Yet another Virtumonde issue.

[saltedfish]

Here's the scoop: While running some checks, Spybot kept pinging back this little bug. I have:

1) Run Spybot, deleted issues
2) Ran again, deleted issues
3) Restarted
4) Ran Spybot, Virtumonde came up again

In addition to this issue, when I start my machine, only hte desktop shows, I have to use ctrl-alt-del and hit "start process" and enter "Explorer" to see anything.

At the moment, the machine in question is not connected to the internet. If you feel it is okay to connect, I can (to speed things along). The HJT log is as follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:24:55 PM, on 1/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\Program Files\VentSrv\ventrilo_svc.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\Program Files\VentSrv\ventrilo_srv.exe
c:\program files\lenovo\system update\suservice.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lenovo.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Pidgin] C:\Program Files\Pidgin\pidgin.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll sphtdi.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: tvtnetwk - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe

--
End of file - 6147 bytes

Thanks muchly, any advice you can give is appreciated.

[Blade81]

Hi

Go to C:\Program Files\Trend Micro\HijackThis folder and rename HijackThis.exe file there to something.exe. Post a fresh hjt log after renaming is done

[saltedfish]

Hi

Go to C:\Program Files\Trend Micro\HijackThis folder and rename HijackThis.exe file there to something.exe. Post a fresh hjt log after renaming is done

Thanks muchly for your response. I am away from the infected machine, but as soon as I get home, I'll look into it.

[Blade81]

Ok. Shall wait for your input

[saltedfish]

I HAVE RETURNED. With a log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:33:20 PM, on 1/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\Program Files\VentSrv\ventrilo_svc.exe
C:\Program Files\VentSrv\ventrilo_srv.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Pidgin\pidgin.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\somethingelse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lenovo.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {6782359D-C18A-4AB3-AED2-18D811C3AD3A} - C:\WINDOWS\system32\awttqPif.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\hgGxXNHB.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: {aa2770d6-8a52-c5ab-7464-f6c2a7640e2a} - {a2e0467a-2c6f-4647-ba5c-25a86d0772aa} - C:\WINDOWS\system32\serjij.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Pidgin] C:\Program Files\Pidgin\pidgin.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll serjij.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: hgGxXNHB - C:\WINDOWS\SYSTEM32\hgGxXNHB.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: tvtnetwk - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe

--
End of file - 7206 bytes

[Blade81]

Hi again


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/comb...o-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
   Remember to re-enable them afterwards.
   
   
2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

[saltedfish]

Alright: I return with information. Sorry about the delay.

ComboFix:

ComboFix 09-01-21.04 - User 2009-01-24 14:08:41.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.311 [GMT -8:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\User\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat
c:\documents and settings\User\Local Settings\Temporary Internet Files\qd5e504q.zvx
c:\windows\system32\awttqPif.dll
c:\windows\system32\etmdkbye.dll
c:\windows\system32\fiPqttwa.ini
c:\windows\system32\fiPqttwa.ini2
c:\windows\system32\gtyuhume.dll
c:\windows\system32\hgGxXNHB.dll
c:\windows\system32\nsncxjar.dll
c:\windows\system32\qbvstk.dll
c:\windows\system32\serjij.dll
c:\windows\system32\sphtdi.dll
c:\windows\system32\wpv471232083525.cpx
c:\windows\system32\wpv751232083597.cpx
c:\windows\system32\xapsuvak.dll
c:\windows\system32\yqqjaywb.dll
c:\windows\wiaserviv.log

.
((((((((((((((((((((((((( Files Created from 2008-12-24 to 2009-01-24 )))))))))))))))))))))))))))))))
.

2009-01-23 21:10 . 2009-01-23 21:10 1,434,061 --ahs---- c:\windows\system32\emuhuytg.ini
2009-01-22 21:10 . 2009-01-22 21:10 1,434,061 --ahs---- c:\windows\system32\kavuspax.ini
2009-01-18 10:02 . 2009-01-18 10:02 120 --ahs---- c:\windows\system32\bgcdcobp.ini
2009-01-17 22:28 . 2009-01-17 22:28 <DIR> d-------- C:\VundoFix Backups
2009-01-17 17:24 . 2009-01-17 17:24 <DIR> d-------- c:\program files\Trend Micro
2009-01-17 14:53 . 2009-01-17 15:35 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-17 14:53 . 2009-01-24 14:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-11 14:58 . 2009-01-11 14:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\Marginal Team
2009-01-05 18:53 . 2009-01-05 18:55 <DIR> d-------- c:\program files\VentSrv

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-24 22:12 --------- d-----w c:\documents and settings\User\Application Data\.purple
2009-01-21 03:05 --------- d-----w c:\program files\World of Warcraft
2009-01-17 22:55 --------- d-----w c:\documents and settings\User\Application Data\gtk-2.0
2009-01-10 08:51 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-01-10 08:37 --------- d-----w c:\program files\vixy.net
2009-01-06 02:52 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-24 02:02 --------- d-----w c:\program files\Lenovo
2008-12-24 02:02 --------- d-----w c:\program files\Common Files\Lenovo
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-06 23:10 --------- d-----w c:\program files\Midway Games
2008-12-06 23:04 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-06 23:04 --------- d-----w c:\program files\Bethesda Softworks
2008-12-03 00:52 --------- d-----w c:\documents and settings\User\Application Data\uTorrent
2008-03-07 08:43 32,768 --sh--w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
2008-08-20 02:04 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008081920080820\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Pidgin"="c:\program files\Pidgin\pidgin.exe" [2008-03-31 44658]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-05 23:37 34344 c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2006-12-13 18:06 28672 c:\program files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2007-07-05 14:52 32768 c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli ACGina

[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^Pidgin (2).lnk]
path=c:\documents and settings\User\Start Menu\Programs\Startup\Pidgin (2).lnk
backup=c:\windows\pss\Pidgin (2).lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACWLIcon]
--------- 2007-07-05 14:51 126976 c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-07-22 19:42 116040 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
--a------ 2008-11-27 09:46 1261336 c:\progra~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AwaySch]
--------- 2006-11-07 02:51 91688 c:\program files\Lenovo\AwayTask\AwaySch.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BLOG]
--------- 2007-09-05 08:18 208896 c:\progra~1\ThinkPad\UTILIT~1\BATLOGEX.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 16:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EZEJMNAP]
--------- 2007-03-28 09:32 243248 c:\progra~1\ThinkPad\UTILIT~1\EZEJMNAP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-11-08 11:00 133104 c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2007-09-06 17:27 162328 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2002-12-09 16:19 188416 c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2007-09-06 17:27 141848 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-07-30 09:47 289064 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LPManager]
--------- 2007-07-12 09:11 124256 c:\progra~1\Lenovo\LENOVO~2\LPMGR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a------ 2007-09-06 17:27 137752 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRMGRTR]
--------- 2007-09-05 08:18 200704 c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 09:50 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPHOTKEY]
--------- 2007-03-08 21:49 66176 c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TVT Scheduler Proxy]
--a------ 2008-03-04 10:34 487424 c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--a------ 2006-10-18 19:05 204288 c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TpShocks]
--a------ 2007-09-28 13:28 181544 c:\windows\system32\TpShocks.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrackPointSrv]
--a------ 2007-04-26 04:14 91184 c:\windows\system32\tp4serv.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Pidgin\\pidgin.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\WengoPhone\\qtwengophone.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\@Last Software\\SketchUp 5\\SketchUp.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\VentSrv\\ventrilo_srv.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 Shockprf;Shockprf;c:\windows\system32\drivers\ApsX86.sys [2007-09-28 103472]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2007-09-28 19504]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2008-03-07 11520]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-08-15 97928]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.sys [2008-03-07 4224]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [2008-03-07 4442]
R3 EuMusDesignVirtualAudioCableWdm;Virtual Audio Cable (WDM);c:\windows\system32\drivers\vrtaucbl.sys [2008-11-12 40576]
R3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [2007-05-10 22832]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2007-05-22 30336]
R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-08-15 875288]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-08-15 231704]
R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-08-15 76040]
R4 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [2007-07-11 569344]
.
Contents of the 'Scheduled Tasks' folder

2009-01-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-469144626-623380448-2399388087-1005.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-08 11:00]

2008-12-20 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2007-09-05 08:18]
.
- - - - ORPHANS REMOVED - - - -

BHO-{6782359D-C18A-4AB3-AED2-18D811C3AD3A} - c:\windows\system32\awttqPif.dll
BHO-{c685e87d-9e29-4b56-bbc6-41068f60043e} - c:\windows\system32\qbvstk.dll
MSConfigStartUp-ISUSPM Startup - c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
MSConfigStartUp-ISUSScheduler - c:\program files\Common Files\InstallShield\UpdateService\issch.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://lenovo.live.com
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\kxq904wo.default\
FF - prefs.js: browser.startup.homepage - 4chan.org
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\kxq904wo.default\extensions\flashplugin@idm\platform\WINNT\plugins\npidmdcp.dll
FF - plugin: c:\documents and settings\User\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPinfotl.dll

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v2.01.01); user_pref(general.useragent.extra.zencast, Creative ZENcast v2.01.01);user_pref(general.useragent.extra.zencast, .

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-24 14:19:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1340)
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\program files\Lenovo\HOTKEY\tphklock.dll

- - - - - - - > 'lsass.exe'(1396)
c:\program files\ThinkPad\ConnectUtilities\ACGina.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACON.dll
c:\windows\system32\WININET.dll
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgr.dll
c:\program files\ThinkPad\ConnectUtilities\AcCryptHlpr.dll
c:\program files\ThinkPad\ConnectUtilities\ACTurinSupport.dll
c:\program files\ThinkPad\ConnectUtilities\AcSmBiosHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcAdaptersInfo.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\system32\IPSSVC.EXE
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\system32\TPHDEXLG.exe
c:\program files\Lenovo\Rescue and Recovery\rrservice.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\Lenovo\Rescue and Recovery\ADM\IUService.exe
c:\program files\VentSrv\ventrilo_svc.exe
c:\program files\VentSrv\ventrilo_srv.exe
c:\program files\Lenovo\System Update\SUService.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Common Files\Lenovo\Logger\logmon.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-24 14:23:42 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-24 22:23:29

Pre-Run: 42,747,576,320 bytes free
Post-Run: 43,560,325,120 bytes free

236 --- E O F --- 2009-01-14 04:48:35


HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:27:23 PM, on 1/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\Program Files\VentSrv\ventrilo_svc.exe
C:\Program Files\VentSrv\ventrilo_srv.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Pidgin\pidgin.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\somethingelse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Pidgin] C:\Program Files\Pidgin\pidgin.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: tvtnetwk - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe

--
End of file - 7095 bytes

note that I was not prompted to install the recovery console. The Combofix process took about 10-15 minutes, with no hiccups. AVG and S&D and Teatimer have all been re-enabled.

[Blade81]

IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

µTorrent


I'd like you to read this thread.

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

Delete these folders afterwards:

c:\documents and settings\User\Application Data\uTorrent
c:\Program Files\uTorrent

Empty Recycle Bin.

After that:


Start hjt, do a system scan, check (if found):
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)

Close browsers and fix checked.



Open notepad and copy/paste the text in the quotebox below into it:

Code:

File::
c:\windows\system32\emuhuytg.ini
c:\windows\system32\kavuspax.ini
c:\windows\system32\bgcdcobp.ini

Folder::
c:\documents and settings\User\Application Data\uTorrent
c:\Program Files\uTorrent

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=-

Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.



Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:

• Download the latest version of Java Runtime Environment (JRE) 6 Update 11.
• Click the
  Download
  button to the right.
• Select Windows on platform combobox and check the box that says:
  Accept License Agreement. Click continue.
  
• The page will refresh.
• Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
• Close any programs you may have running - especially your web browser.
• Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
• Check any item with Java Runtime Environment (JRE or J2SE) in the name.
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java versions.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version.

Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.


Post back its report, a fresh hjt log and above mentioned ComboFix resultant log.

[saltedfish]

Follow all your steps to the letter. Only issue was Kaspersky, it has taken me about 20 minutes to download 577 Kb, as of writing this, the program download is stalled at 421 Kb. In the meantime, I'll just post the HJT and ComboFix logs:

HJT
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:12:05 PM, on 1/25/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\Program Files\VentSrv\ventrilo_svc.exe
C:\Program Files\VentSrv\ventrilo_srv.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Pidgin\pidgin.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\AVG\AVG8\avgscanx.exe
C:\Program Files\Trend Micro\HijackThis\somethingelse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Pidgin] C:\Program Files\Pidgin\pidgin.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: tvtnetwk - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe

--
End of file - 6519 bytes


ComboFix:

ComboFix 09-01-21.04 - User 2009-01-25 11:10:20.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.545 [GMT -8:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\bgcdcobp.ini
c:\windows\system32\emuhuytg.ini
c:\windows\system32\kavuspax.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\bgcdcobp.ini
c:\windows\system32\emuhuytg.ini
c:\windows\system32\kavuspax.ini

.
((((((((((((((((((((((((( Files Created from 2008-12-25 to 2009-01-25 )))))))))))))))))))))))))))))))
.

2009-01-17 22:28 . 2009-01-17 22:28 <DIR> d-------- C:\VundoFix Backups
2009-01-17 17:24 . 2009-01-17 17:24 <DIR> d-------- c:\program files\Trend Micro
2009-01-17 14:53 . 2009-01-17 15:35 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-17 14:53 . 2009-01-24 14:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-11 14:58 . 2009-01-11 14:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\Marginal Team
2009-01-05 18:53 . 2009-01-05 18:55 <DIR> d-------- c:\program files\VentSrv

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-25 19:07 --------- d-----w c:\documents and settings\User\Application Data\.purple
2009-01-21 03:05 --------- d-----w c:\program files\World of Warcraft
2009-01-17 22:55 --------- d-----w c:\documents and settings\User\Application Data\gtk-2.0
2009-01-10 08:51 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-01-10 08:37 --------- d-----w c:\program files\vixy.net
2009-01-06 02:52 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-24 02:02 --------- d-----w c:\program files\Lenovo
2008-12-24 02:02 --------- d-----w c:\program files\Common Files\Lenovo
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-06 23:10 --------- d-----w c:\program files\Midway Games
2008-12-06 23:04 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-06 23:04 --------- d-----w c:\program files\Bethesda Softworks
2008-03-07 08:43 32,768 --sh--w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
2008-08-20 02:04 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008081920080820\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Pidgin"="c:\program files\Pidgin\pidgin.exe" [2008-03-31 44658]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-05 23:37 34344 c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2006-12-13 18:06 28672 c:\program files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2007-07-05 14:52 32768 c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli ACGina

[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^Pidgin (2).lnk]
path=c:\documents and settings\User\Start Menu\Programs\Startup\Pidgin (2).lnk
backup=c:\windows\pss\Pidgin (2).lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACWLIcon]
--------- 2007-07-05 14:51 126976 c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-07-22 19:42 116040 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
--a------ 2008-11-27 09:46 1261336 c:\progra~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AwaySch]
--------- 2006-11-07 02:51 91688 c:\program files\Lenovo\AwayTask\AwaySch.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BLOG]
--------- 2007-09-05 08:18 208896 c:\progra~1\ThinkPad\UTILIT~1\BATLOGEX.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 16:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EZEJMNAP]
--------- 2007-03-28 09:32 243248 c:\progra~1\ThinkPad\UTILIT~1\EZEJMNAP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-11-08 11:00 133104 c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2007-09-06 17:27 162328 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2002-12-09 16:19 188416 c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2007-09-06 17:27 141848 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-07-30 09:47 289064 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LPManager]
--------- 2007-07-12 09:11 124256 c:\progra~1\Lenovo\LENOVO~2\LPMGR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a------ 2007-09-06 17:27 137752 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRMGRTR]
--------- 2007-09-05 08:18 200704 c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 09:50 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPHOTKEY]
--------- 2007-03-08 21:49 66176 c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TVT Scheduler Proxy]
--a------ 2008-03-04 10:34 487424 c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--a------ 2006-10-18 19:05 204288 c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TpShocks]
--a------ 2007-09-28 13:28 181544 c:\windows\system32\TpShocks.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrackPointSrv]
--a------ 2007-04-26 04:14 91184 c:\windows\system32\tp4serv.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Pidgin\\pidgin.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\WengoPhone\\qtwengophone.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\@Last Software\\SketchUp 5\\SketchUp.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\VentSrv\\ventrilo_srv.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 Shockprf;Shockprf;c:\windows\system32\drivers\ApsX86.sys [2007-09-28 103472]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2007-09-28 19504]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2008-03-07 11520]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-08-15 97928]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.sys [2008-03-07 4224]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [2008-03-07 4442]
R3 EuMusDesignVirtualAudioCableWdm;Virtual Audio Cable (WDM);c:\windows\system32\drivers\vrtaucbl.sys [2008-11-12 40576]
R3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [2007-05-10 22832]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2007-05-22 30336]
R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-08-15 875288]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-08-15 231704]
R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-08-15 76040]
R4 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [2007-07-11 569344]
.
Contents of the 'Scheduled Tasks' folder

2009-01-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-469144626-623380448-2399388087-1005.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-08 11:00]

2008-12-20 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2007-09-05 08:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://lenovo.live.com
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\kxq904wo.default\
FF - prefs.js: browser.startup.homepage - 4chan.org
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\kxq904wo.default\extensions\flashplugin@idm\platform\WINNT\plugins\npidmdcp.dll
FF - plugin: c:\documents and settings\User\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPinfotl.dll

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v2.01.01); user_pref(general.useragent.extra.zencast, Creative ZENcast v2.01.01);user_pref(general.useragent.extra.zencast, .

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-25 11:28:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1340)
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\program files\Lenovo\HOTKEY\tphklock.dll

- - - - - - - > 'lsass.exe'(1396)
c:\program files\ThinkPad\ConnectUtilities\ACGina.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACON.dll
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgr.dll
c:\program files\ThinkPad\ConnectUtilities\AcCryptHlpr.dll
c:\program files\ThinkPad\ConnectUtilities\ACTurinSupport.dll
c:\program files\ThinkPad\ConnectUtilities\AcSmBiosHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcAdaptersInfo.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\system32\IPSSVC.EXE
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\system32\TPHDEXLG.exe
c:\program files\Lenovo\Rescue and Recovery\rrservice.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\Lenovo\Rescue and Recovery\ADM\IUService.exe
c:\program files\VentSrv\ventrilo_svc.exe
c:\program files\VentSrv\ventrilo_srv.exe
c:\program files\Lenovo\System Update\SUService.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Common Files\Lenovo\Logger\logmon.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-25 11:32:07 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-25 19:32:04
ComboFix2.txt 2009-01-24 22:23:43

Pre-Run: 43,547,176,960 bytes free
Post-Run: 43,538,821,120 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

223 --- E O F --- 2009-01-14 04:48:35

update: the Kaspersky online scanner wuit because the programn could not start (so important, apparently, it told me twice). Closing and reopening the window seems to get me back to the same, slow, unresponsive window.

[Blade81]

Hi,

Let's use alternative option instead

* Go here to run an online scanner from ESET.

• Note: You will need to use Internet explorer for this scan
• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the activex control to install
• Click Start
• Make sure that the option Remove found threats is UNchecked and the option Scan unwanted applications is checkmarked.
• Click Scan
• Wait for the scan to finish
• Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
• Copy and paste that log as a reply to this topic.