Results 1 to 10 of 19

Thread: SCPROT4.EXE Malware Trojan/ Worm infection

Hybrid View

Previous Post Previous Post   Next Post Next Post
  1. 2010-01-04, 06:07 #1
    anand_am01
    anand_am01 is offline
    Junior Member
    Join Date
    Jan 2010
    Posts
    10

    Unhappy SCPROT4.EXE Malware Trojan/ Worm infection

    Hello Experts,
    Following your instructions, I have created a backup with ERUNT and the HJT log is enclosed.
    Await further instructions, and thank you for your time & consideration.
    Sincerely,
    Anand Murthy

    =================================================
    Logfile of Trend Micro HijackThis v2.0.3 (BETA)
    Scan saved at 11:43:48 PM, on 03/01/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
    C:\WINDOWS\system32\IPSSVC.EXE
    C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
    C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\WINDOWS\system32\svchost.exe
    c:\program files\lenovo\system update\suservice.exe
    C:\WINDOWS\System32\TPHDEXLG.EXE
    C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
    C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
    C:\Program Files\ThinkPad\ConnectUtilities\AcMurocHlpr.exe
    C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe
    C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
    C:\WINDOWS\system32\taskswitch.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
    C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
    C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
    C:\Program Files\CardScan\CardScan\CardScanAgent.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\RingCentral\RingCentral Call Controller\RCUI.exe
    C:\Program Files\RingCentral\RingCentral Call Controller\RCHotKey.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\IBM ThinkVantage\Client Security Solution\pwmgr.exe
    C:\Program Files\Windows Live\Contacts\wlcomm.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Windows Live\Toolbar\wltuser.exe
    C:\Program Files\Mozilla Firefox 3.6 Beta 5\firefox.exe
    C:\Program Files\Windows Live\Mail\wlmail.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\Program Files\Microsoft Office\Office\WINWORD.EXE
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgr.exe
    C:\WINDOWS\system32\msfeedssync.exe
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
    C:\Program Files\PC Connectivity Solution\Transports\NclIrSrv.exe
    C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Microsoft Office\Office\EXCEL.EXE
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\Program Files\Microsoft Office\Office\1033\msohelp.exe
    C:\Program Files\Microsoft Office\Office\1033\msohelp.exe
    C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
    C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
    C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.toronto.ca:8080
    O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\Hewlett-Packard\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
    O2 - BHO: (no name) - {1ECE7AC5-2091-419D-BD0F-FCDB92EEBA9B} - (no file)
    O2 - BHO: (no name) - {29A92273-C690-41FF-92AB-468EF44B16B4} - (no file)
    O2 - BHO: (no name) - {30BAA4DF-E0AB-4AFD-B6D8-FFAA032D0468} - (no file)
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {62780D18-D103-03D3-323A-01F43008B839} - (no file)
    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
    O2 - BHO: ZoneAlarm Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
    O2 - BHO: (no name) - {C1AC8C15-62FC-1F2B-8B2E-48E679F00E91} - (no file)
    O2 - BHO: (no name) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - (no file)
    O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
    O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\Hewlett-Packard\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O3 - Toolbar: ZoneAlarm Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [cssauth] "C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe" silent
    O4 - HKLM\..\Run: [PDService.exe] "C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe"
    O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
    O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\ThinkVantage Fingerprint Software\launcher.exe" /startup
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
    O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
    O4 - HKLM\..\Run: [SC2] C:\Program Files\SecCenter\scprot4.e
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [ISW] "C:\Program Files\CheckPoint\ZAForceField\ForceField.exe" /icon="hidden"
    O4 - HKLM\..\RunOnce: [OEMSAVHomeDirectory] cmd.exe /c rmdir "C:\Program Files\Symantec Client Security\Symantec AntiVirus\"
    O4 - HKLM\..\RunOnce: [OEMCommonHomeDirectory] cmd.exe /c rmdir "C:\Program Files\Common Files\Symantec Shared\OEM\"
    O4 - HKLM\..\RunOnce: [OEMSCFHomeDirectory] cmd.exe /c rmdir "C:\Program Files\Symantec Client Security\Symantec Client Firewall"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [RCUI] "C:\Program Files\RingCentral\RingCentral Call Controller\RCUI.exe"
    O4 - HKCU\..\Run: [RCHotKey] "C:\Program Files\RingCentral\RingCentral Call Controller\RCHotKey.exe"
    O4 - HKUS\S-1-5-18\..\RunOnce: [configmsi] cmd /c "rmdir /q C:\config.msi" (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [supportdir] cmd /c "rmdir /q /s "C:\WINDOWS\TEMP\{BF90215F-2D7B-4C84-8A24-A03BC41B95DD}"" (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [configmsi] cmd /c "rmdir /q C:\config.msi" (User 'Default user')
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
    O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?cd20b42499654f789f343cf995bad7de
    O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?cd20b42499654f789f343cf995bad7de
    O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
    O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
    O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\Hewlett-Packard\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [JAVA_IBM] Java (IBM)
    O15 - Trusted Zone: *.sap.com
    O16 - DPF: {2A0B9B82-D5C8-4D3D-8338-AD55B23662B1} (F5 Networks CacheCleaner) - https://connectphl05.sap.com/vdesk/c...2008,0514,2338
    O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - https://connectphl05.sap.com/vdesk/t...2008,0514,2345
    O16 - DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} (F5 Networks Policy Agent Host Class) - https://connectphl05.sap.com/vdesk/t...2008,0514,2340
    O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks SSLTunnel) - https://connectphl05.sap.com/vdesk/t...2008,0701,2202
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1203342374438
    O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
    O16 - DPF: {7584c670-2274-4efb-b00b-d6aaba6d3850} (Microsoft RDP Client Control (redist)) - https://connectphl05.sap.com/vdesk/t...ion=5,2,3790,0
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramewor...o.cab34246.cab
    O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} (F5 Networks SuperHost Class) - https://epass.toronto.ca/vdesk/termi...2008,0514,2341
    O16 - DPF: {CF25C291-E91C-11D3-873F-0000B4A2973D} (RingCentral Message Player Control) - https://service.ringcentral.com/Acti...age_Player.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/def...ploader_v6.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) -
    O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://connectphl05.sap.com/vdesk/t...2008,0605,2205
    O16 - DPF: {E615C9EA-AD69-4AE9-83C9-9D906A0ACA6D} (F5 Networks OS Policy Agent) - https://connectphl05.sap.com/policy/...2008,0514,2348
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
    O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
    O20 - Winlogon Notify: winqxl32 - winqxl32.dll (file missing)
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
    O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: Google Desktop Manager 5.9.911.3589 (GoogleDesktopManager-110309-193829) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: HLIXMZGQPRS - Unknown owner - C:\DOCUME~1\Anand\LOCALS~1\Temp\HLIXMZGQPRS.exe (file missing)
    O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
    O23 - Service: ZoneAlarm Toolbar IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
    O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
    O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: System Update (SUService) - - c:\program files\lenovo\system update\suservice.exe
    O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
    O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe (file missing)
    O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
    O23 - Service: TVT Backup Service - Unknown owner - C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
    O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

    --
    End of file - 19966 bytes
  2. 2010-01-07, 14:07 #2
    peku006
    peku006 is offline
    Emeritus- Security Expert peku006's Avatar
    Join Date
    Feb 2007
    Location
    Norway
    Posts
    3,103

    Default

    Hello and to Safer Networking

    My name is peku006 and I will be helping you to remove any infection(s) that you may have.
    I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

    Please observe these rules while we work:

    • If you don't know or understand something please don't hesitate to ask
    • Please DO NOT run any other tools or scans whilst I am helping you.
    • It is important that you reply to this thread. Do not start a new topic.
    • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    • Absence of symptoms does not mean that everything is clear.


    We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
    This tool is not a toy and not for everyday use.
    ComboFix SHOULD NOT be used unless requested by a forum helper

    http://www.bleepingcomputer.com/comb...o-use-combofix

    Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    If you need help to disable your protection programs see here.

    When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

    Thanks peku006
    I don't help with logs thru PM. If you have problems create a thread in the forum, please.
  3. 2010-01-10, 08:03 #3
    anand_am01
    anand_am01 is offline
    Junior Member
    Join Date
    Jan 2010
    Posts
    10

    Default Combofix Log

    Hi peku006!
    Thank you for picking up the case.
    Here is the log from combofix as directed.
    Sincerely,
    Anand Murthy

    =======================================

    ComboFix 10-01-04.01 - Anand 10/01/2010 0:44.3.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.246 [GMT -5:00]
    Running from: c:\documents and settings\Anand\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\kmd.exe
    c:\windows\Downloaded Program Files\poPCaploader.dll
    c:\windows\Downloaded Program Files\popcaploader.inf
    c:\windows\unins000.dat
    c:\windows\unins000.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_PASSWORD


    ((((((((((((((((((((((((( Files Created from 2009-12-10 to 2010-01-10 )))))))))))))))))))))))))))))))
    .

    2010-01-10 02:57 . 2010-01-10 02:58 -------- dc----w- c:\windows\system32\NtmsData
    2010-01-04 06:22 . 2010-01-04 06:22 -------- dc----w- c:\program files\Common Files\Adobe AIR
    2010-01-04 06:16 . 2010-01-04 06:13 411368 -c--a-w- c:\windows\system32\deploytk.dll
    2010-01-04 06:12 . 2010-01-05 18:51 -------- dc----w- c:\documents and settings\All Users\Application Data\NOS
    2010-01-04 06:12 . 2010-01-04 06:12 -------- dc----w- c:\program files\NOS
    2010-01-04 04:25 . 2010-01-04 04:25 -------- dc----w- c:\documents and settings\Anand\Application Data\CheckPoint
    2010-01-04 04:25 . 2010-01-04 04:25 -------- dc----w- c:\program files\CheckPoint
    2010-01-04 04:24 . 2010-01-04 04:24 4212 -c-ha-w- c:\windows\system32\zllictbl.dat
    2010-01-04 04:24 . 2009-11-22 20:42 103816 -c--a-w- c:\windows\system32\zlcommdb.dll
    2010-01-04 04:24 . 2009-11-22 20:42 69000 -c--a-w- c:\windows\system32\zlcomm.dll
    2010-01-04 04:23 . 2009-11-22 20:42 1238408 -c--a-w- c:\windows\system32\zpeng25.dll
    2010-01-04 04:23 . 2010-01-04 04:24 -------- dc----w- c:\windows\system32\ZoneLabs
    2010-01-04 04:23 . 2010-01-04 04:23 -------- dc----w- c:\program files\Zone Labs
    2010-01-04 04:22 . 2010-01-10 06:00 -------- dc----w- c:\windows\Internet Logs
    2010-01-03 21:07 . 2010-01-03 21:07 -------- dc----w- c:\program files\TrendMicro
    2010-01-03 20:02 . 2010-01-03 20:02 -------- dc----w- c:\program files\ERUNT
    2009-12-25 04:22 . 2009-12-25 04:22 -------- dc----w- c:\program files\Mozilla Firefox 3.6 Beta 5
    2009-12-17 18:32 . 2009-12-17 18:32 -------- dc----w- c:\program files\tools

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2098-06-17 14:00 . 2002-01-18 05:33 89360 -c--a-w- c:\windows\system32\VB5DB.DLL
    2010-01-10 04:57 . 2010-01-04 05:31 46188061 -c--a-w- c:\windows\Internet Logs\tvDebug.Zip
    2010-01-06 05:25 . 2007-05-15 22:57 -------- dc----w- c:\documents and settings\Anand\Application Data\Skype
    2010-01-06 02:37 . 2007-05-15 22:51 -------- dc----w- c:\program files\Common Files\Skype
    2010-01-05 19:21 . 2009-08-05 02:54 -------- dc----w- c:\documents and settings\Anand\Application Data\HPAppData
    2010-01-04 06:30 . 2006-06-04 17:45 -------- dc----w- c:\program files\Common Files\Adobe
    2010-01-04 06:16 . 2010-01-04 06:16 86016 -c--a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
    2010-01-04 06:12 . 2006-06-20 22:46 -------- dc----w- c:\program files\Java
    2010-01-04 06:07 . 2010-01-04 06:07 152576 -c--a-w- c:\documents and settings\Anand\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
    2010-01-04 06:06 . 2010-01-04 06:06 79488 -c--a-w- c:\documents and settings\Anand\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
    2010-01-04 05:33 . 2006-05-24 13:44 -------- dc----w- c:\program files\Symantec Client Security
    2010-01-03 21:07 . 2010-01-03 21:07 388096 -c--a-r- c:\documents and settings\Anand\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
    2010-01-03 20:14 . 2009-07-18 14:24 -------- dc----w- c:\program files\Juice
    2010-01-03 20:11 . 2009-06-17 15:46 -------- dc----w- c:\documents and settings\Anand\Application Data\uTorrent
    2010-01-03 19:33 . 2007-08-14 02:04 -------- dc----w- c:\documents and settings\Anand\Application Data\Move Networks
    2010-01-03 19:07 . 2009-08-14 00:20 -------- dc----w- c:\documents and settings\All Users\Application Data\Skyline
    2010-01-03 12:57 . 2006-05-24 13:44 -------- dc----w- c:\program files\Common Files\Symantec Shared
    2010-01-03 12:57 . 2006-05-24 13:44 -------- dc----w- c:\program files\Symantec
    2010-01-03 12:56 . 2006-05-24 13:44 -------- dc----w- c:\documents and settings\All Users\Application Data\Symantec
    2010-01-03 07:50 . 2008-03-30 21:44 -------- dc----w- c:\documents and settings\All Users\Application Data\Intuit
    2010-01-03 07:25 . 2009-11-24 12:18 4639 -c--a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\qbbackup.sys
    2010-01-03 07:24 . 2010-01-03 07:33 816456 -c--a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\DownloadQB18\Patch\qbpatch2.exe
    2010-01-03 07:24 . 2010-01-03 07:33 75280 -c--a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\DownloadQB18\Patch\qbpatch.exe
    2010-01-03 07:22 . 2010-01-03 07:33 348160 -c--a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\DownloadQB18\Patch\msvcr71.dll
    2010-01-03 07:22 . 2010-01-03 07:33 499712 -c--a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\DownloadQB18\Patch\msvcp71.dll
    2010-01-03 07:11 . 2007-12-01 21:12 -------- dc----w- c:\program files\Spybot - Search & Destroy
    2009-12-29 00:57 . 2009-06-23 14:31 -------- dc----w- c:\program files\Acro Software
    2009-12-22 14:33 . 2009-12-12 14:42 2066200 -c--a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
    2009-12-19 21:34 . 2006-06-21 06:15 -------- dc----w- c:\program files\Google
    2009-12-10 01:20 . 2009-12-09 23:03 -------- dc----w- c:\documents and settings\All Users\Application Data\CardScan
    2009-12-09 23:06 . 2009-12-09 23:06 -------- dc----w- c:\documents and settings\All Users\Application Data\ScanSoft
    2009-12-09 23:04 . 2009-12-09 23:04 -------- dc----w- c:\documents and settings\Anand\Application Data\CardScan
    2009-12-09 22:49 . 2009-12-09 22:48 -------- dc----w- c:\program files\CardScan
    2009-12-04 15:03 . 2009-12-04 15:03 251376 -c--a-w- c:\documents and settings\Anand\Application Data\Mozilla\plugins\npgoogletalk.dll
    2009-12-02 22:53 . 2009-02-05 02:48 -------- dc----w- c:\program files\MSECache
    2009-11-20 11:08 . 2010-01-04 06:40 38784 -c--a-w- c:\documents and settings\Anand\Application Data\Macromedia\Flash Player\http://www.macromedia.com\bin\airapp...pinstaller.exe
    2009-11-19 16:48 . 2009-12-01 21:56 872960 -c--a-w- c:\documents and settings\Anand\Application Data\Mozilla\Firefox\Profiles\p5pyhhaj.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
    2009-11-19 16:48 . 2009-12-01 21:56 43008 -c--a-w- c:\documents and settings\Anand\Application Data\Mozilla\Firefox\Profiles\p5pyhhaj.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
    2009-11-19 16:48 . 2009-12-01 21:56 340480 -c--a-w- c:\documents and settings\Anand\Application Data\Mozilla\Firefox\Profiles\p5pyhhaj.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
    2009-11-19 16:48 . 2009-12-01 21:56 346624 -c--a-w- c:\documents and settings\Anand\Application Data\Mozilla\Firefox\Profiles\p5pyhhaj.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
    2009-11-19 12:47 . 2008-01-16 02:58 -------- dc----w- c:\program files\Microsoft Silverlight
    2009-11-16 13:04 . 2009-11-11 22:32 -------- dc----w- c:\documents and settings\All Users\Application Data\RingCentral
    2009-11-12 15:06 . 2006-05-31 21:34 75592 -c--a-w- c:\documents and settings\Anand\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-11-11 22:36 . 2009-11-11 22:32 -------- dc----w- c:\program files\RingCentral
    2009-11-11 13:27 . 2009-11-11 13:27 423168 -c--a-w- c:\windows\system32\RCMedia.dll
    2009-11-06 02:09 . 2009-11-06 02:09 60744 -c--a-w- c:\documents and settings\Anand\g2mdlhlpx.exe
    2009-12-02 23:43 . 2006-06-21 06:16 119808 -c--a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
    2007-09-21 22:58 . 2007-09-21 22:58 44360 -c--a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
    2007-09-21 22:58 . 2007-09-21 22:58 107928 -c--a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
    2007-06-21 08:38 . 2007-06-21 08:38 30280 -c--a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
    2007-06-21 08:38 . 2007-06-21 08:38 79432 -c--a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
    2007-06-21 08:38 . 2007-06-21 08:38 71240 -c--a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
    2007-06-21 08:38 . 2007-06-21 08:38 140872 -c--a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
    2007-06-21 08:39 . 2007-06-21 08:39 38472 -c--a-w- c:\program files\mozilla firefox\plugins\icafile.dll
    2007-06-21 08:39 . 2007-06-21 08:39 46664 -c--a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
    2007-06-21 08:39 . 2007-06-21 08:39 34376 -c--a-w- c:\program files\mozilla firefox\plugins\logging.dll
    2007-06-21 08:39 . 2007-06-21 08:39 685640 -c--a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
    2007-06-21 08:40 . 2007-06-21 08:40 30280 -c--a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RCUI"="c:\program files\RingCentral\RingCentral Call Controller\RCUI.exe" [2009-05-04 479232]
    "RCHotKey"="c:\program files\RingCentral\RingCentral Call Controller\RCHotKey.exe" [2009-05-04 32768]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-08 68856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-08-01 110592]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-08-01 512000]
    "EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2005-08-10 237568]
    "TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-05-10 94208]
    "LPManager"="c:\progra~1\THINKV~2\PrdCtr\LPMGR.exe" [2006-01-25 106496]
    "dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-19 127037]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
    "cssauth"="c:\program files\IBM ThinkVantage\Client Security Solution\cssauth.exe" [2005-12-21 1996336]
    "PDService.exe"="c:\program files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe" [2005-11-15 49152]
    "TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2005-10-29 864256]
    "PSQLLauncher"="c:\program files\ThinkVantage Fingerprint Software\launcher.exe" [2006-04-26 31232]
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-12-02 30192]
    "TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2006-03-28 503808]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
    "CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-13 131072]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-01-13 163840]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-01-13 135168]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-12 2043160]
    "PrinTray"="c:\windows\System32\spool\DRIVERS\W32X86\3\printray.exe" [2002-09-18 36864]
    "ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2006-04-17 98304]
    "ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2006-04-17 409600]
    "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-11-22 1037192]
    "ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2009-10-14 730480]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-26 282624]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "configmsi"="rmdir" [X]
    "supportdir"="rmdir" [X]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-23 217194]
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-5-31 24576]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-08-26 14:00 11952 -c--a-w- c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
    2006-04-26 02:20 40448 ----a-w- c:\windows\system32\psqlpwd.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
    2005-07-06 06:45 28672 ----a-w- c:\windows\system32\notifyf2.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
    2005-12-01 03:16 24576 ----a-w- c:\windows\system32\tphklock.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 7.0 Tray Icon.lnk.disabled]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AOL 7.0 Tray Icon.lnk.disabled
    backup=c:\windows\pss\AOL 7.0 Tray Icon.lnk.disabledCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk.disabled]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk.disabled
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.disabledCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk.disabled]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk.disabled
    backup=c:\windows\pss\hp psc 1000 series.lnk.disabledCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk.disabled]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk.disabled
    backup=c:\windows\pss\hpoddt01.exe.lnk.disabledCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NETGEAR ProSafe VPN Client.lnk.disabled]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NETGEAR ProSafe VPN Client.lnk.disabled
    backup=c:\windows\pss\NETGEAR ProSafe VPN Client.lnk.disabledCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
    backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
    backup=c:\windows\pss\Service Manager.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
    backup=c:\windows\pss\Windows Search.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Anand^Start Menu^Programs^Startup^Juice.lnk]
    path=c:\documents and settings\Anand\Start Menu\Programs\Startup\Juice.lnk
    backup=c:\windows\pss\Juice.lnkStartup

    [HKLM\~\startupfolder\C:^Documents and Settings^Anand^Start Menu^Programs^Startup^Yuuguu.lnk.disabled]
    path=c:\documents and settings\Anand\Start Menu\Programs\Startup\Yuuguu.lnk.disabled
    backup=c:\windows\pss\Yuuguu.lnk.disabledStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SC2]
    c:\program files\SecCenter\scprot4.e [X]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2009-09-04 17:08 935288 -c--a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
    2007-03-09 01:09 63712 -c--a-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CardScanAgent]
    2008-02-15 00:34 152824 -c--a-w- c:\program files\CardScan\CardScan\CardScanAgent.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ConnectionManager]
    2008-06-10 04:00 32768 -c--a-w- c:\program files\winsim\ConnectionManager\Simply.SystemTrayIcon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
    2009-07-01 02:49 133104 -c--atw- c:\documents and settings\Anand\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    2004-07-27 23:50 81920 -c----w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    2009-07-26 20:44 3883856 -c--a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-01-04 06:13 149280 -c--a-w- c:\program files\Java\jre6\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    2007-07-08 14:41 68856 -c--a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "WMPNetworkSvc"=2 (0x2)
    "SymSecurePort"=2 (0x2)
    "Symantec AntiVirus"=3 (0x3)
    "SQLSERVERAGENT"=3 (0x3)
    "SPBBCSvc"=3 (0x3)
    "SNDSrvc"=3 (0x3)
    "Remasoft Canada Inc.: Rema update permissions manager. 19151."=2 (0x2)
    "MSSQLServerADHelper"=3 (0x3)
    "MSSQLSERVER"=2 (0x2)
    "iPod Service"=3 (0x3)
    "FileZilla Server"=3 (0x3)
    "DefWatch"=2 (0x2)
    "ccSetMgr"=2 (0x2)
    "ccPwdSvc"=3 (0x3)
    "ccProxy"=2 (0x2)
    "ccEvtMgr"=2 (0x2)
    "Simply Accounting Database Connection Manager"=3 (0x3)
    "wuauserv"=2 (0x2)
    "Pml Driver HPZ12"=2 (0x2)
    "gusvc"=3 (0x3)
    "gupdate1c942bc34c5debc"=2 (0x2)
    "LVSrvLauncher"=2 (0x2)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" /nosplash /minimized

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
    "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe"
    "HP Software Update"=c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe"
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\winsim\\ConnectionManager\\MySqlBinary\\5.0.38\\mysql\\mysqld-nt.exe"=
    "c:\\Program Files\\winsim\\ConnectionManager\\SimplyConnectionManager.exe"=
    "c:\\Program Files\\SAP\\FrontEnd\\SAPgui\\saplogon.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Documents and Settings\\Anand\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
    "c:\\Documents and Settings\\Anand\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
    "c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
    "c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
    "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpfccopy.exe"=
    "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpiscnapp.exe"=
    "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqcopy2.exe"=
    "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpofxs08.exe"=
    "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
    "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqgpc01.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"=
    "c:\\Program Files\\CallWave\\IAM.exe"=
    "c:\\Program Files\\RingCentral\\RingCentral Call Controller\\RCUI.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "67:UDP"= 67:UDP:DHCP Discovery Service

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [03/02/2009 12:01 AM 335240]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [03/02/2009 12:01 AM 108552]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [03/02/2009 12:00 AM 297752]
    R2 Crypto;Crypto;c:\windows\system32\drivers\Crypto.sys [05/06/2006 12:38 PM 521786]
    R2 IPSECDRV;SafeNet IPSec Plugin;c:\windows\system32\drivers\IpSecDrv.sys [05/06/2006 12:38 PM 119864]
    R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [14/10/2009 8:30 AM 25208]
    R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [14/10/2009 8:30 AM 476528]
    R2 PrivateDisk;PrivateDisk;c:\program files\IBM ThinkVantage\SafeGuard PrivateDisk\privatediskm.sys [15/11/2005 1:11 PM 46142]
    R2 smi2;smi2;c:\program files\SMI2\smi2.sys [02/08/2005 7:47 PM 3968]
    R2 SmiHlp;SMI helper driver;c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [25/04/2006 9:00 PM 3456]
    R3 DniVap;SafeNet WAN Miniport (VA);c:\windows\system32\drivers\vap.sys [05/06/2006 12:36 PM 36188]
    S0 ANCSQ;ANCSQ;c:\windows\system32\drivers\ANCSQ.sys --> c:\windows\system32\drivers\ANCSQ.sys [?]
    S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [21/06/2006 1:15 AM 30192]
    S3 HLIXMZGQPRS;HLIXMZGQPRS;c:\docume~1\Anand\LOCALS~1\Temp\HLIXMZGQPRS.exe --> c:\docume~1\Anand\LOCALS~1\Temp\HLIXMZGQPRS.exe [?]
    S3 IZE;IZE;c:\docume~1\Anand\LOCALS~1\Temp\IZE.exe --> c:\docume~1\Anand\LOCALS~1\Temp\IZE.exe [?]
    S4 gupdate1c942bc34c5debc;Google Update Service (gupdate1c942bc34c5debc);c:\program files\Google\Update\GoogleUpdate.exe [09/11/2008 5:40 PM 133104]
    S4 Remasoft Canada Inc.: Rema update permissions manager. 19151.;Remasoft Canada Inc.: Rema update permissions manager. 19151.;c:\program files\Rema\RemaUpd.exe -PermissionManagerRun --> c:\program files\Rema\RemaUpd.exe -PermissionManagerRun [?]
    S4 Simply Accounting Database Connection Manager;Simply Accounting Database Connection Manager;c:\program files\winsim\ConnectionManager\SimplyConnectionManager.exe [29/03/2008 10:36 PM 24576]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder

    2006-09-29 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 1200 series5E771253C1676EBED677BF361FDFC537825E15B8150069797.job
    - c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 06:52]

    2010-01-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2008-11-09 22:40]

    2010-01-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2008-11-09 22:40]

    2010-01-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2345978724-3825532129-4291118871-1005Core.job
    - c:\documents and settings\Anand\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-15 02:49]

    2010-01-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2345978724-3825532129-4291118871-1005UA.job
    - c:\documents and settings\Anand\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-15 02:49]

    2010-01-10 c:\windows\Tasks\PMTask.job
    - c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2006-05-24 08:10]

    2010-01-10 c:\windows\Tasks\User_Feed_Synchronization-{CC6DF3AB-01C8-4ADD-88D3-1F788BBB9D72}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uDefault_Search_URL = hxxp://www.google.com/ie
    uInternet Settings,ProxyServer = proxy.toronto.ca:8080
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
    IE: Open in new background tab - c:\program files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?cd20b42499654f789f343cf995bad7de
    IE: Open in new foreground tab - c:\program files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?cd20b42499654f789f343cf995bad7de
    Trusted Zone: live.com\login
    Trusted Zone: sap.com
    DPF: {CF25C291-E91C-11D3-873F-0000B4A2973D} - hxxps://service.ringcentral.com/ActiveX/RingCentral_Message_Player.cab
    FF - ProfilePath - c:\documents and settings\Anand\Application Data\Mozilla\Firefox\Profiles\p5pyhhaj.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://mail.google.com/mail/?auth=DQAAAHIAAAAnlt7ZJUrz5d6QBslySlXPZD_vHklFz_18lmXFwrswvhnjdDOW5zZb93mkuMqxHqkXb_sl6mAiTnXddUrMgd5QOjZbVqimVruXqW-cLhByaGzoJsa8DkGQDY3sGXhVvJwzUPx0to_EEgHa7vgMVSsrdgbN-3JRmuuyqm6GO6PPng
    FF - prefs.js: network.proxy.http - 192.168.0.2
    FF - prefs.js: network.proxy.http_port - 8080
    FF - prefs.js: network.proxy.type - 4
    FF - component: c:\documents and settings\Anand\Application Data\Mozilla\Firefox\Profiles\p5pyhhaj.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
    FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
    FF - component: c:\program files\CheckPoint\ZAForceField\TrustChecker\components\TrustCheckerMozillaPlugin.dll
    FF - plugin: c:\documents and settings\Anand\Application Data\Mozilla\Firefox\Profiles\p5pyhhaj.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07061050.dll
    FF - plugin: c:\documents and settings\Anand\Application Data\Mozilla\plugins\npgoogletalk.dll
    FF - plugin: c:\documents and settings\Anand\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
    FF - plugin: c:\program files\eMusic Download Manager\plugin\npemusic.dll
    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox 3.6 Beta 5\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox 3.6 Beta 5\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\Mozilla Firefox 3.6 Beta 5\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\Mozilla Firefox 3.6 Beta 5\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\Mozilla Firefox 3.6 Beta 5\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\Mozilla Firefox 3.6 Beta 5\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\Mozilla Firefox 3.6 Beta 5\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox 3.6 Beta 5\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox 3.6 Beta 5\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\Mozilla Firefox 3.6 Beta 5\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\Mozilla Firefox 3.6 Beta 5\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\Mozilla Firefox 3.6 Beta 5\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\Mozilla Firefox 3.6 Beta 5\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\Mozilla Firefox 3.6 Beta 5\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\Mozilla Firefox 3.6 Beta 5\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\Mozilla Firefox 3.6 Beta 5\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\Mozilla Firefox 3.6 Beta 5\greprefs\all.js - pref("html5.enable", false);
    c:\program files\Mozilla Firefox 3.6 Beta 5\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\Mozilla Firefox 3.6 Beta 5\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\Mozilla Firefox 3.6 Beta 5\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox 3.6 Beta 5\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox 3.6 Beta 5\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\Mozilla Firefox 3.6 Beta 5\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\Mozilla Firefox 3.6 Beta 5\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\Mozilla Firefox 3.6 Beta 5\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\Mozilla Firefox 3.6 Beta 5\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\Mozilla Firefox 3.6 Beta 5\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox 3.6 Beta 5\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\Mozilla Firefox 3.6 Beta 5\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\Mozilla Firefox 3.6 Beta 5\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\Mozilla Firefox 3.6 Beta 5\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{1ECE7AC5-2091-419D-BD0F-FCDB92EEBA9B} - (no file)
    BHO-{29A92273-C690-41FF-92AB-468EF44B16B4} - (no file)
    BHO-{C1AC8C15-62FC-1F2B-8B2E-48E679F00E91} - (no file)
    Notify-ACNotify - ACNotify.dll
    Notify-NavLogon - (no file)
    Notify-winqxl32 - winqxl32.dll
    MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    AddRemove-Spybot - Search & Destroy_is1 - c:\windows\unins000.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-01-10 01:01
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    c:\windows\system32\wuauclt.exe.wusetup.378546.bak 51224 bytes executable
    c:\windows\system32\wuaueng.dll.wusetup.392765.bak 1809944 bytes executable

    scan completed successfully
    hidden files: 2

    **************************************************************************
    "ImagePath"="c:\program files\Intel\Wireless\Bin\RegSrvc.exe"

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Remasoft Canada Inc.: Rema update permissions manager. 19151.]
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1400)
    c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
    c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
    c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
    c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
    c:\windows\system32\psqlpwd.dll
    c:\program files\ThinkVantage Fingerprint Software\infra.dll
    c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
    c:\windows\system32\biologon.dll
    c:\program files\ThinkVantage Fingerprint Software\homepass.dll
    c:\program files\ThinkVantage Fingerprint Software\bio.dll
    c:\program files\ThinkVantage Fingerprint Software\remote.dll
    c:\program files\ThinkVantage Fingerprint Software\ps2css.dll
    c:\windows\system32\tphklock.dll
    c:\program files\ThinkVantage Fingerprint Software\crypto.dll
    c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

    - - - - - - - > 'lsass.exe'(1456)
    c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

    - - - - - - - > 'explorer.exe'(7292)
    c:\windows\system32\WININET.dll
    c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
    c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1801_x-ww_5eed8217\MSVCR80.dll
    c:\windows\system32\PROCHLP.DLL
    c:\program files\RingCentral\RingCentral Call Controller\RCHotKeyHook.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
    c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
    c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
    c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Intel\Wireless\Bin\EvtEng.exe
    c:\program files\Intel\Wireless\Bin\S24EvMon.exe
    c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    c:\windows\system32\IPSSVC.EXE
    c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
    c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    c:\progra~1\AVG\AVG8\avgrsx.exe
    c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    c:\progra~1\AVG\AVG8\avgnsx.exe
    c:\program files\lenovo\system update\suservice.exe
    c:\windows\System32\TPHDEXLG.EXE
    c:\program files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
    c:\program files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
    c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
    c:\windows\wanmpsvc.exe
    c:\windows\system32\SearchIndexer.exe
    c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
    c:\windows\system32\fxssvc.exe
    c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
    c:\program files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
    c:\program files\ThinkPad\ConnectUtilities\AcMurocHlpr.exe
    c:\program files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
    c:\program files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
    c:\program files\ThinkPad\UltraNav Wizard\UNavTray.EXE
    c:\windows\system32\igfxsrvc.exe
    c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
    c:\program files\IBM ThinkVantage\Client Security Solution\pwmgr.exe
    c:\windows\system32\rundll32.exe
    .
    **************************************************************************
    .
    Completion time: 2010-01-10 01:12:29 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-01-10 06:12
    ComboFix2.txt 2008-02-18 05:30

    Pre-Run: 7,934,054,400 bytes free
    Post-Run: 7,841,267,712 bytes free

    - - End Of File - - AB3ED4C40F8DB6CE9F3ADCE53BE7365C
  4. 2010-01-11, 15:49 #4
    peku006
    peku006 is offline
    Emeritus- Security Expert peku006's Avatar
    Join Date
    Feb 2007
    Location
    Norway
    Posts
    3,103

    Default

    Hi Anand Murthy

    1 - Download and Run Malwarebytes' Anti-Malware

    Please save any items you were working on... close any open programs. You may be asked to reboot your machine.
    Please download Malwarebytes Anti-Malware and save it to your desktop. If needed...Tutorial w/screenshots
    Alternate download sites available here or here.
    1. Make sure you are connected to the Internet.
    2. Double-click on mbam-setup.exe to install the application.
    3. When the installation begins, follow the prompts and do not make any changes to default settings.
    4. When installation has finished, make sure you leave both of these checked:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
      • Then click Finish.
      MBAM will automatically start and you will be asked to update the program before performing a scan.
      • If an update is found, the program will automatically update itself.
      • Press the OK button to close that box and continue.
      • Problems downloading the updates? Manually download them from here and double-click on "mbam-rules.exe" to install.

    On the Scanner tab:
    1. Make sure the "Perform full scan" option is selected.
    2. Then click on the Scan button.
    3. If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
    4. The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
    5. When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
    6. Click OK to close the message box and continue with the removal process.

    Back at the main Scanner screen:
    1. Click on the Show Results button to see a list of any malware that was found.
    2. Check all items except items in the C:\System Volume Information folder... then click on Remove Selected.
      We will take care of the System Volume Information items later.
    3. When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
    4. The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
      The log can also be found here:
      C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    5. Copy and paste the contents of that report in your next reply and exit MBAM.


    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
    Click OK to either and let MBAM proceed with the disinfection process.
    If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

    2 - Status Check
    Please reply with

    1. the Malwarebytes' Anti-Malware Log

    Thanks peku006
    I don't help with logs thru PM. If you have problems create a thread in the forum, please.
  5. 2010-01-12, 13:32 #5
    anand_am01
    anand_am01 is offline
    Junior Member
    Join Date
    Jan 2010
    Posts
    10

    Default MBAM Log 2010-01-12

    Hi Peku006,
    Thank you for the instructions.
    Here is the MBAM Log.
    Thanks & regards,
    Anand Murthy

    ==================================
    Malwarebytes' Anti-Malware 1.44
    Database version: 3545
    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    12/01/2010 6:22:26 AM
    mbam-log-2010-01-12 (06-22-26).txt

    Scan type: Full Scan (C:\|D:\|E:\|R:\|)
    Objects scanned: 323896
    Time elapsed: 2 hour(s), 41 minute(s), 50 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 4

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winqxl32 (Trojan.Dialer) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\popcaploader.dll.vir (Adware.PopCap) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP257\A0027291.sys (Malware.Trace) -> Not selected for removal.
    C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP257\A0027433.sys (Malware.Trace) -> Not selected for removal.
    C:\WINDOWS\system32\ (Trojan.Dialer) -> Quarantined and deleted successfully.
  6. 2010-01-12, 16:28 #6
    peku006
    peku006 is offline
    Emeritus- Security Expert peku006's Avatar
    Join Date
    Feb 2007
    Location
    Norway
    Posts
    3,103

    Default

    Hi Anand Murthy

    1 - Clean temp files

    • Please download TFC to your desktop
    • Save any unsaved work. TFC will close all open application windows.
    • Double-click TFC.exe to run the program.
    • If prompted, click Yes to reboot.


    NOTE: Save your work.TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer take a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

    2 - Eset online scannner

    You can use either Internet Explorer or Mozilla FireFox for this scan.

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

    • Please go here then click on:
    • Select the option YES, I accept the Terms of Use then click on:
    • When prompted allow the Add-On/Active X to install.
    • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
    • Now click on Advanced Settings and select the following:

      • Scan for potentially unwanted applications
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth Technology
    • Now click on:
    • The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
    • When completed the Online Scan will begin automatically.
    • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
    • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
    • Now click on:
    • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
    • Copy and paste that log as a reply to this topic.


    3 - Run Hijackthis
    Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad

    4 - Status Check
    Please reply with

    1. the Eset online scannner report
    2. a fresh HijackThis log

    Thanks peku006
    I don't help with logs thru PM. If you have problems create a thread in the forum, please.
« Previous Thread | Next Thread »

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules