec\Symantec Endpoint Protection\SavUI.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\SearchFilterHost.exe
c:\program files\Trend Micro\HiJackThis\HiJackThis.exe
.
**************************************************************************
.
Completion time: 2011-01-22 09:28:59 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-22 14:28

Pre-Run: 207,778,754,560 bytes free
Post-Run: 207,760,412,672 bytes free

- - End Of File - - 12D056FED0513EB6A52DA53FA881161F


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:28:50 AM, on 1/22/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Brother\BRAdmin Professional 3\bratimer.exe
C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
C:\Program Files\Flip Video\FlipShareServer\FlipShareServer.exe
C:\Program Files\LENOVO\HOTKEY\FNF5SVC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Lenovo\PMDriver\PMSveH.exe
C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Combo-Fix\CF27006.cfxxe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\UpdateMonitor.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\DoScan.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\PROGRA~1\Lenovo\PMDriver\PMHandler.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\Program Files\Lenovo\HOTKEY\TpWAudAp.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\CONEXANT\SMARTAUDIO\SMAUDIO.EXE
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Lenovo\VeriFaceIII\PManage.exe
C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe
C:\Program Files\Lenovo\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\LENOVO\Message Center Plus\MCPLaunch.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\VTech\DownloadManager\System\AgentMonitor.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SavUI.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\explorer.exe
C:\Combo-Fix\CF27006.cfxxe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Combo-Fix\sed.cfxxe
C:\Combo-Fix\CF27006.cfxxe
C:\Combo-Fix\sed.cfxxe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [PMHandler] C:\PROGRA~1\Lenovo\PMDriver\PMHandler.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [TPWAUDAP] C:\Program Files\Lenovo\HOTKEY\TpWAudAp.exe
O4 - HKLM\..\Run: [SmartAudio] C:\Program Files\CONEXANT\SMARTAUDIO\SMAUDIO.EXE /c
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [VeriFaceManager] C:\Program Files\Lenovo\VeriFaceIII\PManage.exe
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] C:\Program Files\Lenovo\Drag-to-Disc\DrgToDsc.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini"
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Message Center Plus] C:\Program Files\LENOVO\Message Center Plus\MCPLaunch.exe /start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [AgentMonitor] C:\Program Files\VTech\DownloadManager\System\AgentMonitor.exe
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Copy to &Lightning Note - C:\Program Files\Corel\WordPerfect Lightning\Programs\WPLightningCopyToNote.hta
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O8 - Extra context menu item: Open with WordPerfect - c:\Program Files\Corel\WordPerfect Office X5\Programs\WPLauncher.hta
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - http://www-307.ibm.com/pc/support/acpir.cab
O16 - DPF: {6E2510E6-BF2D-4C78-9F28-2F5C8760F124} (ERPageAddin Class) - https://eroom3.newyorklife.com/eRoomSetup/client.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1264817836906
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - Winlogon Notify: PicNotify - PicNotify.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Brother BRAdminPro Scheduler (BRA_Scheduler) - Unknown owner - C:\Program Files\Brother\BRAdmin Professional 3\bratimer.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Lenovo Doze Mode Service (DozeSvc) - Lenovo. - C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel® Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: FlipShare Service - Unknown owner - C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
O23 - Service: FlipShare Server (FlipShareServer) - Unknown owner - C:\Program Files\Flip Video\FlipShareServer\FlipShareServer.exe
O23 - Service: Fn+F5 Service (FNF5SVC) - Lenovo. - C:\Program Files\LENOVO\HOTKEY\FNF5SVC.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: PMSveH - Lenovo - C:\Program Files\Lenovo\PMDriver\PMSveH.exe
O23 - Service: Power Manager DBC Service - Unknown owner - C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel® Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe
O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
O23 - Service: Intel® PROSet/Wireless WiFi Service (S24EventMonitor) - Intel® Corporation - C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: TVT Windows Update Monitor (TVT_UpdateMonitor) - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\UpdateMonitor.exe

--
End of file - 14405 bytes