Virtumonde - I see I am not alone.

P

paccousa

New member
Hi,

Spybot found it and I applied the fix. Instructions recommended to look at the forum and here I am.

Read a few posts. So I installed HJT and run it. Log below. Also, I've tried to download Combofix, but I am not able to save .exe files with Mozilla (staying away from IE). If that is part of my fix, please share a link to a zip version.
Thank you for taking the time.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:29:19 AM, on 6/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Cisco Systems\CiscoTrustAgent\ctalogd.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Cisco Systems\CiscoTrustAgent\ctapsd.exe
C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
C:\Program Files\Cisco Systems\CiscoTrustAgent\CtaEoU.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\CiscoTrustAgent\ctatransapt.exe
C:\WINDOWS\system32\netdde.exe
C:\PROGRA~1\Altiris\ALTIRI~1\AeXNSAgent.exe
C:\Program Files\Connected\AgentSrv.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\AMT\atchksrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\ccsrvc.exe
C:\Program Files\Altiris\Carbon Copy\shellker.exe
C:\Program Files\Cisco Systems\CEPS\CEPSWatch.exe
C:\WINDOWS\system32\clipsrv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Credant\Gatekeeper\Gatekeeper.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Intel\AMT\UNS.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Xobni\XobniService.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Altiris\CARBON~1\client.exe
C:\WINDOWS\system32\taskswitch.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\WINDOWS\system32\TpShocks.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Credant\CMG Shield\CMGShieldUI.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Funk Software\Odyssey Client\OdTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Adobe Photoshop Lightroom\apdproxy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Cisco Systems\CSAgent\bin\okclient.exe
C:\Program Files\Connected\CBSysTray.exe
C:\Program Files\Credant\Gatekeeper\GKProbe.exe
C:\Program Files\PIXELA\ImageMixer 3 SE\CameraMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\WScript.exe
C:\Documents and Settings\mfaini\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wwwin.cisco.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://wwwin.cisco.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {018B27FF-E05F-4CB5-8763-540CB3FD457A} - C:\WINDOWS\system32\geBsRJDV.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {684A2C96-1067-4139-B27A-BEF06AA9DA51} - C:\WINDOWS\system32\tuvWoPJc.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: {aad37708-01cf-d8d9-b024-3017e0ab93ea} - {ae39ba0e-7103-420b-9d8d-fc1080773daa} - C:\WINDOWS\system32\chcehi.dll (disabled by BHODemon)
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [AeXAgentLogon] C:\PROGRA~1\Altiris\ALTIRI~1\AeXAgentActivate.exe /logon
O4 - HKLM\..\Run: [CMGShieldUI] C:\Program Files\Credant\CMG Shield\CMGShieldUI.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [OdTray.exe] "C:\Program Files\Funk Software\Odyssey Client\OdTray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom\apdproxy.exe"
O4 - HKLM\..\Run: [3c5d4e4f] rundll32.exe "C:\WINDOWS\system32\colkajsv.dll",b
O4 - HKLM\..\Run: [BM3f6e7dd3] Rundll32.exe "C:\WINDOWS\system32\gjrqfdpk.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DiskCleanup] C:\WINDOWS\CISCO_IT\Scripts\DiskCleanup\DiskCleanup.vbs
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Cisco Security Agent.lnk = C:\Program Files\Cisco Systems\CSAgent\bin\okclient.exe
O4 - Global Startup: Connected TaskBar Icon.LNK = C:\Program Files\Connected\CBSysTray.exe
O4 - Global Startup: GKProbe.lnk = C:\Program Files\Credant\Gatekeeper\GKProbe.exe
O4 - Global Startup: ImageMixer 3 SE Camera Monitor.lnk = ?
O4 - Global Startup: Manage Printers.lnk = C:\Program Files\Cisco Systems\CEPS\AddPrinter.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {205E7068-6D03-4566-AD06-A146B592FBA5} (Loader Class v2) - http://qualitycenter.cisco.com/qcbin/Spider80.ocx
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0) - http://wwwin-hrdev.cisco.com:8027/OA_HTML/oaj2se.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{690A10D9-8DEA-4C11-B3F7-ADEBD766C0D8}: Domain = cisco.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cisco.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = cisco.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = cisco.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = cisco.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = cisco.com
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: AMINIT.dll csauser.dll
O20 - Winlogon Notify: CMGShieldNP - C:\Program Files\Credant\CMG Shield\CMGShieldNP.dll
O20 - Winlogon Notify: geBsRJDV - C:\WINDOWS\SYSTEM32\geBsRJDV.dll
O20 - Winlogon Notify: PAStates - C:\WINDOWS\SYSTEM32\PAStates.dll
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\PROGRA~1\Altiris\ALTIRI~1\AeXNSAgent.exe
O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\Connected\AgentSrv.EXE
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Intel(R) Active Management Technology System Status Service (atchksrv) - Intel Corporation - C:\Program Files\Intel\AMT\atchksrv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Altiris Carbon Copy (CarbonCopy32) - Altiris - C:\WINDOWS\system32\ccsrvc.exe
O23 - Service: Carbon Copy Scheduler (CarbonCopyScheduler) - Altiris - C:\WINDOWS\system32\schdsrvc.exe
O23 - Service: CEPS Watch - Cisco Systems - C:\Program Files\Cisco Systems\CEPS\CEPSWatch.exe
O23 - Service: Cisco Trust Agent EOU Daemon (CtaEoU) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\CiscoTrustAgent\CtaEoU.exe
O23 - Service: Cisco Trust Agent Logger Daemon (ctalogd) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\CiscoTrustAgent\ctalogd.exe
O23 - Service: Cisco Posture Server Daemon (ctapsd) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\CiscoTrustAgent\ctapsd.exe
O23 - Service: Cisco Systems, Inc. CTA Posture State Daemon (ctatransapt) - Unknown owner - C:\Program Files\Cisco Systems\CiscoTrustAgent\ctatransapt.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: CREDANT Mobile Guardian Gatekeeper (guardian) - CREDANT Technologies - C:\Program Files\Credant\Gatekeeper\Gatekeeper.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPassConnectEngine - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPassPeriodicUpdateApp - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
O23 - Service: iPassPeriodicUpdateService - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) Active Management Technology Local Management Service (LMS) - Intel Corporation - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Odyssey Client (odClientService) - Funk Software, Inc. - C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - C:\oracle\ora81\bin\ONRSD.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: Intel(R) Active Management Technology User Notification Service (UNS) - Intel Corporation - C:\Program Files\Intel\AMT\UNS.exe
O23 - Service: XobniService - Xobni Corporation - C:\Program Files\Xobni\XobniService.exe

--
End of file - 14308 bytes

Edit:
Also, I've tried to download Combofix, but I am not able to save .exe files with Mozilla (staying away from IE). If that is part of my fix, please share a link to a zip version.
Click to expand...
"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance)

Do NOT run 'fixes' before helpers have analyzed the HJT log

Yes, I think I am following the instructions.

I read the sticky posts mentioned. The only fix I applied was from Spybot. After that I came to the forum as Spybot suggested.

I have not run, nor applied any other fix as mentioned.

Hope this helps trouble shoot.

Thank you.

Hi guys/gals,

my pc is getting worse. I'm now getting new pop-up with Firefox too, and the latest are targeting adult sites.

Quite embarrassing. I really need to stop it. :sad:

Anything I can do in the mean time? I want to maintain connectivity otherwise I won't know if someone replied to my cry for help.
And this is the only pc I have.

Also, I cannot get to yahoo.com nor to my gmail account.

Thank you
 
Last edited by a moderator:
Hi

You have to use IE for downloading ComboFix file if you can't do it with Firefox.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

1. Download combofix from any of these links and save it to Desktop:
Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log & a fresh hjt log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here
 
Fresh logs

Hi Blade81,

thanks for your time and for the help.

I run Combofix and after reboot, run HJT. Logs attached. FYI, I executed both with my computer offline, it should not matter, but I wanted to mention it just in case.

Thank you. :)


ComboFix 08-06-20.4 - mfaini 2008-06-30 8:16:52.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.818 [GMT -6:00]
Running from: C:\Documents and Settings\mfaini\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM3f6e7dd3.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\BcKjkUtv.ini
C:\WINDOWS\system32\BcKjkUtv.ini2
C:\WINDOWS\system32\cJPoWvut.ini
C:\WINDOWS\system32\cJPoWvut.ini2
C:\WINDOWS\system32\ikmokixl.ini
C:\WINDOWS\system32\jguovptr.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\ploesggf.ini
C:\WINDOWS\system32\vsjakloc.ini
C:\WINDOWS\system32\vtUkjKcB.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-30 )))))))))))))))))))))))))))))))
.

2008-06-29 12:28 . 2008-06-29 12:28 103,424 --a------ C:\WINDOWS\system32\xuichmyb.dll
2008-06-29 12:28 . 2008-06-29 12:28 103,424 --a------ C:\WINDOWS\system32\enqgaz.dll
2008-06-29 12:25 . 2008-06-29 12:25 81,920 --a------ C:\WINDOWS\system32\rtpvougj.dll
2008-06-29 12:24 . 2008-06-29 12:24 90,624 --a------ C:\WINDOWS\system32\qanfbwkb.dll
2008-06-28 11:38 . 2008-06-28 11:38 103,424 --a------ C:\WINDOWS\system32\bdeiit.dll
2008-06-28 11:37 . 2008-06-28 11:38 103,424 --a------ C:\WINDOWS\system32\fwpungte.dll
2008-06-28 11:32 . 2008-06-28 11:32 90,624 --a------ C:\WINDOWS\system32\fcnqjmhh.dll
2008-06-27 14:05 . 2008-06-28 10:11 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-27 14:05 . 2008-06-28 11:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-27 11:29 . 2008-06-27 11:29 102,912 --a------ C:\WINDOWS\system32\xkejbgxq.dll
2008-06-27 11:29 . 2008-06-27 11:29 102,912 --a------ C:\WINDOWS\system32\chcehi.dll
2008-06-27 11:29 . 2008-06-27 11:29 90,112 --a------ C:\WINDOWS\system32\gjrqfdpk.dll
2008-06-26 16:58 . 2008-06-26 16:58 26,112 --a------ C:\WINDOWS\system32\xxyyaBsP.dll
2008-06-26 16:54 . 2008-06-26 16:54 26,112 --a------ C:\WINDOWS\system32\pmnoNecB.dll
2008-06-26 16:51 . 2008-06-26 16:51 26,112 --a------ C:\WINDOWS\system32\ljJAqnMf.dll
2008-06-26 16:49 . 2008-06-26 16:49 26,112 --a------ C:\WINDOWS\system32\geBsRJDV.dll
2008-06-26 16:02 . 2008-06-13 07:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-23 21:00 . 2008-06-23 21:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PIXELA
2008-06-23 20:51 . 2008-06-23 20:51 <DIR> d-------- C:\Program Files\PIXELA
2008-06-19 09:13 . 2008-06-19 09:13 <DIR> d-------- C:\Program Files\temp
2008-06-09 21:46 . 2008-06-09 21:46 <DIR> d--hs---- C:\Documents and Settings\All Users\Application Data\System Restore
2008-06-03 21:09 . 2008-06-03 21:09 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-05-19 20:53 . 2007-02-06 16:31 109,568 --a------ C:\WINDOWS\system32\pxinsi64.exe
2008-05-19 20:53 . 2007-02-06 16:31 108,544 --a------ C:\WINDOWS\system32\pxcpyi64.exe
2008-05-13 14:53 . 2008-05-13 15:44 <DIR> d-------- C:\Program Files\thinkorswim
2008-05-09 23:18 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-05-09 23:18 . 2004-08-04 00:56 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2008-05-09 23:18 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-05-09 23:18 . 2004-08-03 22:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-05-09 11:57 . 2008-06-18 08:52 <DIR> d-------- C:\Documents and Settings\mfaini\Application Data\skypePM
2008-05-09 11:57 . 2008-05-09 11:57 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-05-09 11:23 . 2008-06-18 09:35 <DIR> d-------- C:\Documents and Settings\mfaini\Application Data\Skype
2008-05-09 11:19 . 2008-05-09 11:19 <DIR> d-------- C:\Program Files\Skype
2008-05-09 11:19 . 2008-05-09 11:19 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-05-09 11:19 . 2008-05-09 11:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-05-05 13:29 . 2008-06-02 11:01 <DIR> d-------- C:\Program Files\Xobni

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-27 22:26 --------- d-----w C:\Documents and Settings\mfaini\Application Data\.purple
2008-06-24 02:51 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-23 16:32 --------- d-----w C:\Program Files\Connected
2008-06-19 16:27 --------- d-----w C:\Documents and Settings\mfaini\Application Data\gtk-2.0
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-15 15:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-05-10 15:45 --------- d-----w C:\Documents and Settings\mfaini\Application Data\Autodesk
2008-05-10 15:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Autodesk
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-06 22:07 --------- d-----w C:\Program Files\Pidgin
2008-05-06 22:07 --------- d-----w C:\Program Files\Aspell
2008-04-29 20:33 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-29 20:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-04-28 05:45 --------- d-----w C:\Documents and Settings\mfaini\Application Data\Apple Computer
2008-04-28 05:44 --------- d-----w C:\Program Files\QuickTime
2008-04-28 05:44 --------- d-----w C:\Program Files\iTunes
2008-04-28 05:44 --------- d-----w C:\Program Files\iPod
2008-04-28 05:44 --------- d-----w C:\Program Files\Bonjour
2008-04-28 05:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-28 05:42 --------- d-----w C:\Program Files\Common Files\Apple
2008-04-28 05:42 --------- d-----w C:\Program Files\Apple Software Update
2008-04-28 05:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-04-21 07:04 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-05 00:03 257 ----a-w C:\Program Files\Altira
2008-03-26 08:09 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-25 16:20 219,936 ----a-w C:\WINDOWS\system32\msltus40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2007-12-04 23:21 979,848 ----a-w C:\Program Files\Common Files\CiscoUnifiedVideoAdvantageInstall.log
2007-11-21 19:32 56,912 ----a-w C:\Documents and Settings\mfaini\g2mdlhlpx.exe
2008-02-06 22:02 44,360 ----a-w C:\Program Files\mozilla firefox\plugins\atgpcdec.dll
2008-02-06 22:02 107,928 ----a-w C:\Program Files\mozilla firefox\plugins\atgpcext.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{018B27FF-E05F-4CB5-8763-540CB3FD457A}]
2008-06-26 16:49 26112 --a------ C:\WINDOWS\system32\geBsRJDV.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{684A2C96-1067-4139-B27A-BEF06AA9DA51}]
C:\WINDOWS\system32\tuvWoPJc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f651bda6-e29f-4775-bf60-7acdc232541f}]
2008-06-29 12:28 103424 --a------ C:\WINDOWS\system32\enqgaz.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 17:56 15360]
"DiskCleanup"="C:\WINDOWS\CISCO_IT\Scripts\DiskCleanup\DiskCleanup.vbs" [2006-06-22 13:17 13730]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CoolSwitch"="C:\WINDOWS\system32\taskswitch.exe" [2002-03-19 19:30 45632]
"PtiuPbmd"="ptipbm.dll" [2003-09-16 09:26 24576 C:\WINDOWS\system32\ptipbm.dll]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-05-17 18:53 8433664]
"BluetoothAuthenticationAgent"="bthprops.cpl,,BluetoothAuthenticationAgent" []
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2007-07-05 13:07 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-07-05 13:07 512000]
"TPHOTKEY"="C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 08:49 66176]
"TpShocks"="TpShocks.exe" [2007-03-29 20:40 181808 C:\WINDOWS\system32\TpShocks.exe]
"PWRMGRTR"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2007-09-05 19:18 200704]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2007-09-05 19:18 208896]
"TPFNF7"="C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2007-04-09 21:03 58416]
"TP4EX"="tp4ex.exe" [2005-10-17 03:11 65536 C:\WINDOWS\system32\TP4EX.exe]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2007-01-09 18:28 868352]
"LPManager"="C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe" [2007-03-22 20:02 120368]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-04-26 20:33 243248]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 22:00 94208]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 15:39 136768]
"AeXAgentLogon"="C:\PROGRA~1\Altiris\ALTIRI~1\AeXAgentActivate.exe" [2008-01-30 21:06 143360]
"CMGShieldUI"="C:\Program Files\Credant\CMG Shield\CMGShieldUI.exe" [2007-05-29 16:01 356352]
"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2007-01-02 12:35 167936]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"OdTray.exe"="C:\Program Files\Funk Software\Odyssey Client\OdTray.exe" [2006-08-17 12:06 1052735]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 04:06 40048]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Adobe Photoshop Lightroom\apdproxy.exe" [2007-02-06 16:30 61440]
"3c5d4e4f"="C:\WINDOWS\system32\rtpvougj.dll" [2008-06-29 12:25 81920]
"BM3f6e7dd3"="C:\WINDOWS\system32\qanfbwkb.dll" [2008-06-29 12:24 90624]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Cisco Security Agent.lnk - C:\Program Files\Cisco Systems\CSAgent\bin\okclient.exe [2007-11-08 08:34:07 450560]
Connected TaskBar Icon.LNK - C:\Program Files\Connected\CBSysTray.exe [2007-11-13 16:39:26 114688]
GKProbe.lnk - C:\Program Files\Credant\Gatekeeper\GKProbe.exe [2005-09-06 20:39:56 708608]
ImageMixer 3 SE Camera Monitor.lnk - C:\Program Files\PIXELA\ImageMixer 3 SE\CameraMonitor.exe [2008-06-23 20:51:44 253952]
Manage Printers.lnk - C:\Program Files\Cisco Systems\CEPS\AddPrinter.exe [2006-12-11 16:51:08 139264]
VPN Client.lnk - C:\WINDOWS\Installer\{3E5562ED-69AB-4CEC-91E2-64E18EC5ACC6}\Icon3E5562ED7.ico [2007-11-08 08:25:57 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogoff"= 1
"NoSMConfigurePrograms"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{018B27FF-E05F-4CB5-8763-540CB3FD457A}"= C:\WINDOWS\system32\geBsRJDV.dll [2008-06-26 16:49 26112]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\CMGShieldNP]
C:\Program Files\Credant\CMG Shield\CMGShieldNP.dll 2007-05-29 16:01 253952 C:\Program Files\Credant\CMG Shield\CMGShieldNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBsRJDV]
geBsRJDV.dll 2008-06-26 16:49 26112 C:\WINDOWS\system32\geBsRJDV.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OdysseyClient]
odyEvent.dll 2007-11-21 13:11 106496 C:\WINDOWS\system32\odyEvent.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PAStates]
PAStates.dll 2005-11-07 13:37 94208 C:\WINDOWS\system32\PAStates.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
C:\Program Files\Lenovo\HOTKEY\notifyf2.dll 2006-09-06 10:37 34344 C:\Program Files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
C:\Program Files\Lenovo\HOTKEY\tphklock.dll 2006-12-14 05:06 28672 C:\Program Files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=AMINIT.dll csauser.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VXTR"= vxtr.dll
"VIDC.H261"= h261_32.dll
"VIDC.SM4V"= SorensonMPEG4Dec.dll
"msacm.voxacm150"= vct32150.acm

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"nwiz"=nwiz.exe /installquiet /keeploaded /nodetect

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Cisco Systems\\Cisco Unified Video Advantage\\VideoAdvantage.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R0 aac;Adaptec RAID Miniport Driver;C:\WINDOWS\system32\DRIVERS\aac.sys [2004-08-19 09:53]
R0 csacenter;Cisco Security Agent Rule Engine;C:\WINDOWS\system32\drivers\csacentr.sys [2007-12-19 13:58]
R0 csafile;Cisco Security Agent File Access Controller;C:\WINDOWS\system32\drivers\csafile.sys [2007-12-19 13:58]
R0 csanet;Cisco Security Agent Packet Verifier;C:\WINDOWS\system32\drivers\csanet.sys [2007-12-19 13:59]
R0 csareg;Cisco Security Agent Registry Access Controller;C:\WINDOWS\system32\drivers\csareg.sys [2007-12-19 13:58]
R0 odFips;odFips;C:\WINDOWS\system32\drivers\odFips.sys [2006-08-17 10:58]
R0 Shockprf;Shockprf;C:\WINDOWS\system32\DRIVERS\Apsx86.sys [2007-03-02 19:49]
R0 TPDIGIMN;TPDIGIMN;C:\WINDOWS\system32\DRIVERS\ApsHM86.sys [2007-03-02 19:47]
R1 CCDevice;CCDevice;C:\WINDOWS\system32\drivers\CCDevice.sys [2005-03-23 21:14]
R1 csatdi;Cisco Security Agent Network Access Controller;C:\WINDOWS\system32\drivers\csatdi.sys [2007-12-19 13:58]
R1 TPPWRIF;TPPWRIF;C:\WINDOWS\system32\drivers\Tppwrif.sys [2007-09-05 19:18]
R2 atchksrv;Intel(R) Active Management Technology System Status Service;C:\Program Files\Intel\AMT\atchksrv.exe [2007-04-10 07:10]
R2 CdpPacket;Cisco Discovery Protocol Packet Driver;C:\WINDOWS\system32\DRIVERS\CdpPacket.sys [2007-09-06 19:29]
R2 CEPS Watch;CEPS Watch;C:\Program Files\Cisco Systems\CEPS\CEPSWatch.exe [2007-10-01 06:52]
R2 CtaEoU;Cisco Trust Agent EOU Daemon;"C:\Program Files\Cisco Systems\CiscoTrustAgent\CtaEoU.exe" [2005-11-07 13:36]
R2 ctalogd;Cisco Trust Agent Logger Daemon;"C:\Program Files\Cisco Systems\CiscoTrustAgent\ctalogd.exe" [2005-11-07 13:37]
R2 ctapsd;Cisco Posture Server Daemon;"C:\Program Files\Cisco Systems\CiscoTrustAgent\ctapsd.exe" [2005-11-07 13:36]
R2 ctatransapt;Cisco Systems, Inc. CTA Posture State Daemon;"C:\Program Files\Cisco Systems\CiscoTrustAgent\ctatransapt.exe" [2005-11-07 13:37]
R2 CvlCdpPacket;Cisco VT Advantage CDP Packet Driver;C:\WINDOWS\system32\DRIVERS\CdpPacketWdmCvl.sys [2006-10-18 16:58]
R2 guardian;CREDANT Mobile Guardian Gatekeeper;"C:\Program Files\Credant\Gatekeeper\Gatekeeper.exe" [2005-09-06 20:40]
R2 LMS;Intel(R) Active Management Technology Local Management Service;C:\Program Files\Intel\AMT\LMS.exe [2007-04-10 07:10]
R2 UNS;Intel(R) Active Management Technology User Notification Service;C:\Program Files\Intel\AMT\UNS.exe [2007-04-10 07:10]
R2 XobniService;XobniService;"C:\Program Files\Xobni\XobniService.exe" [2008-05-15 17:34]
R3 LenovoRd;LenovoRd;C:\WINDOWS\system32\Drivers\LenovoRd.sys [2007-06-08 03:36]
R3 odysseyIM4;Odyssey Network Driver Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM4.sys [2006-08-17 11:51]
S3 CiscoCam8116;Cisco VT Camera(1);C:\WINDOWS\system32\DRIVERS\CamDrC21.sys [2006-04-14 08:17]
S3 OracleOraHome81ClientCache;OracleOraHome81ClientCache;C:\oracle\ora81\bin\ONRSD.EXE [2000-10-19 13:55]
S4 CSAgent;Cisco Security Agent;"C:\Program Files\Cisco Systems\CSAgent\bin\CSAControl.exe" -t c []


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5}]
rundll32.exe advpack.dll,LaunchINFSectionEx C:\WINDOWS\INF\wmactedp.inf,PerUserStub,,4
.
Contents of the 'Scheduled Tasks' folder
"2008-06-30 14:25:12 C:\WINDOWS\Tasks\PMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-30 08:23:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\jguovptr.ini 294 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\PAStates.dll
-> C:\Program Files\Lenovo\HOTKEY\tphklock.dll
-> C:\Program Files\Credant\CMG Shield\CMGShieldNP.dll
-> C:\WINDOWS\system32\geBsRJDV.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\rtpvougj.dll
-> C:\WINDOWS\system32\qanfbwkb.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ibmpmsvc.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
C:\WINDOWS\system32\scardsvr.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\Program Files\Connected\AGENTSRV.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CCSRVC.exe
C:\PROGRA~1\CISCOS~1\CEPS\CEPSWA~1.EXE
C:\Program Files\Altiris\Carbon Copy\ShellKer.exe
C:\WINDOWS\system32\clipsrv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\WINDOWS\system32\TPHDEXLG.exe
C:\WINDOWS\system32\TpKmpSvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
C:\PROGRA~1\Altiris\CARBON~1\Client.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\ZOOM\TpScrex.exe
C:\Program Files\McAfee\Common Framework\Mctray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscript.exe
.
**************************************************************************
.
Completion time: 2008-06-30 8:28:53 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-30 14:28:41

Pre-Run: 61,607,682,048 bytes free
Post-Run: 61,817,118,720 bytes free

281




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:31, on 2008-06-30
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Cisco Systems\CiscoTrustAgent\ctalogd.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Cisco Systems\CiscoTrustAgent\ctapsd.exe
C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
C:\Program Files\Cisco Systems\CiscoTrustAgent\CtaEoU.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\CiscoTrustAgent\ctatransapt.exe
C:\WINDOWS\system32\netdde.exe
C:\PROGRA~1\Altiris\ALTIRI~1\AeXNSAgent.exe
C:\Program Files\Connected\AgentSrv.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\AMT\atchksrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\ccsrvc.exe
C:\Program Files\Cisco Systems\CEPS\CEPSWatch.exe
C:\Program Files\Altiris\Carbon Copy\shellker.exe
C:\WINDOWS\system32\clipsrv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Credant\Gatekeeper\Gatekeeper.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Intel\AMT\UNS.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Xobni\XobniService.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
C:\PROGRA~1\Altiris\CARBON~1\client.exe
C:\WINDOWS\system32\taskswitch.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\WINDOWS\system32\TpShocks.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Credant\CMG Shield\CMGShieldUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Funk Software\Odyssey Client\OdTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Adobe Photoshop Lightroom\apdproxy.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Cisco Systems\CSAgent\bin\okclient.exe
C:\Program Files\Connected\CBSysTray.exe
C:\Program Files\Credant\Gatekeeper\GKProbe.exe
C:\Program Files\PIXELA\ImageMixer 3 SE\CameraMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\WScript.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Cisco Systems\CEPS\CEPSWatch.exe
C:\Documents and Settings\mfaini\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wwwin.cisco.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://wwwin.cisco.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {018B27FF-E05F-4CB5-8763-540CB3FD457A} - C:\WINDOWS\system32\geBsRJDV.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {684A2C96-1067-4139-B27A-BEF06AA9DA51} - C:\WINDOWS\system32\tuvWoPJc.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: {f145232c-dca7-06fb-5774-f92e6adb156f} - {f651bda6-e29f-4775-bf60-7acdc232541f} - C:\WINDOWS\system32\enqgaz.dll
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [AeXAgentLogon] C:\PROGRA~1\Altiris\ALTIRI~1\AeXAgentActivate.exe /logon
O4 - HKLM\..\Run: [CMGShieldUI] C:\Program Files\Credant\CMG Shield\CMGShieldUI.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [OdTray.exe] "C:\Program Files\Funk Software\Odyssey Client\OdTray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom\apdproxy.exe"
O4 - HKLM\..\Run: [3c5d4e4f] rundll32.exe "C:\WINDOWS\system32\rtpvougj.dll",b
O4 - HKLM\..\Run: [BM3f6e7dd3] Rundll32.exe "C:\WINDOWS\system32\qanfbwkb.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DiskCleanup] C:\WINDOWS\CISCO_IT\Scripts\DiskCleanup\DiskCleanup.vbs
O4 - Global Startup: Cisco Security Agent.lnk = C:\Program Files\Cisco Systems\CSAgent\bin\okclient.exe
O4 - Global Startup: Connected TaskBar Icon.LNK = C:\Program Files\Connected\CBSysTray.exe
O4 - Global Startup: GKProbe.lnk = C:\Program Files\Credant\Gatekeeper\GKProbe.exe
O4 - Global Startup: ImageMixer 3 SE Camera Monitor.lnk = ?
O4 - Global Startup: Manage Printers.lnk = C:\Program Files\Cisco Systems\CEPS\AddPrinter.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {205E7068-6D03-4566-AD06-A146B592FBA5} (Loader Class v2) - http://qualitycenter.cisco.com/qcbin/Spider80.ocx
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0) - http://wwwin-hrdev.cisco.com:8027/OA_HTML/oaj2se.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{690A10D9-8DEA-4C11-B3F7-ADEBD766C0D8}: Domain = cisco.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cisco.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = cisco.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = cisco.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = cisco.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = cisco.com
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: AMINIT.dll csauser.dll
O20 - Winlogon Notify: CMGShieldNP - C:\Program Files\Credant\CMG Shield\CMGShieldNP.dll
O20 - Winlogon Notify: geBsRJDV - C:\WINDOWS\SYSTEM32\geBsRJDV.dll
O20 - Winlogon Notify: PAStates - C:\WINDOWS\SYSTEM32\PAStates.dll
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\PROGRA~1\Altiris\ALTIRI~1\AeXNSAgent.exe
O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\Connected\AgentSrv.EXE
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Intel(R) Active Management Technology System Status Service (atchksrv) - Intel Corporation - C:\Program Files\Intel\AMT\atchksrv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Altiris Carbon Copy (CarbonCopy32) - Altiris - C:\WINDOWS\system32\ccsrvc.exe
O23 - Service: Carbon Copy Scheduler (CarbonCopyScheduler) - Altiris - C:\WINDOWS\system32\schdsrvc.exe
O23 - Service: CEPS Watch - Cisco Systems - C:\Program Files\Cisco Systems\CEPS\CEPSWatch.exe
O23 - Service: Cisco Trust Agent EOU Daemon (CtaEoU) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\CiscoTrustAgent\CtaEoU.exe
O23 - Service: Cisco Trust Agent Logger Daemon (ctalogd) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\CiscoTrustAgent\ctalogd.exe
O23 - Service: Cisco Posture Server Daemon (ctapsd) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\CiscoTrustAgent\ctapsd.exe
O23 - Service: Cisco Systems, Inc. CTA Posture State Daemon (ctatransapt) - Unknown owner - C:\Program Files\Cisco Systems\CiscoTrustAgent\ctatransapt.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: CREDANT Mobile Guardian Gatekeeper (guardian) - CREDANT Technologies - C:\Program Files\Credant\Gatekeeper\Gatekeeper.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPassConnectEngine - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPassPeriodicUpdateApp - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
O23 - Service: iPassPeriodicUpdateService - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) Active Management Technology Local Management Service (LMS) - Intel Corporation - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Odyssey Client (odClientService) - Funk Software, Inc. - C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - C:\oracle\ora81\bin\ONRSD.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: Intel(R) Active Management Technology User Notification Service (UNS) - Intel Corporation - C:\Program Files\Intel\AMT\UNS.exe
O23 - Service: XobniService - Xobni Corporation - C:\Program Files\Xobni\XobniService.exe

--
End of file - 14560 bytes
 
Last edited by a moderator:
Hi

Please post the logs straight into reply box instead of using attachments. Exceptions are those logs that take so much space that won't fit into reply.

Open notepad and copy/paste the text in the quotebox below into it:

Code: 
File::
C:\WINDOWS\system32\xuichmyb.dll
C:\WINDOWS\system32\enqgaz.dll
C:\WINDOWS\system32\rtpvougj.dll
C:\WINDOWS\system32\qanfbwkb.dll
C:\WINDOWS\system32\bdeiit.dll
C:\WINDOWS\system32\fwpungte.dll
C:\WINDOWS\system32\fcnqjmhh.dll
C:\WINDOWS\system32\xkejbgxq.dll
C:\WINDOWS\system32\chcehi.dll
C:\WINDOWS\system32\gjrqfdpk.dll
C:\WINDOWS\system32\xxyyaBsP.dll
C:\WINDOWS\system32\pmnoNecB.dll
C:\WINDOWS\system32\ljJAqnMf.dll
C:\WINDOWS\system32\geBsRJDV.dll
C:\WINDOWS\system32\jguovptr.ini
C:\WINDOWS\system32\geBsRJDV.dll

DirLook::
C:\Program Files\temp

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{018B27FF-E05F-4CB5-8763-540CB3FD457A}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{684A2C96-1067-4139-B27A-BEF06AA9DA51}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f651bda6-e29f-4775-bf60-7acdc232541f}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"3c5d4e4f"=-
"BM3f6e7dd3"=-

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{018B27FF-E05F-4CB5-8763-540CB3FD457A}"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBsRJDV]


Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

CFScript.gif


Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Please post contents of that file & a fresh hjt log in your next reply.
 
Malwarebytes update

Hi Blade81,

I performed everything up to the malwarebytes.

The Update pop-up does not show any progress, and the message is always saying "Looking for Malwarebytes.org".

I checked connectivity and I can access the internet just fine.

Please let me know what I should do.

Thanks
 
Hi

But have you allowed access for Malwarebytes' A-M? If yes, then try scanning with the database that came with the installation file by skipping update step and doing full scan.
 
3 Log files

Hi Blade81,

I was not able to run the update for Malwarebytes, so I executed the full scan from the local db.

Here are the 3 logs, Combofix, Malawarebytes, and HJT.
Thank you again.

ComboFix 08-06-20.4 - mfaini 2008-06-30 10:09:04.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1382 [GMT -6:00]
Running from: C:\Documents and Settings\mfaini\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\mfaini\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\bdeiit.dll
C:\WINDOWS\system32\chcehi.dll
C:\WINDOWS\system32\enqgaz.dll
C:\WINDOWS\system32\fcnqjmhh.dll
C:\WINDOWS\system32\fwpungte.dll
C:\WINDOWS\system32\geBsRJDV.dll
C:\WINDOWS\system32\gjrqfdpk.dll
C:\WINDOWS\system32\jguovptr.ini
C:\WINDOWS\system32\ljJAqnMf.dll
C:\WINDOWS\system32\pmnoNecB.dll
C:\WINDOWS\system32\qanfbwkb.dll
C:\WINDOWS\system32\rtpvougj.dll
C:\WINDOWS\system32\xkejbgxq.dll
C:\WINDOWS\system32\xuichmyb.dll
C:\WINDOWS\system32\xxyyaBsP.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\bdeiit.dll
C:\WINDOWS\system32\chcehi.dll
C:\WINDOWS\system32\enqgaz.dll
C:\WINDOWS\system32\fcnqjmhh.dll
C:\WINDOWS\system32\fwpungte.dll
C:\WINDOWS\system32\geBsRJDV.dll
C:\WINDOWS\system32\gjrqfdpk.dll
C:\WINDOWS\system32\jguovptr.ini
C:\WINDOWS\system32\ljJAqnMf.dll
C:\WINDOWS\system32\pmnoNecB.dll
C:\WINDOWS\system32\qanfbwkb.dll
C:\WINDOWS\system32\rtpvougj.dll
C:\WINDOWS\system32\xkejbgxq.dll
C:\WINDOWS\system32\xuichmyb.dll
C:\WINDOWS\system32\xxyyaBsP.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-30 )))))))))))))))))))))))))))))))
.

2008-06-30 08:25 . 2008-06-30 08:25 0 --a------ C:\WINDOWS\BM3f6e7dd3.xml
2008-06-27 14:05 . 2008-06-28 10:11 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-27 14:05 . 2008-06-28 11:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-26 16:02 . 2008-06-13 07:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-23 21:00 . 2008-06-23 21:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PIXELA
2008-06-23 20:51 . 2008-06-23 20:51 <DIR> d-------- C:\Program Files\PIXELA
2008-06-19 09:13 . 2008-06-19 09:13 <DIR> d-------- C:\Program Files\temp
2008-06-09 21:46 . 2008-06-09 21:46 <DIR> d--hs---- C:\Documents and Settings\All Users\Application Data\System Restore
2008-06-03 21:09 . 2008-06-03 21:09 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-05-19 20:53 . 2007-02-06 16:31 109,568 --a------ C:\WINDOWS\system32\pxinsi64.exe
2008-05-19 20:53 . 2007-02-06 16:31 108,544 --a------ C:\WINDOWS\system32\pxcpyi64.exe
2008-05-13 14:53 . 2008-05-13 15:44 <DIR> d-------- C:\Program Files\thinkorswim
2008-05-09 23:18 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-05-09 23:18 . 2004-08-04 00:56 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2008-05-09 23:18 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-05-09 23:18 . 2004-08-03 22:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-05-09 11:57 . 2008-06-18 08:52 <DIR> d-------- C:\Documents and Settings\mfaini\Application Data\skypePM
2008-05-09 11:57 . 2008-05-09 11:57 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-05-09 11:23 . 2008-06-18 09:35 <DIR> d-------- C:\Documents and Settings\mfaini\Application Data\Skype
2008-05-09 11:19 . 2008-05-09 11:19 <DIR> d-------- C:\Program Files\Skype
2008-05-09 11:19 . 2008-05-09 11:19 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-05-09 11:19 . 2008-05-09 11:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-05-05 13:29 . 2008-06-02 11:01 <DIR> d-------- C:\Program Files\Xobni

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-27 22:26 --------- d-----w C:\Documents and Settings\mfaini\Application Data\.purple
2008-06-24 02:51 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-23 16:32 --------- d-----w C:\Program Files\Connected
2008-06-19 16:27 --------- d-----w C:\Documents and Settings\mfaini\Application Data\gtk-2.0
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-15 15:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-05-10 15:45 --------- d-----w C:\Documents and Settings\mfaini\Application Data\Autodesk
2008-05-10 15:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Autodesk
2008-05-06 22:07 --------- d-----w C:\Program Files\Pidgin
2008-05-06 22:07 --------- d-----w C:\Program Files\Aspell
2008-04-29 20:33 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-29 20:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-04-28 05:45 --------- d-----w C:\Documents and Settings\mfaini\Application Data\Apple Computer
2008-04-28 05:44 --------- d-----w C:\Program Files\QuickTime
2008-04-28 05:44 --------- d-----w C:\Program Files\iTunes
2008-04-28 05:44 --------- d-----w C:\Program Files\iPod
2008-04-28 05:44 --------- d-----w C:\Program Files\Bonjour
2008-04-28 05:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-28 05:42 --------- d-----w C:\Program Files\Common Files\Apple
2008-04-28 05:42 --------- d-----w C:\Program Files\Apple Software Update
2008-04-28 05:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-04-05 00:03 257 ----a-w C:\Program Files\Altira
2007-12-04 23:21 979,848 ----a-w C:\Program Files\Common Files\CiscoUnifiedVideoAdvantageInstall.log
2007-11-21 19:32 56,912 ----a-w C:\Documents and Settings\mfaini\g2mdlhlpx.exe
2008-02-06 22:02 44,360 ----a-w C:\Program Files\mozilla firefox\plugins\atgpcdec.dll
2008-02-06 22:02 107,928 ----a-w C:\Program Files\mozilla firefox\plugins\atgpcext.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Program Files\temp ----

2008-06-19 09:14 25724 --a------ C:\Program Files\temp\mp-rtp-c2-w1.cisco.com\Tue_04_18_2006__12_25p\HostingInterfaceRes.dll
2008-06-19 09:14 25708 --a------ C:\Program Files\temp\mp-rtp-c2-w1.cisco.com\Tue_04_18_2006__12_25p\015.dll
2008-06-19 09:14 25708 --a------ C:\Program Files\temp\mp-rtp-c2-w1.cisco.com\Tue_04_18_2006__12_25p\014.dll
2008-06-19 09:14 25708 --a------ C:\Program Files\temp\mp-rtp-c2-w1.cisco.com\Tue_04_18_2006__12_25p\007.dll
2008-06-19 09:14 25708 --a------ C:\Program Files\temp\mp-rtp-c2-w1.cisco.com\Tue_04_18_2006__12_25p\006.dll
2008-06-19 09:14 25708 --a------ C:\Program Files\temp\mp-rtp-c2-w1.cisco.com\Tue_04_18_2006__12_25p\005.dll
2008-06-19 09:14 25708 --a------ C:\Program Files\temp\mp-rtp-c2-w1.cisco.com\Tue_04_18_2006__12_25p\004.dll
2008-06-19 09:14 25708 --a------ C:\Program Files\temp\mp-rtp-c2-w1.cisco.com\Tue_04_18_2006__12_25p\003.dll
2008-06-19 09:14 25708 --a------ C:\Program Files\temp\mp-rtp-c2-w1.cisco.com\Tue_04_18_2006__12_25p\002.dll
2008-06-19 09:14 25708 --a------ C:\Program Files\temp\mp-rtp-c2-w1.cisco.com\Tue_04_18_2006__12_25p\000.dll
2008-06-19 09:14 23 --a------ C:\Program Files\temp\mp-rtp-c2-w1.cisco.com\Tue_04_18_2006__12_25p\DCMSDownload.txt
2008-06-19 09:14 198009 --a------ C:\Program Files\temp\mp-rtp-c2-w1.cisco.com\Tue_04_18_2006__12_25p\HostingInterface.dll
2008-06-19 09:14 14563 --a------ C:\Program Files\temp\mp-rtp-c2-w1.cisco.com\Tue_04_18_2006__12_25p\HostingInputManagerLib.dll
2008-06-19 09:13 270637 --a------ C:\Program Files\temp\mp-rtp-c2-w1.cisco.com\Tue_04_18_2006__12_25p\host.dll
2008-06-19 09:13 14001 --a------ C:\Program Files\temp\mp-rtp-c2-w1.cisco.com\Tue_04_18_2006__12_25p\hostloadTue_04_18_2006__12_25p.dll


((((((((((((((((((((((((((((( snapshot@2008-06-30_ 8.28.04.98 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-30 14:22:35 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-30 16:14:19 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-30 16:14:28 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_158.dat
+ 2008-06-30 16:15:05 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_654.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 17:56 15360]
"DiskCleanup"="C:\WINDOWS\CISCO_IT\Scripts\DiskCleanup\DiskCleanup.vbs" [2006-06-22 13:17 13730]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CoolSwitch"="C:\WINDOWS\system32\taskswitch.exe" [2002-03-19 19:30 45632]
"PtiuPbmd"="ptipbm.dll" [2003-09-16 09:26 24576 C:\WINDOWS\system32\ptipbm.dll]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-05-17 18:53 8433664]
"BluetoothAuthenticationAgent"="bthprops.cpl,,BluetoothAuthenticationAgent" []
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2007-07-05 13:07 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-07-05 13:07 512000]
"TPHOTKEY"="C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 08:49 66176]
"TpShocks"="TpShocks.exe" [2007-03-29 20:40 181808 C:\WINDOWS\system32\TpShocks.exe]
"PWRMGRTR"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2007-09-05 19:18 200704]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2007-09-05 19:18 208896]
"TPFNF7"="C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2007-04-09 21:03 58416]
"TP4EX"="tp4ex.exe" [2005-10-17 03:11 65536 C:\WINDOWS\system32\TP4EX.exe]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2007-01-09 18:28 868352]
"LPManager"="C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe" [2007-03-22 20:02 120368]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-04-26 20:33 243248]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 22:00 94208]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 15:39 136768]
"AeXAgentLogon"="C:\PROGRA~1\Altiris\ALTIRI~1\AeXAgentActivate.exe" [2008-01-30 21:06 143360]
"CMGShieldUI"="C:\Program Files\Credant\CMG Shield\CMGShieldUI.exe" [2007-05-29 16:01 356352]
"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2007-01-02 12:35 167936]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"OdTray.exe"="C:\Program Files\Funk Software\Odyssey Client\OdTray.exe" [2006-08-17 12:06 1052735]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 04:06 40048]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Adobe Photoshop Lightroom\apdproxy.exe" [2007-02-06 16:30 61440]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Cisco Security Agent.lnk - C:\Program Files\Cisco Systems\CSAgent\bin\okclient.exe [2007-11-08 08:34:07 450560]
Connected TaskBar Icon.LNK - C:\Program Files\Connected\CBSysTray.exe [2007-11-13 16:39:26 114688]
GKProbe.lnk - C:\Program Files\Credant\Gatekeeper\GKProbe.exe [2005-09-06 20:39:56 708608]
ImageMixer 3 SE Camera Monitor.lnk - C:\Program Files\PIXELA\ImageMixer 3 SE\CameraMonitor.exe [2008-06-23 20:51:44 253952]
Manage Printers.lnk - C:\Program Files\Cisco Systems\CEPS\AddPrinter.exe [2006-12-11 16:51:08 139264]
VPN Client.lnk - C:\WINDOWS\Installer\{3E5562ED-69AB-4CEC-91E2-64E18EC5ACC6}\Icon3E5562ED7.ico [2007-11-08 08:25:57 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogoff"= 1
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\CMGShieldNP]
C:\Program Files\Credant\CMG Shield\CMGShieldNP.dll 2007-05-29 16:01 253952 C:\Program Files\Credant\CMG Shield\CMGShieldNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OdysseyClient]
odyEvent.dll 2007-11-21 13:11 106496 C:\WINDOWS\system32\odyEvent.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PAStates]
PAStates.dll 2005-11-07 13:37 94208 C:\WINDOWS\system32\PAStates.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
C:\Program Files\Lenovo\HOTKEY\notifyf2.dll 2006-09-06 10:37 34344 C:\Program Files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
C:\Program Files\Lenovo\HOTKEY\tphklock.dll 2006-12-14 05:06 28672 C:\Program Files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=AMINIT.dll csauser.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VXTR"= vxtr.dll
"VIDC.H261"= h261_32.dll
"VIDC.SM4V"= SorensonMPEG4Dec.dll
"msacm.voxacm150"= vct32150.acm

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"nwiz"=nwiz.exe /installquiet /keeploaded /nodetect

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Cisco Systems\\Cisco Unified Video Advantage\\VideoAdvantage.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R0 aac;Adaptec RAID Miniport Driver;C:\WINDOWS\system32\DRIVERS\aac.sys [2004-08-19 09:53]
R0 csacenter;Cisco Security Agent Rule Engine;C:\WINDOWS\system32\drivers\csacentr.sys [2007-12-19 13:58]
R0 csafile;Cisco Security Agent File Access Controller;C:\WINDOWS\system32\drivers\csafile.sys [2007-12-19 13:58]
R0 csanet;Cisco Security Agent Packet Verifier;C:\WINDOWS\system32\drivers\csanet.sys [2007-12-19 13:59]
R0 csareg;Cisco Security Agent Registry Access Controller;C:\WINDOWS\system32\drivers\csareg.sys [2007-12-19 13:58]
R0 odFips;odFips;C:\WINDOWS\system32\drivers\odFips.sys [2006-08-17 10:58]
R0 Shockprf;Shockprf;C:\WINDOWS\system32\DRIVERS\Apsx86.sys [2007-03-02 19:49]
R0 TPDIGIMN;TPDIGIMN;C:\WINDOWS\system32\DRIVERS\ApsHM86.sys [2007-03-02 19:47]
R1 CCDevice;CCDevice;C:\WINDOWS\system32\drivers\CCDevice.sys [2005-03-23 21:14]
R1 csatdi;Cisco Security Agent Network Access Controller;C:\WINDOWS\system32\drivers\csatdi.sys [2007-12-19 13:58]
R1 TPPWRIF;TPPWRIF;C:\WINDOWS\system32\drivers\Tppwrif.sys [2007-09-05 19:18]
R2 atchksrv;Intel(R) Active Management Technology System Status Service;C:\Program Files\Intel\AMT\atchksrv.exe [2007-04-10 07:10]
R2 CdpPacket;Cisco Discovery Protocol Packet Driver;C:\WINDOWS\system32\DRIVERS\CdpPacket.sys [2007-09-06 19:29]
R2 CEPS Watch;CEPS Watch;C:\Program Files\Cisco Systems\CEPS\CEPSWatch.exe [2007-10-01 06:52]
R2 CtaEoU;Cisco Trust Agent EOU Daemon;"C:\Program Files\Cisco Systems\CiscoTrustAgent\CtaEoU.exe" [2005-11-07 13:36]
R2 ctalogd;Cisco Trust Agent Logger Daemon;"C:\Program Files\Cisco Systems\CiscoTrustAgent\ctalogd.exe" [2005-11-07 13:37]
R2 ctapsd;Cisco Posture Server Daemon;"C:\Program Files\Cisco Systems\CiscoTrustAgent\ctapsd.exe" [2005-11-07 13:36]
R2 ctatransapt;Cisco Systems, Inc. CTA Posture State Daemon;"C:\Program Files\Cisco Systems\CiscoTrustAgent\ctatransapt.exe" [2005-11-07 13:37]
R2 CvlCdpPacket;Cisco VT Advantage CDP Packet Driver;C:\WINDOWS\system32\DRIVERS\CdpPacketWdmCvl.sys [2006-10-18 16:58]
R2 guardian;CREDANT Mobile Guardian Gatekeeper;"C:\Program Files\Credant\Gatekeeper\Gatekeeper.exe" [2005-09-06 20:40]
R2 LMS;Intel(R) Active Management Technology Local Management Service;C:\Program Files\Intel\AMT\LMS.exe [2007-04-10 07:10]
R2 UNS;Intel(R) Active Management Technology User Notification Service;C:\Program Files\Intel\AMT\UNS.exe [2007-04-10 07:10]
R2 XobniService;XobniService;"C:\Program Files\Xobni\XobniService.exe" [2008-05-15 17:34]
R3 LenovoRd;LenovoRd;C:\WINDOWS\system32\Drivers\LenovoRd.sys [2007-06-08 03:36]
R3 odysseyIM4;Odyssey Network Driver Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM4.sys [2006-08-17 11:51]
S3 CiscoCam8116;Cisco VT Camera(1);C:\WINDOWS\system32\DRIVERS\CamDrC21.sys [2006-04-14 08:17]
S3 OracleOraHome81ClientCache;OracleOraHome81ClientCache;C:\oracle\ora81\bin\ONRSD.EXE [2000-10-19 13:55]
S4 CSAgent;Cisco Security Agent;"C:\Program Files\Cisco Systems\CSAgent\bin\CSAControl.exe" -t c []


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5}]
rundll32.exe advpack.dll,LaunchINFSectionEx C:\WINDOWS\INF\wmactedp.inf,PerUserStub,,4
.
Contents of the 'Scheduled Tasks' folder
"2008-06-30 16:16:37 C:\WINDOWS\Tasks\PMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-30 10:15:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\PAStates.dll
-> C:\Program Files\Lenovo\HOTKEY\tphklock.dll
-> C:\Program Files\Credant\CMG Shield\CMGShieldNP.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ibmpmsvc.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
C:\WINDOWS\system32\scardsvr.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\Program Files\Connected\AGENTSRV.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CCSRVC.exe
C:\PROGRA~1\CISCOS~1\CEPS\CEPSWA~1.EXE
C:\Program Files\Altiris\Carbon Copy\ShellKer.exe
C:\WINDOWS\system32\clipsrv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\TPHDEXLG.exe
C:\WINDOWS\system32\TpKmpSvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
C:\PROGRA~1\Altiris\CARBON~1\Client.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\ZOOM\TpScrex.exe
C:\Program Files\McAfee\Common Framework\Mctray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscript.exe
C:\PROGRA~1\CISCOS~1\CEPS\CEPSWA~1.EXE
.
**************************************************************************
.
Completion time: 2008-06-30 10:19:38 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-30 16:19:34
ComboFix2.txt 2008-06-30 14:28:55

Pre-Run: 61,954,093,056 bytes free
Post-Run: 61,933,436,928 bytes free

291


Malwarebytes' Anti-Malware 1.19
Database version: 899
Windows 5.1.2600 Service Pack 2

12:15:21 2008-06-30
mbam-log-6-30-2008 (12-15-21).txt

Scan type: Full Scan (C:\|)
Objects scanned: 128887
Time elapsed: 47 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\mfaini\My Documents\Installs\Adobe\AdobeExtract\ADOBE_ACROBAT_PRO_8\Crack\keygen.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\rtpvougj.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\vtUkjKcB.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{145E4538-FF2C-4E77-A041-092D0EEC750F}\RP251\A0035303.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{145E4538-FF2C-4E77-A041-092D0EEC750F}\RP252\A0035407.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:17, on 2008-06-30
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Cisco Systems\CiscoTrustAgent\ctalogd.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Cisco Systems\CiscoTrustAgent\ctapsd.exe
C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
C:\Program Files\Cisco Systems\CiscoTrustAgent\CtaEoU.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\CiscoTrustAgent\ctatransapt.exe
C:\WINDOWS\system32\netdde.exe
C:\PROGRA~1\Altiris\ALTIRI~1\AeXNSAgent.exe
C:\Program Files\Connected\AgentSrv.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\AMT\atchksrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\ccsrvc.exe
C:\Program Files\Cisco Systems\CEPS\CEPSWatch.exe
C:\Program Files\Altiris\Carbon Copy\shellker.exe
C:\WINDOWS\system32\clipsrv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Credant\Gatekeeper\Gatekeeper.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\Altiris\CARBON~1\client.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Intel\AMT\UNS.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\taskswitch.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\WINDOWS\system32\TpShocks.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Credant\CMG Shield\CMGShieldUI.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Funk Software\Odyssey Client\OdTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Adobe Photoshop Lightroom\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Cisco Systems\CSAgent\bin\okclient.exe
C:\Program Files\Connected\CBSysTray.exe
C:\Program Files\Credant\Gatekeeper\GKProbe.exe
C:\Program Files\PIXELA\ImageMixer 3 SE\CameraMonitor.exe
C:\WINDOWS\System32\WScript.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Xobni\XobniService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\mfaini\Desktop\HijackThis.exe
C:\Program Files\Cisco Systems\CEPS\CEPSWatch.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wwwin.cisco.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://wwwin.cisco.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [AeXAgentLogon] C:\PROGRA~1\Altiris\ALTIRI~1\AeXAgentActivate.exe /logon
O4 - HKLM\..\Run: [CMGShieldUI] C:\Program Files\Credant\CMG Shield\CMGShieldUI.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [OdTray.exe] "C:\Program Files\Funk Software\Odyssey Client\OdTray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom\apdproxy.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DiskCleanup] C:\WINDOWS\CISCO_IT\Scripts\DiskCleanup\DiskCleanup.vbs
O4 - Global Startup: Cisco Security Agent.lnk = C:\Program Files\Cisco Systems\CSAgent\bin\okclient.exe
O4 - Global Startup: Connected TaskBar Icon.LNK = C:\Program Files\Connected\CBSysTray.exe
O4 - Global Startup: GKProbe.lnk = C:\Program Files\Credant\Gatekeeper\GKProbe.exe
O4 - Global Startup: ImageMixer 3 SE Camera Monitor.lnk = ?
O4 - Global Startup: Manage Printers.lnk = C:\Program Files\Cisco Systems\CEPS\AddPrinter.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {205E7068-6D03-4566-AD06-A146B592FBA5} (Loader Class v2) - http://qualitycenter.cisco.com/qcbin/Spider80.ocx
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0) - http://wwwin-hrdev.cisco.com:8027/OA_HTML/oaj2se.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{690A10D9-8DEA-4C11-B3F7-ADEBD766C0D8}: Domain = cisco.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cisco.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = cisco.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = cisco.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = cisco.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = cisco.com
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: AMINIT.dll csauser.dll
O20 - Winlogon Notify: CMGShieldNP - C:\Program Files\Credant\CMG Shield\CMGShieldNP.dll
O20 - Winlogon Notify: PAStates - C:\WINDOWS\SYSTEM32\PAStates.dll
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\PROGRA~1\Altiris\ALTIRI~1\AeXNSAgent.exe
O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\Connected\AgentSrv.EXE
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Intel(R) Active Management Technology System Status Service (atchksrv) - Intel Corporation - C:\Program Files\Intel\AMT\atchksrv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Altiris Carbon Copy (CarbonCopy32) - Altiris - C:\WINDOWS\system32\ccsrvc.exe
O23 - Service: Carbon Copy Scheduler (CarbonCopyScheduler) - Altiris - C:\WINDOWS\system32\schdsrvc.exe
O23 - Service: CEPS Watch - Cisco Systems - C:\Program Files\Cisco Systems\CEPS\CEPSWatch.exe
O23 - Service: Cisco Trust Agent EOU Daemon (CtaEoU) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\CiscoTrustAgent\CtaEoU.exe
O23 - Service: Cisco Trust Agent Logger Daemon (ctalogd) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\CiscoTrustAgent\ctalogd.exe
O23 - Service: Cisco Posture Server Daemon (ctapsd) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\CiscoTrustAgent\ctapsd.exe
O23 - Service: Cisco Systems, Inc. CTA Posture State Daemon (ctatransapt) - Unknown owner - C:\Program Files\Cisco Systems\CiscoTrustAgent\ctatransapt.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: CREDANT Mobile Guardian Gatekeeper (guardian) - CREDANT Technologies - C:\Program Files\Credant\Gatekeeper\Gatekeeper.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPassConnectEngine - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPassPeriodicUpdateApp - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
O23 - Service: iPassPeriodicUpdateService - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) Active Management Technology Local Management Service (LMS) - Intel Corporation - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Odyssey Client (odClientService) - Funk Software, Inc. - C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - C:\oracle\ora81\bin\ONRSD.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: Intel(R) Active Management Technology User Notification Service (UNS) - Intel Corporation - C:\Program Files\Intel\AMT\UNS.exe
O23 - Service: XobniService - Xobni Corporation - C:\Program Files\Xobni\XobniService.exe

--
End of file - 13975 bytes
 
Hi

Delete C:\WINDOWS\BM3f6e7dd3.xml file. Then we'll do one more scan, this time with Kaspersky online scanner. :)


Please run an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, click Yes.
  • The program will launch and start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings and select the following:
Scan using the following Anti-Virus database:​
  • Extended (If available, otherwise Standard)
Scan Options:​
  • Scan Archives
  • Scan Mail Bases
  • Click OK.
  • Under
    select a target to scan
    , select My Computer.
  • The scan will take a while so be patient and let it run. As it scans your machine very deeply it could take hours to complete, Kaspersky suggests running it during a time of low activity.
Once the scan is complete:
  • Click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information into your next post if the AV content will fit into one post only. Post a fresh hjt log too.


Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.

If having a problme doing the above

Make sure that your Internet security settings are set to default values.

To set default security settings for Internet Explorer:

* Open Internet Explorer.
* Go to the Tools menu, then choose Internet Options.
* Click on the Security tab.
* Make sure that all four item (Internet, Local intranet, Trusted sites, and Restricted sites) are set to their default settings.
 
Kaspersky and HJT logs

Hello there.

I've deleted the xml as instructed. Please find below the 2 logs requested.

Thank you.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2008-06-30 15:10
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 30/06/2008
Kaspersky Anti-Virus database records: 899354
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 96161
Number of viruses found: 2
Number of infected objects: 16
Number of suspicious objects: 0
Duration of the scan process: 01:28:56

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Db\Agent_MFAINI-WXP01.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Db\PrdMgr_MFAINI-WXP01.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\AccessProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\OnAccessScanLog.txt Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\mfaini\Application Data\Mozilla\Firefox\Profiles\da2yno67.default\cert8.db Object is locked skipped
C:\Documents and Settings\mfaini\Application Data\Mozilla\Firefox\Profiles\da2yno67.default\content-prefs.sqlite Object is locked skipped
C:\Documents and Settings\mfaini\Application Data\Mozilla\Firefox\Profiles\da2yno67.default\cookies.sqlite Object is locked skipped
C:\Documents and Settings\mfaini\Application Data\Mozilla\Firefox\Profiles\da2yno67.default\downloads.sqlite Object is locked skipped
C:\Documents and Settings\mfaini\Application Data\Mozilla\Firefox\Profiles\da2yno67.default\formhistory.sqlite Object is locked skipped
C:\Documents and Settings\mfaini\Application Data\Mozilla\Firefox\Profiles\da2yno67.default\key3.db Object is locked skipped
C:\Documents and Settings\mfaini\Application Data\Mozilla\Firefox\Profiles\da2yno67.default\parent.lock Object is locked skipped
C:\Documents and Settings\mfaini\Application Data\Mozilla\Firefox\Profiles\da2yno67.default\permissions.sqlite Object is locked skipped
C:\Documents and Settings\mfaini\Application Data\Mozilla\Firefox\Profiles\da2yno67.default\places.sqlite Object is locked skipped
C:\Documents and Settings\mfaini\Application Data\Mozilla\Firefox\Profiles\da2yno67.default\places.sqlite-journal Object is locked skipped
C:\Documents and Settings\mfaini\Application Data\Mozilla\Firefox\Profiles\da2yno67.default\places.sqlite-stmtjrnl Object is locked skipped
C:\Documents and Settings\mfaini\Application Data\Mozilla\Firefox\Profiles\da2yno67.default\search.sqlite Object is locked skipped
C:\Documents and Settings\mfaini\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\mfaini\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\mfaini\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\mfaini\Local Settings\Application Data\Mozilla\Firefox\Profiles\da2yno67.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\mfaini\Local Settings\Application Data\Mozilla\Firefox\Profiles\da2yno67.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\mfaini\Local Settings\Application Data\Mozilla\Firefox\Profiles\da2yno67.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\mfaini\Local Settings\Application Data\Mozilla\Firefox\Profiles\da2yno67.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\mfaini\Local Settings\Application Data\Mozilla\Firefox\Profiles\da2yno67.default\urlclassifier3.sqlite Object is locked skipped
C:\Documents and Settings\mfaini\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\mfaini\Local Settings\History\History.IE5\MSHist012008063020080701\index.dat Object is locked skipped
C:\Documents and Settings\mfaini\Local Settings\Temp\~DFAD74.tmp Object is locked skipped
C:\Documents and Settings\mfaini\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\mfaini\My Documents\Downloads\PINNACLE.STUDIO.12.ULTIMATE-NZ\STUDIO12 ULTIMATE.iso/setup.exe/file.exe Infected: Trojan.Win32.Monderc.gen skipped
C:\Documents and Settings\mfaini\My Documents\Downloads\PINNACLE.STUDIO.12.ULTIMATE-NZ\STUDIO12 ULTIMATE.iso/setup.exe Infected: Trojan.Win32.Monderc.gen skipped
C:\Documents and Settings\mfaini\My Documents\Downloads\PINNACLE.STUDIO.12.ULTIMATE-NZ\STUDIO12 ULTIMATE.iso ISOimage: infected - 2 skipped
C:\Documents and Settings\mfaini\ntuser.dat Object is locked skipped
C:\Documents and Settings\mfaini\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Altiris\Altiris Agent\Agents\InventoryRuleAgent\InventoryRuleCache.iad Object is locked skipped
C:\Program Files\Altiris\Altiris Agent\Software Delivery\pkgdlvlk.tmp Object is locked skipped
C:\Program Files\Altiris\Altiris Agent\Tasks\AeXTaskSchedulerLock\taskSchedulerLock.tmp Object is locked skipped
C:\Program Files\Cisco Systems\CEPS\CEPS.log Object is locked skipped
C:\Program Files\Cisco Systems\CEPS\CEPSWatchM.log Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\fcnqjmhh.dll.vir Infected: Trojan.Win32.Monder.wj skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\geBsRJDV.dll.vir Infected: Trojan.Win32.Monderc.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ljJAqnMf.dll.vir Infected: Trojan.Win32.Monderc.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\pmnoNecB.dll.vir Infected: Trojan.Win32.Monderc.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\qanfbwkb.dll.vir Infected: Trojan.Win32.Monder.wj skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\xxyyaBsP.dll.vir Infected: Trojan.Win32.Monderc.gen skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{145E4538-FF2C-4E77-A041-092D0EEC750F}\RP248\A0035168.dll Infected: Trojan.Win32.Monderc.gen skipped
C:\System Volume Information\_restore{145E4538-FF2C-4E77-A041-092D0EEC750F}\RP252\A0035399.dll Infected: Trojan.Win32.Monder.wj skipped
C:\System Volume Information\_restore{145E4538-FF2C-4E77-A041-092D0EEC750F}\RP252\A0035401.dll Infected: Trojan.Win32.Monderc.gen skipped
C:\System Volume Information\_restore{145E4538-FF2C-4E77-A041-092D0EEC750F}\RP252\A0035404.dll Infected: Trojan.Win32.Monderc.gen skipped
C:\System Volume Information\_restore{145E4538-FF2C-4E77-A041-092D0EEC750F}\RP252\A0035405.dll Infected: Trojan.Win32.Monderc.gen skipped
C:\System Volume Information\_restore{145E4538-FF2C-4E77-A041-092D0EEC750F}\RP252\A0035406.dll Infected: Trojan.Win32.Monder.wj skipped
C:\System Volume Information\_restore{145E4538-FF2C-4E77-A041-092D0EEC750F}\RP252\A0035410.dll Infected: Trojan.Win32.Monderc.gen skipped
C:\System Volume Information\_restore{145E4538-FF2C-4E77-A041-092D0EEC750F}\RP252\change.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\atchksrv.log Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_614.dat Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_6fc.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:13, on 2008-06-30
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Cisco Systems\CiscoTrustAgent\ctalogd.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Cisco Systems\CiscoTrustAgent\ctapsd.exe
C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
C:\Program Files\Cisco Systems\CiscoTrustAgent\CtaEoU.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\CiscoTrustAgent\ctatransapt.exe
C:\WINDOWS\system32\netdde.exe
C:\PROGRA~1\Altiris\ALTIRI~1\AeXNSAgent.exe
C:\Program Files\Connected\AgentSrv.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\AMT\atchksrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\ccsrvc.exe
C:\Program Files\Cisco Systems\CEPS\CEPSWatch.exe
C:\Program Files\Altiris\Carbon Copy\shellker.exe
C:\WINDOWS\system32\clipsrv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Credant\Gatekeeper\Gatekeeper.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\Altiris\CARBON~1\client.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Intel\AMT\UNS.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\taskswitch.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\WINDOWS\system32\TpShocks.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Credant\CMG Shield\CMGShieldUI.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Funk Software\Odyssey Client\OdTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Adobe Photoshop Lightroom\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Cisco Systems\CSAgent\bin\okclient.exe
C:\Program Files\Connected\CBSysTray.exe
C:\Program Files\Credant\Gatekeeper\GKProbe.exe
C:\Program Files\PIXELA\ImageMixer 3 SE\CameraMonitor.exe
C:\WINDOWS\System32\WScript.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Xobni\XobniService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Cisco Systems\CEPS\CEPSWatch.exe
C:\Documents and Settings\mfaini\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wwwin.cisco.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://wwwin.cisco.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [AeXAgentLogon] C:\PROGRA~1\Altiris\ALTIRI~1\AeXAgentActivate.exe /logon
O4 - HKLM\..\Run: [CMGShieldUI] C:\Program Files\Credant\CMG Shield\CMGShieldUI.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [OdTray.exe] "C:\Program Files\Funk Software\Odyssey Client\OdTray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom\apdproxy.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DiskCleanup] C:\WINDOWS\CISCO_IT\Scripts\DiskCleanup\DiskCleanup.vbs
O4 - Global Startup: Cisco Security Agent.lnk = C:\Program Files\Cisco Systems\CSAgent\bin\okclient.exe
O4 - Global Startup: Connected TaskBar Icon.LNK = C:\Program Files\Connected\CBSysTray.exe
O4 - Global Startup: GKProbe.lnk = C:\Program Files\Credant\Gatekeeper\GKProbe.exe
O4 - Global Startup: ImageMixer 3 SE Camera Monitor.lnk = ?
O4 - Global Startup: Manage Printers.lnk = C:\Program Files\Cisco Systems\CEPS\AddPrinter.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.nl/scanforvirus-en/kavwebscan_unicode.cab
O16 - DPF: {205E7068-6D03-4566-AD06-A146B592FBA5} (Loader Class v2) - http://qualitycenter.cisco.com/qcbin/Spider80.ocx
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0) - http://wwwin-hrdev.cisco.com:8027/OA_HTML/oaj2se.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{690A10D9-8DEA-4C11-B3F7-ADEBD766C0D8}: Domain = cisco.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cisco.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = cisco.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = cisco.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = cisco.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = cisco.com
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: AMINIT.dll csauser.dll
O20 - Winlogon Notify: CMGShieldNP - C:\Program Files\Credant\CMG Shield\CMGShieldNP.dll
O20 - Winlogon Notify: PAStates - C:\WINDOWS\SYSTEM32\PAStates.dll
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\PROGRA~1\Altiris\ALTIRI~1\AeXNSAgent.exe
O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\Connected\AgentSrv.EXE
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Intel(R) Active Management Technology System Status Service (atchksrv) - Intel Corporation - C:\Program Files\Intel\AMT\atchksrv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Altiris Carbon Copy (CarbonCopy32) - Altiris - C:\WINDOWS\system32\ccsrvc.exe
O23 - Service: Carbon Copy Scheduler (CarbonCopyScheduler) - Altiris - C:\WINDOWS\system32\schdsrvc.exe
O23 - Service: CEPS Watch - Cisco Systems - C:\Program Files\Cisco Systems\CEPS\CEPSWatch.exe
O23 - Service: Cisco Trust Agent EOU Daemon (CtaEoU) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\CiscoTrustAgent\CtaEoU.exe
O23 - Service: Cisco Trust Agent Logger Daemon (ctalogd) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\CiscoTrustAgent\ctalogd.exe
O23 - Service: Cisco Posture Server Daemon (ctapsd) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\CiscoTrustAgent\ctapsd.exe
O23 - Service: Cisco Systems, Inc. CTA Posture State Daemon (ctatransapt) - Unknown owner - C:\Program Files\Cisco Systems\CiscoTrustAgent\ctatransapt.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: CREDANT Mobile Guardian Gatekeeper (guardian) - CREDANT Technologies - C:\Program Files\Credant\Gatekeeper\Gatekeeper.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPassConnectEngine - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPassPeriodicUpdateApp - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
O23 - Service: iPassPeriodicUpdateService - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) Active Management Technology Local Management Service (LMS) - Intel Corporation - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Odyssey Client (odClientService) - Funk Software, Inc. - C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - C:\oracle\ora81\bin\ONRSD.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: Intel(R) Active Management Technology User Notification Service (UNS) - Intel Corporation - C:\Program Files\Intel\AMT\UNS.exe
O23 - Service: XobniService - Xobni Corporation - C:\Program Files\Xobni\XobniService.exe

--
End of file - 14161 bytes
 
Hi

Delete C:\Documents and Settings\mfaini\My Documents\Downloads\PINNACLE.STUDIO.12.ULTIMATE-NZ\STUDIO12 ULTIMATE.iso. Other bad items will be removed when system restore is resetted and ComboFix uninstalled. Instructions below.


Well congrats, it appears your system is all clean Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to do clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE,NOT on a regular basis




Now lets uninstall ComboFix:
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK



Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 6.
  • Scroll down to where it says
    The J2SE Runtime Environment (JRE) allows end-users to run Java applications.
  • Click the
    Download
    button to the right.
  • Select Windows on platform combobox and check the box that says:
    Accept License Agreement. Click continue.
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.


UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.


Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.



The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.

  • Download SpywareBlaster
    Spyware blaster is a program that stops known malicious activex controls from installing on your computer. It works by changing settings in your registry. It makes
    kill bits
    in the registry, so that certain activex controls can't install.
    If you don't know what activex controls are, see here
    You can download SpywareBlaster here here
    SpywareBlaster tutorial
  • hosts file:
    • Every version of windows has a hosts file as part of them.
    • In a very basic sense, they are used to locate webpages.
    • We can customize a hosts file so that it blocks certain webpages.
    • However, it can slow down certain computers.
    • This is why using a hosts file is optional!!
    Download it here. Make sure you read the instructions on how to install the hosts file. There is a good tutorial here
    If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
    1. [*]Click the start button (at the lower left hand corner of your screen) [*]Click run [*]In the dialog box, type services.msc [*]hit enter, then locate dns client [*]Highlight it, then double-click it. [*]On the dropdown box, change the setting from automatic to manual. [*]Click ok


Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Run the spybot and adaware regularly. (Once or twice a week minimum.)
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.



Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade :cool:
 
All is good now

Hello Blade81,

thank you very much for the great help. All seems to work as usual. Only problem I have, I cannot turn System Restore back on.

Message says system has problems restoring some devices. After trying few times with reboots, System Restore tab is no longer there.

Not sure what to make out of it.

Thank you.:bigthumb:
 
Hi

Try this to restore system restore tab:
Rightclick the C:\WINDOWS\inf\sr.inf file, "install" and skip all the files that you are promped. Then check if the tab is back.
 
System Restore

Hi,

thanks for the tip.
Unfortunately, I do not have the *\inf\* folder on my system :sad:

I was able to get the tab back by modifying the registry item "DisabledSR".

I will try to figure out why I cannot turn it back on, and let you know.

Question for you. Should I change all my passwords especially financially related ones?

I could not find any info on what Virtumonde does besides messing up the system.

Thanks

Marco
 
inf folder

Hi,
minor correction, I have the inf folder, it was just hidden.

Anyway, I do not want to bother you with this.

Can you please comment on my question around passwords? Virtumonde seems to be "just" adware program.

Thank you
 
You're welcome Marco :)

Vundo (aka Virtumonde) won't require password change.
 
One last question, I promise

Hi Toni, :)

I am glad I do not have to rush changing all my passwords.

My last question is: how do I go about doing all this by myself?

What are you using to analyze all these logs? I do not imagine you read each line by line, and determine what to do next. Or do you?

BTW congratulation on the MS MVP award - that is a big deal. :2thumb:


Thanks.
 
I do not imagine you read each line by line, and determine what to do next. Or do you?
Click to expand...
Hi

It actually goes like that - checking entries line by line :)

Thanks for the congratulations :)
 
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)

Note:If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.
 
You must log in or register to reply here.
Back
Top