Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

OUTERINFO Spyware Infected System [RESOLVED]

Started by rpv_rpv , Aug 27 2007 11:06 AM

This topic is locked

#1
rpv_rpv

Posted 27 August 2007 - 11:06 AM

Member

Member
20 posts

My System is Infected with OIN spyware. I ran the Adaware SE Edition but suspect that it couldnt take the viruses completely out of the system.

Pl help me in removing this,

Thanks a bunch
RPV

#2
rpv_rpv

Posted 27 August 2007 - 11:08 AM

Member

Topic Starter
Member
20 posts

This is my HijackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:07:20 PM, on 8/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\PROGRA~1\CYBERG~1\cgasvc.exe
C:\PROGRA~1\CYBERG~1\cgagent.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
c:\windows\system32\DWRCS.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\Antivirus\InoculateIT\InoRpc.exe
c:\Antivirus\InoculateIT\InoRT.exe
c:\Antivirus\InoculateIT\InoTask.exe
C:\WINDOWS\LogWatNT.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\CyberArmor\casvc.exe
C:\PROGRA~1\CYBERA~1\pcs.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\Ati2evxx.exe
c:\windows\system32\DWRCST.exe
C:\WINDOWS\system32\TpShocks.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\windows\system32\osdsrego.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\kwintpdt.exe
C:\Program Files\eFax Messenger 4.2\J2GTray.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\PKWARE\PKZIPM\8.00.0038\PKTray.exe
C:\Program Files\PrintKey2000\Printkey2000.exe
C:\PROGRA~1\MICROS~3\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\isqlw.exe
C:\WINDOWS\system32\mdm.exe
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Files From Old CPQ Laptop\Program Files\Microsoft Visual Studio\Common\VSS\win32\SSEXP.EXE
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
c:\Program Files\Tally Systems Corp\TSCensus\bin\TSUsage32.exe
C:\WINDOWS\system32\nmdcfm32.exe
C:\WINDOWS\system32\mmc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\mstsc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
c:\Program Files\Tally Systems Corp\TSCensus\bin\cclientsvc.exe
c:\Program Files\Tally Systems Corp\TSCensus\bin\CClient.exe
C:\program files\marimba\tuner\Tuner.exe
C:\program files\marimba\tuner\lib\jre\bin\java.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Junk\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://epinside/inside
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://epinside/inside
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://itweb/polproc/newsletter.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by El Paso Corporation
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://itweb/ins/ie6script.ins
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4D91-8333-CF10577473F7} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ViewerHelper Class - {78104A01-8E71-4F30-9A36-3793799615B4} - c:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: (no name) - {C0A11650-2175-4F93-AF91-E34BE7F97478} - \
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [EPDeskAdmin] C:\WINDOWS\kix32.exe C:\WINDOWS\EPDesk.KIX
O4 - HKLM\..\Run: [CgaViewer] C:\PROGRA~1\CYBERG~1\cgav.exe -check
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl05c\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [{1D-DD-D2-20-ZN}] C:\windows\system32\osdsrego.exe SKY009
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\kwintpdt.exe SKY009
O4 - HKLM\..\Run: [SetDefPrt2] C:\Program Files\Brother\Brmfl05b\BrStDvPt.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [kouf] C:\Program Files\Common Files\kouf\koufm.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\kwintpdt.exe
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: eFax 4.2.lnk = C:\Program Files\eFax Messenger 4.2\J2GTray.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: PKZIP Attachments Status.lnk = C:\Program Files\PKWARE\PKZIPM\8.00.0038\PKTray.exe
O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {685ec120-f786-4498-a8f0-794d47916161} - c:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra 'Tools' menuitem: @c:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40971 - {685ec120-f786-4498-a8f0-794d47916161} - c:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @c:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-205 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - c:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra 'Tools' menuitem: @c:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40970 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - c:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: (no name) - {685ec120-f786-4498-a8f0-794d47916161} - c:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O9 - Extra 'Tools' menuitem: @c:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40971 - {685ec120-f786-4498-a8f0-794d47916161} - c:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O9 - Extra button: @c:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-205 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - c:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O9 - Extra 'Tools' menuitem: @c:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40970 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - c:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://epinside/inside
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://corhouiis01b/...yer/awswaxf.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://epinside/insi...trix/wficat.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {40F8967E-34A6-474A-837A-CEC1E7DAC54C} - https://accounting.q....585/qboax9.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1128107943075
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1128107935670
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.c...rt/IbmEgath.cab
O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} (QuickBooks Online Edition Utilities Class v10) - https://accounting.q...607/qboax10.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nu.../FIX/WinATS.cab
O16 - DPF: {8CE3BAE6-AB66-40B6-9019-41E5282FF1E2} - https://accounting.q....565/qboax8.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://elpaso.webex...bex/ieatgpc.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://epconnect.el...perSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.epec.com
O17 - HKLM\Software\..\Telephony: DomainName = corp.epec.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.epec.com
O20 - AppInit_DLLs:
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: CyberGatekeeper Agent (CGAgent) - InfoExpress - C:\PROGRA~1\CYBERG~1\cgasvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: CyberArmor Run Service (CyberArmorRunService) - InfoExpress - C:\Program Files\CyberArmor\casvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - c:\windows\system32\DWRCS.EXE
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - c:\Antivirus\InoculateIT\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - c:\Antivirus\InoculateIT\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - c:\Antivirus\InoculateIT\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: Marimba - Marimba, Inc. - C:\program files\marimba\tuner\Tuner.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: ZENworks Asset Management - Collection Client (TSCensus Collection Client) - Novell, Inc. - c:\Program Files\Tally Systems Corp\TSCensus\bin\cclientsvc.exe

--
End of file - 14856 bytes

#3
Rorschach112

Posted 01 September 2007 - 11:51 AM

Ralphie

Retired Staff
47,710 posts

Hello rpv_rpv, sorry for the delay. My name is Rorschach and I'll be helping you with your problems.

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

So in your next reply please post the following : the ComboFix log, a new HijackThis log, and tell me how your PC is running now and if you had any problems.

#4
rpv_rpv

Posted 01 September 2007 - 02:43 PM

Member

Topic Starter
Member
20 posts

Hi Rorschach , Thanks for your Reply. I have run the Comobofix.exe and then after rebooting the system I have run the Hijackthis Log. Pl find them below. Also, After the reboot, I tried browsing a couple of sites and so far I havent seen any ads except for 1. So its defintelya positive news.

Pl review the logs and advice me on what needs to be done further.

===============================HIJACK THIS LOG===============================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:34, on 2007-09-01
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\PROGRA~1\CYBERG~1\cgasvc.exe
C:\PROGRA~1\CYBERG~1\cgagent.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
c:\windows\system32\DWRCS.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\Antivirus\InoculateIT\InoRpc.exe
c:\Antivirus\InoculateIT\InoRT.exe
c:\Antivirus\InoculateIT\InoTask.exe
C:\WINDOWS\LogWatNT.exe
C:\program files\marimba\tuner\Tuner.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\program files\marimba\tuner\lib\jre\bin\java.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
c:\Program Files\Tally Systems Corp\TSCensus\bin\cclientsvc.exe
c:\Program Files\Tally Systems Corp\TSCensus\bin\CClient.exe
C:\Program Files\CyberArmor\casvc.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\PROGRA~1\CYBERA~1\pcs.exe
c:\Program Files\Tally Systems Corp\TSCensus\bin\TSUsage32.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
c:\windows\system32\DWRCST.exe
C:\WINDOWS\system32\TpShocks.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\eFax Messenger 4.2\J2GTray.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\PKWARE\PKZIPM\8.00.0038\PKTray.exe
C:\Program Files\PrintKey2000\Printkey2000.exe
C:\WINDOWS\system32\notepad.exe
c:\ANTIVI~1\ScanEng\InoDist.exe
C:\Junk\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://epinside/inside
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://epinside/inside
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://itweb/polproc/newsletter.asp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://itweb/ins/ie6script.ins
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4D91-8333-CF10577473F7} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ViewerHelper Class - {78104A01-8E71-4F30-9A36-3793799615B4} - c:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: (no name) - {C0A11650-2175-4F93-AF91-E34BE7F97478} - \
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [EPDeskAdmin] C:\WINDOWS\kix32.exe C:\WINDOWS\EPDesk.KIX
O4 - HKLM\..\Run: [CgaViewer] C:\PROGRA~1\CYBERG~1\cgav.exe -check
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl05c\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [SetDefPrt2] C:\Program Files\Brother\Brmfl05b\BrStDvPt.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [kouf] C:\Program Files\Common Files\kouf\koufm.exe
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: eFax 4.2.lnk = C:\Program Files\eFax Messenger 4.2\J2GTray.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: PKZIP Attachments Status.lnk = C:\Program Files\PKWARE\PKZIPM\8.00.0038\PKTray.exe
O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {685ec120-f786-4498-a8f0-794d47916161} - c:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra 'Tools' menuitem: @c:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40971 - {685ec120-f786-4498-a8f0-794d47916161} - c:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @c:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-205 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - c:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra 'Tools' menuitem: @c:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40970 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - c:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: (no name) - {685ec120-f786-4498-a8f0-794d47916161} - c:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O9 - Extra 'Tools' menuitem: @c:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40971 - {685ec120-f786-4498-a8f0-794d47916161} - c:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O9 - Extra button: @c:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-205 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - c:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O9 - Extra 'Tools' menuitem: @c:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40970 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - c:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://epinside/inside
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://corhouiis01b/...yer/awswaxf.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://epinside/insi...trix/wficat.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {40F8967E-34A6-474A-837A-CEC1E7DAC54C} - https://accounting.q....585/qboax9.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1128107943075
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1128107935670
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.c...rt/IbmEgath.cab
O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} (QuickBooks Online Edition Utilities Class v10) - https://accounting.q...607/qboax10.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nu.../FIX/WinATS.cab
O16 - DPF: {8CE3BAE6-AB66-40B6-9019-41E5282FF1E2} - https://accounting.q....565/qboax8.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://elpaso.webex...bex/ieatgpc.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://epconnect.el...perSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.epec.com
O17 - HKLM\Software\..\Telephony: DomainName = corp.epec.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.epec.com
O20 - AppInit_DLLs:
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: CyberGatekeeper Agent (CGAgent) - InfoExpress - C:\PROGRA~1\CYBERG~1\cgasvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: CyberArmor Run Service (CyberArmorRunService) - InfoExpress - C:\Program Files\CyberArmor\casvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - c:\windows\system32\DWRCS.EXE
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - c:\Antivirus\InoculateIT\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - c:\Antivirus\InoculateIT\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - c:\Antivirus\InoculateIT\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: Marimba - Marimba, Inc. - C:\program files\marimba\tuner\Tuner.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: ZENworks Asset Management - Collection Client (TSCensus Collection Client) - Novell, Inc. - c:\Program Files\Tally Systems Corp\TSCensus\bin\cclientsvc.exe

--
End of file - 13630 bytes

===================================COMBO FIX.EXE Report=====================
ComboFix 07-08-30.3 - "RXV2839" 2007-09-01 15:21:09.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.330 [GMT -5:00]
* Created a new restore point

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\ProductCode
C:\DOCUME~1\ALLUSE~1\APPLIC~1\winantispyware 2007
C:\DOCUME~1\rxv2839\err.log
C:\DOCUME~1\rxv2839\STARTM~1\Programs\Startup.\TA_Start.lnk
C:\DOCUME~1\rxv2839\STARTM~1\Programs\Startup\ta_start.lnk
C:\DOCUME~1\rxv2839\STARTM~1\Programs\Startup\think-adz.lnk
C:\Program Files\Common Files\WinAntiSpyware 2007
C:\Program Files\Common Files\winantispyware 2007\err.log
C:\Program Files\inetget2
C:\Program Files\inetget2\popinstall.exe
C:\tempc2
C:\tempc2\tmpFF.log
C:\temp\brr
C:\temp\brr\tmpZTF.log
C:\temp\tn3
C:\WINDOWS\b103.exe
C:\WINDOWS\b104.exe
C:\WINDOWS\b122.exe
C:\WINDOWS\DOWNLO~1\USDR6_0001_D08M0404NetInstaller.exe
C:\WINDOWS\system32\b02FdUe
C:\WINDOWS\system32\driver
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\drivers\fopn.sys
C:\WINDOWS\system32\dwdsregt.exe
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\osdsrego.exe
C:\WINDOWS\system32\win
C:\WINDOWS\system32\winnb58.dll
C:\WINDOWS\system32\winpfz32.sys
C:\WINDOWS\system32\Z1
C:\WINDOWS\system32\Z11
C:\WINDOWS\system32\Z3
C:\WINDOWS\system32\Z5
C:\WINDOWS\system32\Z7
C:\WINDOWS\system32\zxdnt3d.cfg
C:\WINDOWS\TISKY009.exe

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_CORE
-------\LEGACY_FOPN
-------\core

((((((((((((((((((((((((( Files Created from 2007-08-01 to 2007-09-01 )))))))))))))))))))))))))))))))

2007-09-01 15:27 <DIR> d-------- C:\WINDOWS\TEM
2007-09-01 15:19 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-30 15:16 <DIR> d-------- C:\WINDOWS\system32\config\SYSTEM~1\APPLIC~1\Juniper Networks
2007-08-30 15:16 <DIR> d-------- C:\Program Files\Juniper Networks
2007-08-17 17:21 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2007-08-17 17:21 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2007-08-17 17:21 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2007-08-17 17:21 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-08-09 15:39 57,344 --a------ C:\WINDOWS\system32\BRSVC01A.EXE
2007-08-09 15:39 45,056 --a------ C:\WINDOWS\system32\BRSS01A.EXE
2007-08-09 15:39 38,912 --a------ C:\WINDOWS\system32\BrUSi05b.dll
2007-08-09 15:39 135,168 --a------ C:\WINDOWS\system32\BRSCH05A.EXE
2007-08-09 15:39 131,072 --a------ C:\WINDOWS\system32\BRSCH05A.DLL
2007-08-09 15:39 100 --a------ C:\WINDOWS\system32\bd9420cn.dat
2007-08-09 15:39 1,149,952 --a------ C:\WINDOWS\system32\BrWia05b.dll

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-09-01 15:27 --------- d-------- C:\Program Files\CyberArmor
2007-09-01 10:32 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google Updater
2007-08-30 15:16 --------- d-------- C:\DOCUME~1\rxv2839\APPLIC~1\Juniper Networks
2007-08-28 15:57 25148 --a------ C:\WINDOWS\eptoday.vbs
2007-08-09 15:38 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-09 15:38 --------- d-------- C:\Program Files\Brother
2007-07-27 22:11 --------- d-------- C:\Program Files\MSECache
2007-07-21 05:28 192637 --a------ C:\WINDOWS\system32\kwintpdt.exe
2007-07-01 19:23 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Juniper Networks
2006-02-28 16:02 250 --a------ C:\Program Files\INSTALL.LOG

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C0A11650-2175-4F93-AF91-E34BE7F97478}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TP4EX"="tp4ex.exe" [2005-08-24 01:10 C:\WINDOWS\system32\TP4EX.exe]
"TpShocks"="TpShocks.exe" [2005-08-22 19:29 C:\WINDOWS\system32\TpShocks.exe]
"PWRMGRTR"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2005-04-14 01:01]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-04-14 01:01]
"EPDeskAdmin"="C:\WINDOWS\kix32.exe" [2002-02-22 13:16]
"CgaViewer"="C:\PROGRA~1\CYBERG~1\cgav.exe" []
"ACTray"="C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe" [2006-08-26 00:22]
"ACWLIcon"="C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2006-08-26 00:17]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 10:22]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 14:25]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 14:45]
"SetDefPrt"="C:\Program Files\Brother\Brmfl05c\BrStDvPt.exe" [2005-01-26 18:02]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2005-11-11 18:30]
"SetDefPrt2"="C:\Program Files\Brother\Brmfl05b\BrStDvPt.exe" [2005-01-26 18:02]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-03-30 16:28]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" []
"kouf"="C:\Program Files\Common Files\kouf\koufm.exe" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MemCheckBoxInRunDlg"=1 (0x1)
"NoAutoUpdate"=0 (0x0)
"ForceStartMenuLogOff"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
notifyf2.dll 2005-07-05 23:45 28672 C:\WINDOWS\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
tphklock.dll 2005-06-16 22:23 24576 C:\WINDOWS\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli ACGina

R0 Shockprf;Shockprf;C:\WINDOWS\system32\drivers\Shockprf.sys
R0 TPDiskPM;TPDiskPM;C:\WINDOWS\system32\drivers\TPDiskPM.sys
R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS
R1 IBMTPCHK;IBMTPCHK;\??\C:\WINDOWS\system32\Drivers\IBMBLDID.sys
R1 ShockMgr;ShockMgr;C:\WINDOWS\system32\drivers\ShockMgr.sys
R1 TPPWRIF;TPPWRIF;C:\WINDOWS\system32\drivers\Tppwrif.sys
R2 CGAgent;CyberGatekeeper Agent;C:\PROGRA~1\CYBERG~1\cgasvc.exe
R2 CVPND;Cisco Systems, Inc. VPN Service;"C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe"
R2 CVPNDRVA;Cisco Systems IPsec Driver;\??\C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
R2 CyberArmorRunService;CyberArmor Run Service;C:\Program Files\CyberArmor\casvc.exe
R2 LogWatch;Event Log Watch;C:\WINDOWS\LogWatNT.exe
R2 Marimba;Marimba;C:\program files\marimba\tuner\Tuner.exe
R2 TSCensus Collection Client;ZENworks Asset Management - Collection Client;"c:\Program Files\Tally Systems Corp\TSCensus\bin\cclientsvc.exe"
R2 Viexca2k;CyberArmor Registry Driver;C:\WINDOWS\system32\drivers\viexca2k.sys
R2 Viexpf2k;CyberArmor W2KDriver;C:\WINDOWS\system32\drivers\viexpf2k.sys
R2 windrvNT;windrvNT;\??\C:\WINDOWS\system32\windrvNT.sys
R2 WNTHW;WNTHW;\??\C:\WINDOWS\system32\DRIVERS\WNTHW.SYS
R3 DNE;Deterministic Network Enhancer Miniport;C:\WINDOWS\system32\DRIVERS\dne2000.sys
R3 dsNcAdpt;Juniper Network Connect Adapter;C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys
R3 TPInput;TPInput;C:\WINDOWS\system32\DRIVERS\TPInput.sys
R3 TPM11;NSC Integrated Trusted Platform Module 1.1;C:\WINDOWS\system32\DRIVERS\nsctpm11.sys
S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys
S3 BrSerIf;Brother MFC Serial Port Interface WDM Driver;C:\WINDOWS\system32\Drivers\BrSerIf.sys
S3 BrUsbSer;Brother MFC USB Serial WDM Driver;C:\WINDOWS\system32\Drivers\BrUsbSer.sys
S3 CVirtA;Cisco Systems VPN Adapter;C:\WINDOWS\system32\DRIVERS\CVirtA.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{223d76c1-3102-11da-8abc-806d6172696f}]
AutoRun\command- D:\Programs\nu2menu\nu2menu.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8f908159-91bb-11da-99ee-806d6172696f}]
AutoRun\command- D:\Programs\nu2menu\nu2menu.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b936da03-39a0-11da-bce6-806d6172696f}]
AutoRun\command- D:\Programs\nu2menu\nu2menu.exe

Contents of the 'Scheduled Tasks' folder
2007-08-22 07:04:01 C:\WINDOWS\Tasks\MP Scheduled Scan.job - C:\Program Files\Windows Defender\MpCmdRun.exe
2007-08-28 00:16:48 C:\WINDOWS\Tasks\PMTask.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-01 15:28:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

disk error: C:\WINDOWS\

please note that you need administrator rights to perform deep scan
**************************************************************************

Completion time: 2007-09-01 15:31:45 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-01 15:31

--- E O F ---
==============================================================

Thanks a bunch
rpv_rpv

#5
Rorschach112

Posted 02 September 2007 - 07:26 AM

Ralphie

Retired Staff
47,710 posts

Hello rpv_rpv

CLICK THIS TO LINK TO BE SURE YOU CAN VIEW HIDDEN FILES

Please go here:
The Spy Killer Forum

Click on "New Topic"
Put your name, e-mail address, and this as the title: "C:\Program Files\Common Files\kouf\koufm.exe"
Put a link to this topic in the description box.
Then next to the file box, at the bottom, click the browse button, then navigate to this file:
- C:\Program Files\Common Files\kouf\koufm.exe
Click Open.
Click Post.

Thank you!

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4D91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {C0A11650-2175-4F93-AF91-E34BE7F97478} - \
O4 - HKCU\..\Run: [kouf] C:\Program Files\Common Files\kouf\koufm.exe
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nu.../FIX/WinATS.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)

2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

Open notepad (Start > Run and type notepad > click Ok) and copy/paste the text in the quote box below into it:

File::
C:\WINDOWS\system32\kwintpdt.exe

Folder::
C:\Program Files\Common Files\kouf

Save this as CFScript

Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

Run ComboFix again and post the resultant log file.

So in your next reply I need to see the following : a new HijackThis log, the ComboFix log, and tell me how your PC is running now and if you had any problems.

Edited by Rorschach112, 02 September 2007 - 07:27 AM.

#6
rpv_rpv

Posted 03 September 2007 - 10:36 AM

Member

Topic Starter
Member
20 posts

Hi Rorschach112, I was not able to find the koufm.exe in the following location.. C:\Program Files\Common Files\kouf\koufm.exePl advice..

In the mean time I will try doing the 2nd part of the script..

Hello rpv_rpv

CLICK THIS TO LINK TO BE SURE YOU CAN VIEW HIDDEN FILES

Please go here:
The Spy Killer Forum
Click on "New Topic"
Put your name, e-mail address, and this as the title: "C:\Program Files\Common Files\kouf\koufm.exe"
Put a link to this topic in the description box.
Then next to the file box, at the bottom, click the browse button, then navigate to this file:

C:\Program Files\Common Files\kouf\koufm.exe

Click Open.
Click Post.
Thank you!

#7
Rorschach112

Posted 03 September 2007 - 10:44 AM

Ralphie

Retired Staff
47,710 posts

Thats nothing to worry about, just continue on with the rest of the steps.

#8
rpv_rpv

Posted 03 September 2007 - 11:39 AM

Member

Topic Starter
Member
20 posts

Hi Can I download the combofix.exe once again? I guess I deleted my previous download and now the link is now working for a new download.

Pl advice.

#9
Rorschach112

Posted 03 September 2007 - 11:41 AM

Ralphie

Retired Staff
47,710 posts

Yes download it again and continue on with the instructions :whistling:

#10
rpv_rpv

Posted 03 September 2007 - 11:57 AM

Member

Topic Starter
Member
20 posts

Problem is that the link http://www.techsuppo...Bs/ComboFix.exe doesnt work for me anymore....

#11
rpv_rpv

Posted 03 September 2007 - 02:47 PM

Member

Topic Starter
Member
20 posts

Also, My Internet speed has becoming very very slow. I open a browser and for first time, it takes atleast 30 seconds to say page not found. When I try to refresh, the same page opens but atleast takes a minute(no less than a minute ) to open the page. Any Insight on why this slowness could be?

Thanks

#12
Rorschach112

Posted 03 September 2007 - 04:36 PM

Ralphie

Retired Staff
47,710 posts

Try this link
http://www.techsuppo...bs/combofix.exe

Your internet speed is more than likely linked to malware, remind me near the end if you are still having a slow internet speed.

So please follow on with the instructions :whistling:

#13
rpv_rpv

Posted 03 September 2007 - 08:13 PM

Member

Topic Starter
Member
20 posts

Hi, this is the combofix Log

Start Time= 2007-09-03 21:10:12.04

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-30 15:16:26 ( .D... ) "C:\Program Files\Juniper Networks"
2007-07-22 18:39:28 279552 ( A.... ) "C:\WINDOWS\system32\swreg.exe"
2007-07-21 05:28:02 192637 ( A.... ) "C:\WINDOWS\system32\kwintpdt.exe"
2007-07-20 00:47:24 109056 ( A.... ) "C:\WINDOWS\catchme.exe"
2007-06-17 00:11:58 51200 ( A.... ) "C:\WINDOWS\nircmd.exe"
2006-02-28 16:02:24 250 ( A.... ) "C:\Program Files\INSTALL.LOG"

((((((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"TP4EX"="tp4ex.exe"
"TpShocks"="TpShocks.exe"
"PWRMGRTR"="rundll32 C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\PWRMGRTR.DLL,PwrMgrBkGndMonitor"
"BLOG"="rundll32 C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\BatLogEx.DLL,StartBattLog"
"EPDeskAdmin"="C:\\WINDOWS\\kix32.exe C:\\WINDOWS\\EPDesk.KIX"
"CgaViewer"="C:\\PROGRA~1\\CYBERG~1\\cgav.exe -check"
"ACTray"="C:\\Program Files\\ThinkPad\\ConnectUtilities\\ACTray.exe"
"ACWLIcon"="C:\\Program Files\\ThinkPad\\ConnectUtilities\\ACWLIcon.exe"
"SSBkgdUpdate"="\"C:\\Program Files\\Common Files\\Scansoft Shared\\SSBkgdUpdate\\SSBkgdupdate.exe\" -Embedding -boot"
"PaperPort PTD"="C:\\Program Files\\ScanSoft\\PaperPort\\pptd40nt.exe"
"IndexSearch"="C:\\Program Files\\ScanSoft\\PaperPort\\IndexSearch.exe"
"SetDefPrt"="C:\\Program Files\\Brother\\Brmfl05c\\BrStDvPt.exe"
"ControlCenter2.0"="C:\\Program Files\\Brother\\ControlCenter2\\brctrcen.exe /autorun"
"SetDefPrt2"="C:\\Program Files\\Brother\\Brmfl05b\\BrStDvPt.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\AutorunsDisabled]
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"QuickTime Task"="C:\\WINDOWS\\system32\\qttask.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000
"NoDriveAutoRun"=dword:03ffffff
"NoDriveTypeAutoRun"=dword:000000ff

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"
"Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\AutorunsDisabled]
"MSMSGS"="\"C:\\Program Files\\Messenger\\Msmsgs.exe\" /background"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
"Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\PMTask.job

Completion time: 2007-09-03 21:11:30.20
ComboFix ver 06.06.17 - This logfile is located at C:\ComboFix.txt

#14
rpv_rpv

Posted 03 September 2007 - 08:14 PM

Member

Topic Starter
Member
20 posts

This is the HijackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:36, on 2007-09-03
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\PROGRA~1\CYBERG~1\cgasvc.exe
C:\PROGRA~1\CYBERG~1\cgagent.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
c:\windows\system32\DWRCS.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\Antivirus\InoculateIT\InoRpc.exe
c:\Antivirus\InoculateIT\InoRT.exe
c:\Antivirus\InoculateIT\InoTask.exe
C:\WINDOWS\LogWatNT.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\CyberArmor\casvc.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\PROGRA~1\CYBERA~1\pcs.exe
c:\Program Files\Tally Systems Corp\TSCensus\bin\TSUsage32.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
c:\windows\system32\DWRCST.exe
C:\WINDOWS\system32\TpShocks.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\eFax Messenger 4.2\J2GTray.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\PKWARE\PKZIPM\8.00.0038\PKTray.exe
C:\Program Files\PrintKey2000\Printkey2000.exe
C:\program files\marimba\tuner\Tuner.exe
C:\program files\marimba\tuner\lib\jre\bin\java.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\Program Files\Tally Systems Corp\TSCensus\bin\cclientsvc.exe
c:\Program Files\Tally Systems Corp\TSCensus\bin\CClient.exe
C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
C:\WINDOWS\system32\mdm.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Junk\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://epinside/inside
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://epinside/inside
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://itweb/polproc/newsletter.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by El Paso Corporation
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://itweb/ins/ie6script.ins
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ViewerHelper Class - {78104A01-8E71-4F30-9A36-3793799615B4} - c:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [EPDeskAdmin] C:\WINDOWS\kix32.exe C:\WINDOWS\EPDesk.KIX
O4 - HKLM\..\Run: [CgaViewer] C:\PROGRA~1\CYBERG~1\cgav.exe -check
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl05c\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [SetDefPrt2] C:\Program Files\Brother\Brmfl05b\BrStDvPt.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: eFax 4.2.lnk = C:\Program Files\eFax Messenger 4.2\J2GTray.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: PKZIP Attachments Status.lnk = C:\Program Files\PKWARE\PKZIPM\8.00.0038\PKTray.exe
O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe
O9 - Extra button: (no name) - {685ec120-f786-4498-a8f0-794d47916161} - c:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra 'Tools' menuitem: @c:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40971 - {685ec120-f786-4498-a8f0-794d47916161} - c:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @c:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-205 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - c:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra 'Tools' menuitem: @c:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40970 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - c:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: (no name) - {685ec120-f786-4498-a8f0-794d47916161} - c:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O9 - Extra 'Tools' menuitem: @c:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40971 - {685ec120-f786-4498-a8f0-794d47916161} - c:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O9 - Extra button: @c:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-205 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - c:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O9 - Extra 'Tools' menuitem: @c:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40970 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - c:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://epinside/inside
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://corhouiis01b/...yer/awswaxf.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://epinside/insi...trix/wficat.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {40F8967E-34A6-474A-837A-CEC1E7DAC54C} - https://accounting.q....585/qboax9.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1128107943075
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1128107935670
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.c...rt/IbmEgath.cab
O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} (QuickBooks Online Edition Utilities Class v10) - https://accounting.q...607/qboax10.cab
O16 - DPF: {8CE3BAE6-AB66-40B6-9019-41E5282FF1E2} - https://accounting.q....565/qboax8.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://elpaso.webex...bex/ieatgpc.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://epconnect.el...perSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.epec.com
O17 - HKLM\Software\..\Telephony: DomainName = corp.epec.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.epec.com
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: CyberGatekeeper Agent (CGAgent) - InfoExpress - C:\PROGRA~1\CYBERG~1\cgasvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: CyberArmor Run Service (CyberArmorRunService) - InfoExpress - C:\Program Files\CyberArmor\casvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - c:\windows\system32\DWRCS.EXE
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - c:\Antivirus\InoculateIT\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - c:\Antivirus\InoculateIT\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - c:\Antivirus\InoculateIT\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: Marimba - Marimba, Inc. - C:\program files\marimba\tuner\Tuner.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: ZENworks Asset Management - Collection Client (TSCensus Collection Client) - Novell, Inc. - c:\Program Files\Tally Systems Corp\TSCensus\bin\cclientsvc.exe

--
End of file - 13307 bytes

#15
Rorschach112

Posted 04 September 2007 - 07:33 AM

Ralphie

Retired Staff
47,710 posts

Hello rpv_rpv

Go to this site:
http://www.virustotal.com/
On top you'll find 'Browse'
Click the browse button and browse to the file:

C:\WINDOWS\system32\kwintpdt.exe

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results as well in your next reply.

Next download AVG Anti-Spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program

Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
Once the setup is complete you will need run AVG Anti-Spyware and update the definition files.
On the main screen select the icon "Update" then select the "Update now" link.
- Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Under "Reports"
- Select "Automatically generate report after every scan"
- Un-Select "Only if threats were found"

Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly.

Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning proccess:
Lauch AVG Anti-Spyware by double-clicking the icon on your desktop.
Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:
If you have any infections you will prompted, then select "Apply all actions"
Next select the "Reports" icon at the top.
Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan.

So post the following in your next reply : the results of that file I asked you to scan, the AVG anti-spyware report, and tell me how your PC is running now.