Need help removing Win32.TDSS.rtk
Hi -
I am unable to get rid of Win32.TDSS.rtk after multiple runs of Spybot - Search & Destroy. Here is the HijackThis log. Please help.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:59:25 AM, on 8/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Common Files\Virtual Token\vtserver.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\system32\Hummbird\inetd32.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Neoteris\Installer Service\NeoterisSetupService.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\IBM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {020745A9-3332-4AA6-B54D-A2B7411A3282} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [ControlCenter] "C:\Program Files\IBM fingerprint software\ctlcntr.exe" /startup
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [QCTRAY] C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunOnce: [SpybotDeletingA5793] command.com /c del "C:\WINDOWS\system32\drivers\SKYNETsdmpwmnm.sys_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7754] cmd.exe /c del "C:\WINDOWS\system32\drivers\SKYNETsdmpwmnm.sys_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1983] command.com /c del "C:\WINDOWS\system32\drivers\SKYNETsdmpwmnm.sys"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2996] cmd.exe /c del "C:\WINDOWS\system32\drivers\SKYNETsdmpwmnm.sys"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1667] command.com /c del "C:\WINDOWS\system32\SKYNETnthuejwo.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4386] cmd.exe /c del "C:\WINDOWS\system32\SKYNETnthuejwo.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2980] command.com /c del "C:\WINDOWS\system32\SKYNETnthuejwo.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5919] cmd.exe /c del "C:\WINDOWS\system32\SKYNETnthuejwo.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA4848] command.com /c del "C:\WINDOWS\system32\SKYNETvoyxodtp.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4543] cmd.exe /c del "C:\WINDOWS\system32\SKYNETvoyxodtp.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1529] command.com /c del "C:\WINDOWS\system32\SKYNETvoyxodtp.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4943] cmd.exe /c del "C:\WINDOWS\system32\SKYNETvoyxodtp.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2613] command.com /c del "C:\WINDOWS\system32\SKYNEToddvitxs.dat_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2663] cmd.exe /c del "C:\WINDOWS\system32\SKYNEToddvitxs.dat_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA667] command.com /c del "C:\WINDOWS\system32\SKYNEToddvitxs.dat"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3180] cmd.exe /c del "C:\WINDOWS\system32\SKYNEToddvitxs.dat"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9320] command.com /c del "C:\WINDOWS\system32\SKYNETynecoylf.dat_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1149] cmd.exe /c del "C:\WINDOWS\system32\SKYNETynecoylf.dat_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA4557] command.com /c del "C:\WINDOWS\system32\SKYNETynecoylf.dat"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4141] cmd.exe /c del "C:\WINDOWS\system32\SKYNETynecoylf.dat"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6559] command.com /c del "C:\WINDOWS\system32\drivers\SKYNETsdmpwmnm.sys_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8828] cmd.exe /c del "C:\WINDOWS\system32\drivers\SKYNETsdmpwmnm.sys_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA952] command.com /c del "C:\WINDOWS\system32\drivers\SKYNETsdmpwmnm.sys"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5325] cmd.exe /c del "C:\WINDOWS\system32\drivers\SKYNETsdmpwmnm.sys"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9500] command.com /c del "C:\WINDOWS\system32\SKYNETnthuejwo.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4054] cmd.exe /c del "C:\WINDOWS\system32\SKYNETnthuejwo.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7346] command.com /c del "C:\WINDOWS\system32\SKYNETnthuejwo.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4585] cmd.exe /c del "C:\WINDOWS\system32\SKYNETnthuejwo.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7020] command.com /c del "C:\WINDOWS\system32\SKYNETvoyxodtp.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3007] cmd.exe /c del "C:\WINDOWS\system32\SKYNETvoyxodtp.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA8786] command.com /c del "C:\WINDOWS\system32\SKYNETvoyxodtp.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9739] cmd.exe /c del "C:\WINDOWS\system32\SKYNETvoyxodtp.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3447] command.com /c del "C:\WINDOWS\system32\SKYNEToddvitxs.dat_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3858] cmd.exe /c del "C:\WINDOWS\system32\SKYNEToddvitxs.dat_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA8256] command.com /c del "C:\WINDOWS\system32\SKYNEToddvitxs.dat"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6793] cmd.exe /c del "C:\WINDOWS\system32\SKYNEToddvitxs.dat"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3009] command.com /c del "C:\WINDOWS\system32\SKYNETynecoylf.dat_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6894] cmd.exe /c del "C:\WINDOWS\system32\SKYNETynecoylf.dat_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7811] command.com /c del "C:\WINDOWS\system32\SKYNETynecoylf.dat"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7811] cmd.exe /c del "C:\WINDOWS\system32\SKYNETynecoylf.dat"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6593] command.com /c del "C:\WINDOWS\system32\drivers\SKYNETsdmpwmnm.sys_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4812] cmd.exe /c del "C:\WINDOWS\system32\drivers\SKYNETsdmpwmnm.sys_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6307] command.com /c del "C:\WINDOWS\system32\drivers\SKYNETsdmpwmnm.sys"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4618] cmd.exe /c del "C:\WINDOWS\system32\drivers\SKYNETsdmpwmnm.sys"
O4 - HKLM\..\RunOnce: [SpybotDeletingA13] command.com /c del "C:\WINDOWS\system32\SKYNETnthuejwo.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC866] cmd.exe /c del "C:\WINDOWS\system32\SKYNETnthuejwo.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA8642] command.com /c del "C:\WINDOWS\system32\SKYNETnthuejwo.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8112] cmd.exe /c del "C:\WINDOWS\system32\SKYNETnthuejwo.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5006] command.com /c del "C:\WINDOWS\system32\SKYNETvoyxodtp.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6618] cmd.exe /c del "C:\WINDOWS\system32\SKYNETvoyxodtp.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3078] command.com /c del "C:\WINDOWS\system32\SKYNETvoyxodtp.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6725] cmd.exe /c del "C:\WINDOWS\system32\SKYNETvoyxodtp.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1399] command.com /c del "C:\WINDOWS\system32\SKYNEToddvitxs.dat_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC438] cmd.exe /c del "C:\WINDOWS\system32\SKYNEToddvitxs.dat_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA366] command.com /c del "C:\WINDOWS\system32\SKYNEToddvitxs.dat"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8879] cmd.exe /c del "C:\WINDOWS\system32\SKYNEToddvitxs.dat"
O4 - HKLM\..\RunOnce: [SpybotDeletingA4028] command.com /c del "C:\WINDOWS\system32\SKYNETynecoylf.dat_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9076] cmd.exe /c del "C:\WINDOWS\system32\SKYNETynecoylf.dat_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA4787] command.com /c del "C:\WINDOWS\system32\SKYNETynecoylf.dat"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4478] cmd.exe /c del "C:\WINDOWS\system32\SKYNETynecoylf.dat"
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB104] command.com /c del "C:\WINDOWS\system32\drivers\SKYNETsdmpwmnm.sys_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1589] cmd.exe /c del "C:\WINDOWS\system32\drivers\SKYNETsdmpwmnm.sys_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6236] command.com /c del "C:\WINDOWS\system32\drivers\SKYNETsdmpwmnm.sys"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1601] cmd.exe /c del "C:\WINDOWS\system32\drivers\SKYNETsdmpwmnm.sys"
O4 - HKCU\..\RunOnce: [SpybotDeletingB2227] command.com /c del "C:\WINDOWS\system32\SKYNETnthuejwo.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1142] cmd.exe /c del "C:\WINDOWS\system32\SKYNETnthuejwo.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB225] command.com /c del "C:\WINDOWS\system32\SKYNETnthuejwo.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8338] cmd.exe /c del "C:\WINDOWS\system32\SKYNETnthuejwo.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3784] command.com /c del "C:\WINDOWS\system32\SKYNETvoyxodtp.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9264] cmd.exe /c del "C:\WINDOWS\system32\SKYNETvoyxodtp.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5218] command.com /c del "C:\WINDOWS\system32\SKYNETvoyxodtp.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2878] cmd.exe /c del "C:\WINDOWS\system32\SKYNETvoyxodtp.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1795] command.com /c del "C:\WINDOWS\system32\SKYNEToddvitxs.dat_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD922] cmd.exe /c del "C:\WINDOWS\system32\SKYNEToddvitxs.dat_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9262] command.com /c del "C:\WINDOWS\system32\SKYNEToddvitxs.dat"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7831] cmd.exe /c del "C:\WINDOWS\system32\SKYNEToddvitxs.dat"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1536] command.com /c del "C:\WINDOWS\system32\SKYNETynecoylf.dat_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD991] cmd.exe /c del "C:\WINDOWS\system32\SKYNETynecoylf.dat_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7753] command.com /c del "C:\WINDOWS\system32\SKYNETynecoylf.dat"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6734] cmd.exe /c del "C:\WINDOWS\system32\SKYNETynecoylf.dat"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7253] command.com /c del "C:\WINDOWS\system32\drivers\SKYNETsdmpwmnm.sys_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7258] cmd.exe /c del "C:\WINDOWS\system32\drivers\SKYNETsdmpwmnm.sys_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5986] command.com /c del "C:\WINDOWS\system32\drivers\SKYNETsdmpwmnm.sys"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3885] cmd.exe /c del "C:\WINDOWS\system32\drivers\SKYNETsdmpwmnm.sys"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5285] command.com /c del "C:\WINDOWS\system32\SKYNETnthuejwo.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5869] cmd.exe /c del "C:\WINDOWS\system32\SKYNETnthuejwo.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB549] command.com /c del "C:\WINDOWS\system32\SKYNETnthuejwo.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9732] cmd.exe /c del "C:\WINDOWS\system32\SKYNETnthuejwo.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB4625] command.com /c del "C:\WINDOWS\system32\SKYNETvoyxodtp.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2188] cmd.exe /c del "C:\WINDOWS\system32\SKYNETvoyxodtp.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1236] command.com /c del "C:\WINDOWS\system32\SKYNETvoyxodtp.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8106] cmd.exe /c del "C:\WINDOWS\system32\SKYNETvoyxodtp.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB286] command.com /c del "C:\WINDOWS\system32\SKYNEToddvitxs.dat_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1211] cmd.exe /c del "C:\WINDOWS\system32\SKYNEToddvitxs.dat_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8692] command.com /c del "C:\WINDOWS\system32\SKYNEToddvitxs.dat"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3428] cmd.exe /c del "C:\WINDOWS\system32\SKYNEToddvitxs.dat"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5270] command.com /c del "C:\WINDOWS\system32\SKYNETynecoylf.dat_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3197] cmd.exe /c del "C:\WINDOWS\system32\SKYNETynecoylf.dat_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5841] command.com /c del "C:\WINDOWS\system32\SKYNETynecoylf.dat"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6865] cmd.exe /c del "C:\WINDOWS\system32\SKYNETynecoylf.dat"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7023] command.com /c del "C:\WINDOWS\system32\drivers\SKYNETsdmpwmnm.sys_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1042] cmd.exe /c del "C:\WINDOWS\system32\drivers\SKYNETsdmpwmnm.sys_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7910] command.com /c del "C:\WINDOWS\system32\drivers\SKYNETsdmpwmnm.sys"
O4 - HKCU\..\RunOnce: [SpybotDeletingD812] cmd.exe /c del "C:\WINDOWS\system32\drivers\SKYNETsdmpwmnm.sys"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5319] command.com /c del "C:\WINDOWS\system32\SKYNETnthuejwo.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4601] cmd.exe /c del "C:\WINDOWS\system32\SKYNETnthuejwo.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB4446] command.com /c del "C:\WINDOWS\system32\SKYNETnthuejwo.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4865] cmd.exe /c del "C:\WINDOWS\system32\SKYNETnthuejwo.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7129] command.com /c del "C:\WINDOWS\system32\SKYNETvoyxodtp.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1728] cmd.exe /c del "C:\WINDOWS\system32\SKYNETvoyxodtp.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB2831] command.com /c del "C:\WINDOWS\system32\SKYNETvoyxodtp.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4784] cmd.exe /c del "C:\WINDOWS\system32\SKYNETvoyxodtp.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB4475] command.com /c del "C:\WINDOWS\system32\SKYNEToddvitxs.dat_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9741] cmd.exe /c del "C:\WINDOWS\system32\SKYNEToddvitxs.dat_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7540] command.com /c del "C:\WINDOWS\system32\SKYNEToddvitxs.dat"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2346] cmd.exe /c del "C:\WINDOWS\system32\SKYNEToddvitxs.dat"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8493] command.com /c del "C:\WINDOWS\system32\SKYNETynecoylf.dat_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1571] cmd.exe /c del "C:\WINDOWS\system32\SKYNETynecoylf.dat_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1982] command.com /c del "C:\WINDOWS\system32\SKYNETynecoylf.dat"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5833] cmd.exe /c del "C:\WINDOWS\system32\SKYNETynecoylf.dat"
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\IBM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Travelaxe - {32A32D38-B8ED-4b3f-AFD0-EF23B697B5C1} - C:\Program Files\Travelaxe\Travelaxe.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: Web-Based Email Tools - http://email.secureserver.net/Download.CAB
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} - http://home3.ca.com/PestPatrol/uniblue/pestscan/pestscan.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
O16 - DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} (VodClient Control Class) - http://www.tvucricket.com/player/vjocx-en.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: AntipyProex (AntipPro2009_100) - Unknown owner - C:\WINDOWS\svchast.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Communications Ltd. - C:\WINDOWS\system32\Hummbird\inetd32.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Neoteris Setup Service - Juniper Networks - C:\Program Files\Neoteris\Installer Service\NeoterisSetupService.exe
O23 - Service: OracleMTSRecoveryService - Novatel Wireless Inc. - (no file)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: IBM HDD APS Logging Service (TPHDEXLGSVC) - IBM Corporation - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: Protector Suite Virtual Token (vtserver) - UPEK Inc. - C:\Program Files\Common Files\Virtual Token\vtserver.exe
--
End of file - 23393 bytes
Another problem (don't know if this is related to Win32.TDSS.rtk) is that frequently, my Firefox browser is hijacked to a website called clean-pc-now.com and starts scanning my computer. After I run Spybot - Search & Destroy it doesn't happen for a little while and then starts all over again. Thanks.
Hi,
First thing to do: disable word wrap in Notepad so the logs appear in a more readable format.
When done, download DDS and save it to your desktop from here (http://www.techsupportforum.com/sectools/sUBs/dds) or here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt
Save both reports to your desktop. Post them back to your topic.
Download GMER (http://www.gmer.net) here by clicking the Download EXE button and then saving it to your desktop:
Double-click the .exe that you downloaded.
Click the Rootkit tab and then Scan.
Don't check the
Show All
box while scanning is in progress!
When scanning is done, click Copy.
This copies the log to the clipboard.
Post the log in your reply.
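As an added example, not code from this thread, from its posters or from any of the tools named in it, the following Python script shows the kind of first-pass triage an analyst does on a HijackThis log like the one posted above before asking for deeper scans: it parses the R/O entry lines and flags the indicators visible in that log, a browser proxy pointed at a listener on the local machine, a BHO and a service whose file is gone, and RunOnce deletions that a cleaner has queued again and again for the same file, which is what repeated Spybot runs with no lasting effect look like in a log. The sample log is a constructed excerpt modelled on the entries above, and the category names are the example's own.

```python
import re
from collections import OrderedDict

# Constructed sample: a short excerpt modelled on the entry shapes in the
# HijackThis log posted in this thread (not the full log).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
O2 - BHO: (no name) - {020745A9-3332-4AA6-B54D-A2B7411A3282} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\RunOnce: [SpybotDeletingA1983] command.com /c del "C:\WINDOWS\system32\drivers\SKYNETsdmpwmnm.sys"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2996] cmd.exe /c del "C:\WINDOWS\system32\drivers\SKYNETsdmpwmnm.sys"
O4 - HKCU\..\RunOnce: [SpybotDeletingB225] command.com /c del "C:\WINDOWS\system32\SKYNETnthuejwo.dll"
O23 - Service: AntipyProex (AntipPro2009_100) - Unknown owner - C:\WINDOWS\svchast.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# One HijackThis entry per line: a section tag (R0, O2, O23, ...), " - ", then the body.
ENTRY_RE = re.compile(r"^([RFON]\d+) - (.*)$")
# Browser proxy pointing at a port on the local machine.
LOCAL_PROXY_RE = re.compile(r"ProxyServer\s*=.*\b(?:localhost|127\.0\.0\.1):\d+", re.IGNORECASE)
# Target of a queued "del" command in a RunOnce entry.
DEL_TARGET_RE = re.compile(r'\bdel\s+"([^"]+)"', re.IGNORECASE)


def parse_entries(log_text):
    """Split a HijackThis log into (section, body) pairs; header and process lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(log_text):
    """Return (category, detail) findings for the entries that deserve a closer look."""
    findings = []
    pending = OrderedDict()  # file path -> number of RunOnce entries queued to delete it
    for section, body in parse_entries(log_text):
        if section == "R1" and LOCAL_PROXY_RE.search(body):
            # Web traffic forced through a listener on the local host, so a resident
            # component can inspect or redirect every request the browser makes.
            findings.append(("local-proxy", body.split("=", 1)[1].strip()))
        elif section == "O2" and body.endswith("(no file)"):
            # A BHO registration whose DLL is gone: a leftover of a removed component.
            findings.append(("orphan-bho", body))
        elif section == "O4" and "RunOnce" in body:
            m = DEL_TARGET_RE.search(body)
            if m:
                pending[m.group(1)] = pending.get(m.group(1), 0) + 1
        elif section == "O23" and body.endswith("(file missing)"):
            # A service still registered although its binary is gone; note the
            # unknown owner and the svchost look-alike name in the sample entry.
            findings.append(("missing-service-binary", body))
    for path, count in pending.items():
        # A cleaner queued the same delete more than once: the file is either
        # recreated or locked while Windows runs, so the removal is not taking.
        findings.append(("pending-delete", "%s (%d queued attempts)" % (path, count)))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print("%-22s %s" % (category, detail))
```

Run it as-is to see the findings for the embedded sample, or read a saved log with `triage(open("hijackthis.log").read())`. The script only reports; deciding what each finding means, and whether a rootkit scan such as the GMER run requested above is the right next step, stays with the analyst.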
Blade81, thanks for helping me out. I will post the three files separately.
DDS.txt
DDS (Ver_09-07-30.01) - NTFSx86
Run by venu potluri at 21:46:52.06 on Wed 08/19/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1402 [GMT -4:00]
============== Running Processes ===============
C:\Program Files\Common Files\Virtual Token\vtserver.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\system32\Hummbird\inetd32.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Neoteris\Installer Service\NeoterisSetupService.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\IBM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\venu potluri\My Documents\Downloads\dds.scr
============== Pseudo HJT Report ===============
uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: {020745A9-3332-4AA6-B54D-A2B7411A3282} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
uRun: [ibmmessages] c:\program files\ibm\messages by ibm\ibmmessages.exe
uRunOnce: [SpybotDeletingB104] command.com /c del "c:\windows\system32\drivers\SKYNETsdmpwmnm.sys_old"
uRunOnce: [SpybotDeletingD1589] cmd.exe /c del "c:\windows\system32\drivers\SKYNETsdmpwmnm.sys_old"
uRunOnce: [SpybotDeletingB6236] command.com /c del "c:\windows\system32\drivers\SKYNETsdmpwmnm.sys"
uRunOnce: [SpybotDeletingD1601] cmd.exe /c del "c:\windows\system32\drivers\SKYNETsdmpwmnm.sys"
uRunOnce: [SpybotDeletingB2227] command.com /c del "c:\windows\system32\SKYNETnthuejwo.dll_old"
uRunOnce: [SpybotDeletingD1142] cmd.exe /c del "c:\windows\system32\SKYNETnthuejwo.dll_old"
uRunOnce: [SpybotDeletingB225] command.com /c del "c:\windows\system32\SKYNETnthuejwo.dll"
uRunOnce: [SpybotDeletingD8338] cmd.exe /c del "c:\windows\system32\SKYNETnthuejwo.dll"
uRunOnce: [SpybotDeletingB3784] command.com /c del "c:\windows\system32\SKYNETvoyxodtp.dll_old"
uRunOnce: [SpybotDeletingD9264] cmd.exe /c del "c:\windows\system32\SKYNETvoyxodtp.dll_old"
uRunOnce: [SpybotDeletingB5218] command.com /c del "c:\windows\system32\SKYNETvoyxodtp.dll"
uRunOnce: [SpybotDeletingD2878] cmd.exe /c del "c:\windows\system32\SKYNETvoyxodtp.dll"
uRunOnce: [SpybotDeletingB1795] command.com /c del "c:\windows\system32\SKYNEToddvitxs.dat_old"
uRunOnce: [SpybotDeletingD922] cmd.exe /c del "c:\windows\system32\SKYNEToddvitxs.dat_old"
uRunOnce: [SpybotDeletingB9262] command.com /c del "c:\windows\system32\SKYNEToddvitxs.dat"
uRunOnce: [SpybotDeletingD7831] cmd.exe /c del "c:\windows\system32\SKYNEToddvitxs.dat"
uRunOnce: [SpybotDeletingB1536] command.com /c del "c:\windows\system32\SKYNETynecoylf.dat_old"
uRunOnce: [SpybotDeletingD991] cmd.exe /c del "c:\windows\system32\SKYNETynecoylf.dat_old"
uRunOnce: [SpybotDeletingB7753] command.com /c del "c:\windows\system32\SKYNETynecoylf.dat"
uRunOnce: [SpybotDeletingD6734] cmd.exe /c del "c:\windows\system32\SKYNETynecoylf.dat"
uRunOnce: [SpybotDeletingB7253] command.com /c del "c:\windows\system32\drivers\SKYNETsdmpwmnm.sys_old"
uRunOnce: [SpybotDeletingD7258] cmd.exe /c del "c:\windows\system32\drivers\SKYNETsdmpwmnm.sys_old"
uRunOnce: [SpybotDeletingB5986] command.com /c del "c:\windows\system32\drivers\SKYNETsdmpwmnm.sys"
uRunOnce: [SpybotDeletingD3885] cmd.exe /c del "c:\windows\system32\drivers\SKYNETsdmpwmnm.sys"
uRunOnce: [SpybotDeletingB5285] command.com /c del "c:\windows\system32\SKYNETnthuejwo.dll_old"
uRunOnce: [SpybotDeletingD5869] cmd.exe /c del "c:\windows\system32\SKYNETnthuejwo.dll_old"
uRunOnce: [SpybotDeletingB549] command.com /c del "c:\windows\system32\SKYNETnthuejwo.dll"
uRunOnce: [SpybotDeletingD9732] cmd.exe /c del "c:\windows\system32\SKYNETnthuejwo.dll"
uRunOnce: [SpybotDeletingB4625] command.com /c del "c:\windows\system32\SKYNETvoyxodtp.dll_old"
uRunOnce: [SpybotDeletingD2188] cmd.exe /c del "c:\windows\system32\SKYNETvoyxodtp.dll_old"
uRunOnce: [SpybotDeletingB1236] command.com /c del "c:\windows\system32\SKYNETvoyxodtp.dll"
uRunOnce: [SpybotDeletingD8106] cmd.exe /c del "c:\windows\system32\SKYNETvoyxodtp.dll"
uRunOnce: [SpybotDeletingB286] command.com /c del "c:\windows\system32\SKYNEToddvitxs.dat_old"
uRunOnce: [SpybotDeletingD1211] cmd.exe /c del "c:\windows\system32\SKYNEToddvitxs.dat_old"
uRunOnce: [SpybotDeletingB8692] command.com /c del "c:\windows\system32\SKYNEToddvitxs.dat"
uRunOnce: [SpybotDeletingD3428] cmd.exe /c del "c:\windows\system32\SKYNEToddvitxs.dat"
uRunOnce: [SpybotDeletingB5270] command.com /c del "c:\windows\system32\SKYNETynecoylf.dat_old"
uRunOnce: [SpybotDeletingD3197] cmd.exe /c del "c:\windows\system32\SKYNETynecoylf.dat_old"
uRunOnce: [SpybotDeletingB5841] command.com /c del "c:\windows\system32\SKYNETynecoylf.dat"
uRunOnce: [SpybotDeletingD6865] cmd.exe /c del "c:\windows\system32\SKYNETynecoylf.dat"
uRunOnce: [SpybotDeletingB7023] command.com /c del "c:\windows\system32\drivers\SKYNETsdmpwmnm.sys_old"
uRunOnce: [SpybotDeletingD1042] cmd.exe /c del "c:\windows\system32\drivers\SKYNETsdmpwmnm.sys_old"
uRunOnce: [SpybotDeletingB7910] command.com /c del "c:\windows\system32\drivers\SKYNETsdmpwmnm.sys"
uRunOnce: [SpybotDeletingD812] cmd.exe /c del "c:\windows\system32\drivers\SKYNETsdmpwmnm.sys"
uRunOnce: [SpybotDeletingB5319] command.com /c del "c:\windows\system32\SKYNETnthuejwo.dll_old"
uRunOnce: [SpybotDeletingD4601] cmd.exe /c del "c:\windows\system32\SKYNETnthuejwo.dll_old"
uRunOnce: [SpybotDeletingB4446] command.com /c del "c:\windows\system32\SKYNETnthuejwo.dll"
uRunOnce: [SpybotDeletingD4865] cmd.exe /c del "c:\windows\system32\SKYNETnthuejwo.dll"
uRunOnce: [SpybotDeletingB7129] command.com /c del "c:\windows\system32\SKYNETvoyxodtp.dll_old"
uRunOnce: [SpybotDeletingD1728] cmd.exe /c del "c:\windows\system32\SKYNETvoyxodtp.dll_old"
uRunOnce: [SpybotDeletingB2831] command.com /c del "c:\windows\system32\SKYNETvoyxodtp.dll"
uRunOnce: [SpybotDeletingD4784] cmd.exe /c del "c:\windows\system32\SKYNETvoyxodtp.dll"
uRunOnce: [SpybotDeletingB4475] command.com /c del "c:\windows\system32\SKYNEToddvitxs.dat_old"
uRunOnce: [SpybotDeletingD9741] cmd.exe /c del "c:\windows\system32\SKYNEToddvitxs.dat_old"
uRunOnce: [SpybotDeletingB7540] command.com /c del "c:\windows\system32\SKYNEToddvitxs.dat"
uRunOnce: [SpybotDeletingD2346] cmd.exe /c del "c:\windows\system32\SKYNEToddvitxs.dat"
uRunOnce: [SpybotDeletingB8493] command.com /c del "c:\windows\system32\SKYNETynecoylf.dat_old"
uRunOnce: [SpybotDeletingD1571] cmd.exe /c del "c:\windows\system32\SKYNETynecoylf.dat_old"
uRunOnce: [SpybotDeletingB1982] command.com /c del "c:\windows\system32\SKYNETynecoylf.dat"
uRunOnce: [SpybotDeletingD5833] cmd.exe /c del "c:\windows\system32\SKYNETynecoylf.dat"
uRunOnce: [SpybotDeletingB4508] command.com /c del "c:\windows\system32\drivers\SKYNETsdmpwmnm.sys_old"
uRunOnce: [SpybotDeletingD6760] cmd.exe /c del "c:\windows\system32\drivers\SKYNETsdmpwmnm.sys_old"
uRunOnce: [SpybotDeletingB5933] command.com /c del "c:\windows\system32\drivers\SKYNETsdmpwmnm.sys"
uRunOnce: [SpybotDeletingD4433] cmd.exe /c del "c:\windows\system32\drivers\SKYNETsdmpwmnm.sys"
uRunOnce: [SpybotDeletingB4419] command.com /c del "c:\windows\system32\SKYNETnthuejwo.dll_old"
uRunOnce: [SpybotDeletingD1946] cmd.exe /c del "c:\windows\system32\SKYNETnthuejwo.dll_old"
uRunOnce: [SpybotDeletingB9361] command.com /c del "c:\windows\system32\SKYNETnthuejwo.dll"
uRunOnce: [SpybotDeletingD8823] cmd.exe /c del "c:\windows\system32\SKYNETnthuejwo.dll"
uRunOnce: [SpybotDeletingB8106] command.com /c del "c:\windows\system32\SKYNETvoyxodtp.dll_old"
uRunOnce: [SpybotDeletingD2422] cmd.exe /c del "c:\windows\system32\SKYNETvoyxodtp.dll_old"
uRunOnce: [SpybotDeletingB3925] command.com /c del "c:\windows\system32\SKYNETvoyxodtp.dll"
uRunOnce: [SpybotDeletingD436] cmd.exe /c del "c:\windows\system32\SKYNETvoyxodtp.dll"
uRunOnce: [SpybotDeletingB5882] command.com /c del "c:\windows\system32\SKYNEToddvitxs.dat_old"
uRunOnce: [SpybotDeletingD894] cmd.exe /c del "c:\windows\system32\SKYNEToddvitxs.dat_old"
uRunOnce: [SpybotDeletingB9144] command.com /c del "c:\windows\system32\SKYNEToddvitxs.dat"
uRunOnce: [SpybotDeletingD5608] cmd.exe /c del "c:\windows\system32\SKYNEToddvitxs.dat"
uRunOnce: [SpybotDeletingB1862] command.com /c del "c:\windows\system32\SKYNETynecoylf.dat_old"
uRunOnce: [SpybotDeletingD8074] cmd.exe /c del "c:\windows\system32\SKYNETynecoylf.dat_old"
uRunOnce: [SpybotDeletingB6562] command.com /c del "c:\windows\system32\SKYNETynecoylf.dat"
uRunOnce: [SpybotDeletingD8575] cmd.exe /c del "c:\windows\system32\SKYNETynecoylf.dat"
uRunOnce: [SpybotDeletingB8689] command.com /c del "c:\windows\system32\drivers\SKYNETsdmpwmnm.sys_old"
uRunOnce: [SpybotDeletingD5401] cmd.exe /c del "c:\windows\system32\drivers\SKYNETsdmpwmnm.sys_old"
uRunOnce: [SpybotDeletingB9060] command.com /c del "c:\windows\system32\drivers\SKYNETsdmpwmnm.sys"
uRunOnce: [SpybotDeletingD5174] cmd.exe /c del "c:\windows\system32\drivers\SKYNETsdmpwmnm.sys"
uRunOnce: [SpybotDeletingB1658] command.com /c del "c:\windows\system32\SKYNETnthuejwo.dll_old"
uRunOnce: [SpybotDeletingD2886] cmd.exe /c del "c:\windows\system32\SKYNETnthuejwo.dll_old"
uRunOnce: [SpybotDeletingB9059] command.com /c del "c:\windows\system32\SKYNETnthuejwo.dll"
uRunOnce: [SpybotDeletingD375] cmd.exe /c del "c:\windows\system32\SKYNETnthuejwo.dll"
uRunOnce: [SpybotDeletingB9628] command.com /c del "c:\windows\system32\SKYNETvoyxodtp.dll_old"
uRunOnce: [SpybotDeletingD3286] cmd.exe /c del "c:\windows\system32\SKYNETvoyxodtp.dll_old"
uRunOnce: [SpybotDeletingB8017] command.com /c del "c:\windows\system32\SKYNETvoyxodtp.dll"
uRunOnce: [SpybotDeletingD5792] cmd.exe /c del "c:\windows\system32\SKYNETvoyxodtp.dll"
uRunOnce: [SpybotDeletingB4316] command.com /c del "c:\windows\system32\SKYNEToddvitxs.dat_old"
uRunOnce: [SpybotDeletingD3165] cmd.exe /c del "c:\windows\system32\SKYNEToddvitxs.dat_old"
uRunOnce: [SpybotDeletingB165] command.com /c del "c:\windows\system32\SKYNEToddvitxs.dat"
uRunOnce: [SpybotDeletingD2274] cmd.exe /c del "c:\windows\system32\SKYNEToddvitxs.dat"
uRunOnce: [SpybotDeletingB8995] command.com /c del "c:\windows\system32\SKYNETynecoylf.dat_old"
uRunOnce: [SpybotDeletingD7756] cmd.exe /c del "c:\windows\system32\SKYNETynecoylf.dat_old"
uRunOnce: [SpybotDeletingB2986] command.com /c del "c:\windows\system32\SKYNETynecoylf.dat"
uRunOnce: [SpybotDeletingD4671] cmd.exe /c del "c:\windows\system32\SKYNETynecoylf.dat"
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [TpShocks] TpShocks.exe
mRun: [TPHOTKEY] c:\progra~1\thinkpad\pkgmgr\hotkey\TPHKMGR.exe
mRun: [ControlCenter] "c:\program files\ibm fingerprint software\ctlcntr.exe" /startup
mRun: [TP4EX] tp4ex.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [ibmmessages] c:\program files\ibm\messages by ibm\\ibmmessages.exe
mRun: [IBMPRC] c:\ibmtools\utils\ibmprc.exe
mRun: [QCWLICON] c:\program files\thinkpad\connectutilities\QCWLICON.EXE
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_07\bin\jusched.exe
mRun: [QCTRAY] c:\program files\thinkpad\connectutilities\QCTRAY.EXE
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [IndexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\paperport\11\config\ereg\Ereg.ini
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRunOnce: [SpybotDeletingA5793] command.com /c del "c:\windows\system32\drivers\SKYNETsdmpwmnm.sys_old"
mRunOnce: [SpybotDeletingC7754] cmd.exe /c del "c:\windows\system32\drivers\SKYNETsdmpwmnm.sys_old"
mRunOnce: [SpybotDeletingA1983] command.com /c del "c:\windows\system32\drivers\SKYNETsdmpwmnm.sys"
mRunOnce: [SpybotDeletingC2996] cmd.exe /c del "c:\windows\system32\drivers\SKYNETsdmpwmnm.sys"
mRunOnce: [SpybotDeletingA1667] command.com /c del "c:\windows\system32\SKYNETnthuejwo.dll_old"
mRunOnce: [SpybotDeletingC4386] cmd.exe /c del "c:\windows\system32\SKYNETnthuejwo.dll_old"
mRunOnce: [SpybotDeletingA2980] command.com /c del "c:\windows\system32\SKYNETnthuejwo.dll"
mRunOnce: [SpybotDeletingC5919] cmd.exe /c del "c:\windows\system32\SKYNETnthuejwo.dll"
mRunOnce: [SpybotDeletingA4848] command.com /c del "c:\windows\system32\SKYNETvoyxodtp.dll_old"
mRunOnce: [SpybotDeletingC4543] cmd.exe /c del "c:\windows\system32\SKYNETvoyxodtp.dll_old"
mRunOnce: [SpybotDeletingA1529] command.com /c del "c:\windows\system32\SKYNETvoyxodtp.dll"
mRunOnce: [SpybotDeletingC4943] cmd.exe /c del "c:\windows\system32\SKYNETvoyxodtp.dll"
mRunOnce: [SpybotDeletingA2613] command.com /c del "c:\windows\system32\SKYNEToddvitxs.dat_old"
mRunOnce: [SpybotDeletingC2663] cmd.exe /c del "c:\windows\system32\SKYNEToddvitxs.dat_old"
mRunOnce: [SpybotDeletingA667] command.com /c del "c:\windows\system32\SKYNEToddvitxs.dat"
mRunOnce: [SpybotDeletingC3180] cmd.exe /c del "c:\windows\system32\SKYNEToddvitxs.dat"
mRunOnce: [SpybotDeletingA9320] command.com /c del "c:\windows\system32\SKYNETynecoylf.dat_old"
mRunOnce: [SpybotDeletingC1149] cmd.exe /c del "c:\windows\system32\SKYNETynecoylf.dat_old"
mRunOnce: [SpybotDeletingA4557] command.com /c del "c:\windows\system32\SKYNETynecoylf.dat"
mRunOnce: [SpybotDeletingC4141] cmd.exe /c del "c:\windows\system32\SKYNETynecoylf.dat"
mRunOnce: [SpybotDeletingA6559] command.com /c del "c:\windows\system32\drivers\SKYNETsdmpwmnm.sys_old"
mRunOnce: [SpybotDeletingC8828] cmd.exe /c del "c:\windows\system32\drivers\SKYNETsdmpwmnm.sys_old"
mRunOnce: [SpybotDeletingA952] command.com /c del "c:\windows\system32\drivers\SKYNETsdmpwmnm.sys"
mRunOnce: [SpybotDeletingC5325] cmd.exe /c del "c:\windows\system32\drivers\SKYNETsdmpwmnm.sys"
mRunOnce: [SpybotDeletingA9500] command.com /c del "c:\windows\system32\SKYNETnthuejwo.dll_old"
mRunOnce: [SpybotDeletingC4054] cmd.exe /c del "c:\windows\system32\SKYNETnthuejwo.dll_old"
mRunOnce: [SpybotDeletingA7346] command.com /c del "c:\windows\system32\SKYNETnthuejwo.dll"
mRunOnce: [SpybotDeletingC4585] cmd.exe /c del "c:\windows\system32\SKYNETnthuejwo.dll"
mRunOnce: [SpybotDeletingA7020] command.com /c del "c:\windows\system32\SKYNETvoyxodtp.dll_old"
mRunOnce: [SpybotDeletingC3007] cmd.exe /c del "c:\windows\system32\SKYNETvoyxodtp.dll_old"
mRunOnce: [SpybotDeletingA8786] command.com /c del "c:\windows\system32\SKYNETvoyxodtp.dll"
mRunOnce: [SpybotDeletingC9739] cmd.exe /c del "c:\windows\system32\SKYNETvoyxodtp.dll"
mRunOnce: [SpybotDeletingA3447] command.com /c del "c:\windows\system32\SKYNEToddvitxs.dat_old"
mRunOnce: [SpybotDeletingC3858] cmd.exe /c del "c:\windows\system32\SKYNEToddvitxs.dat_old"
mRunOnce: [SpybotDeletingA8256] command.com /c del "c:\windows\system32\SKYNEToddvitxs.dat"
mRunOnce: [SpybotDeletingC6793] cmd.exe /c del "c:\windows\system32\SKYNEToddvitxs.dat"
mRunOnce: [SpybotDeletingA3009] command.com /c del "c:\windows\system32\SKYNETynecoylf.dat_old"
mRunOnce: [SpybotDeletingC6894] cmd.exe /c del "c:\windows\system32\SKYNETynecoylf.dat_old"
mRunOnce: [SpybotDeletingA7811] command.com /c del "c:\windows\system32\SKYNETynecoylf.dat"
mRunOnce: [SpybotDeletingC7811] cmd.exe /c del "c:\windows\system32\SKYNETynecoylf.dat"
mRunOnce: [SpybotDeletingA6593] command.com /c del "c:\windows\system32\drivers\SKYNETsdmpwmnm.sys_old"
mRunOnce: [SpybotDeletingC4812] cmd.exe /c del "c:\windows\system32\drivers\SKYNETsdmpwmnm.sys_old"
mRunOnce: [SpybotDeletingA6307] command.com /c del "c:\windows\system32\drivers\SKYNETsdmpwmnm.sys"
mRunOnce: [SpybotDeletingC4618] cmd.exe /c del "c:\windows\system32\drivers\SKYNETsdmpwmnm.sys"
mRunOnce: [SpybotDeletingA13] command.com /c del "c:\windows\system32\SKYNETnthuejwo.dll_old"
mRunOnce: [SpybotDeletingC866] cmd.exe /c del "c:\windows\system32\SKYNETnthuejwo.dll_old"
mRunOnce: [SpybotDeletingA8642] command.com /c del "c:\windows\system32\SKYNETnthuejwo.dll"
mRunOnce: [SpybotDeletingC8112] cmd.exe /c del "c:\windows\system32\SKYNETnthuejwo.dll"
mRunOnce: [SpybotDeletingA5006] command.com /c del "c:\windows\system32\SKYNETvoyxodtp.dll_old"
mRunOnce: [SpybotDeletingC6618] cmd.exe /c del "c:\windows\system32\SKYNETvoyxodtp.dll_old"
mRunOnce: [SpybotDeletingA3078] command.com /c del "c:\windows\system32\SKYNETvoyxodtp.dll"
mRunOnce: [SpybotDeletingC6725] cmd.exe /c del "c:\windows\system32\SKYNETvoyxodtp.dll"
mRunOnce: [SpybotDeletingA1399] command.com /c del "c:\windows\system32\SKYNEToddvitxs.dat_old"
mRunOnce: [SpybotDeletingC438] cmd.exe /c del "c:\windows\system32\SKYNEToddvitxs.dat_old"
mRunOnce: [SpybotDeletingA366] command.com /c del "c:\windows\system32\SKYNEToddvitxs.dat"
mRunOnce: [SpybotDeletingC8879] cmd.exe /c del "c:\windows\system32\SKYNEToddvitxs.dat"
mRunOnce: [SpybotDeletingA4028] command.com /c del "c:\windows\system32\SKYNETynecoylf.dat_old"
mRunOnce: [SpybotDeletingC9076] cmd.exe /c del "c:\windows\system32\SKYNETynecoylf.dat_old"
mRunOnce: [SpybotDeletingA4787] command.com /c del "c:\windows\system32\SKYNETynecoylf.dat"
mRunOnce: [SpybotDeletingC4478] cmd.exe /c del "c:\windows\system32\SKYNETynecoylf.dat"
mRunOnce: [SpybotDeletingA1831] command.com /c del "c:\windows\system32\drivers\SKYNETsdmpwmnm.sys_old"
mRunOnce: [SpybotDeletingC8806] cmd.exe /c del "c:\windows\system32\drivers\SKYNETsdmpwmnm.sys_old"
mRunOnce: [SpybotDeletingA9847] command.com /c del "c:\windows\system32\drivers\SKYNETsdmpwmnm.sys"
mRunOnce: [SpybotDeletingC3973] cmd.exe /c del "c:\windows\system32\drivers\SKYNETsdmpwmnm.sys"
mRunOnce: [SpybotDeletingA5897] command.com /c del "c:\windows\system32\SKYNETnthuejwo.dll_old"
mRunOnce: [SpybotDeletingC315] cmd.exe /c del "c:\windows\system32\SKYNETnthuejwo.dll_old"
mRunOnce: [SpybotDeletingA7642] command.com /c del "c:\windows\system32\SKYNETnthuejwo.dll"
mRunOnce: [SpybotDeletingC1115] cmd.exe /c del "c:\windows\system32\SKYNETnthuejwo.dll"
mRunOnce: [SpybotDeletingA8765] command.com /c del "c:\windows\system32\SKYNETvoyxodtp.dll_old"
mRunOnce: [SpybotDeletingC886] cmd.exe /c del "c:\windows\system32\SKYNETvoyxodtp.dll_old"
mRunOnce: [SpybotDeletingA90] command.com /c del "c:\windows\system32\SKYNETvoyxodtp.dll"
mRunOnce: [SpybotDeletingC1308] cmd.exe /c del "c:\windows\system32\SKYNETvoyxodtp.dll"
mRunOnce: [SpybotDeletingA3879] command.com /c del "c:\windows\system32\SKYNEToddvitxs.dat_old"
mRunOnce: [SpybotDeletingC1881] cmd.exe /c del "c:\windows\system32\SKYNEToddvitxs.dat_old"
mRunOnce: [SpybotDeletingA2304] command.com /c del "c:\windows\system32\SKYNEToddvitxs.dat"
mRunOnce: [SpybotDeletingC1468] cmd.exe /c del "c:\windows\system32\SKYNEToddvitxs.dat"
mRunOnce: [SpybotDeletingA6135] command.com /c del "c:\windows\system32\SKYNETynecoylf.dat_old"
mRunOnce: [SpybotDeletingC7798] cmd.exe /c del "c:\windows\system32\SKYNETynecoylf.dat_old"
mRunOnce: [SpybotDeletingA5689] command.com /c del "c:\windows\system32\SKYNETynecoylf.dat"
mRunOnce: [SpybotDeletingC6709] cmd.exe /c del "c:\windows\system32\SKYNETynecoylf.dat"
mRunOnce: [SpybotDeletingA6802] command.com /c del "c:\windows\system32\drivers\SKYNETsdmpwmnm.sys_old"
mRunOnce: [SpybotDeletingC6694] cmd.exe /c del "c:\windows\system32\drivers\SKYNETsdmpwmnm.sys_old"
mRunOnce: [SpybotDeletingA818] command.com /c del "c:\windows\system32\drivers\SKYNETsdmpwmnm.sys"
mRunOnce: [SpybotDeletingC8568] cmd.exe /c del "c:\windows\system32\drivers\SKYNETsdmpwmnm.sys"
mRunOnce: [SpybotDeletingA3325] command.com /c del "c:\windows\system32\SKYNETnthuejwo.dll_old"
mRunOnce: [SpybotDeletingC7346] cmd.exe /c del "c:\windows\system32\SKYNETnthuejwo.dll_old"
mRunOnce: [SpybotDeletingA5167] command.com /c del "c:\windows\system32\SKYNETnthuejwo.dll"
mRunOnce: [SpybotDeletingC160] cmd.exe /c del "c:\windows\system32\SKYNETnthuejwo.dll"
mRunOnce: [SpybotDeletingA6705] command.com /c del "c:\windows\system32\SKYNETvoyxodtp.dll_old"
mRunOnce: [SpybotDeletingC1222] cmd.exe /c del "c:\windows\system32\SKYNETvoyxodtp.dll_old"
mRunOnce: [SpybotDeletingA8631] command.com /c del "c:\windows\system32\SKYNETvoyxodtp.dll"
mRunOnce: [SpybotDeletingC2617] cmd.exe /c del "c:\windows\system32\SKYNETvoyxodtp.dll"
mRunOnce: [SpybotDeletingA5475] command.com /c del "c:\windows\system32\SKYNEToddvitxs.dat_old"
mRunOnce: [SpybotDeletingC9243] cmd.exe /c del "c:\windows\system32\SKYNEToddvitxs.dat_old"
mRunOnce: [SpybotDeletingA8943] command.com /c del "c:\windows\system32\SKYNEToddvitxs.dat"
mRunOnce: [SpybotDeletingC1857] cmd.exe /c del "c:\windows\system32\SKYNEToddvitxs.dat"
mRunOnce: [SpybotDeletingA8287] command.com /c del "c:\windows\system32\SKYNETynecoylf.dat_old"
mRunOnce: [SpybotDeletingC1339] cmd.exe /c del "c:\windows\system32\SKYNETynecoylf.dat_old"
mRunOnce: [SpybotDeletingA7869] command.com /c del "c:\windows\system32\SKYNETynecoylf.dat"
mRunOnce: [SpybotDeletingC2573] cmd.exe /c del "c:\windows\system32\SKYNETynecoylf.dat"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bttray.lnk - c:\program files\ibm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickbooks update agent.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: Add to AD Black List
IE: Block All Images from the Same Server
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Highlight
IE: Open All Links in This Page...
IE: Open In New Avant Browser
IE: Search
IE: Send To &Bluetooth - c:\program files\ibm\bluetooth software\btsendto_ie_ctx.htm
IE: {32A32D38-B8ED-4b3f-AFD0-EF23B697B5C1} - c:\program files\travelaxe\Travelaxe.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - hxxp://dl.tvunetworks.com/TVUAx.cab
DPF: {56393399-041A-4650-94C7-13DFCB1F4665} - hxxp://home3.ca.com/PestPatrol/uniblue/pestscan/pestscan.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18}
DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} - hxxp://www.tvucricket.com/player/vjocx-en.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - c:\windows\system32\BTXPPanel.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: psfus - c:\program files\ibm fingerprint software\psfus.dll
Notify: QConGina - QConGina.dll
Notify: tphotkey - tphklock.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File
LSA: Authentication Packages = msv1_0 c:\windows\system32\iifDUNHx
LSA: Notification Packages = scecli pwdmon c:\windows\system32\rujidovo.dll c:\windows\system32\sijoluja.dll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\venupo~1\applic~1\mozilla\firefox\profiles\uqbsexaa.default\
FF - plugin: c:\documents and settings\venu potluri\application data\mozilla\firefox\profiles\uqbsexaa.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\venu potluri\application data\mozilla\firefox\profiles\uqbsexaa.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000004.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPJinit13123.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMySrWB.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
============= SERVICES / DRIVERS ===============
R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [2005-6-22 59776]
R0 TPDiskPM;TPDiskPM;c:\windows\system32\drivers\TPDiskPM.sys [2005-6-22 14208]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2005-6-22 11520]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.SYS [2005-6-22 2432]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-11-17 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-11-17 74480]
R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [2005-6-22 4608]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [2005-6-22 4442]
R2 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [2004-12-16 63616]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-11-17 7408]
R3 TPInput;TPInput;c:\windows\system32\drivers\TPInput.sys [2005-6-22 6016]
S1 8fcc9dbc.sys;8fcc9dbc.sys;\??\c:\windows\system32\drivers\8fcc9dbc.sys --> c:\windows\system32\drivers\8fcc9dbc.sys [?]
S1 SDManager;SDManager;\??\c:\program files\spywaredetector\sdmanager.sys --> c:\program files\spywaredetector\SDManager.sys [?]
S2 AntipPro2009_100;AntipyProex;c:\windows\svchast.exe --> c:\windows\svchast.exe [?]
S2 dgigpk;dgigpk;c:\windows\system32\drivers\llqtmah.sys --> c:\windows\system32\drivers\llqtmah.sys [?]
S2 vvdsvc;VJVodClientServices;c:\windows\system32\svchost.exe -k vvdsvc [1980-1-1 14336]
S2 xaoesoee;Direct Parallel Link Helper;c:\windows\system32\svchost.exe -k netsvcs [1980-1-1 14336]
S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [2005-6-22 12288]
S4 Oracle9iClientClientCache;Oracle9iClientClientCache; [x]
UnknownUnknown dsload;dsload; [x]
=============== Created Last 30 ================
2009-08-16 12:04 <DIR> --d----- C:\registry backup
2009-08-16 08:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\RegCure
2009-08-15 22:58 <DIR> --d----- c:\docume~1\venupo~1\applic~1\AVG8
2009-08-15 21:02 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-08-15 21:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-08-15 13:14 54,156 a---h--- c:\windows\QTFont.qfn
2009-08-15 13:14 1,409 a------- c:\windows\QTFont.for
2009-08-11 19:10 128,512 -------- c:\windows\system32\dllcache\dhtmled.ocx
2009-08-11 19:10 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll
2009-08-07 19:54 1,089,593 -------- c:\windows\system32\dllcache\ntprint.cat
2009-08-07 06:42 <DIR> --d----- c:\windows\system32\XPSViewer
2009-08-07 06:40 597,504 -------- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-07 06:40 117,760 -------- c:\windows\system32\prntvpt.dll
2009-08-07 06:40 89,088 -------- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-07 06:40 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-08-07 06:40 575,488 -------- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-07 06:40 <DIR> --d----- C:\c45970b3e444a0af6f0dc93b22
2009-08-07 06:40 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-08-07 06:40 1,676,288 -------- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-07 06:39 <DIR> --d----- c:\windows\SxsCaPendDel
2009-08-05 05:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-23 21:27 <DIR> --d----- c:\docume~1\venupo~1\applic~1\pokerth
2009-07-23 21:26 <DIR> --d----- c:\program files\PokerTH
==================== Find3M ====================
2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-03 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-18 12:05 3,069,440 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-18 12:05 1,509,888 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 15:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-13 10:08 286,720 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 10:08 286,720 a------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-13 10:08 5,537,792 a------- c:\windows\system32\dllcache\wmp.dll
2009-06-26 12:50 666,624 a------- c:\windows\system32\wininet.dll
2009-06-26 12:50 666,624 -------- c:\windows\system32\dllcache\wininet.dll
2009-06-26 12:50 620,032 -------- c:\windows\system32\dllcache\urlmon.dll
2009-06-26 12:50 81,920 a------- c:\windows\system32\ieencode.dll
2009-06-26 12:50 81,920 -------- c:\windows\system32\dllcache\ieencode.dll
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-16 10:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 10:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-14 09:57 102,088 a------- c:\docume~1\venupo~1\applic~1\GDIPFONTCACHEV1.DAT
2009-06-12 08:31 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 08:31 80,896 -------- c:\windows\system32\dllcache\tlntsess.exe
2009-06-12 08:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-12 08:31 76,288 -------- c:\windows\system32\dllcache\telnet.exe
2009-06-10 10:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 10:13 84,992 -------- c:\windows\system32\dllcache\avifil32.dll
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 09:19 2,066,432 -------- c:\windows\system32\dllcache\mstscax.dll
2009-06-10 02:14 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-10 02:14 132,096 -------- c:\windows\system32\dllcache\wkssvc.dll
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-03 15:09 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll
2008-06-06 10:54 393 a------- c:\program files\Shortcut to Program Files.lnk
============= FINISH: 21:48:11.28 ===============
Attach.txt is attached in this post.
GMER Log
GMER 1.0.15.15077 [g43t6kf3.exe] - http://www.gmer.net
Rootkit scan 2009-08-19 22:32:58
Windows 5.1.2600 Service Pack 3
---- System - GMER 1.0.15 ----
Code 8A6441B0 ZwEnumerateKey
Code 8A633110 ZwFlushInstructionCache
Code 8A63D10E IofCallDriver
Code 8A62A1AE IofCompleteRequest
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!IofCallDriver 804EE130 5 Bytes JMP 8A63D113
.text ntkrnlpa.exe!IofCompleteRequest 804EE1C0 5 Bytes JMP 8A62A1B3
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805ABEC4 5 Bytes JMP 8A633114
PAGE ntkrnlpa.exe!ZwEnumerateKey 8061AB70 5 Bytes JMP 8A6441B4
---- User code sections - GMER 1.0.15 ----
.text C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe[236] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 003E000A
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[252] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 006E000A
.text C:\WINDOWS\system32\Ati2evxx.exe[396] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0097000A
.text C:\WINDOWS\system32\svchost.exe[488] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0067000A
.text C:\WINDOWS\system32\winlogon.exe[652] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0063000A
.text ...
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 TPInput.sys (IBM SATA Power Management Driver/IBM Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 TPInput.sys (IBM SATA Power Management Driver/IBM Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
Device \FileSystem\Fastfat \Fat B18E2D20
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
---- Files - GMER 1.0.15 ----
File C:\Program Files\Java\jre1.5.0_07\lib\security\acrobatPI.log 114012 bytes
File C:\Program Files\Java\jre1.5.0_07\lib\security\AdobeUpdaterPrefs.dat 449 bytes
File C:\Program Files\Java\jre1.5.0_07\lib\security\Data 0 bytes
File C:\Program Files\Java\jre1.5.0_07\lib\security\Install 0 bytes
---- EOF - GMER 1.0.15 ----
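One way to read the hook lines above mechanically, as an added example that is not part of the original post and not GMER's own code: it parses the `Code` entries (code GMER found in memory that no loaded module accounts for) and the inline `JMP` hooks, and reports every hook whose target lands in one of those unbacked stubs, or far away from the function that was patched. The sample input is copied from the GMER log above (user-mode lines trimmed to two); the 16-byte stub window and the 16 MiB "no image is larger than this" cut-off are assumptions of the example, not GMER's rules.

```python
"""Triage the hook lines in a GMER log.

Added example, not part of the original post and not GMER's own code.  The
constructed input below is copied from the GMER log posted above; the
classification thresholds (stub window, maximum plausible module span) are
this example's assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: lines taken from the GMER log above (user-mode lines trimmed to two).
SAMPLE_LOG = """\
---- System - GMER 1.0.15 ----
Code 8A6441B0 ZwEnumerateKey
Code 8A633110 ZwFlushInstructionCache
Code 8A63D10E IofCallDriver
Code 8A62A1AE IofCompleteRequest
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!IofCallDriver 804EE130 5 Bytes JMP 8A63D113
.text ntkrnlpa.exe!IofCompleteRequest 804EE1C0 5 Bytes JMP 8A62A1B3
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805ABEC4 5 Bytes JMP 8A633114
PAGE ntkrnlpa.exe!ZwEnumerateKey 8061AB70 5 Bytes JMP 8A6441B4
---- User code sections - GMER 1.0.15 ----
.text C:\\WINDOWS\\system32\\svchost.exe[488] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0067000A
.text C:\\WINDOWS\\system32\\winlogon.exe[652] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0063000A
"""

# "Code <addr> <symbol>": code GMER found in memory that no loaded module accounts for.
CODE_RE = re.compile(r"^Code\s+([0-9A-Fa-f]{8})\s+(\S+)\s*$")
# "<section> [<process>[pid]] <module>!<symbol> <addr> <n> Bytes JMP <target>"
HOOK_RE = re.compile(
    r"^(?P<section>\S+)\s+(?:(?P<process>.+?\[\d+\])\s+)?"
    r"(?P<function>\S+!\S+)\s+(?P<addr>[0-9A-Fa-f]{8})\s+"
    r"(?P<size>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]{8})\s*$"
)

MAX_MODULE_SPAN = 16 * 1024 * 1024  # assumption: no legitimate driver/DLL image exceeds 16 MiB
STUB_WINDOW = 16                    # assumption: a JMP into a stub lands within 16 bytes of its start


@dataclass(frozen=True)
class Hook:
    scope: str              # "kernel" or "user"
    process: Optional[str]  # "path[pid]" for user-mode hooks, None for kernel hooks
    function: str           # "module!symbol" that was patched
    address: int            # patched address inside the module
    target: int             # where the 5-byte JMP lands


def parse_gmer(text: str) -> tuple[dict[int, str], list[Hook]]:
    """Return (unbacked code stubs by address, inline hooks) from GMER output."""
    stubs: dict[int, str] = {}
    hooks: list[Hook] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = CODE_RE.match(line)
        if m:
            stubs[int(m.group(1), 16)] = m.group(2)
            continue
        m = HOOK_RE.match(line)
        if m:
            process = m.group("process")
            hooks.append(Hook(
                scope="user" if process else "kernel",
                process=process,
                function=m.group("function"),
                address=int(m.group("addr"), 16),
                target=int(m.group("target"), 16),
            ))
    return stubs, hooks


def triage(stubs: dict[int, str], hooks: list[Hook]) -> list[tuple[Hook, str]]:
    """Return (hook, reason) for every hook that deserves a second look."""
    findings: list[tuple[Hook, str]] = []
    for h in hooks:
        # Strongest signal: the JMP lands inside memory GMER could not attribute to any module.
        stub = next((a for a in stubs if a <= h.target < a + STUB_WINDOW), None)
        if stub is not None:
            findings.append((h, f"JMP lands in unbacked code stub 0x{stub:08X} ({stubs[stub]})"))
        # Weaker signal: the target is further from the patched function than any image could span.
        elif abs(h.target - h.address) > MAX_MODULE_SPAN:
            findings.append((h, f"JMP target 0x{h.target:08X} is far outside the hooked module"))
    return findings


def user_hook_summary(hooks: list[Hook]) -> dict[str, list[str]]:
    """Which user-mode functions are hooked, and in which processes."""
    summary: dict[str, list[str]] = {}
    for h in hooks:
        if h.scope == "user" and h.process is not None:
            summary.setdefault(h.function, []).append(h.process)
    return summary


if __name__ == "__main__":
    stubs, hooks = parse_gmer(SAMPLE_LOG)
    for hook, reason in triage(stubs, hooks):
        print(f"[{hook.scope}] {hook.function} @ 0x{hook.address:08X} in {hook.process or 'kernel'}: {reason}")
    for func, procs in user_hook_summary(hooks).items():
        print(f"{func} hooked in {len(procs)} process(es)")
```

On the log above, all four kernel hooks land a few bytes into the `Code` stubs GMER listed, i.e. in memory that no driver owns; that correlation, rather than the names of the hooked functions on their own, is what separates a rootkit detour from a legitimate filter driver. The `LdrLoadDll` hooks present in every process and pointing at low, non-module addresses are consistent with system-wide code injection, but security products and input-method software do the same thing, so the summary only counts them and draws no conclusion.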
Hi again,
Please visit this webpage for download links, and instructions for running ComboFix tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should see a blue screen prompt that says:
The Recovery Console was successfully installed.
Please continue as follows:
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix (see http://www.bleepingcomputer.com/forums/topic114351.html).
Remember to re-enable them afterwards.
Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please include the following reports for further review, and so we may continue cleansing the system:
C:\ComboFix.txt
New dds.txt log.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
Here is ComboFix.txt
ComboFix 09-08-21.02 - ********** 08/22/2009 9:23.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1670 [GMT -4:00]
Running from: c:\documents and settings\**********\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\99181246.ini
C:\p2hhr.bat
c:\windows\Downloaded Program Files\Quarantine
c:\windows\Installer\596f532.msp
c:\windows\ppp3.dat
c:\windows\ppp4.dat
c:\windows\system\SysSD.dll
c:\windows\system32\abomegis.ini
c:\windows\system32\bennuar.old
c:\windows\system32\bszip.dll
c:\windows\system32\dddesot.dll
c:\windows\system32\desot.exe
c:\windows\system32\drivers\SKYNETsdmpwmnm.sys
c:\windows\system32\drivers\SKYNETwbmlwhkl.sys.vir
c:\windows\system32\fMlmonpo.ini
c:\windows\system32\MabryObj.dll
c:\windows\system32\pwdmon.dll
c:\windows\system32\SKYNETnthuejwo.dll
c:\windows\system32\SKYNEToddvitxs.dat
c:\windows\system32\SKYNETvoyxodtp.dll
c:\windows\system32\SKYNETynecoylf.dat
c:\windows\system32\sysnet.dat
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_SKYNETtaeyowtt
-------\Legacy_SKYNETtaeyowtt
-------\Legacy_TDSSSERV.SYS
((((((((((((((((((((((((( Files Created from 2009-07-22 to 2009-08-22 )))))))))))))))))))))))))))))))
.
2009-08-16 16:04 . 2009-08-16 16:04 -------- d-----w- C:\registry backup
2009-08-16 16:03 . 2009-08-16 16:04 -------- d-----w- c:\program files\ERUNT
2009-08-16 02:58 . 2009-08-16 02:58 -------- d-----w- c:\documents and settings\**********\Application Data\AVG8
2009-08-16 01:02 . 2009-08-22 11:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-16 01:02 . 2009-08-16 01:04 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-12 19:14 . 2009-08-06 17:11 2492728 ----a-w- c:\documents and settings\**********\Application Data\Mozilla\Firefox\Profiles\uqbsexaa.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
2009-08-12 19:14 . 2008-03-04 22:52 286720 ----a-w- c:\documents and settings\**********\Application Data\Mozilla\Firefox\Profiles\uqbsexaa.default\extensions\firefox@tvunetworks.com\plugins\libcurl.dll
2009-08-12 19:14 . 2007-10-31 13:39 59904 ----a-w- c:\documents and settings\**********\Application Data\Mozilla\Firefox\Profiles\uqbsexaa.default\extensions\firefox@tvunetworks.com\plugins\zlib1.dll
2009-08-12 19:14 . 2007-05-17 17:58 143360 ----a-w- c:\documents and settings\**********\Application Data\Mozilla\Firefox\Profiles\uqbsexaa.default\extensions\firefox@tvunetworks.com\plugins\libexpatw.dll
2009-08-12 19:14 . 2006-10-18 21:32 499712 ----a-w- c:\documents and settings\**********\Application Data\Mozilla\Firefox\Profiles\uqbsexaa.default\extensions\firefox@tvunetworks.com\plugins\msvcp71.dll
2009-08-12 19:14 . 2006-10-18 21:32 348160 ----a-w- c:\documents and settings\**********\Application Data\Mozilla\Firefox\Profiles\uqbsexaa.default\extensions\firefox@tvunetworks.com\plugins\msvcr71.dll
2009-08-12 19:14 . 2006-10-16 22:44 196608 ----a-w- c:\documents and settings\**********\Application Data\Mozilla\Firefox\Profiles\uqbsexaa.default\extensions\firefox@tvunetworks.com\plugins\ssleay32.dll
2009-08-12 19:14 . 2006-10-16 22:44 1028096 ----a-w- c:\documents and settings\**********\Application Data\Mozilla\Firefox\Profiles\uqbsexaa.default\extensions\firefox@tvunetworks.com\plugins\libeay32.dll
2009-08-11 23:10 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-07 10:42 . 2009-08-07 10:42 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-07 10:42 . 2009-08-07 10:42 -------- d-----w- c:\program files\MSBuild
2009-08-07 10:41 . 2009-08-07 10:41 -------- d-----w- c:\program files\Reference Assemblies
2009-08-07 10:40 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-07 10:40 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-07 10:40 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-07 10:40 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-07 10:40 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-07 10:40 . 2009-08-07 10:41 -------- d-----w- C:\c45970b3e444a0af6f0dc93b22
2009-08-07 10:40 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-07 10:40 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-07 10:39 . 2009-08-07 13:14 -------- d-----w- c:\windows\SxsCaPendDel
2009-08-05 09:01 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-24 01:27 . 2009-07-24 01:27 -------- d-----w- c:\documents and settings\**********\Application Data\pokerth
2009-07-24 01:26 . 2009-07-24 01:27 -------- d-----w- c:\program files\PokerTH
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-22 10:26 . 2008-06-15 11:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-08-16 20:21 . 2009-03-21 13:17 117760 ----a-w- c:\documents and settings\**********\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-08-16 01:34 . 2009-05-19 01:25 -------- d-----w- c:\documents and settings\All Users\Application Data\19171254
2009-08-15 02:33 . 2008-05-25 13:10 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-11 01:58 . 2008-11-22 01:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-11 01:58 . 2008-12-29 12:11 3942048 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-08-10 01:24 . 2005-11-02 11:26 102088 ----a-w- c:\documents and settings\**********\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-09 13:00 . 2005-06-22 07:06 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-09 13:00 . 2009-02-09 15:15 -------- d-----w- c:\program files\Norton Security Scan
2009-08-09 11:23 . 2008-11-25 01:07 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-05 09:01 . 1980-01-01 07:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 17:36 . 2008-11-22 01:55 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 17:36 . 2008-11-22 01:55 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-22 10:42 . 2009-01-07 03:39 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2009-07-17 19:01 . 1980-01-01 07:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 14:08 . 1980-01-01 07:00 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-26 16:50 . 1980-01-01 07:00 666624 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:50 . 1980-01-01 07:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-16 14:36 . 1980-01-01 07:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 1980-01-01 07:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-13 12:46 . 2009-06-13 12:46 34 ----a-w- c:\windows\system32\bd9840cd.dat
2009-06-13 12:45 . 2009-06-13 12:45 50 ----a-w- c:\windows\system32\bd9840cn.dat
2009-06-12 12:31 . 1980-01-01 07:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 1980-01-01 07:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 1980-01-01 07:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2004-08-09 17:51 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 1980-01-01 07:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 19:09 . 1980-01-01 07:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2008-06-06 14:54 . 2008-06-06 14:54 393 ----a-w- c:\program files\Shortcut to Program Files.lnk
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ibmmessages"="c:\program files\IBM\Messages By IBM\ibmmessages.exe" [2004-08-06 442368]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-08 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-08 512000]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2004-02-05 897024]
"TPHOTKEY"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2005-03-04 94208]
"ControlCenter"="c:\program files\IBM fingerprint software\ctlcntr.exe" [2004-11-04 284766]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2004-11-24 212992]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-12-12 344064]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"ibmmessages"="c:\program files\IBM\Messages By IBM\\ibmmessages.exe" [2004-08-06 442368]
"IBMPRC"="c:\ibmtools\UTILS\ibmprc.exe" [2004-12-16 90112]
"QCWLICON"="c:\program files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2005-03-18 86016]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2004-12-21 135168]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_07\bin\jusched.exe" [2006-05-03 36975]
"QCTRAY"="c:\program files\ThinkPad\ConnectUtilities\QCTRAY.EXE" [2005-03-18 745472]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-09-02 127035]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-01-30 30248]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-01-30 46632]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-02-01 255528]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-05 630784]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-11-07 65536]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-09-27 180269]
"TpShocks"="TpShocks.exe" - c:\windows\system32\TpShocks.exe [2004-10-27 106496]
"TP4EX"="tp4ex.exe" - c:\windows\system32\TP4EX.exe [2004-11-12 40960]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
BTTray.lnk - c:\program files\IBM\Bluetooth Software\BTTray.exe [2004-10-1 565309]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-6-22 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-1-10 815104]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-01-26 02:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2004-11-04 16:51 108636 ----a-w- c:\program files\IBM fingerprint software\psfus.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
2005-03-18 10:07 262144 ----a-w- c:\windows\system32\QConGina.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2004-08-13 03:11 24576 ----a-w- c:\windows\system32\tphklock.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.exe
[HKLM\~\startupfolder\C:^Documents and Settings^**********^Start Menu^Programs^Startup^Run Clock G2.lnk]
backup=c:\windows\pss\Run Clock G2.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CPMbfd37ec1
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"UC_Start"=c:\program files\IBM\Updater\\ucstartup.exe
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\IBM\\Updater\\jre\\bin\\java.exe"=
"c:\\Program Files\\IBM\\Updater\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\IBM\\Updater\\ucsmb.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Quest Software\\Quest Central\\Plugins\\Load Generator\\ASA\\win32\\dbeng9.exe"=
"c:\\Program Files\\Exceed.nt\\exceed.exe"=
"c:\\Program Files\\Reflection\\Rx.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\msiexec.exe"=
"c:\\WINDOWS\\system32\\dla\\tfswctrl.exe"=
"c:\\Program Files\\Juniper Networks\\Common Files\\dsNcService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERANTISPYWARE.EXE"=
R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [6/22/2005 2:48 AM 59776]
R0 TPDiskPM;TPDiskPM;c:\windows\system32\drivers\TPDiskPM.sys [6/22/2005 2:48 AM 14208]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [11/17/2008 4:11 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/17/2008 4:11 PM 74480]
R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [6/22/2005 2:48 AM 4608]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [6/22/2005 3:18 AM 4442]
R2 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [12/16/2004 7:12 AM 63616]
R3 TPInput;TPInput;c:\windows\system32\drivers\TPInput.sys [6/22/2005 2:48 AM 6016]
S1 8fcc9dbc.sys;8fcc9dbc.sys;\??\c:\windows\System32\drivers\8fcc9dbc.sys --> c:\windows\System32\drivers\8fcc9dbc.sys [?]
S1 SDManager;SDManager;\??\c:\program files\SpywareDetector\SDManager.sys --> c:\program files\SpywareDetector\SDManager.sys [?]
S2 AntipPro2009_100;AntipyProex;c:\windows\svchast.exe --> c:\windows\svchast.exe [?]
S2 dgigpk;dgigpk;c:\windows\system32\drivers\llqtmah.sys --> c:\windows\system32\drivers\llqtmah.sys [?]
S2 xaoesoee;Direct Parallel Link Helper;c:\windows\System32\svchost.exe -k netsvcs [1/1/1980 3:00 AM 14336]
S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [6/22/2005 3:13 AM 12288]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/17/2008 4:11 PM 7408]
S4 Oracle9iClientClientCache;Oracle9iClientClientCache; [x]
UnknownUnknown dsload;dsload; [x]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
vvdsvc REG_MULTI_SZ vvdsvc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
xaoesoee
.
Contents of the 'Scheduled Tasks' folder
2009-07-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
2009-08-22 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-15 10:35]
2009-08-16 c:\windows\Tasks\Norton Security Scan for **********.job
- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 00:20]
2009-08-22 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2005-06-22 08:00]
2009-08-20 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-06-15 22:15]
2009-08-22 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-06-20 02:18]
.
- - - - ORPHANS REMOVED - - - -
BHO-{020745A9-3332-4AA6-B54D-A2B7411A3282} - (no file)
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
Notify-WgaLogon - (no file)
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Add to AD Black List
IE: Block All Images from the Same Server
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Highlight
IE: Open All Links in This Page...
IE: Open In New Avant Browser
IE: Search
IE: Send To &Bluetooth - c:\program files\IBM\Bluetooth Software\btsendto_ie_ctx.htm
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
FF - ProfilePath - c:\documents and settings\**********\Application Data\Mozilla\Firefox\Profiles\uqbsexaa.default\
FF - plugin: c:\documents and settings\**********\Application Data\Mozilla\Firefox\Profiles\uqbsexaa.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\**********\Application Data\Mozilla\Firefox\Profiles\uqbsexaa.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000004.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPJinit13123.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMySrWB.dll
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-22 09:33
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EC60A522-920C-52E9-898A41C82F89CB84}\{735C0629-1D81-42E2-E1D6A541CCD3DFCD}\{29AB0373-A17F-9B90-31C1A0C3BE2157F2}*]
"WHRUBFTNUT3JMXQXKMKSXOBADA1"=hex:01,00,01,00,00,00,00,00,7d,86,67,30,10,5d,1c,
b8,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"
@=""
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(664)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\Ati2evxx.dll
c:\program files\IBM fingerprint software\psfus.dll
c:\program files\Common Files\Virtual Token\psutil.dll
c:\windows\system32\tphklock.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Virtual Token\vtserver.exe
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\IBM\Bluetooth Software\bin\btwdins.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\windows\system32\Hummbird\inetd32.exe
c:\program files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
c:\program files\Neoteris\Installer Service\NeoterisSetupService.exe
c:\windows\system32\QCONSVC.EXE
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\TPHDEXLG.exe
c:\windows\system32\TpKmpSvc.exe
c:\windows\system32\wscntfy.exe
c:\program files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
c:\program files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
c:\windows\system32\rundll32.exe
c:\progra~1\ThinkPad\CONNEC~1\QCTRAY.EXE
c:\program files\Brother\ControlCenter3\BrccMCtl.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\progra~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
c:\program files\Symantec\LiveUpdate\AUPDATE.EXE
.
**************************************************************************
.
Completion time: 2009-08-22 9:39 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-22 13:39
Pre-Run: 18,940,993,536 bytes free
Post-Run: 18,805,485,568 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
368 --- E O F --- 2009-08-12 10:04
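The ComboFix log above carries several indicators that a practitioner reads off by hand: services whose binaries are gone from disk (`[?]`), an `svchost.exe -k netsvcs` service whose name is also printed as a NetSvcs addition, a look-alike `svchast.exe`, an IE proxy pointing at `localhost:7171`, an extra `BootExecute` entry, and the Security Center monitoring flags (which third-party suites often set legitimately). Below is an added example that scans for those patterns, not part of the original post and not ComboFix's own code; the sample input is a handful of lines copied from the log above, and which patterns count as suspicious is this example's assumption, meant as a reading aid rather than a verdict.

```python
"""Line-oriented triage of a ComboFix.txt.

Added example, not part of the original post and not ComboFix's own code.
The constructed input is a few lines copied from the ComboFix log above; the
rules for what to flag are this example's assumptions.
"""
import re
from typing import List, Set, Tuple

# Constructed sample: lines copied from the ComboFix log above.
SAMPLE_COMBOFIX = r"""
uInternet Settings,ProxyServer = http=localhost:7171
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.exe
R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [6/22/2005 2:48 AM 59776]
S1 8fcc9dbc.sys;8fcc9dbc.sys;\??\c:\windows\System32\drivers\8fcc9dbc.sys --> c:\windows\System32\drivers\8fcc9dbc.sys [?]
S2 AntipPro2009_100;AntipyProex;c:\windows\svchast.exe --> c:\windows\svchast.exe [?]
S2 dgigpk;dgigpk;c:\windows\system32\drivers\llqtmah.sys --> c:\windows\system32\drivers\llqtmah.sys [?]
S2 xaoesoee;Direct Parallel Link Helper;c:\windows\System32\svchost.exe -k netsvcs [1/1/1980 3:00 AM 14336]
S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [6/22/2005 3:13 AM 12288]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
xaoesoee
.
"""

# "<start type> <name>;<display name>;<image path ...>"
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?P<value>\S+)", re.I)
NETSVCS_HEADER = "Svchost - NetSvcs"
DEFAULT_BOOTEXECUTE = "autocheck autochk *"
SYSTEM_BINARIES = ("svchost.exe", "services.exe", "lsass.exe", "winlogon.exe", "csrss.exe")


def _one_char_off(a: str, b: str) -> bool:
    """True when a and b have the same length and differ in exactly one position."""
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1


def netsvcs_additions(lines: List[str]) -> Set[str]:
    """Names ComboFix prints under 'Svchost - NetSvcs' (entries added to the default group)."""
    names: Set[str] = set()
    collecting = False
    for line in lines:
        if NETSVCS_HEADER in line:
            collecting = True
            continue
        if collecting:
            if line.strip() in ("", "."):
                break
            names.add(line.strip())
    return names


def triage_combofix(text: str) -> List[Tuple[str, str]]:
    """Return (category, detail) findings for the patterns described in the lead-in."""
    lines = [l.rstrip() for l in text.splitlines()]
    additions = netsvcs_additions(lines)
    findings: List[Tuple[str, str]] = []
    current_key = ""
    for line in lines:
        if line.startswith("["):
            current_key = line.strip("[]")
        m = PROXY_RE.search(line)
        if m and re.search(r"localhost|127\.0\.0\.1", m.group("value"), re.I):
            findings.append(("proxy", f"IE proxy points at loopback: {m.group('value')}"))
        if '"DisableMonitoring"=dword:00000001' in line and "security center" in current_key.lower():
            findings.append(("security-center", f"monitoring disabled under {current_key}"))
        if line.startswith("BootExecute"):
            for entry in line.split("REG_MULTI_SZ", 1)[1].strip().split(r"\0"):
                if entry.strip().lower() != DEFAULT_BOOTEXECUTE:
                    findings.append(("bootexecute", f"extra BootExecute entry: {entry.strip()}"))
        m = SERVICE_RE.match(line)
        if not m:
            continue
        name, rest = m.group("name"), m.group("rest")
        if rest.endswith("[?]"):
            findings.append(("service", f"{name}: binary not found on disk ({rest[:-3].split(' --> ')[-1].strip()})"))
        if "-k netsvcs" in rest.lower() and name in additions:
            findings.append(("service", f"{name}: svchost netsvcs service that is a NetSvcs addition"))
        if re.fullmatch(r"[0-9a-f]{8}(\.sys)?", name, re.I):
            findings.append(("service", f"{name}: hex-only service name"))
        basename = rest.split(" --> ")[0].split("\\")[-1].split(" ")[0].lower()
        for legit in SYSTEM_BINARIES:
            if basename != legit and _one_char_off(basename, legit):
                findings.append(("service", f"{name}: binary {basename} is a look-alike of {legit}"))
    return findings


if __name__ == "__main__":
    for category, detail in triage_combofix(SAMPLE_COMBOFIX):
        print(f"{category:16} {detail}")
```

The `[?]` marker is ComboFix's own way of saying the service's image is missing, which after a removal pass usually means a leftover registry entry rather than live code; the netsvcs correlation and the look-alike check are the two findings that point at something still configured to run. Each finding names the line it came from, so it can be checked against the log by hand before anything is acted on.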
Here is DDS.txt
DDS (Ver_09-07-30.01) - NTFSx86
Run by ************** at 9:45:18.59 on Sat 08/22/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1483 [GMT -4:00]
============== Running Processes ===============
C:\Program Files\Common Files\Virtual Token\vtserver.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\system32\Hummbird\inetd32.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Neoteris\Installer Service\NeoterisSetupService.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\IBM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\**************\My Documents\Downloads\dds.scr
============== Pseudo HJT Report ===============
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
uRun: [ibmmessages] c:\program files\ibm\messages by ibm\ibmmessages.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [TpShocks] TpShocks.exe
mRun: [TPHOTKEY] c:\progra~1\thinkpad\pkgmgr\hotkey\TPHKMGR.exe
mRun: [ControlCenter] "c:\program files\ibm fingerprint software\ctlcntr.exe" /startup
mRun: [TP4EX] tp4ex.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [ibmmessages] c:\program files\ibm\messages by ibm\\ibmmessages.exe
mRun: [IBMPRC] c:\ibmtools\utils\ibmprc.exe
mRun: [QCWLICON] c:\program files\thinkpad\connectutilities\QCWLICON.EXE
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_07\bin\jusched.exe
mRun: [QCTRAY] c:\program files\thinkpad\connectutilities\QCTRAY.EXE
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [IndexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\paperport\11\config\ereg\Ereg.ini
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bttray.lnk - c:\program files\ibm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickbooks update agent.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: Add to AD Black List
IE: Block All Images from the Same Server
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Highlight
IE: Open All Links in This Page...
IE: Open In New Avant Browser
IE: Search
IE: Send To &Bluetooth - c:\program files\ibm\bluetooth software\btsendto_ie_ctx.htm
IE: {32A32D38-B8ED-4b3f-AFD0-EF23B697B5C1} - c:\program files\travelaxe\Travelaxe.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - hxxp://dl.tvunetworks.com/TVUAx.cab
DPF: {56393399-041A-4650-94C7-13DFCB1F4665} - hxxp://home3.ca.com/PestPatrol/uniblue/pestscan/pestscan.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18}
DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} - hxxp://www.tvucricket.com/player/vjocx-en.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - c:\windows\system32\BTXPPanel.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: psfus - c:\program files\ibm fingerprint software\psfus.dll
Notify: QConGina - QConGina.dll
Notify: tphotkey - tphklock.dll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\venupo~1\applic~1\mozilla\firefox\profiles\uqbsexaa.default\
FF - plugin: c:\documents and settings\**************\application data\mozilla\firefox\profiles\uqbsexaa.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\**************\application data\mozilla\firefox\profiles\uqbsexaa.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000004.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPJinit13123.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMySrWB.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
============= SERVICES / DRIVERS ===============
R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [2005-6-22 59776]
R0 TPDiskPM;TPDiskPM;c:\windows\system32\drivers\TPDiskPM.sys [2005-6-22 14208]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2005-6-22 11520]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.SYS [2005-6-22 2432]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-11-17 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-11-17 74480]
R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [2005-6-22 4608]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [2005-6-22 4442]
R2 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [2004-12-16 63616]
R3 TPInput;TPInput;c:\windows\system32\drivers\TPInput.sys [2005-6-22 6016]
S1 8fcc9dbc.sys;8fcc9dbc.sys;\??\c:\windows\system32\drivers\8fcc9dbc.sys --> c:\windows\system32\drivers\8fcc9dbc.sys [?]
S1 SDManager;SDManager;\??\c:\program files\spywaredetector\sdmanager.sys --> c:\program files\spywaredetector\SDManager.sys [?]
S2 AntipPro2009_100;AntipyProex;c:\windows\svchast.exe --> c:\windows\svchast.exe [?]
S2 dgigpk;dgigpk;c:\windows\system32\drivers\llqtmah.sys --> c:\windows\system32\drivers\llqtmah.sys [?]
S2 vvdsvc;VJVodClientServices;c:\windows\system32\svchost.exe -k vvdsvc [1980-1-1 14336]
S2 xaoesoee;Direct Parallel Link Helper;c:\windows\system32\svchost.exe -k netsvcs [1980-1-1 14336]
S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [2005-6-22 12288]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-11-17 7408]
S4 Oracle9iClientClientCache;Oracle9iClientClientCache; [x]
UnknownUnknown dsload;dsload; [x]
=============== Created Last 30 ================
2009-08-22 09:37 <DIR> --d----- c:\windows\system32\dllcache\cache
2009-08-22 09:12 <DIR> a-dshr-- C:\cmdcons
2009-08-22 09:10 228,864 a------- c:\windows\PEV.exe
2009-08-22 09:10 161,792 a------- c:\windows\SWREG.exe
2009-08-22 09:10 98,816 a------- c:\windows\sed.exe
2009-08-16 12:04 <DIR> --d----- C:\registry backup
2009-08-15 22:58 <DIR> --d----- c:\docume~1\venupo~1\applic~1\AVG8
2009-08-15 21:02 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-08-15 21:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-08-15 13:14 54,156 a---h--- c:\windows\QTFont.qfn
2009-08-15 13:14 1,409 a------- c:\windows\QTFont.for
2009-08-11 19:10 128,512 -------- c:\windows\system32\dllcache\dhtmled.ocx
2009-08-11 19:10 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll
2009-08-07 19:54 1,089,593 -------- c:\windows\system32\dllcache\ntprint.cat
2009-08-07 06:42 <DIR> --d----- c:\windows\system32\XPSViewer
2009-08-07 06:40 597,504 -------- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-07 06:40 117,760 -------- c:\windows\system32\prntvpt.dll
2009-08-07 06:40 89,088 -------- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-07 06:40 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-08-07 06:40 575,488 -------- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-07 06:40 <DIR> --d----- C:\c45970b3e444a0af6f0dc93b22
2009-08-07 06:40 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-08-07 06:40 1,676,288 -------- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-07 06:39 <DIR> --d----- c:\windows\SxsCaPendDel
2009-08-05 05:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-23 21:27 <DIR> --d----- c:\docume~1\venupo~1\applic~1\pokerth
2009-07-23 21:26 <DIR> --d----- c:\program files\PokerTH
==================== Find3M ====================
2009-08-22 08:41 102,088 a------- c:\docume~1\venupo~1\applic~1\GDIPFONTCACHEV1.DAT
2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-03 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-18 12:05 3,069,440 a------- c:\windows\system32\dllcache\cache\mshtml.dll
2009-07-18 12:05 3,069,440 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-18 12:05 1,509,888 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 15:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-13 10:08 286,720 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 10:08 286,720 a------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-13 10:08 5,537,792 a------- c:\windows\system32\dllcache\wmp.dll
2009-06-26 12:50 666,624 a------- c:\windows\system32\dllcache\cache\wininet.dll
2009-06-26 12:50 666,624 -------- c:\windows\system32\wininet.dll
2009-06-26 12:50 666,624 -------- c:\windows\system32\dllcache\wininet.dll
2009-06-26 12:50 620,032 -------- c:\windows\system32\dllcache\urlmon.dll
2009-06-26 12:50 81,920 a------- c:\windows\system32\ieencode.dll
2009-06-26 12:50 81,920 -------- c:\windows\system32\dllcache\ieencode.dll
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-16 10:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 10:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-12 08:31 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 08:31 80,896 -------- c:\windows\system32\dllcache\tlntsess.exe
2009-06-12 08:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-12 08:31 76,288 -------- c:\windows\system32\dllcache\telnet.exe
2009-06-10 10:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 10:13 84,992 -------- c:\windows\system32\dllcache\avifil32.dll
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 09:19 2,066,432 -------- c:\windows\system32\dllcache\mstscax.dll
2009-06-10 02:14 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-10 02:14 132,096 -------- c:\windows\system32\dllcache\wkssvc.dll
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-03 15:09 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll
2008-06-06 10:54 393 a------- c:\program files\Shortcut to Program Files.lnk
============= FINISH: 9:45:38.32 ===============
Hi,
Ad-Aware SE Professional is not supported anymore. It's recommended to uninstall it. You may get Ad-Aware AE (http://www.lavasoft.com/products/ad_aware.php).
Open notepad and copy/paste the text in the quotebox below into it:
Driver::
"8fcc9dbc.sys"
AntipPro2009_100
dgigpk
xaoesoee
NetSvc::
xaoesoee
File::
c:\windows\System32\drivers\8fcc9dbc.sys
c:\windows\svchast.exe
c:\windows\system32\drivers\llqtmah.sys
Folder::
c:\documents and settings\All Users\Application Data\19171254
DDS::
uStart Page = about:blank
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
Regnull::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EC60A522-920C-52E9-898A41C82F89CB84}\{735C0629-1D81-42E2-E1D6A541CCD3DFCD}\{29AB0373-A17F-9B90-31C1A0C3BE2157F2}*]
Reglock::
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CPMbfd37ec1]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=-
Save this as CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any processes of findstr, find, sed or swreg; then ComboFix should continue.
If that happens, we want to know, and also which process you had to end.
Uninstall old Adobe Reader versions and get the latest one (9.1 + separate updates 9.1.2 & 9.1.3 for it) here (http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows) or get Foxit Reader here (http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm). Make sure you don't install the toolbar if you choose Foxit Reader! You may also check the free readers introduced here (http://pdfreaders.org/).
Check here (http://www.adobe.com/software/flash/about/) to see if your Flash is up-to-date (do it separately with each of your browsers). If not, uninstall vulnerable versions by following the instructions here (http://kb2.adobe.com/cps/141/tn_14157.html). A fresh version can be obtained here (http://get.adobe.com/flashplayer/).
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...
Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6 Update 16 (http://java.sun.com/javase/downloads/index.jsp).
Click the Download button to the right.
Select Windows in the platform combobox and check the box that says:
Accept License Agreement. Click continue.
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u16-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.
Double-click ATF Cleaner.exe to open it
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif).
Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.
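As an added illustration (not part of the helper's instructions, and not code from DDS or ComboFix), the script below applies the same triage the helper did by eye to DDS-style log lines: the `[?]` marker on a service binary DDS cannot read (typical of a rootkit hiding its own driver), a service binary whose name is one character off a core Windows binary (`svchast.exe`), a core binary running from outside system32, an svchost-hosted service with a generated-looking name, and a browser proxy pointed at localhost. The sample lines are constructed, modelled on the posted log; the heuristics, the system-binary list and the "review" tier are this example's own assumptions, and a "review" hit such as `vvdsvc` is a prompt to look, not a verdict.

```python
"""Triage DDS-style log lines for the indicators the helper picked out by hand.

Added example: the heuristics are this script's own, not rules from DDS,
ComboFix or the forum helper. SAMPLE_LOG is constructed, modelled on the
posted log, so the script runs offline.
"""
import re
from dataclasses import dataclass

# Constructed sample: DDS "Pseudo HJT" proxy lines plus SERVICES / DRIVERS lines,
# modelled on the log above (legitimate ThinkPad/SAS drivers mixed with the
# entries the helper scripted for removal).
SAMPLE_LOG = r"""
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [2005-6-22 59776]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-11-17 9968]
S1 8fcc9dbc.sys;8fcc9dbc.sys;\??\c:\windows\system32\drivers\8fcc9dbc.sys --> c:\windows\system32\drivers\8fcc9dbc.sys [?]
S2 AntipPro2009_100;AntipyProex;c:\windows\svchast.exe --> c:\windows\svchast.exe [?]
S2 dgigpk;dgigpk;c:\windows\system32\drivers\llqtmah.sys --> c:\windows\system32\drivers\llqtmah.sys [?]
S2 vvdsvc;VJVodClientServices;c:\windows\system32\svchost.exe -k vvdsvc [1980-1-1 14336]
S2 xaoesoee;Direct Parallel Link Helper;c:\windows\system32\svchost.exe -k netsvcs [1980-1-1 14336]
S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [2005-6-22 12288]
"""

# DDS service line: "<R|S><n> <service>;<display>;<path> [<date> <size>]" or "... [?]"
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s*(\[[^\]]*\])?\s*$")
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(\S+)")

# Core Windows binaries that malware names itself after; all live in system32.
# Illustrative list, not exhaustive (assumption of this example).
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
                   "winlogon.exe", "services.exe", "spoolsv.exe"}


@dataclass
class Finding:
    severity: str  # "high": objective indicator; "review": needs a human look
    name: str      # service name, or "ProxyServer"
    reason: str


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typo-squats such as svchast.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage_line(line: str) -> list:
    findings = []
    m = PROXY_RE.search(line)
    if m:
        target = m.group(1)
        if "localhost" in target.lower() or "127.0.0.1" in target:
            findings.append(Finding("high", "ProxyServer",
                                    f"browser traffic forced through a local proxy: {target}"))
        return findings
    m = SERVICE_RE.match(line)
    if not m:
        return findings
    _state, name, _display, path, stamp = m.groups()
    # DDS prints "[?]" when it cannot stat the binary: deleted, or hidden by a rootkit filter.
    if stamp == "[?]":
        findings.append(Finding("high", name, "service binary not readable on disk ([?])"))
    resolved = path.split("-->")[-1].strip()          # prefer the resolved path if present
    exe_path, _, group = resolved.partition(" -k ")    # split off the svchost group name
    exe = exe_path.strip().replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if exe in SYSTEM_BINARIES:
        if "\\system32\\" not in exe_path.lower():
            findings.append(Finding("high", name, f"{exe} running from outside system32: {exe_path}"))
    else:
        for legit in SYSTEM_BINARIES:
            if edit_distance(exe, legit) == 1:
                findings.append(Finding("high", name, f"{exe} typo-squats {legit}"))
    # svchost-hosted service whose name is 6-8 lowercase letters has the shape of a
    # generated name. Legitimate vendor abbreviations match too, hence only "review".
    if exe == "svchost.exe" and re.fullmatch(r"[a-z]{6,8}", name):
        findings.append(Finding("review", name,
                                f"generated-looking service name in svchost group '{group.strip()}'"))
    # Eight hex digits as a driver name (8fcc9dbc.sys) is likewise worth a look.
    if re.fullmatch(r"[0-9a-f]{8}(\.sys)?", name):
        findings.append(Finding("review", name, "hex-named driver"))
    return findings


def triage(log_text: str) -> list:
    """Run every line of a DDS log through triage_line and collect the findings."""
    return [f for line in log_text.splitlines() for f in triage_line(line)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:6} {f.name:18} {f.reason}")
```

Run against the sample, the four "high" names are exactly the entries the helper's CFScript targets (the three `[?]` services plus the localhost proxy), while `xaoesoee` and `vvdsvc` surface as "review" items, which is where the analyst's judgement about the netsvcs group entry still has to come in.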
ComboFix.txt
ComboFix 09-08-21.02 - ******** 08/22/2009 12:13.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1593 [GMT -4:00]
Running from: c:\documents and settings\********\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\********\Desktop\CFScript.txt
FILE ::
"c:\windows\svchast.exe"
"c:\windows\System32\drivers\8fcc9dbc.sys"
"c:\windows\system32\drivers\llqtmah.sys"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\19171254
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_ANTIPPRO2009_100
-------\Legacy_XAOESOEE
-------\Service_8fcc9dbc.sys
-------\Service_AntipPro2009_100
-------\Service_dgigpk
-------\Service_xaoesoee
((((((((((((((((((((((((( Files Created from 2009-07-22 to 2009-08-22 )))))))))))))))))))))))))))))))
.
2009-08-16 16:04 . 2009-08-22 13:38 -------- d-----w- C:\registry backup
2009-08-16 16:03 . 2009-08-16 16:04 -------- d-----w- c:\program files\ERUNT
2009-08-16 02:58 . 2009-08-16 02:58 -------- d-----w- c:\documents and settings\********\Application Data\AVG8
2009-08-16 01:02 . 2009-08-22 11:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-16 01:02 . 2009-08-16 01:04 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-12 19:14 . 2009-08-06 17:11 2492728 ----a-w- c:\documents and settings\********\Application Data\Mozilla\Firefox\Profiles\uqbsexaa.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
2009-08-12 19:14 . 2008-03-04 22:52 286720 ----a-w- c:\documents and settings\********\Application Data\Mozilla\Firefox\Profiles\uqbsexaa.default\extensions\firefox@tvunetworks.com\plugins\libcurl.dll
2009-08-12 19:14 . 2007-10-31 13:39 59904 ----a-w- c:\documents and settings\********\Application Data\Mozilla\Firefox\Profiles\uqbsexaa.default\extensions\firefox@tvunetworks.com\plugins\zlib1.dll
2009-08-12 19:14 . 2007-05-17 17:58 143360 ----a-w- c:\documents and settings\********\Application Data\Mozilla\Firefox\Profiles\uqbsexaa.default\extensions\firefox@tvunetworks.com\plugins\libexpatw.dll
2009-08-12 19:14 . 2006-10-18 21:32 499712 ----a-w- c:\documents and settings\********\Application Data\Mozilla\Firefox\Profiles\uqbsexaa.default\extensions\firefox@tvunetworks.com\plugins\msvcp71.dll
2009-08-12 19:14 . 2006-10-18 21:32 348160 ----a-w- c:\documents and settings\********\Application Data\Mozilla\Firefox\Profiles\uqbsexaa.default\extensions\firefox@tvunetworks.com\plugins\msvcr71.dll
2009-08-12 19:14 . 2006-10-16 22:44 196608 ----a-w- c:\documents and settings\********\Application Data\Mozilla\Firefox\Profiles\uqbsexaa.default\extensions\firefox@tvunetworks.com\plugins\ssleay32.dll
2009-08-12 19:14 . 2006-10-16 22:44 1028096 ----a-w- c:\documents and settings\********\Application Data\Mozilla\Firefox\Profiles\uqbsexaa.default\extensions\firefox@tvunetworks.com\plugins\libeay32.dll
2009-08-11 23:10 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-07 10:42 . 2009-08-07 10:42 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-07 10:42 . 2009-08-07 10:42 -------- d-----w- c:\program files\MSBuild
2009-08-07 10:41 . 2009-08-07 10:41 -------- d-----w- c:\program files\Reference Assemblies
2009-08-07 10:40 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-07 10:40 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-07 10:40 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-07 10:40 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-07 10:40 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-07 10:40 . 2009-08-07 10:41 -------- d-----w- C:\c45970b3e444a0af6f0dc93b22
2009-08-07 10:40 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-07 10:40 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-07 10:39 . 2009-08-07 13:14 -------- d-----w- c:\windows\SxsCaPendDel
2009-08-05 09:01 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-24 01:27 . 2009-07-24 01:27 -------- d-----w- c:\documents and settings\********\Application Data\pokerth
2009-07-24 01:26 . 2009-07-24 01:27 -------- d-----w- c:\program files\PokerTH
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-22 10:26 . 2008-06-15 11:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-08-16 20:21 . 2009-03-21 13:17 117760 ----a-w- c:\documents and settings\********\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-08-15 02:33 . 2008-05-25 13:10 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-11 01:58 . 2008-11-22 01:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-11 01:58 . 2008-12-29 12:11 3942048 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-08-10 01:24 . 2005-11-02 11:26 102088 ----a-w- c:\documents and settings\********\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-09 13:00 . 2005-06-22 07:06 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-09 13:00 . 2009-02-09 15:15 -------- d-----w- c:\program files\Norton Security Scan
2009-08-09 11:23 . 2008-11-25 01:07 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-05 09:01 . 1980-01-01 07:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 17:36 . 2008-11-22 01:55 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 17:36 . 2008-11-22 01:55 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-22 10:42 . 2009-01-07 03:39 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2009-07-17 19:01 . 1980-01-01 07:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 14:08 . 1980-01-01 07:00 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-26 16:50 . 1980-01-01 07:00 666624 ------w- c:\windows\system32\wininet.dll
2009-06-26 16:50 . 1980-01-01 07:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-16 14:36 . 1980-01-01 07:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 1980-01-01 07:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-13 12:46 . 2009-06-13 12:46 34 ----a-w- c:\windows\system32\bd9840cd.dat
2009-06-13 12:45 . 2009-06-13 12:45 50 ----a-w- c:\windows\system32\bd9840cn.dat
2009-06-12 12:31 . 1980-01-01 07:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 1980-01-01 07:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 1980-01-01 07:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2004-08-09 17:51 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 1980-01-01 07:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 19:09 . 1980-01-01 07:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2008-06-06 14:54 . 2008-06-06 14:54 393 ----a-w- c:\program files\Shortcut to Program Files.lnk
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ibmmessages"="c:\program files\IBM\Messages By IBM\ibmmessages.exe" [2004-08-06 442368]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-08 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-08 512000]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2004-02-05 897024]
"TPHOTKEY"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2005-03-04 94208]
"ControlCenter"="c:\program files\IBM fingerprint software\ctlcntr.exe" [2004-11-04 284766]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2004-11-24 212992]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-12-12 344064]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"ibmmessages"="c:\program files\IBM\Messages By IBM\\ibmmessages.exe" [2004-08-06 442368]
"IBMPRC"="c:\ibmtools\UTILS\ibmprc.exe" [2004-12-16 90112]
"QCWLICON"="c:\program files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2005-03-18 86016]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2004-12-21 135168]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_07\bin\jusched.exe" [2006-05-03 36975]
"QCTRAY"="c:\program files\ThinkPad\ConnectUtilities\QCTRAY.EXE" [2005-03-18 745472]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-09-02 127035]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-01-30 30248]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-01-30 46632]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-02-01 255528]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-05 630784]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-11-07 65536]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-09-27 180269]
"TpShocks"="TpShocks.exe" - c:\windows\system32\TpShocks.exe [2004-10-27 106496]
"TP4EX"="tp4ex.exe" - c:\windows\system32\TP4EX.exe [2004-11-12 40960]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
BTTray.lnk - c:\program files\IBM\Bluetooth Software\BTTray.exe [2004-10-1 565309]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-6-22 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-1-10 815104]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-01-26 02:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2004-11-04 16:51 108636 ----a-w- c:\program files\IBM fingerprint software\psfus.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
2005-03-18 10:07 262144 ----a-w- c:\windows\system32\QConGina.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2004-08-13 03:11 24576 ----a-w- c:\windows\system32\tphklock.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.exe
[HKLM\~\startupfolder\C:^Documents and Settings^********^Start Menu^Programs^Startup^Run Clock G2.lnk]
backup=c:\windows\pss\Run Clock G2.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"UC_Start"=c:\program files\IBM\Updater\\ucstartup.exe
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\IBM\\Updater\\jre\\bin\\java.exe"=
"c:\\Program Files\\IBM\\Updater\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\IBM\\Updater\\ucsmb.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Quest Software\\Quest Central\\Plugins\\Load Generator\\ASA\\win32\\dbeng9.exe"=
"c:\\Program Files\\Exceed.nt\\exceed.exe"=
"c:\\Program Files\\Reflection\\Rx.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\msiexec.exe"=
"c:\\WINDOWS\\system32\\dla\\tfswctrl.exe"=
"c:\\Program Files\\Juniper Networks\\Common Files\\dsNcService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERANTISPYWARE.EXE"=
R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [6/22/2005 2:48 AM 59776]
R0 TPDiskPM;TPDiskPM;c:\windows\system32\drivers\TPDiskPM.sys [6/22/2005 2:48 AM 14208]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [11/17/2008 4:11 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/17/2008 4:11 PM 74480]
R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [6/22/2005 2:48 AM 4608]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [6/22/2005 3:18 AM 4442]
R2 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [12/16/2004 7:12 AM 63616]
R3 TPInput;TPInput;c:\windows\system32\drivers\TPInput.sys [6/22/2005 2:48 AM 6016]
S1 SDManager;SDManager;\??\c:\program files\SpywareDetector\SDManager.sys --> c:\program files\SpywareDetector\SDManager.sys [?]
S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [6/22/2005 3:13 AM 12288]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/17/2008 4:11 PM 7408]
S4 Oracle9iClientClientCache;Oracle9iClientClientCache; [x]
UnknownUnknown dsload;dsload; [x]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
vvdsvc REG_MULTI_SZ vvdsvc
.
Contents of the 'Scheduled Tasks' folder
2009-07-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
2009-08-22 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-15 10:35]
2009-08-16 c:\windows\Tasks\Norton Security Scan for ********.job
- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 00:20]
2009-08-22 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2005-06-22 08:00]
2009-08-22 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-06-20 02:18]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Add to AD Black List
IE: Block All Images from the Same Server
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Highlight
IE: Open All Links in This Page...
IE: Open In New Avant Browser
IE: Search
IE: Send To &Bluetooth - c:\program files\IBM\Bluetooth Software\btsendto_ie_ctx.htm
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
FF - ProfilePath - c:\documents and settings\********\Application Data\Mozilla\Firefox\Profiles\uqbsexaa.default\
FF - plugin: c:\documents and settings\********\Application Data\Mozilla\Firefox\Profiles\uqbsexaa.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\********\Application Data\Mozilla\Firefox\Profiles\uqbsexaa.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000004.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPJinit13123.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMySrWB.dll
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-22 12:21
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(656)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\Ati2evxx.dll
c:\program files\IBM fingerprint software\psfus.dll
c:\program files\Common Files\Virtual Token\psutil.dll
c:\windows\system32\tphklock.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Virtual Token\vtserver.exe
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\IBM\Bluetooth Software\bin\btwdins.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\windows\system32\Hummbird\inetd32.exe
c:\program files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
c:\program files\Neoteris\Installer Service\NeoterisSetupService.exe
c:\windows\system32\QCONSVC.EXE
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\TPHDEXLG.exe
c:\windows\system32\TpKmpSvc.exe
c:\program files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
c:\program files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
c:\windows\system32\rundll32.exe
c:\program files\Brother\ControlCenter3\BrccMCtl.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
.
**************************************************************************
.
Completion time: 2009-08-22 12:28 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-22 16:28
ComboFix2.txt 2009-08-22 13:39
Pre-Run: 18,813,956,096 bytes free
Post-Run: 18,766,573,568 bytes free
304 --- E O F --- 2009-08-12 10:04
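Worked example, added here and not part of the thread or of ComboFix: a small Python triage script that parses service/driver lines and the BootExecute value in the same layout the log above uses, and flags the entries a helper would look at first: drivers whose image file the scanner marked `[x]` or `[?]`, entries whose start type came back as Unknown, and any BootExecute string beyond the stock `autocheck autochk *`. The sample lines are constructed to mirror the log's format, and the reading of `[x]` as "file not found" and `[?]` as "could not be verified" is this example's own assumption about the marker meanings.

```python
"""Triage helper for ComboFix-style service/driver and BootExecute lines.

Added example; not code from the forum thread or from ComboFix itself.
The sample input below is constructed to mirror the posted log's format.
"""
import re

# Constructed sample lines shaped like the 'R0/S1/Unknown' service section.
SAMPLE_SERVICES = "\n".join([
    r"R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [6/22/2005 2:48 AM 59776]",
    r"S1 SDManager;SDManager;\??\c:\program files\SpywareDetector\SDManager.sys --> c:\program files\SpywareDetector\SDManager.sys [?]",
    r"S4 Oracle9iClientClientCache;Oracle9iClientClientCache; [x]",
    r"UnknownUnknown dsload;dsload; [x]",
])

# Constructed sample of the session manager BootExecute value.
SAMPLE_BOOTEXECUTE = r"BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.exe"

# Layout: <start type> <service name>;<display name>;<image path> [<trailer>]
SERVICE_RE = re.compile(
    r"^(?P<start>R\d|S\d|Unknown\w*)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$"
)
# Trailing bracketed field: either "<date> <time> <size>" or a marker like [x] / [?].
TRAILER_RE = re.compile(r"\[(?P<trailer>[^\]]*)\]\s*$")
# Stock Windows XP BootExecute content; anything else is worth a look.
DEFAULT_BOOTEXECUTE = ("autocheck autochk *",)


def parse_service_line(line):
    """Split one service/driver line into fields; None if the line isn't one."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").strip()
    trailer = None
    t = TRAILER_RE.search(rest)
    if t:
        trailer = t.group("trailer").strip()
        rest = rest[: t.start()].strip()
    # "<registry path> --> <resolved path>": keep the resolved right-hand side.
    if " --> " in rest:
        rest = rest.split(" --> ", 1)[1].strip()
    return {
        "start": m.group("start"),
        "name": m.group("name").strip(),
        "display": m.group("display").strip(),
        "path": rest,
        "trailer": trailer,
    }


def flag_service(entry):
    """Return human-readable reasons an entry deserves review (empty if none)."""
    flags = []
    # Assumption: [x] = image file not found, [?] = image could not be verified.
    if entry["trailer"] == "x":
        flags.append("image file not found (orphaned service entry)")
    elif entry["trailer"] == "?":
        flags.append("image could not be verified")
    if entry["start"].startswith("Unknown"):
        flags.append("start type not resolved")
    if not entry["path"]:
        flags.append("no image path recorded")
    return flags


def triage_services(text):
    """Parse every service line in `text` and attach its review flags."""
    results = []
    for line in text.splitlines():
        entry = parse_service_line(line)
        if entry is None:
            continue
        entry["flags"] = flag_service(entry)
        results.append(entry)
    return results


def bootexecute_extras(line):
    """Return BootExecute entries beyond the stock 'autocheck autochk *'."""
    _, _, value = line.partition("REG_MULTI_SZ")
    # The log renders the REG_MULTI_SZ separator as the two characters '\0'.
    entries = [e.strip() for e in value.strip().split("\\0") if e.strip()]
    return [e for e in entries if e not in DEFAULT_BOOTEXECUTE]


if __name__ == "__main__":
    for entry in triage_services(SAMPLE_SERVICES):
        if entry["flags"]:
            print(f"{entry['start']:<8} {entry['name']:<28} {entry['path'] or '-'}")
            for reason in entry["flags"]:
                print(f"         - {reason}")
    for extra in bootexecute_extras(SAMPLE_BOOTEXECUTE):
        print(f"BootExecute has a non-default entry to review: {extra}")
```

The script only surfaces candidates; a flagged orphan such as a leftover uninstalled driver is common and harmless, so each hit still needs to be checked against the vendor and the file on disk before anything is removed.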
Test post. Please ignore this.
Had to post to make your previous reply appear here. I'll get back to this when you have other reports ready.
Hi,
Have you run Kaspersky online scanner yet? If you have, please post its report & a fresh dds.txt log.
Due to inactivity, this thread will now be closed.
Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic; you would be starting fresh.
If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.