View Full Version : Browser Hijacked
srogers8989
2009-01-09, 20:46
My browser is getting hijacked when I click the link on a Google search result.
I am using Windows xp sp 3. Here is the log file from Hijack This --
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:12:18 PM, on 1/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SiteAdvisor\6173\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
C:\WINDOWS\system32\wwSecure.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\IBM ThinkVantage\Common\Logger\logmon.exe
C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\SiteAdvisor\6173\SiteAdv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgttry.exe
C:\WINDOWS\system32\mstsc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://owa.mse9.exchange.ms/exchweb/bin/auth/owalogon.asp?url=https://owa.mse9.exchange.ms/exchange&reason=0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6173\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {C09B9BBC-9BC9-4034-BCE9-3889F503CB6C} - C:\WINDOWS\system32\yayaAtTl.dll (file missing)
O2 - BHO: (no name) - {C23BA0AD-A46E-43CB-98B7-A5A8BD470B6F} - C:\WINDOWS\system32\ljJYOfeD.dll (file missing)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6173\SiteAdv.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [suScheduler] C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe /SCHEDULER
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6173\SiteAdv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [PDService.exe] "C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NAV CfgWiz] "C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [MVS Splash] "C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe"
O4 - HKLM\..\Run: [Mediafour XPlay Tray Notification Icon] C:\Program Files\Mediafour\XPlay\XPTRYICN.EXE
O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto
O4 - HKLM\..\Run: [MDDiskProtect.exe] C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Program Files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe"
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [ISUSScheduler] "c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [AT&T Communication Manager] "C:\Program Files\AT&T\Communication Manager\ATTCM.exe" -a
O4 - HKLM\..\Run: [AMSG] C:\Program Files\ThinkVantage\AMSG\Amsg.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\RunOnce: [SpybotDeletingA8265] command /c del "C:\WINDOWS\system32\TDSSkkbi.log_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7031] cmd /c del "C:\WINDOWS\system32\TDSSkkbi.log_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9158] command /c del "C:\WINDOWS\system32\TDSSkkbi.log"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4650] cmd /c del "C:\WINDOWS\system32\TDSSkkbi.log"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3550] command /c del "C:\WINDOWS\system32\TDSSrhyp.log_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7392] cmd /c del "C:\WINDOWS\system32\TDSSrhyp.log_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3434] command /c del "C:\WINDOWS\system32\TDSSrhyp.log"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9618] cmd /c del "C:\WINDOWS\system32\TDSSrhyp.log"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\RunOnce: [SpybotDeletingB9525] command /c del "C:\WINDOWS\system32\TDSSkkbi.log_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD640] cmd /c del "C:\WINDOWS\system32\TDSSkkbi.log_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3667] command /c del "C:\WINDOWS\system32\TDSSkkbi.log"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8472] cmd /c del "C:\WINDOWS\system32\TDSSkkbi.log"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5796] command /c del "C:\WINDOWS\system32\TDSSrhyp.log_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6342] cmd /c del "C:\WINDOWS\system32\TDSSrhyp.log_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5531] command /c del "C:\WINDOWS\system32\TDSSrhyp.log"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2641] cmd /c del "C:\WINDOWS\system32\TDSSrhyp.log"
O4 - HKLM\..\Policies\Explorer\Run: [KOyKmYd1Oy] C:\DOCUME~1\Steve\LOCALS~1\Temp\9llCJ4amiU.exe
O4 - Global Startup: desktop.inisteve
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://jcgfiles/ConnectComputer/nshelp.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://expresspay.webex.com/client/T25L/training/ieatgpc.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupControlXP Class) - https://sremote1.duffandphelps.com/dana-cached/setup/JuniperSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = june.local
O17 - HKLM\Software\..\Telephony: DomainName = june.local
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = JCG.local
O20 - AppInit_DLLs: ejusqi.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: EngineServer - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: McShield - McAfee, Inc. - C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
O23 - Service: McAfee Virus and Spyware Protection Service (myAgtSvc) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6173\SAService.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
O23 - Service: TVT Backup Service - Unknown owner - C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Unknown owner - C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe
--
End of file - 15472 bytes
Hello srogers8989,
Welcome to Safer Networking.
Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, All advice given by anyone volunteering here, is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.
Sorry for the delay but the forums are extremely busy.
Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.
O2 - BHO: (no name) - {C09B9BBC-9BC9-4034-BCE9-3889F503CB6C} - C:\WINDOWS\system32\yayaAtTl.dll (file missing)
O2 - BHO: (no name) - {C23BA0AD-A46E-43CB-98B7-A5A8BD470B6F} - C:\WINDOWS\system32\ljJYOfeD.dll (file missing)
O4 - HKLM\..\RunOnce: [SpybotDeletingA8265] command /c del "C:\WINDOWS\system32\TDSSkkbi.log_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7031] cmd /c del "C:\WINDOWS\system32\TDSSkkbi.log_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9158] command /c del "C:\WINDOWS\system32\TDSSkkbi.log"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4650] cmd /c del "C:\WINDOWS\system32\TDSSkkbi.log"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3550] command /c del "C:\WINDOWS\system32\TDSSrhyp.log_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7392] cmd /c del "C:\WINDOWS\system32\TDSSrhyp.log_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3434] command /c del "C:\WINDOWS\system32\TDSSrhyp.log"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9618] cmd /c del "C:\WINDOWS\system32\TDSSrhyp.log"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9525] command /c del "C:\WINDOWS\system32\TDSSkkbi.log_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD640] cmd /c del "C:\WINDOWS\system32\TDSSkkbi.log_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3667] command /c del "C:\WINDOWS\system32\TDSSkkbi.log"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8472] cmd /c del "C:\WINDOWS\system32\TDSSkkbi.log"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5796] command /c del "C:\WINDOWS\system32\TDSSrhyp.log_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6342] cmd /c del "C:\WINDOWS\system32\TDSSrhyp.log_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5531] command /c del "C:\WINDOWS\system32\TDSSrhyp.log"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2641] cmd /c del "C:\WINDOWS\system32\TDSSrhyp.log"
O4 - HKLM\..\Policies\Explorer\Run: [KOyKmYd1Oy] C:\DOCUME~1\Steve\LOCALS~1\Temp\9llCJ4amiU.exe
O20 - AppInit_DLLs: ejusqi.dll
Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized password and other personal information as removing cookies will temporarily disable the auto-login facility.
Please download Malwarebytes' Anti-Malware from Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) or Here (http://www.besttechie.net/tools/mbam-setup.exe)
Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.<-- Don't forget this
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and Paste the entire report in your next reply along with a New Hijackthis log.
srogers8989
2009-01-14, 18:44
Thanks you so much for you help. You guys are doing a wonderful thing here.
I took all of the actions you suggested. What a nasty, nasty virus. I had to download the executables for ATF-Cleaner and Malarebytes on my mac, copy them to the infected computer, and rename them to run them. I followed your script exactly and then took the following additional steps -
1) re-ran Anti-Malware noting only 4 Trojan.Fakealert entries which the program removed.
2) Rebooted and checked to see if my browser was still hijacked (it wasn't)
3) Executed Windows Update which had a security tool update (before I could not navigate to the Windows Update site)
4) Rebooted and ran Spybot noting only a tracking cookie.
Please let me know what further steps I should take to insure I have a clean system. Also, this process has left me confused as to what anti-virus software I should be running. I have McAfee Antivirus, Ad-Aware, Spybot, now ATF-Cleaner and Malwarebytes. Of these, the last three were effective.
Here is the Malwarebytes log
Malwarebytes' Anti-Malware 1.32
Database version: 1616
Windows 5.1.2600 Service Pack 3
1/14/2009 10:24:43 AM
mbam-log-2009-01-14 (10-24-43).txt
Scan type: Quick Scan
Objects scanned: 98604
Time elapsed: 1 minute(s), 46 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 14
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 6
Files Infected: 22
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\Typelib\{5d2631e5-8696-7543-50b2-f674cd4308eb} (Trojan.Fakealert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d88e1558-7c2d-407a-953a-c044f5607cea} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{15421b84-3488-49a7-ad18-cbf84a3efaf6} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{e596df5f-4239-4d40-8367-ebadf0165917} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE (Trojan.Downloader) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\ljjyofed -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\ -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\ -> Quarantined and deleted successfully.
Folders Infected:
C:\Program Files\GetModule (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Steve\Application Data\AntispywareBot (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Steve\Application Data\GetModule (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Steve\Application Data\speedrunner (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009 (Rogue.Multiple) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\ljJYOfeD.dllsteve (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\DefOYJjl.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSShrsr.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\TDSSoiqn.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\TDSSrtqp.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\yayaAtTl.dllsteve (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\TDSSmhct.sys (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\Temp\TDSS35e0.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS3860.tmp (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\Temp\TDSS3b5e.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS3e0d.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSSc332.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSSc3ce.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSSc44b.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSSc4c8.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Steve\Local Settings\Temp\TDSS94a2.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Steve\Application Data\speedrunner\config.cfg (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSkkbi.log (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\TDSSlxwp.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSrhyp.log (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\TDSSxfum.dll (Rootkit.Agent) -> Delete on reboot.
Hi,
You have signs in your Malwarebytes log for a Rootkit , that was what was preventing you from running the programs, it looks like Malwarebytes removed it but there may be more.
Download ComboFix from one of these locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.
*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
srogers8989
2009-01-14, 22:15
I downloaded and ran Combo Fix, then Hijack this. Here are the log files -
ComboFix 09-01-13.04 - srogers 2009-01-14 14:36:26.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2483 [GMT -6:00]
Running from: c:\documents and settings\Steve\My Documents\Desktop\ComboFix.exe
AV: Total Protection Service *On-access scanning disabled* (Updated)
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Steve\Application Data\inst.exe
c:\windows\Downloaded Program Files\MyWebEx
c:\windows\Downloaded Program Files\MyWebEx\419\atarm.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atas32.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atasanot.exe
c:\windows\Downloaded Program Files\MyWebEx\419\atasctrl.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atasnt40.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atcarmcl.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atdl2006.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atjpeg60.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atkbctl.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atlchat.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atmemmgr.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atnetext.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atpack.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atres.dll
c:\windows\Downloaded Program Files\MyWebEx\419\attp.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atwbxui6.dll
c:\windows\Downloaded Program Files\MyWebEx\419\h264dec.dll
c:\windows\Downloaded Program Files\MyWebEx\419\h264enc.dll
c:\windows\Downloaded Program Files\MyWebEx\419\mmssl32.dll
c:\windows\Downloaded Program Files\MyWebEx\419\msess.dll
c:\windows\Downloaded Program Files\MyWebEx\419\mticket.dll
c:\windows\Downloaded Program Files\MyWebEx\419\mutiltpd.dll
c:\windows\Downloaded Program Files\MyWebEx\419\mvc.dll
c:\windows\Downloaded Program Files\MyWebEx\419\mwm.ini
c:\windows\Downloaded Program Files\MyWebEx\419\mwmcliun.exe
c:\windows\Downloaded Program Files\MyWebEx\419\mwmproxy.dll
c:\windows\Downloaded Program Files\MyWebEx\419\mwmres.dll
c:\windows\Downloaded Program Files\MyWebEx\419\mwmupd.exe
c:\windows\Downloaded Program Files\MyWebEx\419\raurl.dll
c:\windows\Downloaded Program Files\MyWebEx\419\uilibres.dll
c:\windows\Downloaded Program Files\MyWebEx\419\wbxcrypt.dll
c:\windows\Downloaded Program Files\MyWebEx\419\webexmgr.dll
c:\windows\system32\bszip.dll
c:\windows\system32\Cache
c:\windows\system32\TDSSorvd.dat
c:\windows\wiaserviv.log
c:\windows\wiaservv.log
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys
((((((((((((((((((((((((( Files Created from 2008-12-14 to 2009-01-14 )))))))))))))))))))))))))))))))
.
2009-01-14 12:52 . 2009-01-14 12:52 <DIR> d-------- c:\program files\RealVNC
2009-01-14 10:11 . 2009-01-14 10:11 <DIR> d-------- c:\documents and settings\Steve\Application Data\Malwarebytes
2009-01-14 10:06 . 2009-01-14 10:11 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-14 10:06 . 2009-01-14 10:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-14 10:06 . 2009-01-04 18:39 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 10:06 . 2009-01-04 18:39 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-09 13:11 . 2009-01-09 13:11 <DIR> d-------- c:\program files\Trend Micro
2009-01-07 12:01 . 2008-07-07 08:42 4,891,472 --a------ C:\SpybotSD.exe
2009-01-07 09:09 . 2009-01-14 11:01 5,644 --a------ c:\windows\system32\PerfStringBackup.TMP
2009-01-07 09:05 . 2009-01-14 14:41 2,206 --a------ c:\windows\system32\wpa.dbl
2008-12-29 14:58 . 2008-12-29 14:58 <DIR> d-------- c:\windows\zfzu
2008-12-29 14:58 . 2009-01-05 13:51 <DIR> d-------- c:\program files\Common Files\zfzu
2008-12-21 22:59 . 2008-12-21 22:59 <DIR> d-------- c:\program files\Opera
2008-12-21 22:25 . 2008-12-22 10:38 <DIR> d--hs---- c:\windows\U3RldmU
2008-12-21 22:20 . 2008-12-30 09:25 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\SpeedRunner
2008-12-21 22:04 . 2008-12-30 09:24 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\GetModule
2008-12-21 21:55 . 2008-12-21 21:55 <DIR> d-------- c:\documents and settings\Steve\Application Data\MSNInstaller
2008-12-21 21:00 . 2008-12-21 21:00 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\SiteAdvisor
2008-12-21 21:00 . 2008-12-21 21:00 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\SiteAdvisor
2008-12-21 12:17 . 2008-12-30 11:41 12 --a------ c:\windows\system32\47101b27-.txtsteve
2008-12-21 12:05 . 2008-12-21 12:05 0 --a------ c:\windows\system32\8G6Bph7b.exeSteve.a_a
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-14 17:00 --------- d-----w c:\documents and settings\Steve\Application Data\SiteAdvisor
2009-01-10 14:51 --------- d-----w c:\program files\PLSQL Developer
2009-01-08 23:03 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-08 21:00 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-07 20:51 --------- d-----w c:\program files\TVT SMBus
2009-01-06 19:28 --------- d-----w c:\program files\Cavaj Java Decompiler
2009-01-05 15:32 --------- d-----w c:\documents and settings\Steve\Application Data\Juniper Networks
2008-12-22 03:58 --------- d-----w c:\program files\Sony
2008-12-22 03:57 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-12 15:03 --------- d-----w c:\documents and settings\LocalService\Application Data\SiteAdvisor
2008-12-11 10:57 333,952 ------w c:\windows\system32\drivers\srv.sys
2008-12-05 17:19 --------- d-----w c:\documents and settings\Steve\Application Data\Sony
2008-12-05 17:19 --------- d-----w c:\documents and settings\All Users\Application Data\Sony
2008-11-19 16:19 --------- d-----w c:\documents and settings\Steve\Application Data\webex
2008-11-14 20:38 --------- d-----w c:\documents and settings\All Users\Application Data\Juniper Networks
2007-05-07 04:12 47,360 -c--a-w c:\documents and settings\Steve\Application Data\pcouffin.sys
2007-05-02 00:54 87,608 -c--a-w c:\documents and settings\Steve\Application Data\ezpinst.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"PhotoShow Deluxe Media Manager"="c:\progra~1\Nero\data\Xtras\mssysmgr.exe" [2005-02-25 212992]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 517768]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2005-10-28 864256]
"TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-03-09 94208]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-13 143360]
"suScheduler"="c:\program files\ThinkVantage\SystemUpdate\UCLauncher.exe" [2005-08-01 40960]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-12-15 925696]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 159744]
"SiteAdvisor"="c:\program files\SiteAdvisor\6173\SiteAdv.exe" [2007-08-28 36640]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2005-12-07 151552]
"PDService.exe"="c:\program files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe" [2005-11-15 49152]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 153136]
"MVS Splash"="c:\program files\McAfee\Managed VirusScan\Agent\Splash.exe" [2008-01-22 468288]
"McAfee Managed Services Tray"="c:\program files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe" [2008-01-22 87360]
"LPManager"="c:\progra~1\THINKV~2\PrdCtr\LPMGR.exe" [2006-01-25 106496]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2005-11-17 237568]
"cssauth"="c:\program files\IBM ThinkVantage\Client Security Solution\cssauth.exe" [2005-12-21 1996336]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2004-11-11 864256]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-12-07 208896]
"AT&T Communication Manager"="c:\program files\AT&T\Communication Manager\ATTCM.exe" [2007-06-15 22528]
"AMSG"="c:\program files\ThinkVantage\AMSG\Amsg.exe" [2005-11-14 487424]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2006-04-17 98304]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2006-04-17 409600]
"TpShocks"="TpShocks.exe" [2005-11-07 c:\windows\system32\TpShocks.exe]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
desktop.inisteve [2004-08-09 84]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2006-04-17 14:01 32768 c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2005-12-08 15:59 39936 c:\windows\system32\psqlpwd.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 00:45 28672 c:\windows\system32\notifyf2.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-11-30 21:16 24576 c:\windows\system32\tphklock.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd csspwntfy
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
-----c--- 2005-09-15 14:57 512000 c:\program files\Synaptics\SynTP\SynTPEnh.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
-----c--- 2005-09-15 14:57 110592 c:\program files\Synaptics\SynTP\SynTPLpr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Window Washer]
--------- 2005-06-10 08:43 1095680 c:\program files\Webroot\Washer\wwDisp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TP4EX]
--a------ 2005-10-17 02:11 65536 c:\windows\system32\TP4EX.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"BOBJCS"=3 (0x3)
"BOBJCentralMS"=2 (0x2)
"LiveUpdate"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"BOBJWIRS"=2 (0x2)
"BOBJWebiServer"=2 (0x2)
"BOBJTomcat"=2 (0x2)
"BOBJOutputFileServer"=2 (0x2)
"BOBJJobServer_Report"=2 (0x2)
"BOBJJobServer_DesktopIntelligence"=2 (0x2)
"BOBJInputFileServer"=2 (0x2)
"BOBJEventServer"=2 (0x2)
"BOBJDestinationServer"=2 (0x2)
"BOBJDesktopIntelligenceReportServer"=2 (0x2)
"BOBJDesktopIntelligenceCacheServer"=2 (0x2)
"BOBJCrystalReportspageserver"=2 (0x2)
"BOBJCrystalReportsCacheServer"=2 (0x2)
"BOBJCrystalReportApplicationServer"=2 (0x2)
"bmwebcfg"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"AcPrfMgrSvc"=2 (0x2)
"cmdService"=2 (0x2)
"Bonjour Service"=2 (0x2)
"BOBJProgramServer"=2 (0x2)
"BOBJProcessServer"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\ThinkVantage\\SystemUpdate\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\Sony Ericsson\\Update Service\\ma3platform.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\myAgtSvc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Sony\\Media Manager for WALKMAN\\MediaManager.exe"=
R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [2006-05-08 85760]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2006-05-08 11520]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.sys [2006-05-08 6016]
R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [2006-05-08 4736]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [2006-05-08 4442]
R4 EngineServer;EngineServer;c:\program files\McAfee\Managed VirusScan\VScan\EngineServer.exe [2008-07-14 14144]
R4 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [2005-12-21 12544]
R4 myAgtSvc;McAfee Virus and Spyware Protection Service;c:\program files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe [2008-07-14 169280]
R4 PrivateDisk;PrivateDisk;c:\program files\IBM ThinkVantage\SafeGuard PrivateDisk\privatediskm.sys [2005-11-15 46142]
R4 smi2;smi2;c:\program files\SMI2\smi2.sys [2005-12-21 3968]
R4 smihlp;SMI helper driver;c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [2005-12-08 3328]
S3 avpnnic;AGN Virtual Network Adapter;c:\windows\system32\drivers\avpnnic.sys [2007-10-18 13952]
S3 SE31bus;Sony Ericsson Device 049 Driver driver (WDM);c:\windows\system32\drivers\SE31bus.sys [2007-07-24 61600]
S3 SE31mdfl;Sony Ericsson Device 049 USB WMC Modem Filter;c:\windows\system32\drivers\SE31mdfl.sys [2007-07-24 9360]
S3 SE31mdm;Sony Ericsson Device 049 USB WMC Modem Driver;c:\windows\system32\drivers\SE31mdm.sys [2007-07-24 97184]
S3 SE31mgmt;Sony Ericsson Device 049 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\SE31mgmt.sys [2007-07-24 88688]
S3 se31nd5;Sony Ericsson Device 049 USB Ethernet Emulation SEMC49 (NDIS);c:\windows\system32\drivers\se31nd5.sys [2007-07-24 18704]
S3 SE31obex;Sony Ericsson Device 049 USB WMC OBEX Interface;c:\windows\system32\drivers\SE31obex.sys [2007-07-24 86560]
S3 se31unic;Sony Ericsson Device 049 USB Ethernet Emulation SEMC49 (WDM);c:\windows\system32\drivers\se31unic.sys [2007-07-24 90800]
S3 SWNC8U12;Sierra Wireless MUX NDIS Driver (UMTS12);c:\windows\system32\drivers\swnc8u12.sys [2008-06-21 82432]
S3 swumx12;Sierra Wireless USB MUX Driver (UMTS12);c:\windows\system32\drivers\swumx12.sys [2008-06-21 66304]
S4 BOBJCentralMS;Central Management Server;c:\program files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\CMS.exe [2005-11-15 2613248]
S4 BOBJCrystalReportApplicationServer;Report Application Server;c:\program files\Business Objects\common\3.5\bin\crystalras.exe [2005-11-15 454656]
S4 BOBJCrystalReportsCacheServer;Crystal Reports Cache Server;c:\program files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\cacheserver.exe [2005-11-15 3207168]
S4 BOBJCrystalReportspageserver;Crystal Reports Page Server;c:\program files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\pageserver.exe [2005-11-15 3207168]
S4 BOBJCS;Connection Server;c:\program files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\ConnectionServer.exe [2005-11-15 1421312]
S4 BOBJDesktopIntelligenceCacheServer;Desktop Intelligence Cache Server;c:\program files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\fccache.exe [2005-11-15 5189632]
S4 BOBJDesktopIntelligenceReportServer;Desktop Intelligence Report Server;c:\program files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\fcproc.exe [2005-11-15 5189632]
S4 BOBJDestinationServer;Destination Job Server;c:\program files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\procdest.exe [2005-11-15 942080]
S4 BOBJEventServer;Event Server;c:\program files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\EventServer.exe [2005-11-15 888832]
S4 BOBJInputFileServer;Input File Repository Server;c:\program files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\inputfileserver.exe [2005-11-15 626688]
S4 BOBJJobServer_DesktopIntelligence;Desktop Intelligence Job Server;c:\program files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\JobServerFullClient.exe [2005-11-15 942080]
S4 BOBJJobServer_Report;Crystal Reports Job Server;c:\program files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\JobServer.exe [2005-11-15 942080]
S4 BOBJOutputFileServer;Output File Repository Server;c:\program files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\outputfileserver.exe [2005-11-15 626688]
S4 BOBJProcessServer;List of Values Job Server;c:\program files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\procLov.exe [2005-11-15 942080]
S4 BOBJProgramServer;Program Job Server;c:\program files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\ProgramServer.exe [2005-11-15 942080]
S4 BOBJTomcat;Apache Tomcat 5.0.27;c:\program files\Business Objects\Tomcat\bin\tomcat5.exe [2004-06-17 94208]
S4 BOBJWebiServer;Web Intelligence Job Server;c:\program files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\procWebi.exe [2005-11-15 942080]
S4 BOBJWIRS;Web Intelligence Report Server;c:\program files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\WIReportServer.exe [2005-11-15 974848]
.
Contents of the 'Scheduled Tasks' folder
2009-01-14 c:\windows\Tasks\arintpiz.job
- c:\windows\system32\rundll32.exe [2008-04-13 18:12]
2008-12-21 c:\windows\Tasks\At1.job
- c:\windows\system32\8G6Bph7b.exe []
2009-01-10 c:\windows\Tasks\At10.job
- c:\windows\system32\8G6Bph7b.exe []
2009-01-14 c:\windows\Tasks\At11.job
- c:\windows\system32\8G6Bph7b.exe []
2009-01-14 c:\windows\Tasks\At12.job
- c:\windows\system32\8G6Bph7b.exe []
2009-01-13 c:\windows\Tasks\At13.job
- c:\windows\system32\8G6Bph7b.exe []
2009-01-14 c:\windows\Tasks\At14.job
- c:\windows\system32\8G6Bph7b.exe []
2009-01-14 c:\windows\Tasks\At15.job
- c:\windows\system32\8G6Bph7b.exe []
2009-01-13 c:\windows\Tasks\At16.job
- c:\windows\system32\8G6Bph7b.exe []
2009-01-13 c:\windows\Tasks\At17.job
- c:\windows\system32\8G6Bph7b.exe []
2009-01-13 c:\windows\Tasks\At18.job
- c:\windows\system32\8G6Bph7b.exe []
2009-01-11 c:\windows\Tasks\At19.job
- c:\windows\system32\8G6Bph7b.exe []
2008-12-21 c:\windows\Tasks\At2.job
- c:\windows\system32\8G6Bph7b.exe []
2009-01-11 c:\windows\Tasks\At20.job
- c:\windows\system32\8G6Bph7b.exe []
2009-01-11 c:\windows\Tasks\At21.job
- c:\windows\system32\8G6Bph7b.exe []
2009-01-11 c:\windows\Tasks\At22.job
- c:\windows\system32\8G6Bph7b.exe []
2008-12-21 c:\windows\Tasks\At23.job
- c:\windows\system32\8G6Bph7b.exe []
2008-12-22 c:\windows\Tasks\At24.job
- c:\windows\system32\8G6Bph7b.exe []
2008-12-21 c:\windows\Tasks\At3.job
- c:\windows\system32\8G6Bph7b.exe []
2008-12-21 c:\windows\Tasks\At4.job
- c:\windows\system32\8G6Bph7b.exe []
2008-12-21 c:\windows\Tasks\At5.job
- c:\windows\system32\8G6Bph7b.exe []
2008-12-21 c:\windows\Tasks\At6.job
- c:\windows\system32\8G6Bph7b.exe []
2008-12-21 c:\windows\Tasks\At7.job
- c:\windows\system32\8G6Bph7b.exe []
2008-12-21 c:\windows\Tasks\At8.job
- c:\windows\system32\8G6Bph7b.exe []
2008-12-21 c:\windows\Tasks\At9.job
- c:\windows\system32\8G6Bph7b.exe []
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-PRISMSVR.EXE - c:\windows\system32\PRISMSVR.EXE
HKLM-Run-NAV CfgWiz - c:\program files\Norton AntiVirus\CfgWiz.exe
HKLM-Run-Mediafour XPlay Tray Notification Icon - c:\program files\Mediafour\XPlay\XPTRYICN.EXE
HKLM-Run-Mediafour Mac Volume Notifications - c:\program files\Common Files\Mediafour\MACVNTFY.EXE
HKLM-Run-MDDiskProtect.exe - c:\program files\Mediafour\MacDrive\MDDiskProtect.exe
HKLM-Run-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
Notify-NavLogon - (no file)
MSConfigStartUp-GetPack22 - c:\program files\GetPack\GetPack22.exe
MSConfigStartUp-ISUSPM Startup - c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
MSConfigStartUp-zfzu - c:\progra~1\COMMON~1\zfzu\zfzum.exe
.
------- Supplementary Scan -------
.
uStart Page = https://owa.mse9.exchange.ms/exchweb/bin/auth/owalogon.asp?url=https://owa.mse9.exchange.ms/exchange&reason=0
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: bmnet.dll
Trusted Zone: *.turbotax.com
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-14 14:43:33
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1172)
c:\windows\system32\vrlogon.dll
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\windows\system32\biologon.dll
c:\program files\ThinkVantage Fingerprint Software\homepass.dll
c:\program files\ThinkVantage Fingerprint Software\bio.dll
c:\program files\ThinkVantage Fingerprint Software\crypto.dll
c:\program files\ThinkVantage Fingerprint Software\remote.dll
c:\windows\system32\tphklock.dll
- - - - - - - > 'lsass.exe'(1228)
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\IBM ThinkVantage\Client Security Solution\csspwntfy.dll
c:\program files\IBM ThinkVantage\Client Security Solution\ibmtsp.dll
c:\program files\IBM ThinkVantage\Client Security Solution\tcsrpc.dll
c:\program files\IBM ThinkVantage\Client Security Solution\cssuserdatadispatcher.dll
c:\windows\system32\bmnet.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\SiteAdvisor\6173\SAService.exe
c:\windows\system32\TPHDEXLG.exe
c:\windows\system32\TpKmpSvc.exe
c:\program files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
c:\program files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
c:\program files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
c:\program files\ThinkVantage\SystemUpdate\UCLauncherService.exe
c:\windows\system32\wwSecure.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\IBM ThinkVantage\Common\Logger\logmon.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\windows\system32\wscntfy.exe
c:\program files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
c:\program files\McAfee\Managed VirusScan\Agent\myAgtTry.exe
c:\program files\Common Files\Teleca Shared\CapabilityManager.exe
c:\program files\Common Files\Teleca Shared\Generic.exe
c:\program files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
.
**************************************************************************
.
Completion time: 2009-01-14 14:48:56 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-14 20:48:53
Pre-Run: 22,197,514,240 bytes free
Post-Run: 22,051,729,408 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:12:35 PM, on 1/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SiteAdvisor\6173\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
C:\WINDOWS\system32\wwSecure.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\IBM ThinkVantage\Common\Logger\logmon.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\SiteAdvisor\6173\SiteAdv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtTry.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://owa.mse9.exchange.ms/exchweb/bin/auth/owalogon.asp?url=https://owa.mse9.exchange.ms/exchange&reason=0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6173\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6173\SiteAdv.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [suScheduler] C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe /SCHEDULER
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6173\SiteAdv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [PDService.exe] "C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [MVS Splash] "C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe"
O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Program Files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe"
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [ISUSScheduler] "c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [AT&T Communication Manager] "C:\Program Files\AT&T\Communication Manager\ATTCM.exe" -a
O4 - HKLM\..\Run: [AMSG] C:\Program Files\ThinkVantage\AMSG\Amsg.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - Global Startup: desktop.inisteve
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://jcgfiles/ConnectComputer/nshelp.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://expresspay.webex.com/client/T25L/training/ieatgpc.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupControlXP Class) - https://sremote1.duffandphelps.com/dana-cached/setup/JuniperSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = june.local
O17 - HKLM\Software\..\Telephony: DomainName = june.local
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = JCG.local
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: EngineServer - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: McShield - McAfee, Inc. - C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
O23 - Service: McAfee Virus and Spyware Protection Service (myAgtSvc) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6173\SAService.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
O23 - Service: TVT Backup Service - Unknown owner - C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Unknown owner - C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe
--
End of file - 12664 bytes
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
404 --- E O F --- 2008-12-21 17:51:15
HIJACK THIS log file --
srogers8989
2009-01-14, 22:17
Not sure the Hijack This log made it in the last post --
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:12:35 PM, on 1/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SiteAdvisor\6173\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
C:\WINDOWS\system32\wwSecure.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\IBM ThinkVantage\Common\Logger\logmon.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\SiteAdvisor\6173\SiteAdv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtTry.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://owa.mse9.exchange.ms/exchweb/bin/auth/owalogon.asp?url=https://owa.mse9.exchange.ms/exchange&reason=0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6173\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6173\SiteAdv.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [suScheduler] C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe /SCHEDULER
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6173\SiteAdv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [PDService.exe] "C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [MVS Splash] "C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe"
O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Program Files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe"
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [ISUSScheduler] "c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [AT&T Communication Manager] "C:\Program Files\AT&T\Communication Manager\ATTCM.exe" -a
O4 - HKLM\..\Run: [AMSG] C:\Program Files\ThinkVantage\AMSG\Amsg.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - Global Startup: desktop.inisteve
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://jcgfiles/ConnectComputer/nshelp.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://expresspay.webex.com/client/T25L/training/ieatgpc.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupControlXP Class) - https://sremote1.duffandphelps.com/dana-cached/setup/JuniperSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = june.local
O17 - HKLM\Software\..\Telephony: DomainName = june.local
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = JCG.local
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: EngineServer - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: McShield - McAfee, Inc. - C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
O23 - Service: McAfee Virus and Spyware Protection Service (myAgtSvc) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6173\SAService.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
O23 - Service: TVT Backup Service - Unknown owner - C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Unknown owner - C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe
--
End of file - 12664 bytes
Looking better :bigthumb:
Open Notepad Go to Start> All Programs> Assessories> Notepad ( this will only work with Notepad )and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above File::
File::
c:\windows\system32\8G6Bph7b.exe
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
Save this as CFScript to your desktop.
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://i24.photobucket.com/albums/c30/ken545/CFScriptB-4.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
srogers8989
2009-01-16, 18:56
Any ideas on the combination of antivirus I should run?
Thanks so much for your help.
Here are the log files.
ComboFix 09-01-15.01 - srogers 2009-01-16 11:34:28.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2514 [GMT -6:00]
Running from: c:\documents and settings\Steve\My Documents\Desktop\Unused Desktop Shortcuts\ComboFix.exe
Command switches used :: c:\documents and settings\Steve\My Documents\Desktop\cfscript.txt
AV: Total Protection Service *On-access scanning disabled* (Updated)
* Created a new restore point
FILE ::
c:\windows\system32\8G6Bph7b.exe
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
.
((((((((((((((((((((((((( Files Created from 2008-12-16 to 2009-01-16 )))))))))))))))))))))))))))))))
.
2009-01-14 12:52 . 2009-01-14 12:52 <DIR> d-------- c:\program files\RealVNC
2009-01-14 10:11 . 2009-01-14 10:11 <DIR> d-------- c:\documents and settings\Steve\Application Data\Malwarebytes
2009-01-14 10:06 . 2009-01-14 10:11 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-14 10:06 . 2009-01-14 10:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-14 10:06 . 2009-01-04 18:39 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 10:06 . 2009-01-04 18:39 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-09 13:11 . 2009-01-09 13:11 <DIR> d-------- c:\program files\Trend Micro
2009-01-07 12:01 . 2008-07-07 08:42 4,891,472 --a------ C:\SpybotSD.exe
2009-01-07 09:09 . 2009-01-16 11:03 5,644 --a------ c:\windows\system32\PerfStringBackup.TMP
2009-01-07 09:05 . 2009-01-16 11:43 2,206 --a------ c:\windows\system32\wpa.dbl
2008-12-29 14:58 . 2008-12-29 14:58 <DIR> d-------- c:\windows\zfzu
2008-12-29 14:58 . 2009-01-05 13:51 <DIR> d-------- c:\program files\Common Files\zfzu
2008-12-21 22:59 . 2008-12-21 22:59 <DIR> d-------- c:\program files\Opera
2008-12-21 22:25 . 2008-12-22 10:38 <DIR> d--hs---- c:\windows\U3RldmU
2008-12-21 22:20 . 2008-12-30 09:25 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\SpeedRunner
2008-12-21 22:04 . 2008-12-30 09:24 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\GetModule
2008-12-21 21:55 . 2008-12-21 21:55 <DIR> d-------- c:\documents and settings\Steve\Application Data\MSNInstaller
2008-12-21 21:00 . 2008-12-21 21:00 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\SiteAdvisor
2008-12-21 21:00 . 2008-12-21 21:00 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\SiteAdvisor
2008-12-21 12:17 . 2008-12-30 11:41 12 --a------ c:\windows\system32\47101b27-.txtsteve
2008-12-21 12:05 . 2008-12-21 12:05 0 --a------ c:\windows\system32\8G6Bph7b.exeSteve.a_a
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-14 17:00 --------- d-----w c:\documents and settings\Steve\Application Data\SiteAdvisor
2009-01-10 14:51 --------- d-----w c:\program files\PLSQL Developer
2009-01-08 23:03 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-08 21:00 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-07 20:51 --------- d-----w c:\program files\TVT SMBus
2009-01-06 19:28 --------- d-----w c:\program files\Cavaj Java Decompiler
2009-01-05 15:32 --------- d-----w c:\documents and settings\Steve\Application Data\Juniper Networks
2008-12-22 03:58 --------- d-----w c:\program files\Sony
2008-12-22 03:57 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-12 15:03 --------- d-----w c:\documents and settings\LocalService\Application Data\SiteAdvisor
2008-12-11 10:57 333,952 ------w c:\windows\system32\drivers\srv.sys
2008-12-05 17:19 --------- d-----w c:\documents and settings\Steve\Application Data\Sony
2008-12-05 17:19 --------- d-----w c:\documents and settings\All Users\Application Data\Sony
2008-11-19 16:19 --------- d-----w c:\documents and settings\Steve\Application Data\webex
2007-05-07 04:12 47,360 -c--a-w c:\documents and settings\Steve\Application Data\pcouffin.sys
2007-05-02 00:54 87,608 -c--a-w c:\documents and settings\Steve\Application Data\ezpinst.exe
.
((((((((((((((((((((((((((((( snapshot@2009-01-14_14.47.44.78 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-01-14 20:40:39 220,324 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2009-01-16 17:45:04 220,328 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"PhotoShow Deluxe Media Manager"="c:\progra~1\Nero\data\Xtras\mssysmgr.exe" [2005-02-25 212992]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 517768]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2005-10-28 864256]
"TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-03-09 94208]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-13 143360]
"suScheduler"="c:\program files\ThinkVantage\SystemUpdate\UCLauncher.exe" [2005-08-01 40960]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-12-15 925696]
"SiteAdvisor"="c:\program files\SiteAdvisor\6173\SiteAdv.exe" [2007-08-28 36640]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2005-12-07 151552]
"PDService.exe"="c:\program files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe" [2005-11-15 49152]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 153136]
"MVS Splash"="c:\program files\McAfee\Managed VirusScan\Agent\Splash.exe" [2008-01-22 468288]
"McAfee Managed Services Tray"="c:\program files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe" [2008-01-22 87360]
"LPManager"="c:\progra~1\THINKV~2\PrdCtr\LPMGR.exe" [2006-01-25 106496]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2005-11-17 237568]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2004-11-11 864256]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-12-07 208896]
"AT&T Communication Manager"="c:\program files\AT&T\Communication Manager\ATTCM.exe" [2007-06-15 22528]
"AMSG"="c:\program files\ThinkVantage\AMSG\Amsg.exe" [2005-11-14 487424]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2006-04-17 98304]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2006-04-17 409600]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2008-04-13 169984]
"TpShocks"="TpShocks.exe" [2005-11-07 c:\windows\system32\TpShocks.exe]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
desktop.inisteve [2004-08-09 84]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2006-04-17 14:01 32768 c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2005-12-08 15:59 39936 c:\windows\system32\psqlpwd.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 00:45 28672 c:\windows\system32\notifyf2.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-11-30 21:16 24576 c:\windows\system32\tphklock.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd csspwntfy
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cssauth]
-----c--- 2005-12-21 19:08 1996336 c:\program files\IBM ThinkVantage\Client Security Solution\cssauth.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 09:50 413696 c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra--c--- 2005-10-26 15:17 159744 c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
-----c--- 2005-09-15 14:57 512000 c:\program files\Synaptics\SynTP\SynTPEnh.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
-----c--- 2005-09-15 14:57 110592 c:\program files\Synaptics\SynTP\SynTPLpr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Window Washer]
--------- 2005-06-10 08:43 1095680 c:\program files\Webroot\Washer\wwDisp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TP4EX]
--a------ 2005-10-17 02:11 65536 c:\windows\system32\TP4EX.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"BOBJCS"=3 (0x3)
"BOBJCentralMS"=2 (0x2)
"LiveUpdate"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"BOBJWIRS"=2 (0x2)
"BOBJWebiServer"=2 (0x2)
"BOBJTomcat"=2 (0x2)
"BOBJOutputFileServer"=2 (0x2)
"BOBJJobServer_Report"=2 (0x2)
"BOBJJobServer_DesktopIntelligence"=2 (0x2)
"BOBJInputFileServer"=2 (0x2)
"BOBJEventServer"=2 (0x2)
"BOBJDestinationServer"=2 (0x2)
"BOBJDesktopIntelligenceReportServer"=2 (0x2)
"BOBJDesktopIntelligenceCacheServer"=2 (0x2)
"BOBJCrystalReportspageserver"=2 (0x2)
"BOBJCrystalReportsCacheServer"=2 (0x2)
"BOBJCrystalReportApplicationServer"=2 (0x2)
"bmwebcfg"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"AcPrfMgrSvc"=2 (0x2)
"cmdService"=2 (0x2)
"Bonjour Service"=2 (0x2)
"BOBJProgramServer"=2 (0x2)
"BOBJProcessServer"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\ThinkVantage\\SystemUpdate\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\Sony Ericsson\\Update Service\\ma3platform.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\myAgtSvc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Sony\\Media Manager for WALKMAN\\MediaManager.exe"=
R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [2006-05-08 85760]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2006-05-08 11520]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.sys [2006-05-08 6016]
R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [2006-05-08 4736]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [2006-05-08 4442]
R4 EngineServer;EngineServer;c:\program files\McAfee\Managed VirusScan\VScan\EngineServer.exe [2008-07-14 14144]
R4 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [2005-12-21 12544]
R4 myAgtSvc;McAfee Virus and Spyware Protection Service;c:\program files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe [2008-07-14 169280]
R4 PrivateDisk;PrivateDisk;c:\program files\IBM ThinkVantage\SafeGuard PrivateDisk\privatediskm.sys [2005-11-15 46142]
R4 smi2;smi2;c:\program files\SMI2\smi2.sys [2005-12-21 3968]
R4 smihlp;SMI helper driver;c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [2005-12-08 3328]
S3 avpnnic;AGN Virtual Network Adapter;c:\windows\system32\drivers\avpnnic.sys [2007-10-18 13952]
S3 SE31bus;Sony Ericsson Device 049 Driver driver (WDM);c:\windows\system32\drivers\SE31bus.sys [2007-07-24 61600]
S3 SE31mdfl;Sony Ericsson Device 049 USB WMC Modem Filter;c:\windows\system32\drivers\SE31mdfl.sys [2007-07-24 9360]
S3 SE31mdm;Sony Ericsson Device 049 USB WMC Modem Driver;c:\windows\system32\drivers\SE31mdm.sys [2007-07-24 97184]
S3 SE31mgmt;Sony Ericsson Device 049 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\SE31mgmt.sys [2007-07-24 88688]
S3 se31nd5;Sony Ericsson Device 049 USB Ethernet Emulation SEMC49 (NDIS);c:\windows\system32\drivers\se31nd5.sys [2007-07-24 18704]
S3 SE31obex;Sony Ericsson Device 049 USB WMC OBEX Interface;c:\windows\system32\drivers\SE31obex.sys [2007-07-24 86560]
S3 se31unic;Sony Ericsson Device 049 USB Ethernet Emulation SEMC49 (WDM);c:\windows\system32\drivers\se31unic.sys [2007-07-24 90800]
S3 SWNC8U12;Sierra Wireless MUX NDIS Driver (UMTS12);c:\windows\system32\drivers\swnc8u12.sys [2008-06-21 82432]
S3 swumx12;Sierra Wireless USB MUX Driver (UMTS12);c:\windows\system32\drivers\swumx12.sys [2008-06-21 66304]
S4 BOBJCentralMS;Central Management Server;c:\program files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\CMS.exe [2005-11-15 2613248]
S4 BOBJCrystalReportApplicationServer;Report Application Server;c:\program files\Business Objects\common\3.5\bin\crystalras.exe [2005-11-15 454656]
S4 BOBJCrystalReportsCacheServer;Crystal Reports Cache Server;c:\program files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\cacheserver.exe [2005-11-15 3207168]
S4 BOBJCrystalReportspageserver;Crystal Reports Page Server;c:\program files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\pageserver.exe [2005-11-15 3207168]
S4 BOBJCS;Connection Server;c:\program files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\ConnectionServer.exe [2005-11-15 1421312]
S4 BOBJDesktopIntelligenceCacheServer;Desktop Intelligence Cache Server;c:\program files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\fccache.exe [2005-11-15 5189632]
S4 BOBJDesktopIntelligenceReportServer;Desktop Intelligence Report Server;c:\program files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\fcproc.exe [2005-11-15 5189632]
S4 BOBJDestinationServer;Destination Job Server;c:\program files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\procdest.exe [2005-11-15 942080]
S4 BOBJEventServer;Event Server;c:\program files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\EventServer.exe [2005-11-15 888832]
S4 BOBJInputFileServer;Input File Repository Server;c:\program files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\inputfileserver.exe [2005-11-15 626688]
S4 BOBJJobServer_DesktopIntelligence;Desktop Intelligence Job Server;c:\program files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\JobServerFullClient.exe [2005-11-15 942080]
S4 BOBJJobServer_Report;Crystal Reports Job Server;c:\program files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\JobServer.exe [2005-11-15 942080]
S4 BOBJOutputFileServer;Output File Repository Server;c:\program files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\outputfileserver.exe [2005-11-15 626688]
S4 BOBJProcessServer;List of Values Job Server;c:\program files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\procLov.exe [2005-11-15 942080]
S4 BOBJProgramServer;Program Job Server;c:\program files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\ProgramServer.exe [2005-11-15 942080]
S4 BOBJTomcat;Apache Tomcat 5.0.27;c:\program files\Business Objects\Tomcat\bin\tomcat5.exe [2004-06-17 94208]
S4 BOBJWebiServer;Web Intelligence Job Server;c:\program files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\procWebi.exe [2005-11-15 942080]
S4 BOBJWIRS;Web Intelligence Report Server;c:\program files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\WIReportServer.exe [2005-11-15 974848]
.
Contents of the 'Scheduled Tasks' folder
2009-01-16 c:\windows\Tasks\arintpiz.job
- c:\windows\system32\rundll32.exe [2008-04-13 18:12]
.
.
------- Supplementary Scan -------
.
uStart Page = https://owa.mse9.exchange.ms/exchweb/bin/auth/owalogon.asp?url=https://owa.mse9.exchange.ms/exchange&reason=0
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: bmnet.dll
Trusted Zone: *.turbotax.com
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-16 11:45:02
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
c:\windows\explorer.exe [3412] 0x8A905B50
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1196)
c:\windows\system32\vrlogon.dll
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\windows\system32\biologon.dll
c:\program files\ThinkVantage Fingerprint Software\homepass.dll
c:\program files\ThinkVantage Fingerprint Software\bio.dll
c:\program files\ThinkVantage Fingerprint Software\remote.dll
c:\program files\ThinkVantage Fingerprint Software\crypto.dll
c:\windows\system32\tphklock.dll
- - - - - - - > 'lsass.exe'(1252)
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\IBM ThinkVantage\Client Security Solution\csspwntfy.dll
c:\program files\IBM ThinkVantage\Client Security Solution\ibmtsp.dll
c:\program files\IBM ThinkVantage\Client Security Solution\tcsrpc.dll
c:\program files\IBM ThinkVantage\Client Security Solution\cssuserdatadispatcher.dll
c:\windows\system32\bmnet.dll
c:\program files\Bonjour\mdnsNSP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\SiteAdvisor\6173\SAService.exe
c:\windows\system32\TPHDEXLG.exe
c:\windows\system32\TpKmpSvc.exe
c:\program files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
c:\program files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
c:\program files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
c:\program files\ThinkVantage\SystemUpdate\UCLauncherService.exe
c:\windows\system32\wwSecure.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\IBM ThinkVantage\Common\Logger\logmon.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\windows\system32\wscntfy.exe
c:\program files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
c:\program files\McAfee\Managed VirusScan\Agent\myAgtTry.exe
.
**************************************************************************
.
Completion time: 2009-01-16 11:50:31 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-16 17:50:28
ComboFix2.txt 2009-01-14 20:48:57
Pre-Run: 23,151,837,184 bytes free
Post-Run: 23,144,480,768 bytes free
353 --- E O F --- 2008-12-21 17:51:15
Hijack This --
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:51:43 AM, on 1/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SiteAdvisor\6173\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
C:\WINDOWS\system32\wwSecure.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\IBM ThinkVantage\Common\Logger\logmon.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\SiteAdvisor\6173\SiteAdv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtTry.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ThinkVantage\AMSG\Amsg.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://owa.mse9.exchange.ms/exchweb/bin/auth/owalogon.asp?url=https://owa.mse9.exchange.ms/exchange&reason=0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6173\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6173\SiteAdv.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [suScheduler] C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe /SCHEDULER
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6173\SiteAdv.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [PDService.exe] "C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [MVS Splash] "C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe"
O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Program Files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe"
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [ISUSScheduler] "c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [AT&T Communication Manager] "C:\Program Files\AT&T\Communication Manager\ATTCM.exe" -a
O4 - HKLM\..\Run: [AMSG] C:\Program Files\ThinkVantage\AMSG\Amsg.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - Global Startup: desktop.inisteve
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://jcgfiles/ConnectComputer/nshelp.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://expresspay.webex.com/client/T25L/training/ieatgpc.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupControlXP Class) - https://sremote1.duffandphelps.com/dana-cached/setup/JuniperSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = june.local
O17 - HKLM\Software\..\Telephony: DomainName = june.local
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = JCG.local
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: EngineServer - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: McShield - McAfee, Inc. - C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
O23 - Service: McAfee Virus and Spyware Protection Service (myAgtSvc) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6173\SAService.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
O23 - Service: TVT Backup Service - Unknown owner - C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Unknown owner - C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe
--
End of file - 12167 bytes
Hi,
You have Mcafee installed and you should only have one AV, more will eat up system resources and slow down your system, more than one is overkill and not needed. When we're done I will link you to some free Anti Spyware programs to install to help keep you more secure.
My bad but I missed these two.
Open Notepad Go to Start> All Programs> Assessories> Notepad ( this will only work with Notepad )and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above Folder::
Folder::
c:\windows\system32\config\systemprofile\Application Data\SpeedRunner
c:\windows\system32\config\systemprofile\Application Data\GetModule
Save this as CFScript to your desktop.
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://i24.photobucket.com/albums/c30/ken545/CFScriptB-4.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
srogers8989
2009-01-19, 22:32
I copied and ran the latest script. I have been working on making a full os/data type backup using the installed Lenovo application. Any ideas you have for what I should do in the future to prevent/recover would be welcome.
Thanks again for your help.
ComboFix 09-01-15.01 - srogers 2009-01-19 15:07:29.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2522 [GMT -6:00]
Running from: c:\documents and settings\Steve\My Documents\Desktop\Unused Desktop Shortcuts\ComboFix.exe
Command switches used :: c:\documents and settings\Steve\My Documents\Desktop\CFScript.txt
AV: Total Protection Service *On-access scanning disabled* (Updated)
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\config\systemprofile\Application Data\GetModule
c:\windows\system32\config\systemprofile\Application Data\GetModule\dicik.gzsteve
c:\windows\system32\config\systemprofile\Application Data\GetModule\kwdik.gzsteve
c:\windows\system32\config\systemprofile\Application Data\GetModule\ofadik.gzsteve
c:\windows\system32\config\systemprofile\Application Data\SpeedRunner
c:\windows\system32\config\systemprofile\Application Data\SpeedRunner\config.cfgsteve
.
((((((((((((((((((((((((( Files Created from 2008-12-19 to 2009-01-19 )))))))))))))))))))))))))))))))
.
2009-01-19 14:12 . 2009-01-19 14:55 <DIR> d-------- c:\windows\system32\NtmsData
2009-01-17 10:56 . 2009-01-17 10:56 <DIR> d-------- c:\program files\Common Files\Lenovo
2009-01-17 10:55 . 2007-02-18 23:56 21,376 --------- c:\windows\system32\drivers\psadd.sys
2009-01-17 09:53 . 2009-01-17 09:53 <DIR> d-------- c:\windows\system32\(null)
2009-01-14 12:52 . 2009-01-14 12:52 <DIR> d-------- c:\program files\RealVNC
2009-01-14 10:11 . 2009-01-14 10:11 <DIR> d-------- c:\documents and settings\Steve\Application Data\Malwarebytes
2009-01-14 10:06 . 2009-01-14 10:11 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-14 10:06 . 2009-01-14 10:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-14 10:06 . 2009-01-04 18:39 38,496 --------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 10:06 . 2009-01-04 18:39 15,504 --------- c:\windows\system32\drivers\mbam.sys
2009-01-09 13:11 . 2009-01-09 13:11 <DIR> d-------- c:\program files\Trend Micro
2009-01-07 09:09 . 2009-01-19 15:19 5,644 --a------ c:\windows\system32\PerfStringBackup.TMP
2009-01-07 09:05 . 2009-01-19 15:18 2,206 --a------ c:\windows\system32\wpa.dbl
2008-12-29 14:58 . 2008-12-29 14:58 <DIR> d-------- c:\windows\zfzu
2008-12-29 14:58 . 2009-01-05 13:51 <DIR> d-------- c:\program files\Common Files\zfzu
2008-12-21 22:59 . 2008-12-21 22:59 <DIR> d-------- c:\program files\Opera
2008-12-21 22:25 . 2008-12-22 10:38 <DIR> d--hs---- c:\windows\U3RldmU
2008-12-21 21:55 . 2008-12-21 21:55 <DIR> d-------- c:\documents and settings\Steve\Application Data\MSNInstaller
2008-12-21 21:00 . 2008-12-21 21:00 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\SiteAdvisor
2008-12-21 21:00 . 2008-12-21 21:00 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\SiteAdvisor
2008-12-21 12:17 . 2008-12-30 11:41 12 --------- c:\windows\system32\47101b27-.txtsteve
2008-12-21 12:05 . 2008-12-21 12:05 0 --------- c:\windows\system32\8G6Bph7b.exeSteve.a_a
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-17 16:56 --------- d-----w c:\program files\Lenovo
2009-01-14 17:00 --------- d-----w c:\documents and settings\Steve\Application Data\SiteAdvisor
2009-01-10 14:51 --------- d-----w c:\program files\PLSQL Developer
2009-01-08 23:03 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-08 21:00 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-07 20:51 --------- d-----w c:\program files\TVT SMBus
2009-01-06 19:28 --------- d-----w c:\program files\Cavaj Java Decompiler
2009-01-05 15:32 --------- d-----w c:\documents and settings\Steve\Application Data\Juniper Networks
2008-12-22 03:58 --------- d-----w c:\program files\Sony
2008-12-22 03:57 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-12 15:03 --------- d-----w c:\documents and settings\LocalService\Application Data\SiteAdvisor
2008-12-11 10:57 333,952 ------w c:\windows\system32\drivers\srv.sys
2008-12-05 17:19 --------- d-----w c:\documents and settings\Steve\Application Data\Sony
2008-12-05 17:19 --------- d-----w c:\documents and settings\All Users\Application Data\Sony
2008-11-19 16:19 --------- d-----w c:\documents and settings\Steve\Application Data\webex
2007-05-07 04:12 47,360 -c----w c:\documents and settings\Steve\Application Data\pcouffin.sys
2007-05-02 00:54 87,608 -c----w c:\documents and settings\Steve\Application Data\ezpinst.exe
2008-10-17 04:17 32,768 -csh--w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008101620081017\index.dat
.
((((((((((((((((((((((((((((( snapshot@2009-01-14_14.47.44.78 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-17 16:56:19 53,248 ------r c:\windows\Installer\{8675339C-128C-44DD-83BF-0A5D6ABD8297}\ARPPRODUCTICON.exe
+ 2009-01-17 15:53:01 49,152 ------r c:\windows\Installer\{8675339C-128C-44DD-83BF-0A5D6ABD8297}\LenovoSystemUpdateSh_8675339C128C44DD83BF0A5D6ABD8297.exe
+ 2009-01-17 16:56:19 53,248 ------r c:\windows\Installer\{8675339C-128C-44DD-83BF-0A5D6ABD8297}\tvsu.exe2_8675339C128C44DD83BF0A5D6ABD8297.exe
+ 2009-01-17 16:56:19 49,152 ------r c:\windows\Installer\{8675339C-128C-44DD-83BF-0A5D6ABD8297}\tvsu.exe3_8675339C128C44DD83BF0A5D6ABD8297.exe
+ 2008-04-14 00:11:48 24,064 ------w c:\windows\system32\dllcache\agentanm.dll
+ 2008-04-14 00:11:48 214,016 ------w c:\windows\system32\dllcache\agentctl.dll
+ 2008-04-14 00:11:48 57,344 ------w c:\windows\system32\dllcache\agentdpv.dll
+ 2008-04-14 00:11:48 49,152 ------w c:\windows\system32\dllcache\agentmpx.dll
+ 2008-04-14 00:11:48 44,032 ------w c:\windows\system32\dllcache\agentsr.dll
+ 2008-04-14 00:12:12 256,512 ------w c:\windows\system32\dllcache\agentsvr.exe
+ 2007-04-02 18:25:59 19,456 ------w c:\windows\system32\dllcache\agt0405.dll
+ 2007-04-02 18:25:59 19,456 ------w c:\windows\system32\dllcache\agt0406.dll
+ 2007-04-02 18:26:00 21,504 ------w c:\windows\system32\dllcache\agt0407.dll
+ 2007-04-02 18:26:00 22,016 ------w c:\windows\system32\dllcache\agt0408.dll
+ 2008-04-13 17:32:28 19,968 ------w c:\windows\system32\dllcache\agt0409.dll
+ 2007-04-02 18:26:00 19,456 ------w c:\windows\system32\dllcache\agt040b.dll
+ 2007-04-02 18:26:00 21,504 ------w c:\windows\system32\dllcache\agt040c.dll
+ 2007-04-02 18:26:00 19,968 ------w c:\windows\system32\dllcache\agt040e.dll
+ 2007-04-02 18:26:00 20,992 ------w c:\windows\system32\dllcache\agt0410.dll
+ 2007-04-02 18:26:01 20,992 ------w c:\windows\system32\dllcache\agt0413.dll
+ 2007-04-02 18:26:01 19,456 ------w c:\windows\system32\dllcache\agt0414.dll
+ 2007-04-02 18:26:01 19,456 ------w c:\windows\system32\dllcache\agt0415.dll
+ 2007-04-02 18:26:01 20,480 ------w c:\windows\system32\dllcache\agt0416.dll
+ 2007-04-02 18:26:01 19,456 ------w c:\windows\system32\dllcache\agt0419.dll
+ 2007-04-02 18:26:01 19,456 ------w c:\windows\system32\dllcache\agt041d.dll
+ 2007-04-02 18:26:01 19,456 ------w c:\windows\system32\dllcache\agt041f.dll
+ 2007-04-02 18:26:02 20,992 ------w c:\windows\system32\dllcache\agt0816.dll
+ 2007-04-02 18:26:02 20,480 ------w c:\windows\system32\dllcache\agt0c0a.dll
+ 2008-04-14 00:11:49 24,064 ------w c:\windows\system32\dllcache\agtintl.dll
+ 2008-04-14 00:11:49 108,544 ------w c:\windows\system32\dllcache\appconf.dll
+ 2008-04-13 16:44:16 17,920 ------w c:\windows\system32\dllcache\cobramsg.dll
+ 2008-04-14 00:12:16 42,496 ------w c:\windows\system32\dllcache\davcdata.exe
+ 2008-04-14 00:11:54 133,120 ------w c:\windows\system32\dllcache\guitrn.dll
+ 2008-04-14 00:11:54 115,200 ------w c:\windows\system32\dllcache\guitrna.dll
+ 2008-04-14 00:12:21 18,432 ------w c:\windows\system32\dllcache\hscupd.exe
+ 2008-04-14 00:11:54 8,192 ------w c:\windows\system32\dllcache\httpmb51.dll
+ 2008-04-14 00:11:54 61,440 ------w c:\windows\system32\dllcache\httpod51.dll
+ 2008-04-14 00:11:54 145,408 ------w c:\windows\system32\dllcache\iische51.dll
+ 2008-04-14 00:11:55 829,440 ------w c:\windows\system32\dllcache\inetmgr.dll
+ 2008-04-14 00:11:56 19,968 ------w c:\windows\system32\dllcache\log.dll
+ 2008-04-14 00:11:57 274,432 ------w c:\windows\system32\dllcache\migism.dll
+ 2008-04-14 00:11:57 261,120 ------w c:\windows\system32\dllcache\migisma.dll
+ 2008-04-14 00:12:25 103,936 ------w c:\windows\system32\dllcache\migload.exe
+ 2008-04-14 00:12:25 241,152 ------w c:\windows\system32\dllcache\migwiza.exe
+ 2008-04-14 00:11:58 220,160 ------w c:\windows\system32\dllcache\mscandui.dll
+ 2008-04-14 00:11:59 3,166,208 ------w c:\windows\system32\dllcache\msgr3en.dll
+ 2008-04-14 00:12:00 39,936 ------w c:\windows\system32\dllcache\mslwvtts.dll
+ 2008-04-14 00:12:00 122,368 ------w c:\windows\system32\dllcache\msobcomm.dll
+ 2008-04-14 00:12:00 16,384 ------w c:\windows\system32\dllcache\msobdl.dll
+ 2008-04-14 00:12:00 30,720 ------w c:\windows\system32\dllcache\msobshel.dll
+ 2008-04-14 00:12:00 19,456 ------w c:\windows\system32\dllcache\msobweb.dll
+ 2008-04-14 00:12:28 29,184 ------w c:\windows\system32\dllcache\msoobe.exe
+ 2008-04-14 00:12:29 90,624 ------w c:\windows\system32\dllcache\muisetup.exe
+ 2008-04-14 00:12:01 57,344 ------w c:\windows\system32\dllcache\ndisnpp.dll
+ 2008-04-14 00:12:29 15,360 ------w c:\windows\system32\dllcache\nppagent.exe
+ 2008-04-13 18:40:07 393,728 ------w c:\windows\system32\dllcache\obrb0401.dll
+ 2008-04-13 18:40:23 212,480 ------w c:\windows\system32\dllcache\obrb0404.dll
+ 2008-04-13 18:40:24 428,032 ------w c:\windows\system32\dllcache\obrb0405.dll
+ 2008-04-13 18:40:27 418,816 ------w c:\windows\system32\dllcache\obrb0406.dll
+ 2008-04-13 18:40:34 403,456 ------w c:\windows\system32\dllcache\obrb0407.dll
+ 2008-04-13 18:40:30 419,328 ------w c:\windows\system32\dllcache\obrb0408.dll
+ 2008-04-13 18:40:32 405,504 ------w c:\windows\system32\dllcache\obrb040b.dll
+ 2008-04-13 18:40:33 410,624 ------w c:\windows\system32\dllcache\obrb040C.dll
+ 2008-04-13 18:40:32 384,000 ------w c:\windows\system32\dllcache\obrb040D.dll
+ 2008-04-13 18:40:39 434,176 ------w c:\windows\system32\dllcache\obrb040e.dll
+ 2008-04-13 18:40:39 413,696 ------w c:\windows\system32\dllcache\obrb0410.dll
+ 2008-04-13 18:40:44 275,456 ------w c:\windows\system32\dllcache\obrb0411.dll
+ 2008-04-13 18:40:48 306,688 ------w c:\windows\system32\dllcache\obrb0412.dll
+ 2008-04-13 18:40:44 401,920 ------w c:\windows\system32\dllcache\obrb0413.dll
+ 2008-04-13 18:40:44 353,792 ------w c:\windows\system32\dllcache\obrb0414.dll
+ 2008-04-13 18:40:47 391,680 ------w c:\windows\system32\dllcache\obrb0415.dll
+ 2008-04-13 18:40:10 409,600 ------w c:\windows\system32\dllcache\obrb0416.dll
+ 2008-04-13 18:40:50 427,008 ------w c:\windows\system32\dllcache\obrb0419.dll
+ 2008-04-13 18:40:52 405,504 ------w c:\windows\system32\dllcache\obrb041b.dll
+ 2008-04-13 18:40:56 363,008 ------w c:\windows\system32\dllcache\obrb041D.dll
+ 2008-04-13 18:41:00 390,144 ------w c:\windows\system32\dllcache\obrb041f.dll
+ 2008-04-13 18:40:56 408,576 ------w c:\windows\system32\dllcache\obrb0424.dll
+ 2008-04-13 18:40:24 270,336 ------w c:\windows\system32\dllcache\obrb0804.dll
+ 2008-04-13 18:40:48 435,200 ------w c:\windows\system32\dllcache\obrb0816.dll
+ 2008-04-13 18:40:30 446,464 ------w c:\windows\system32\dllcache\obrb0C0A.dll
+ 2008-04-14 00:12:31 51,200 ------w c:\windows\system32\dllcache\oobebaln.exe
+ 2008-04-14 00:12:05 215,552 ------w c:\windows\system32\dllcache\script.dll
+ 2008-04-14 00:12:05 199,680 ------w c:\windows\system32\dllcache\scripta.dll
+ 2008-04-14 00:12:06 189,440 ------w c:\windows\system32\dllcache\smtpadm.dll
+ 2008-04-14 00:12:06 2,134,528 ------w c:\windows\system32\dllcache\smtpsnap.dll
+ 2008-04-14 00:12:06 130,048 ------w c:\windows\system32\dllcache\softkbd.dll
+ 2008-04-13 16:43:18 62,976 ------w c:\windows\system32\dllcache\spgrmr.dll
+ 2008-04-13 18:35:06 186,880 ------w c:\windows\system32\dllcache\spra0401.dll
+ 2008-04-13 18:35:08 189,440 ------w c:\windows\system32\dllcache\spra0402.dll
+ 2008-04-13 18:35:09 161,280 ------w c:\windows\system32\dllcache\spra0404.dll
+ 2008-04-13 18:35:09 188,928 ------w c:\windows\system32\dllcache\spra0405.dll
+ 2008-04-13 18:35:09 192,000 ------w c:\windows\system32\dllcache\spra0406.dll
+ 2008-04-13 18:35:21 199,680 ------w c:\windows\system32\dllcache\spra0407.dll
+ 2008-04-13 18:35:11 197,632 ------w c:\windows\system32\dllcache\spra0408.dll
+ 2008-04-13 18:35:11 186,368 ------w c:\windows\system32\dllcache\spra040b.dll
+ 2008-04-13 18:35:20 197,632 ------w c:\windows\system32\dllcache\spra040C.dll
+ 2008-04-13 18:35:21 181,760 ------w c:\windows\system32\dllcache\spra040D.dll
+ 2008-04-13 18:35:23 195,584 ------w c:\windows\system32\dllcache\spra040e.dll
+ 2008-04-13 18:35:23 195,072 ------w c:\windows\system32\dllcache\spra0410.dll
+ 2008-04-13 18:35:23 171,008 ------w c:\windows\system32\dllcache\spra0411.dll
+ 2008-04-13 18:35:23 167,936 ------w c:\windows\system32\dllcache\spra0412.dll
+ 2008-04-13 18:35:25 196,096 ------w c:\windows\system32\dllcache\spra0413.dll
+ 2008-04-13 18:35:25 189,440 ------w c:\windows\system32\dllcache\spra0414.dll
+ 2008-04-13 18:35:26 194,560 ------w c:\windows\system32\dllcache\spra0415.dll
+ 2008-04-13 18:35:08 192,512 ------w c:\windows\system32\dllcache\spra0416.dll
+ 2008-04-13 18:35:27 190,464 ------w c:\windows\system32\dllcache\spra0418.dll
+ 2008-04-13 18:35:27 192,512 ------w c:\windows\system32\dllcache\spra0419.dll
+ 2008-04-13 18:35:21 188,928 ------w c:\windows\system32\dllcache\spra041a.dll
+ 2008-04-13 18:35:28 192,512 ------w c:\windows\system32\dllcache\spra041b.dll
+ 2008-04-13 18:35:28 188,928 ------w c:\windows\system32\dllcache\spra041D.dll
+ 2008-04-13 18:35:29 188,416 ------w c:\windows\system32\dllcache\spra041e.dll
+ 2008-04-13 18:35:30 188,928 ------w c:\windows\system32\dllcache\spra041f.dll
+ 2008-04-13 18:35:28 192,512 ------w c:\windows\system32\dllcache\spra0424.dll
+ 2008-04-13 18:35:11 186,880 ------w c:\windows\system32\dllcache\spra0425.dll
+ 2008-04-13 18:35:24 188,928 ------w c:\windows\system32\dllcache\spra0426.dll
+ 2008-04-13 18:35:24 189,952 ------w c:\windows\system32\dllcache\spra0427.dll
+ 2008-04-13 18:35:06 161,280 ------w c:\windows\system32\dllcache\spra0804.dll
+ 2008-04-13 18:35:26 194,560 ------w c:\windows\system32\dllcache\spra0816.dll
+ 2008-04-13 18:35:11 196,096 ------w c:\windows\system32\dllcache\spra0C0A.dll
+ 2008-04-13 18:35:49 2,869,248 ------w c:\windows\system32\dllcache\sprb0401.dll
+ 2008-04-13 18:36:10 477,696 ------w c:\windows\system32\dllcache\sprb0404.dll
+ 2008-04-13 18:36:10 734,720 ------w c:\windows\system32\dllcache\sprb0405.dll
+ 2008-04-13 18:36:10 742,912 ------w c:\windows\system32\dllcache\sprb0406.dll
+ 2008-04-13 18:37:03 788,480 ------w c:\windows\system32\dllcache\sprb0407.dll
+ 2008-04-13 18:36:35 801,280 ------w c:\windows\system32\dllcache\sprb0408.dll
+ 2008-04-13 18:36:39 729,088 ------w c:\windows\system32\dllcache\sprb040b.dll
+ 2008-04-13 18:36:55 793,088 ------w c:\windows\system32\dllcache\sprb040C.dll
+ 2008-04-13 18:37:07 2,842,112 ------w c:\windows\system32\dllcache\sprb040D.dll
+ 2008-04-13 18:37:22 769,536 ------w c:\windows\system32\dllcache\sprb040e.dll
+ 2008-04-13 18:37:22 769,536 ------w c:\windows\system32\dllcache\sprb0410.dll
+ 2008-04-13 18:37:34 562,688 ------w c:\windows\system32\dllcache\sprb0411.dll
+ 2008-04-13 18:37:37 543,744 ------w c:\windows\system32\dllcache\sprb0412.dll
+ 2008-04-13 18:38:00 769,024 ------w c:\windows\system32\dllcache\sprb0413.dll
+ 2008-04-13 18:38:02 716,288 ------w c:\windows\system32\dllcache\sprb0414.dll
+ 2008-04-13 18:38:05 759,808 ------w c:\windows\system32\dllcache\sprb0415.dll
+ 2008-04-13 18:35:43 752,128 ------w c:\windows\system32\dllcache\sprb0416.dll
+ 2008-04-13 18:38:28 736,768 ------w c:\windows\system32\dllcache\sprb0419.dll
+ 2008-04-13 18:38:37 757,248 ------w c:\windows\system32\dllcache\sprb041b.dll
+ 2008-04-13 18:38:47 724,480 ------w c:\windows\system32\dllcache\sprb041D.dll
+ 2008-04-13 18:38:51 724,480 ------w c:\windows\system32\dllcache\sprb041f.dll
+ 2008-04-13 18:38:36 732,160 ------w c:\windows\system32\dllcache\sprb0424.dll
+ 2008-04-13 18:35:54 470,016 ------w c:\windows\system32\dllcache\sprb0804.dll
+ 2008-04-13 18:38:06 751,616 ------w c:\windows\system32\dllcache\sprb0816.dll
+ 2008-04-13 18:36:38 773,632 ------w c:\windows\system32\dllcache\sprb0C0A.dll
+ 2008-04-13 18:39:02 656,896 ------w c:\windows\system32\dllcache\sprc0401.dll
+ 2008-04-13 18:39:13 327,680 ------w c:\windows\system32\dllcache\sprc0404.dll
+ 2008-04-13 18:39:02 601,088 ------w c:\windows\system32\dllcache\sprc0405.dll
+ 2008-04-13 18:39:12 605,696 ------w c:\windows\system32\dllcache\sprc0406.dll
+ 2008-04-13 18:39:19 663,552 ------w c:\windows\system32\dllcache\sprc0407.dll
+ 2008-04-13 18:39:12 679,936 ------w c:\windows\system32\dllcache\sprc0408.dll
+ 2008-04-13 18:39:17 604,672 ------w c:\windows\system32\dllcache\sprc040b.dll
+ 2008-04-13 18:39:20 663,040 ------w c:\windows\system32\dllcache\sprc040C.dll
+ 2008-04-13 18:39:28 620,544 ------w c:\windows\system32\dllcache\sprc040D.dll
+ 2008-04-13 18:39:28 645,120 ------w c:\windows\system32\dllcache\sprc040e.dll
+ 2008-04-13 18:39:28 658,432 ------w c:\windows\system32\dllcache\sprc0410.dll
+ 2008-04-13 18:39:49 412,672 ------w c:\windows\system32\dllcache\sprc0411.dll
+ 2008-04-13 18:39:49 392,704 ------w c:\windows\system32\dllcache\sprc0412.dll
+ 2008-04-13 18:39:47 645,120 ------w c:\windows\system32\dllcache\sprc0413.dll
+ 2008-04-13 18:39:48 591,872 ------w c:\windows\system32\dllcache\sprc0414.dll
+ 2008-04-13 18:39:52 641,024 ------w c:\windows\system32\dllcache\sprc0415.dll
+ 2008-04-13 18:38:56 620,032 ------w c:\windows\system32\dllcache\sprc0416.dll
+ 2008-04-13 18:39:56 627,200 ------w c:\windows\system32\dllcache\sprc0419.dll
+ 2008-04-13 18:40:04 577,536 ------w c:\windows\system32\dllcache\sprc041b.dll
+ 2008-04-13 18:40:05 590,848 ------w c:\windows\system32\dllcache\sprc041D.dll
+ 2008-04-13 18:40:09 592,896 ------w c:\windows\system32\dllcache\sprc041f.dll
+ 2008-04-13 18:40:05 576,512 ------w c:\windows\system32\dllcache\sprc0424.dll
+ 2008-04-13 18:39:03 322,560 ------w c:\windows\system32\dllcache\sprc0804.dll
+ 2008-04-13 18:39:53 639,488 ------w c:\windows\system32\dllcache\sprc0816.dll
+ 2008-04-13 18:39:13 648,704 ------w c:\windows\system32\dllcache\sprc0C0A.dll
+ 2008-04-14 00:12:06 151,552 ------w c:\windows\system32\dllcache\sqldb20.dll
+ 2008-04-14 00:12:06 462,848 ------w c:\windows\system32\dllcache\sqlqp20.dll
+ 2008-04-14 00:12:06 110,592 ------w c:\windows\system32\dllcache\sqlse20.dll
+ 2008-04-14 00:12:07 45,056 ------w c:\windows\system32\dllcache\ssinc51.dll
+ 2008-04-14 00:12:07 193,024 ------w c:\windows\system32\dllcache\sysmod.dll
+ 2008-04-14 00:12:07 173,568 ------w c:\windows\system32\dllcache\sysmoda.dll
+ 2008-04-14 00:12:07 33,792 ------w c:\windows\system32\dllcache\tools.dll
+ 2008-04-14 00:12:38 150,528 ------w c:\windows\system32\dllcache\uploadm.exe
- 2009-01-12 15:29:42 5,427 ----a-w c:\windows\system32\EGATHDRV.SYS
+ 2009-01-17 15:56:54 11,712 ------w c:\windows\system32\EGATHDRV.SYS
- 2008-10-17 04:17:28 206,512 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2009-01-17 16:15:16 205,712 ------w c:\windows\system32\FNTCACHE.DAT
- 2009-01-14 20:40:39 220,324 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2009-01-19 21:18:15 220,325 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 517768]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2005-10-28 864256]
"TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-03-09 94208]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-12-15 925696]
"SiteAdvisor"="c:\program files\SiteAdvisor\6173\SiteAdv.exe" [2007-08-28 36640]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2005-12-07 151552]
"PDService.exe"="c:\program files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe" [2005-11-15 49152]
"MVS Splash"="c:\program files\McAfee\Managed VirusScan\Agent\Splash.exe" [2008-01-22 468288]
"McAfee Managed Services Tray"="c:\program files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe" [2008-01-22 87360]
"LPManager"="c:\progra~1\THINKV~2\PrdCtr\LPMGR.exe" [2006-01-25 106496]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2005-11-17 237568]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-12-07 208896]
"AMSG"="c:\program files\ThinkVantage\AMSG\Amsg.exe" [2005-11-14 487424]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2006-04-17 98304]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2006-04-17 409600]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-09-15 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-09-15 512000]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"TpShocks"="TpShocks.exe" [2005-11-07 c:\windows\system32\TpShocks.exe]
"TP4EX"="tp4ex.exe" [2005-10-17 c:\windows\system32\TP4EX.exe]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2006-04-17 14:01 32768 c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2005-12-08 15:59 39936 c:\windows\system32\psqlpwd.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 00:45 28672 c:\windows\system32\notifyf2.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-11-30 21:16 24576 c:\windows\system32\tphklock.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd csspwntfy
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AT&T Communication Manager]
--------- 2007-06-15 17:43 22528 c:\program files\AT&T\Communication Manager\ATTCM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter2.0]
--------- 2004-11-11 22:00 864256 c:\program files\Brother\ControlCenter2\brctrcen.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cssauth]
-----c--- 2005-12-21 19:08 1996336 c:\program files\IBM ThinkVantage\Client Security Solution\cssauth.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--------- 2007-01-01 15:22 3739648 c:\program files\Google\Google Talk\googletalk.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
-----c--- 2007-03-09 17:53 153136 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
-----c--- 2005-02-25 18:28 212992 c:\progra~1\Nero\data\Xtras\mssysmgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--------- 2008-05-27 09:50 413696 c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-r---c--- 2005-10-26 15:17 159744 c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
-----c--- 2007-07-12 03:00 132496 c:\program files\Java\jre1.6.0_02\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]
--------- 2008-04-13 18:12 143360 c:\windows\system32\mobsync.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-r------- 2006-03-30 16:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Window Washer]
--------- 2005-06-10 08:43 1095680 c:\program files\Webroot\Washer\wwDisp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LiveUpdate"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"cmdService"=2 (0x2)
"CVPND"=2 (0x2)
"BOBJWIRS"=2 (0x2)
"BOBJWebiServer"=2 (0x2)
"BOBJTomcat"=2 (0x2)
"BOBJProgramServer"=2 (0x2)
"BOBJProcessServer"=2 (0x2)
"BOBJOutputFileServer"=2 (0x2)
"BOBJJobServer_Report"=2 (0x2)
"BOBJJobServer_DesktopIntelligence"=2 (0x2)
"BOBJInputFileServer"=2 (0x2)
"BOBJEventServer"=2 (0x2)
"BOBJDestinationServer"=2 (0x2)
"BOBJDesktopIntelligenceReportServer"=2 (0x2)
"BOBJDesktopIntelligenceCacheServer"=2 (0x2)
"BOBJCS"=3 (0x3)
"BOBJCrystalReportspageserver"=2 (0x2)
"BOBJCrystalReportsCacheServer"=2 (0x2)
"BOBJCrystalReportApplicationServer"=2 (0x2)
"BOBJCentralMS"=2 (0x2)
"bmwebcfg"=2 (0x2)
"AcSvc"=2 (0x2)
"aawservice"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\Sony Ericsson\\Update Service\\ma3platform.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\myAgtSvc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Sony\\Media Manager for WALKMAN\\MediaManager.exe"=
R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [2006-05-08 85760]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2006-05-08 11520]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.sys [2006-05-08 6016]
R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [2006-05-08 4736]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [2006-05-08 4442]
R4 EngineServer;EngineServer;c:\program files\McAfee\Managed VirusScan\VScan\EngineServer.exe [2008-07-14 14144]
R4 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [2005-12-21 12544]
R4 myAgtSvc;McAfee Virus and Spyware Protection Service;c:\program files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe [2008-07-14 169280]
R4 PrivateDisk;PrivateDisk;c:\program files\IBM ThinkVantage\SafeGuard PrivateDisk\privatediskm.sys [2005-11-15 46142]
R4 smi2;smi2;c:\program files\SMI2\smi2.sys [2005-12-21 3968]
R4 smihlp;SMI helper driver;c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [2005-12-08 3328]
S3 avpnnic;AGN Virtual Network Adapter;c:\windows\system32\drivers\avpnnic.sys [2007-10-18 13952]
S3 SE31bus;Sony Ericsson Device 049 Driver driver (WDM);c:\windows\system32\drivers\SE31bus.sys [2007-07-24 61600]
S3 SE31mdfl;Sony Ericsson Device 049 USB WMC Modem Filter;c:\windows\system32\drivers\SE31mdfl.sys [2007-07-24 9360]
S3 SE31mdm;Sony Ericsson Device 049 USB WMC Modem Driver;c:\windows\system32\drivers\SE31mdm.sys [2007-07-24 97184]
S3 SE31mgmt;Sony Ericsson Device 049 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\SE31mgmt.sys [2007-07-24 88688]
S3 se31nd5;Sony Ericsson Device 049 USB Ethernet Emulation SEMC49 (NDIS);c:\windows\system32\drivers\se31nd5.sys [2007-07-24 18704]
S3 SE31obex;Sony Ericsson Device 049 USB WMC OBEX Interface;c:\windows\system32\drivers\SE31obex.sys [2007-07-24 86560]
S3 se31unic;Sony Ericsson Device 049 USB Ethernet Emulation SEMC49 (WDM);c:\windows\system32\drivers\se31unic.sys [2007-07-24 90800]
S3 SWNC8U12;Sierra Wireless MUX NDIS Driver (UMTS12);c:\windows\system32\drivers\swnc8u12.sys [2008-06-21 82432]
S3 swumx12;Sierra Wireless USB MUX Driver (UMTS12);c:\windows\system32\drivers\swumx12.sys [2008-06-21 66304]
S4 BOBJCentralMS;Central Management Server;c:\program files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\CMS.exe [2005-11-15 2613248]
S4 BOBJCrystalReportApplicationServer;Report Application Server;c:\program files\Business Objects\common\3.5\bin\crystalras.exe [2005-11-15 454656]
S4 BOBJCrystalReportsCacheServer;Crystal Reports Cache Server;c:\program files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\cacheserver.exe [2005-11-15 3207168]
S4 BOBJCrystalReportspageserver;Crystal Reports Page Server;c:\program files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\pageserver.exe [2005-11-15 3207168]
S4 BOBJCS;Connection Server;c:\program files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\ConnectionServer.exe [2005-11-15 1421312]
S4 BOBJDesktopIntelligenceCacheServer;Desktop Intelligence Cache Server;c:\program files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\fccache.exe [2005-11-15 5189632]
S4 BOBJDesktopIntelligenceReportServer;Desktop Intelligence Report Server;c:\program files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\fcproc.exe [2005-11-15 5189632]
S4 BOBJDestinationServer;Destination Job Server;c:\program files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\procdest.exe [2005-11-15 942080]
S4 BOBJEventServer;Event Server;c:\program files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\EventServer.exe [2005-11-15 888832]
S4 BOBJInputFileServer;Input File Repository Server;c:\program files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\inputfileserver.exe [2005-11-15 626688]
S4 BOBJJobServer_DesktopIntelligence;Desktop Intelligence Job Server;c:\program files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\JobServerFullClient.exe [2005-11-15 942080]
S4 BOBJJobServer_Report;Crystal Reports Job Server;c:\program files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\JobServer.exe [2005-11-15 942080]
S4 BOBJOutputFileServer;Output File Repository Server;c:\program files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\outputfileserver.exe [2005-11-15 626688]
S4 BOBJProcessServer;List of Values Job Server;c:\program files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\procLov.exe [2005-11-15 942080]
S4 BOBJProgramServer;Program Job Server;c:\program files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\ProgramServer.exe [2005-11-15 942080]
S4 BOBJTomcat;Apache Tomcat 5.0.27;c:\program files\Business Objects\Tomcat\bin\tomcat5.exe [2004-06-17 94208]
S4 BOBJWebiServer;Web Intelligence Job Server;c:\program files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\procWebi.exe [2005-11-15 942080]
S4 BOBJWIRS;Web Intelligence Report Server;c:\program files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\WIReportServer.exe [2005-11-15 974848]
.
Contents of the 'Scheduled Tasks' folder
2009-01-19 c:\windows\Tasks\arintpiz.job
- c:\windows\system32\rundll32.exe [2008-04-13 18:12]
.
.
------- Supplementary Scan -------
.
uStart Page = https://owa.mse9.exchange.ms/exchweb/bin/auth/owalogon.asp?url=https://owa.mse9.exchange.ms/exchange&reason=0
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: bmnet.dll
Trusted Zone: *.turbotax.com
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-19 15:19:24
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1196)
c:\windows\system32\vrlogon.dll
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\windows\system32\biologon.dll
c:\program files\ThinkVantage Fingerprint Software\homepass.dll
c:\program files\ThinkVantage Fingerprint Software\bio.dll
c:\program files\ThinkVantage Fingerprint Software\remote.dll
c:\program files\ThinkVantage Fingerprint Software\crypto.dll
c:\windows\system32\tphklock.dll
- - - - - - - > 'lsass.exe'(1252)
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\IBM ThinkVantage\Client Security Solution\csspwntfy.dll
c:\program files\IBM ThinkVantage\Client Security Solution\ibmtsp.dll
c:\program files\IBM ThinkVantage\Client Security Solution\tcsrpc.dll
c:\program files\IBM ThinkVantage\Client Security Solution\cssuserdatadispatcher.dll
c:\windows\system32\bmnet.dll
c:\program files\Bonjour\mdnsNSP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\SiteAdvisor\6173\SAService.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\system32\TPHDEXLG.exe
c:\windows\system32\TpKmpSvc.exe
c:\program files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
c:\program files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\windows\system32\wwSecure.exe
c:\program files\Lenovo\System Update\SUService.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\wscntfy.exe
c:\program files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
c:\program files\McAfee\Managed VirusScan\Agent\myAgtTry.exe
.
**************************************************************************
.
Completion time: 2009-01-19 15:24:49 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-19 21:24:46
ComboFix2.txt 2009-01-16 17:50:32
ComboFix3.txt 2009-01-14 20:48:57
Pre-Run: 296,730,624 bytes free
Post-Run: 323,510,272 bytes free
495 --- E O F --- 2008-12-21 17:51:15
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:26:08 PM, on 1/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SiteAdvisor\6173\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\WINDOWS\system32\wwSecure.exe
c:\program files\lenovo\system update\suservice.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\SiteAdvisor\6173\SiteAdv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtTry.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ThinkVantage\AMSG\Amsg.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://owa.mse9.exchange.ms/exchweb/bin/auth/owalogon.asp?url=https://owa.mse9.exchange.ms/exchange&reason=0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6173\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6173\SiteAdv.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6173\SiteAdv.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [PDService.exe] "C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe"
O4 - HKLM\..\Run: [MVS Splash] "C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe"
O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Program Files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe"
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [ISUSScheduler] "c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [AMSG] C:\Program Files\ThinkVantage\AMSG\Amsg.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://jcgfiles/ConnectComputer/nshelp.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://expresspay.webex.com/client/T25L/training/ieatgpc.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupControlXP Class) - https://sremote1.duffandphelps.com/dana-cached/setup/JuniperSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = june.local
O17 - HKLM\Software\..\Telephony: DomainName = june.local
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = JCG.local
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EngineServer - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: McShield - McAfee, Inc. - C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
O23 - Service: McAfee Virus and Spyware Protection Service (myAgtSvc) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6173\SAService.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
O23 - Service: TVT Backup Service - Unknown owner - C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe
--
End of file - 11363 bytes
Looking good :bigthumb:
Your Java is out of date and leaving your system vulnerable.
Go to your Add-Remove Programs in the Control Panel and uninstall any previous versions of Java (J2SE Runtime Environment)
It should have an icon next to it:
http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.jpg
Select it and click Remove.
Reboot your system.
Then go to the Sun Microsystems (http://java.sun.com/javase/downloads/index.jsp) and install the update
Java SE Runtime Environment (JRE) 6 Update 11 <--This is what you need to download and install.
If you chose the online installation, it will prompt you to run the program.
If you chose the offline installation, you will be prompted to save the file and you can run it from wherever you saved it.
Then after install you can verify your installation here Sun Java Verify (http://www.java.com/en/download/manual.jsp)
I like to to do the offline installation and save the setup file in case I may need it in the future
How are things running now???
srogers8989
2009-01-28, 06:24
Took me a while to get to this as I wanted to get another hard drive backup in first.
I installed Java 6 version 11 and verified. I have been working on shoring up my OS backup. I have been using the Rescue and Recovery that comes with Lenovo laptops. I just received Acronis True Image Home 2009 today and installed it and created a copy of the c: partition. I also installed Vine Server on my little mac and Vine Viewer on my laptop so I can surf the internet using my mac.
My laptop is running great thanks to your assistance. It is booting up slowly as I messed with msconfig in this process and a bunch of programs are loading up in startup. I will chip away at them in the days to come. Any ideas as to the best combination of malware recovery software from you would be appreciated.
Thanks so much!
Hello,
You can post in one of these windows forums for help with your startup programs, this is what they do and are very good at it.
Windows Tech Support Forums
Windows Helpnet (http://www.windowsbbs.com/) <-- Excellent XP Forum
PcPitStop (http://pcpitstop.com/) <-- You can take your system in for a checkup here.
Windows Support (http://forums.whatthetech.com/Microsoft_Windows_f119.html)
It's Not Always Malware
Slow Computer (http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html)
Microsoft (http://www.microsoft.com/windows/IE/community/columns/IEtopten.mspx)
Speedup Windows
TechBuilder (http://www.techbuilder.org/recipes/59201471)
Windows Tips
Techruler (http://www.techruler.com/tips.html#1)
Kellys Korner (http://www.kellys-korner-xp.com/xp_abc.htm)
ATF Cleaner <-- Yours to keep, run it now and then to clean out the clutter.
Malwarebytes <-- Yours to keep also, check for updates and run a scan now and then.
Combofix <---Is not a general cleaning tool, just run it with supervision or you can bork your system
Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
When shown the disclaimer, Select "2"
The above procedure will:
Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.
How did I get infected in the first place ? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)
Keep in mind if you install some of these programs. Only ONE Anti Virus and only ONE Firewall is recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster, you can still install Spybot Search and Destroy but do not enable the TeaTimer in Spybot.
Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community
Spybot Search and Destroy 1.6 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.
Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.
Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.
IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
Firefox 3 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use them both.
Safe Surfn
Ken