Symptoms:
- Popups including winantiviruspro2006
- Spybot repeatedly detecting stuff such as:
Microsoft.WindowsSecurityCenter.AntiVirusDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0
Microsoft.WindowsSecurityCenter.FirewallDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify!=dword:0
- loss of internet access
- something repeatedly trying to access the internet
- HijackThis closing in error after running
- this one is weird - every time I tried to save my HijackThis logfile onto a jump drive it would come up corrupted on my other computer. I tried copying and pasting it into Word and Excel. No luck. Finally I just dumped my clipboard onto the jump drive and it worked.
- VundoFix found one problem and fixed it (see log below), but I am still infected. I have also run AVG anti virus, VirtumundoBeGone, ComboFix, Ad-Aware, Spybot and CWShredder.
______________________________________________________________________________
Logfile of HijackThis v1.99.1
Scan saved at 12:50:01 PM, on 10/2/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\runservice.exe
C:\WINNT\System32\QCONSVC.EXE
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\TpKmpSVC.exe
C:\WINNT\system\winlogon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\cidaemon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\tp4mon.exe
C:\WINNT\system32\ltmsg.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINNT\system32\RunDll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\NETGEAR\WG511v2\wlancfg5.exe
C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Documents and Settings\Administrator\Desktop\New Folder\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [QCTRAY] C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NETGEAR WG511v2 Wireless Assistant.lnk = C:\Program Files\NETGEAR\WG511v2\wlancfg5.exe
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINNT\runservice.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: QCONSVC - Lenovo - C:\WINNT\System32\QCONSVC.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINNT\system32\TpKmpSVC.exe
O23 - Service: Windows NT Logon Application (WINLOGON) - Unknown owner - C:\WINNT\system\winlogon.exe
___________________________________________________________________________
VundoFix V6.1.6
Checking Java version...
Java version is 1.5.0.5
Scan started at 10:52:00 AM 10/2/2006
Listing files found while scanning....
C:\WINNT\system32\ggfbgojf.dll
Beginning removal...
Attempting to delete C:\WINNT\system32\ggfbgojf.dll
C:\WINNT\system32\ggfbgojf.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
VundoFix V6.1.6
Checking Java version...
Java version is 1.5.0.5
Scan started at 11:03:57 AM 10/2/2006
Listing files found while scanning....
C:\WINNT\system32\ggfbgojf.dll
Beginning removal...
Attempting to delete C:\WINNT\system32\ggfbgojf.dll
C:\WINNT\system32\ggfbgojf.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.1.6
Checking Java version...
Java version is 1.5.0.5
Scan started at 11:13:23 AM 10/2/2006
Listing files found while scanning....
No infected files were found.
VundoFix V6.1.6
Checking Java version...
Java version is 1.5.0.5
Scan started at 11:20:47 AM 10/2/2006
Listing files found while scanning....
No infected files were found.
VundoFix V6.1.6
Checking Java version...
Java version is 1.5.0.5
Scan started at 11:57:07 AM 10/2/2006
Listing files found while scanning....
No infected files were found.
________________________________________________________
[10/02/2006, 14:35:10] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Administrator\Desktop\VirtumundoBeGone.exe" )
[10/02/2006, 14:35:17] - Detected System Information:
[10/02/2006, 14:35:17] - Windows Version: 5.0.2195, Service Pack 4
[10/02/2006, 14:35:17] - Current Username: Administrator (Admin)
[10/02/2006, 14:35:17] - Windows is in NORMAL mode.
[10/02/2006, 14:35:17] - Searching for Browser Helper Objects:
[10/02/2006, 14:35:17] - BHO 1: {53707962-6F74-2D53-2644-206D7942484F} ()
[10/02/2006, 14:35:17] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/02/2006, 14:35:17] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[10/02/2006, 14:35:17] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[10/02/2006, 14:35:17] - BHO 2: {68676EFE-9B30-4EBD-B842-7ED9B3460C53} ()
[10/02/2006, 14:35:17] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/02/2006, 14:35:17] - Checking for HKLM\...\Winlogon\Notify\rqrqpqp
[10/02/2006, 14:35:17] - Found: HKLM\...\Winlogon\Notify\rqrqpqp - This is probably Virtumundo.
[10/02/2006, 14:35:17] - Assigning {68676EFE-9B30-4EBD-B842-7ED9B3460C53} MSEvents Object
[10/02/2006, 14:35:17] - BHO list has been changed! Starting over...
[10/02/2006, 14:35:17] - BHO 1: {53707962-6F74-2D53-2644-206D7942484F} ()
[10/02/2006, 14:35:17] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/02/2006, 14:35:17] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[10/02/2006, 14:35:17] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[10/02/2006, 14:35:17] - BHO 2: {68676EFE-9B30-4EBD-B842-7ED9B3460C53} (MSEvents Object)
[10/02/2006, 14:35:17] - ALERT: Found MSEvents Object!
[10/02/2006, 14:35:18] - BHO 3: {9C5C49A1-CDFF-44C4-9778-406598686987} ()
[10/02/2006, 14:35:18] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/02/2006, 14:35:18] - Checking for HKLM\...\Winlogon\Notify\cbxxw
[10/02/2006, 14:35:18] - Found: HKLM\...\Winlogon\Notify\cbxxw - This is probably Virtumundo.
[10/02/2006, 14:35:18] - Assigning {9C5C49A1-CDFF-44C4-9778-406598686987} MSEvents Object
[10/02/2006, 14:35:18] - BHO list has been changed! Starting over...
[10/02/2006, 14:35:18] - BHO 1: {53707962-6F74-2D53-2644-206D7942484F} ()
[10/02/2006, 14:35:18] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/02/2006, 14:35:18] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[10/02/2006, 14:35:18] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[10/02/2006, 14:35:18] - BHO 2: {68676EFE-9B30-4EBD-B842-7ED9B3460C53} (MSEvents Object)
[10/02/2006, 14:35:18] - ALERT: Found MSEvents Object!
[10/02/2006, 14:35:18] - BHO 3: {9C5C49A1-CDFF-44C4-9778-406598686987} (MSEvents Object)
[10/02/2006, 14:35:18] - ALERT: Found MSEvents Object!
[10/02/2006, 14:35:18] - BHO 4: {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} ()
[10/02/2006, 14:35:18] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/02/2006, 14:35:18] - Checking for HKLM\...\Winlogon\Notify\ggfbgojf
[10/02/2006, 14:35:18] - Key not found: HKLM\...\Winlogon\Notify\ggfbgojf, continuing.
[10/02/2006, 14:35:18] - Finished Searching Browser Helper Objects
[10/02/2006, 14:35:18] - *** Detected MSEvents Object
[10/02/2006, 14:35:18] - Trying to remove MSEvents Object...
[10/02/2006, 14:35:19] - Terminating Process: IEXPLORE.EXE
[10/02/2006, 14:35:19] - Terminating Process: RUNDLL32.EXE
[10/02/2006, 14:35:19] - Disabling Automatic Shell Restart
[10/02/2006, 14:35:19] - Terminating Process: EXPLORER.EXE
[10/02/2006, 14:35:20] - Suspending the NT Session Manager System Service
[10/02/2006, 14:35:20] - Terminating Windows NT Logon/Logoff Manager
[10/02/2006, 14:35:20] - Re-enabling Automatic Shell Restart
[10/02/2006, 14:35:20] - File to disable: C:\WINNT\system32\rqrqpqp.dll
[10/02/2006, 14:35:20] - Renaming C:\WINNT\system32\rqrqpqp.dll -> C:\WINNT\system32\rqrqpqp.dll.vir
[10/02/2006, 14:35:20] - ! File rename was unsucessful.
[10/02/2006, 14:35:20] - Attempting to Deny Access to C:\WINNT\system32\rqrqpqp.dll
[10/02/2006, 14:35:20] - *** IMPORTANT: Delete/Rename/Move on reboot (like Killbox) MAY NOT work.
[10/02/2006, 14:35:20] - processed file: C:\WINNT\system32\rqrqpqp.dll
[10/02/2006, 14:35:20] - *** IMPORTANT: The file is disabled and will need to be deleted by the user.
[10/02/2006, 14:35:21] - Removing HKLM\...\Browser Helper Objects\{68676EFE-9B30-4EBD-B842-7ED9B3460C53}
[10/02/2006, 14:35:21] - Removing HKCR\CLSID\{68676EFE-9B30-4EBD-B842-7ED9B3460C53}
[10/02/2006, 14:35:21] - Adding Kill Bit for ActiveX for GUID: {68676EFE-9B30-4EBD-B842-7ED9B3460C53}
[10/02/2006, 14:35:21] - Deleting ATLEvents/MSEvents Registry entries
[10/02/2006, 14:35:21] - Removing HKLM\...\Winlogon\Notify\rqrqpqp
[10/02/2006, 14:35:21] - Searching for Browser Helper Objects:
[10/02/2006, 14:35:21] - BHO 1: {53707962-6F74-2D53-2644-206D7942484F} ()
[10/02/2006, 14:35:21] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/02/2006, 14:35:21] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[10/02/2006, 14:35:21] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[10/02/2006, 14:35:21] - BHO 2: {9C5C49A1-CDFF-44C4-9778-406598686987} (MSEvents Object)
[10/02/2006, 14:35:21] - ALERT: Found MSEvents Object!
[10/02/2006, 14:35:21] - BHO 3: {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} ()
[10/02/2006, 14:35:21] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/02/2006, 14:35:21] - Checking for HKLM\...\Winlogon\Notify\ggfbgojf
[10/02/2006, 14:35:21] - Key not found: HKLM\...\Winlogon\Notify\ggfbgojf, continuing.
[10/02/2006, 14:35:21] - Finished Searching Browser Helper Objects
[10/02/2006, 14:35:21] - *** Detected MSEvents Object
[10/02/2006, 14:35:21] - Trying to remove MSEvents Object...
[10/02/2006, 14:35:22] - Terminating Process: IEXPLORE.EXE
[10/02/2006, 14:35:22] - Terminating Process: RUNDLL32.EXE
[10/02/2006, 14:35:22] - Disabling Automatic Shell Restart
[10/02/2006, 14:35:22] - Terminating Process: EXPLORER.EXE
[10/02/2006, 14:35:22] - Suspending the NT Session Manager System Service
[10/02/2006, 14:35:22] - Terminating Windows NT Logon/Logoff Manager
[10/02/2006, 14:35:22] - Re-enabling Automatic Shell Restart
[10/02/2006, 14:35:22] - File to disable: C:\WINNT\system32\cbxxw.dll
[10/02/2006, 14:35:22] - Renaming C:\WINNT\system32\cbxxw.dll -> C:\WINNT\system32\cbxxw.dll.vir
[10/02/2006, 14:35:22] - ! File rename was unsucessful.
[10/02/2006, 14:35:22] - Attempting to Deny Access to C:\WINNT\system32\cbxxw.dll
[10/02/2006, 14:35:22] - *** IMPORTANT: Delete/Rename/Move on reboot (like Killbox) MAY NOT work.
[10/02/2006, 14:35:22] - ERROR: The system cannot find the file specified.
[10/02/2006, 14:35:22] - *** IMPORTANT: The file is disabled and will need to be deleted by the user.
[10/02/2006, 14:35:22] - Removing HKLM\...\Browser Helper Objects\{9C5C49A1-CDFF-44C4-9778-406598686987}
[10/02/2006, 14:35:22] - Removing HKCR\CLSID\{9C5C49A1-CDFF-44C4-9778-406598686987}
[10/02/2006, 14:35:23] - Adding Kill Bit for ActiveX for GUID: {9C5C49A1-CDFF-44C4-9778-406598686987}
[10/02/2006, 14:35:23] - Deleting ATLEvents/MSEvents Registry entries
[10/02/2006, 14:35:23] - Removing HKLM\...\Winlogon\Notify\cbxxw
[10/02/2006, 14:35:23] - Searching for Browser Helper Objects:
[10/02/2006, 14:35:23] - BHO 1: {53707962-6F74-2D53-2644-206D7942484F} ()
[10/02/2006, 14:35:23] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/02/2006, 14:35:23] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[10/02/2006, 14:35:23] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[10/02/2006, 14:35:23] - BHO 2: {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} ()
[10/02/2006, 14:35:23] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/02/2006, 14:35:23] - Checking for HKLM\...\Winlogon\Notify\ggfbgojf
[10/02/2006, 14:35:23] - Key not found: HKLM\...\Winlogon\Notify\ggfbgojf, continuing.
[10/02/2006, 14:35:23] - Finished Searching Browser Helper Objects
[10/02/2006, 14:35:23] - Finishing up...
[10/02/2006, 14:35:23] - A restart is needed.
[10/02/2006, 14:35:32] - Attempting to Restart via STOP error (Blue Screen!)
[10/02/2006, 14:40:19] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Administrator\Desktop\VirtumundoBeGone.exe" )
[10/02/2006, 14:40:24] - Detected System Information:
[10/02/2006, 14:40:24] - Windows Version: 5.0.2195, Service Pack 4
[10/02/2006, 14:40:24] - Current Username: Administrator (Admin)
[10/02/2006, 14:40:24] - Windows is in NORMAL mode.
[10/02/2006, 14:40:24] - Searching for Browser Helper Objects:
[10/02/2006, 14:40:24] - BHO 1: {53707962-6F74-2D53-2644-206D7942484F} ()
[10/02/2006, 14:40:24] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/02/2006, 14:40:24] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[10/02/2006, 14:40:24] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[10/02/2006, 14:40:24] - BHO 2: {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} ()
[10/02/2006, 14:40:24] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/02/2006, 14:40:24] - Checking for HKLM\...\Winlogon\Notify\ggfbgojf
[10/02/2006, 14:40:24] - Key not found: HKLM\...\Winlogon\Notify\ggfbgojf, continuing.
[10/02/2006, 14:40:24] - Finished Searching Browser Helper Objects
[10/02/2006, 14:40:24] - Finishing up...
[10/02/2006, 14:40:24] - Nothing found! Exiting...
______________________________________________________________________________
Administrator - Mon 10/02/2006 16:56:45.33 Service Pack 4
ComboFix 06.09.28 - Running from: "C:\Documents and Settings\Administrator\Desktop"
((((((((((((((((((((((((((((((( Files Created from 2006-09-02 to 2006-10-02 ))))))))))))))))))))))))))))))))))
2006-10-02 12:55 778,656 --a------ C:\WINNT\system32\drivers\avg7core.sys
2006-10-02 12:55 4,288 --a------ C:\WINNT\system32\drivers\avg7rsw.sys
2006-10-02 12:55 27,904 --a------ C:\WINNT\system32\drivers\avg7rsxp.sys
2006-10-02 12:55 26,912 --a------ C:\WINNT\system32\drivers\avg7rsnt.sys
2006-10-02 12:55 23,104 --a------ C:\WINNT\system32\drivers\avgmfrs.sys
2006-10-02 11:09 9,216 --a------ C:\WINNT\system32\VundoFixSVC.exe
2006-10-01 12:53 929,792 --a------ C:\WINNT\system32\AegisE5.dll
2006-10-01 12:53 651,264 --a------ C:\WINNT\system32\libeay32.dll
2006-10-01 12:53 61,440 --a------ C:\WINNT\system32\W32N50.dll
2006-10-01 12:53 379,488 --a------ C:\WINNT\system32\drivers\wg111nd5.sys
2006-10-01 12:53 16,292 --a------ C:\WINNT\system32\PCANDIS5.SYS
2006-10-01 12:53 15,781 --a------ C:\WINNT\system32\drivers\mdc8021x.sys
2006-10-01 12:53 147,456 --a------ C:\WINNT\system32\ssleay32.dll
2006-09-30 07:48 850,379 ---hs---- C:\WINNT\system32\wxxbc.bak2
2006-09-29 22:01 40,973 ---hs---- C:\WINNT\system32\awtsrqn.dll
2006-09-29 21:39 40,973 ---hs---- C:\WINNT\system32\xxyxyvw.dll
2006-09-29 21:20 40,973 ---hs---- C:\WINNT\system32\byxxywt.dll
2006-09-29 21:19 40,973 ---hs---- C:\WINNT\system32\vturrom.dll
2006-09-29 20:57 40,973 ---hs---- C:\WINNT\system32\awtuvvt.dll
2006-09-29 10:51 40,973 ---hs---- C:\WINNT\system32\urqqnon.dll
2006-09-29 09:58 40,973 ---hs---- C:\WINNT\system32\fccbbyy.dll
2006-09-29 08:31 40,973 ---hs---- C:\WINNT\system32\xxyxxxw.dll
2006-09-29 08:25 40,973 ---hs---- C:\WINNT\system32\byxxvsq.dll
2006-09-29 08:22 40,973 ---hs---- C:\WINNT\system32\nnnnono.dll
2006-09-29 08:20 40,973 ---hs---- C:\WINNT\system32\vtutsqr.dll
2006-09-29 08:17 40,973 ---hs---- C:\WINNT\system32\mljigeb.dll
2006-09-29 08:01 40,973 ---hs---- C:\WINNT\system32\jkklkji.dll
2006-09-29 07:58 40,973 ---hs---- C:\WINNT\system32\tuvvwxu.dll
2006-09-29 07:51 40,973 --ahs---- C:\WINNT\system32\rqrqpqp.dll
2006-09-28 23:52 839,801 ---hs---- C:\WINNT\system32\wxxbc.bak1
2006-09-28 23:52 45,525 --a------ C:\WINNT\system32\ecyttwsc.dll
2006-09-28 23:52 143,380 --a------ C:\WINNT\system32\nlsnqxhw.exe
2006-09-28 23:51 577,588 --ahs---- C:\WINNT\system32\cbxxw.dll.vir
2006-09-28 23:45 40,973 ---hs---- C:\WINNT\system32\yayayab.dll
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-10-02 16:30 -------- d-------- C:\Program Files\Mozilla Firefox
2006-10-02 16:21 1225 --ahs---- C:\WINNT\system32\mmf.sys
2006-10-02 12:55 -------- d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2006-10-01 12:53 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-01 12:53 -------- d-------- C:\Program Files\NETGEAR
2006-09-29 21:54 -------- d-------- C:\Program Files\ProjectionsDominator
2006-09-29 21:53 -------- d-------- C:\Program Files\DraftDominator
2006-09-29 21:50 -------- d-------- C:\Program Files\pcDrafter
2006-09-29 10:53 -------- d-------- C:\Program Files\Grisoft
2006-09-29 10:43 44288 --a------ C:\WINNT\system32\drivers\cdr4_2K.sys
2006-09-29 10:11 -------- d-------- C:\Program Files\SpywareBlaster
2006-09-18 20:41 -------- d-------- C:\Program Files\Sling Media
2006-08-22 14:10 -------- d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2006-08-21 19:08 796672 --a------ C:\WINNT\GPInstall.exe
2006-08-07 21:21 -------- d-------- C:\Program Files\Windows Media Player
2006-08-07 21:20 -------- d-------- C:\Program Files\Last.fm
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrackPointSrv"="tp4mon.exe"
"Synchronization Manager"="mobsync.exe /logon"
"ATIModeChange"="Ati2mdxx.exe"
"LTWinModem1"="ltmsg.exe 9"
"PRONoMgr.exe"="C:\\Program Files\\Intel\\NCS\\PROSet\\PRONoMgr.exe"
"TPHOTKEY"="C:\\PROGRA~1\\Lenovo\\PkgMgr\\HOTKEY\\TPHKMGR.exe"
"TP4EX"="tp4ex.exe"
"EZEJMNAP"="C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\EzEjMnAp.Exe"
"TPKMAPHELPER"="C:\\Program Files\\ThinkPad\\Utilities\\TpKmapAp.exe -helper"
"QCTRAY"="C:\\Program Files\\ThinkPad\\ConnectUtilities\\QCTRAY.EXE"
"QCWLICON"="C:\\Program Files\\ThinkPad\\ConnectUtilities\\QCWLICON.EXE"
"BMMGAG"="RunDll32 C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\pwrmonit.dll,StartPwrMonitor"
"BMMLREF"="C:\\Program Files\\ThinkPad\\Utilities\\BMMLREF.EXE"
"BMMMONWND"="rundll32.exe C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\BatInfEx.dll,BMMAutonomicMonitor"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000003
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00002002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e4,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,c0
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f0,01,00,00,1f,00,00,00,80,00,00,00,76,00,\
00,00,01,00,00,00
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{68676EFE-9B30-4EBD-B842-7ED9B3460C53}"=""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095
"CDRAutoRun"=dword:00000000
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Network.ConnectionTray"="{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\CLSID
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\CLSID\{68676EFE-9B30-4EBD-B842-7ED9B3460C53}
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\CLSID\{68676EFE-9B30-4EBD-B842-7ED9B3460C53}\InprocServer32
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll
Contents of the 'Scheduled Tasks' folder
C:\WINNT\tasks\BMMTask.job
Completion time: Mon 2006-10-02 16:59:22.88
ComboFix.txt
Edited by snatex, 02 October 2006 - 03:59 PM.