Malware, not sure what it is. Explorer worm. scvhost? Firefox and spyb



#1
HunterAce
Hello Team,
I wanted to let you know first of all that I appreciate the previous posts. I am at least able to run Firefox now (11pm EST) after fighting with this beast all day. I will give you a rundown of where I was and what I've done below.

My BIGGEST concern at this point is that I don't have it all removed. I'd like an expert's opinion on that.

Today when I turned on my PC I could not run:
1) Firefox. Would not launch.
2) Spybot
3) SDFix would not run
4) mbam-setup.exe would not run
5) Adaware did run but did not help.

When I ran IE, I could search but any link I clicked on pushed me to one of those crappy search sites.

I tried to start with mbam-setup.exe, but it would not launch in safe mode or in regular mode (Win XP SP2).

I was able to run SuperAntiSpyware (logs will be below). It removed a couple of things.
I ran it in regular mode and safe mode.

Once I ran that, I ran Combo-Fix ... it removed 10-15 items. Once ComboFix finished I was able to go back to mbam-setup.exe and run it, and it removed 3 more items. I tried to get to the Panda site but it was down or something ... could not get to it at this time.

Since then, I've been able to run Firefox (I am done with IE) and browse.

If someone could take a look at the many logs below and let me know what to do next to ensure cleanliness, I would appreciate it. Plus, it seems when I put my USB drive in now it thinks it's a folder and it won't open it? Need help fixing the extensions, I think.

HijackThis log, 11:07 PM EST

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:11:28 PM, on 05/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Drivers\trcboot.exe
C:\Program Files\IBM\Personal Communications\PCS_AGNT.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\CheckPoint\SSL Network Extender\slimsvc.exe
C:\Program Files\IBM\tivoli\dcd\client\ISSI\cds\CDSWinSrv.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\C4ebreg\c4ebreg.exe
c:\sdwork\issimsvc.exe
C:\WINDOWS\system32\lxcicoms.exe
C:\Program Files\AT&T Network Client\NetCfgSv.EXE
C:\WINDOWS\system32\cmd.exe
c:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\Program Files\IBM\tivoli\dcd\client\ISSI\_jvm\jre\bin\java.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\Drivers\ldlcserv.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\IBM\Personal Communications\tpam.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\ThinkPad\UltraNav Wizard\UNavTray.EXE
C:\WINDOWS\system32\hphmon04.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\SYMANT~2\VPTray.exe
C:\Program Files\IBM\My Help\plugins\com.ibm.myhelp.common_1.3.14\pmonmh.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\C4ebreg\isamtray.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Lexmark 7300 Series\lxcimon.exe
C:\Program Files\Lexmark 7300 Series\ezprint.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\SanDisk\Sansa Updater\SansaUpdater.exe
C:\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://w3.ibm.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [Tpam.exe] "C:\Program Files\IBM\Personal Communications\tpam.exe"
O4 - HKLM\..\Run: [stgclean] c:\sdwork\w32main2.exe /cleanup
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Thinkvantage Fingerprint Software\launcher.exe" /startup
O4 - HKLM\..\Run: [ISSI EZUpdate Service] "c:\sdwork\issimsvc.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [pmonmh] C:\Program Files\IBM\My Help\workspace\..\plugins\com.ibm.myhelp.common_1.3.14/pmonmh.exe
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [C4EBReg] "C:\Program Files\C4ebreg\c4ebreg.exe" /q
O4 - HKLM\..\Run: [Isamtray] "C:\Program Files\C4ebreg\isamtray.exe"
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [LXCICATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCItime.dll,[email protected]
O4 - HKLM\..\Run: [lxcimon.exe] "C:\Program Files\Lexmark 7300 Series\lxcimon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 7300 Series\ezprint.exe"
O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
O4 - HKLM\..\Run: [defergui] c:/sdwork/defergui.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SansaDispatch] C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [NetSP - restore settings on power failure] "C:\Program Files\AT&T Network Client\NetSP.exe" -show
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\IBM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IBM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IBM\Bluetooth Software\btsendto_ie.htm
O11 - Options group: [JAVA_IBM] Java (IBM)
O14 - IERESET.INF: START_PAGE_URL=http://w3.ibm.com
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (Lotus Quickr Class) - https://extranet.lotus.com/qp2.cab
O16 - DPF: {094ED66B-7F6A-42A1-9A32-57B4255F1A6F} (WedgeXClient.WedgeX) - https://www.aeswebsc...edgeXClient.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - http://www-307.ibm.c...pport/acpir.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {8C28EFD7-767B-11D1-844B-0060972DC2AC} - https://w3-03.ibm.co....Insight.en.cab
O16 - DPF: {9519B2A2-6592-4E41-8290-D0298459270C} (LNWebAssist Class) - http://w3.ibm.com/bl...lnwebassist.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://www.samsphoto...ploadClient.cab
O16 - DPF: {B4CB50E4-0309-4906-86EA-10B6641C8392} (SlimClient Class) - https://9.23.67.90/extender.cab
O16 - DPF: {DF809680-F721-41A4-9D5C-4E9F3EB05C4B} (CrossLinkLauncher Control) - https://webtopxil3.b...inkLauncher.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://bigfix.webex...bex/ieatgpc.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ibm.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ibm.com
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: AppnNode - IBM Corporation - C:\WINDOWS\system32\Drivers\appnnode.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Check Point SSL Network Extender (cpextender) - Check Point Software Technologies - C:\Program Files\CheckPoint\SSL Network Extender\slimsvc.exe
O23 - Service: IBM DCD Standard Client (DCDClient-ISSI) (DCDClient-ISSI) - Unknown owner - C:\Program Files\IBM\tivoli\dcd\client\ISSI\cds\CDSWinSrv.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: IBM Standard Asset Manager Service (ISAMSvc) - IBM Corp. - C:\Program Files\C4ebreg\c4ebreg.exe
O23 - Service: ISSI EZUpdate (ISSIMon) - IBM Corp. - c:\sdwork\issimsvc.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: IBM Enterprise Extender (ldlcserv) - IBM Corporation - C:\WINDOWS\system32\Drivers\ldlcserv.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: lxci_device - - C:\WINDOWS\system32\lxcicoms.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\Program Files\AT&T Network Client\NetCfgSv.EXE
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: SAVRoam (SavRoam) - symantec - c:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: IBM Trace Facility (TrcBoot) - IBM Corporation - C:\WINDOWS\system32\Drivers\trcboot.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 14581 bytes

Edited by HunterAce, 31 May 2008 - 09:19 PM.




#2
HunterAce
Here's the combofix log:

ComboFix 08-05-29.1 - bfarnsle 2008-05-31 22:18:50.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.716 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\Combo-Fix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\D0.tmp
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\D1.tmp
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\D2.tmp
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\D4.tmp
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\D5.tmp
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\D6.tmp
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\SLC_bfarnsle.prx
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\hosts
C:\WINDOWS\system32\000080.exe
C:\WINDOWS\system32\clbdll.dll
C:\WINDOWS\system32\clbinit.dll
C:\WINDOWS\system32\drivers\clbdriver.sys

----- BITS: Possible infected sites -----

hxxp://80.93.48.74
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CLBDRIVER


((((((((((((((((((((((((( Files Created from 2008-05-01 to 2008-06-01 )))))))))))))))))))))))))))))))
.

2008-05-31 18:45 . 2008-05-31 18:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-31 18:44 . 2008-05-31 18:44 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-31 18:44 . 2008-05-31 18:44 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-05-29 07:11 . 2008-05-30 13:25 1,299 --a------ C:\WINDOWS\system32\drivers\hosts
2008-05-23 09:15 . 2008-05-23 09:15 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\webex
2008-05-19 10:15 . 2008-05-19 10:17 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-05-19 00:46 . 2008-05-19 00:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-19 00:45 . 2008-05-31 18:23 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-19 00:43 . 2008-05-19 00:43 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-18 17:12 . 2008-05-18 20:25 8,192 --a------ C:\WINDOWS\waol.exe
2008-05-18 16:33 . 2008-05-31 18:20 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-18 16:33 . 2008-05-31 17:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-18 10:07 . 2008-05-18 16:17 160,256 --a------ C:\WINDOWS\system32\blackster.scr
2008-05-18 10:07 . 2004-08-04 01:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-05-17 13:31 . 2008-05-17 13:31 4 --a------ C:\WINDOWS\system32\hljwugsf.bin
2008-05-09 08:07 . 2008-05-09 08:07 <DIR> d-------- C:\Program Files\My Company Name
2008-05-09 07:47 . 2008-05-09 07:47 <DIR> d-------- C:\notes8bkp
2008-05-07 12:16 . 2008-05-07 12:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2008-05-02 17:45 . 2008-05-12 08:49 <DIR> d-------- C:\MSPPWSV
2008-05-02 17:45 . 2008-05-02 12:36 742 -ra------ C:\WINDOWS\MSPPWSV.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-01 02:33 --------- d-----w C:\Program Files\C4ebreg
2008-05-30 19:50 --------- d-----w C:\Program Files\WST
2008-05-30 18:30 --------- d-----w C:\Program Files\AT&T Network Client
2008-05-30 17:26 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-30 15:52 --------- d-----w C:\Program Files\IBM Ayudame
2008-05-30 01:23 --------- d-----w C:\Program Files\Lx_cats
2008-05-20 20:55 --------- d-----w C:\Documents and Settings\Administrator\Application Data\IBM
2008-05-19 19:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-19 16:14 --------- d-----w C:\Program Files\Common Files\AOL
2008-05-19 16:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-05-19 04:46 --------- d-----w C:\Program Files\Lavasoft
2008-05-19 04:35 --------- d-----w C:\Documents and Settings\bfarnsle\Application Data\Lavasoft
2008-05-19 04:33 --------- d-----w C:\Program Files\Yahoo!
2008-05-19 04:25 --------- d-----w C:\Program Files\GSNI
2008-05-15 15:11 53,056 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2008-05-08 11:36 --------- d-----w C:\Program Files\Google
2008-05-02 14:35 57,344 ----a-w C:\WINDOWS\isamunin.exe
2008-05-02 14:32 7,012 ------w C:\WINDOWS\system32\drivers\PMEMNT.SYS
2008-05-01 14:57 --------- d-----w C:\Program Files\Lexmark 7300 Series
2008-04-04 20:40 --------- d-----w C:\Program Files\QuickTime
2008-04-03 14:21 --------- d-----w C:\Program Files\PuTTY
2008-03-20 13:26 81 ----a-w C:\CTX.DAT
2008-01-17 19:08 389,120 ----a-w C:\Documents and Settings\Administrator\stas75_20060810.0001.dll
2007-12-13 19:05 389,120 ----a-w C:\Documents and Settings\bfarnsle\stas75_20060810.0001.dll
2007-11-21 20:50 56,008 ----a-w C:\Documents and Settings\bfarnsle\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 3,423 2007-10-24 17:55:18 C:\Program Files\IBM\tivoli\dcd\client\ISSI\bak\cds\ISXuninst1.bat.bak

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NetSP - restore settings on power failure"="C:\Program Files\AT&T Network Client\NetSP.exe" [2007-01-13 09:00 24576]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Tpam.exe"="C:\Program Files\IBM\Personal Communications\tpam.exe" [2004-04-27 05:07 28672]
"stgclean"="c:\sdwork\w32main2.exe" [2008-04-14 09:44 272896]
"TPHOTKEY"="C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 14:49 66176]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2006-05-19 03:25 110592]
"BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [2006-05-19 03:25 20480]
"BMMMONWND"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2006-05-19 03:25 396288]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2006-05-19 03:25 208896]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2006-05-19 03:26 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-19 03:26 512000]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2005-10-28 15:04 864256]
"TpShocks"="TpShocks.exe" [2005-11-07 07:14 106496 C:\WINDOWS\system32\TpShocks.exe]
"ACTray"="C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe" [2006-04-17 09:09 409600]
"ACWLIcon"="C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2006-04-17 08:59 98304]
"PSQLLauncher"="C:\Program Files\Thinkvantage Fingerprint Software\launcher.exe" [ ]
"ISSI EZUpdate Service"="c:\sdwork\issimsvc.exe" [2008-05-27 09:13 217600]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 01:00 110592 C:\WINDOWS\system32\bthprops.cpl]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2006-01-06 15:07 188416]
"HPHmon04"="C:\WINDOWS\system32\hphmon04.exe" [2006-01-06 15:07 348160]
"HPHUPD04"="C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 19:26 52896]
"vptray"="C:\PROGRA~1\SYMANT~2\SYMANT~2\VPTray.exe" [2006-09-27 20:33 125168]
"pmonmh"="C:\Program Files\IBM\My Help\workspace\..\plugins\com.ibm.myhelp.common_1.3.14/pmonmh.exe" [2008-04-07 16:00 184371]
"IntelliPoint"="c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 15:52 849280]
"C4EBReg"="C:\Program Files\C4ebreg\c4ebreg.exe" [2008-05-02 10:35 372736]
"Isamtray"="C:\Program Files\C4ebreg\isamtray.exe" [2008-05-02 10:35 253952]
"TVT Scheduler Proxy"="C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2007-08-01 12:07 540672]
"LXCICATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCItime.dll" [2006-11-21 13:27 106496]
"lxcimon.exe"="C:\Program Files\Lexmark 7300 Series\lxcimon.exe" [2007-02-01 22:14 205744]
"EzPrint"="C:\Program Files\Lexmark 7300 Series\ezprint.exe" [2007-02-01 22:15 103344]
"WrtMon.exe"="C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 09:35 20480]
"defergui"="c:/sdwork/defergui.exe" [2008-03-03 12:18 138752 c:\sdwork\defergui.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"SansaDispatch"="C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe" [2007-10-22 12:52 75584]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-04-04 16:40 413696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
ACNotify.dll 2006-04-17 09:01 32768 C:\Program Files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\atmgrtok]
atmgrtok.dll 2004-04-27 05:07 49152 C:\Program Files\IBM\Personal Communications\atmgrtok.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pcsinst]
pcsinst.dll 2004-04-27 18:02 49152 C:\WINDOWS\system32\pcsinst.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
C:\Program Files\Lenovo\HOTKEY\notifyf2.dll 2006-09-06 16:37 34344 C:\Program Files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
C:\Program Files\Lenovo\HOTKEY\tphklock.dll 2006-12-14 11:06 28672 C:\Program Files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"IBMconfig"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\lxcicoms.exe"=

R0 Shockprf;Shockprf;C:\WINDOWS\system32\drivers\Shockprf.sys [2005-11-30 11:58]
R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2005-11-08 05:27]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\Drivers\IBMBLDID.sys [2006-01-12 20:33]
R1 ShockMgr;ShockMgr;C:\WINDOWS\system32\drivers\ShockMgr.sys [2005-06-20 08:18]
R1 TPPWR;TPPWR;C:\WINDOWS\system32\drivers\Tppwr.sys [2006-05-19 03:25]
R2 AppnApi;AppnApi;C:\WINDOWS\system32\drivers\appnapi.sys [2004-04-27 05:07]
R2 cpextender;Check Point SSL Network Extender;C:\Program Files\CheckPoint\SSL Network Extender\slimsvc.exe [2007-04-30 08:32]
R2 DCDClient-ISSI;IBM DCD Standard Client (DCDClient-ISSI);C:\Program Files\IBM\tivoli\dcd\client\ISSI\cds\CDSWinSrv.exe [2007-07-06 16:34]
R2 IBM_LLC2;IBM Personal Communications LLC2 Driver;C:\WINDOWS\system32\DRIVERS\llc2.sys [2004-04-27 05:07]
R2 ISAMSvc;IBM Standard Asset Manager Service;"C:\Program Files\C4ebreg\c4ebreg.exe" [2008-05-02 10:35]
R2 lxci_device;lxci_device;C:\WINDOWS\system32\lxcicoms.exe [2007-02-01 22:13]
R2 NsTrcNT;NsTrcNT;C:\WINDOWS\system32\drivers\nstrcnt.sys [2004-04-27 05:07]
R2 pdlnctdl;Twinax CUT Adapter;C:\WINDOWS\system32\drivers\pdlnctdl.sys [2004-04-27 05:07]
R2 pdlndldl;IBM Enterprise Extender (HPR/IP);C:\WINDOWS\system32\drivers\pdlndldl.sys [2004-04-27 05:07]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
R3 agnfilt;AGN Filter Interface;C:\WINDOWS\system32\DRIVERS\agnfilt.sys [2006-05-19 10:46]
R3 Anydlc;Anydlc;C:\WINDOWS\system32\drivers\anydlc.sys [2004-04-27 05:07]
R3 Appn;Appn;C:\WINDOWS\system32\drivers\appn.sys [2004-04-27 05:07]
R3 AppnBase;AppnBase;C:\WINDOWS\system32\drivers\AppnBase.sys [2004-04-27 05:07]
R3 KLOGNT;KLOGNT;C:\WINDOWS\system32\drivers\klognt.sys [2004-04-27 05:07]
R3 pdlnacom;PDLC Adapter -- COM;C:\WINDOWS\system32\drivers\pdlnacom.sys [2004-04-27 05:07]
R3 pdlnafac;PDLC Adapter Factory;C:\WINDOWS\system32\drivers\pdlnafac.sys [2004-04-27 05:07]
R3 pdlnatcm;Twinax Adapter Common;C:\WINDOWS\system32\drivers\pdlnatcm.sys [2004-04-27 05:07]
R3 pdlnatdl;Twinax Adapter;C:\WINDOWS\system32\drivers\pdlnatdl.sys [2004-04-27 05:07]
R3 pdlncbas;PDLC CxM Classes;C:\WINDOWS\system32\drivers\pdlncbas.sys [2004-04-27 05:07]
R3 pdlncfwk;PDLC Connection Manager;C:\WINDOWS\system32\drivers\pdlncfwk.sys [2004-04-27 05:07]
R3 pdlndint;PDLC DLC Classes;C:\WINDOWS\system32\drivers\pdlndint.sys [2004-04-27 05:07]
R3 pdlndlpb;PDLC LAPB;C:\WINDOWS\system32\drivers\pdlndlpb.sys [2004-04-27 05:07]
R3 pdlndoem;PDLC OEM Interface;C:\WINDOWS\system32\drivers\pdlndoem.sys [2004-04-27 05:07]
R3 pdlndqll;PDLC QLLC;C:\WINDOWS\system32\drivers\pdlndqll.sys [2004-04-27 05:07]
R3 pdlndsdl;PDLC SDLC;C:\WINDOWS\system32\drivers\pdlndsdl.sys [2004-04-27 05:07]
R3 pdlndtdl;Twinax DLC;C:\WINDOWS\system32\drivers\pdlndtdl.sys [2004-04-27 05:07]
R3 pdlnebas;PDLC Environment;C:\WINDOWS\system32\drivers\pdlnebas.sys [2004-04-27 05:07]
R3 pdlnecfg;PDLC Configuration;C:\WINDOWS\system32\drivers\pdlnecfg.sys [2004-04-27 05:07]
R3 pdlnemap;PDLC Mapper;C:\WINDOWS\system32\drivers\pdlnemap.sys [2004-04-27 05:07]
R3 pdlnemsg;PDLC Message Driver;C:\WINDOWS\system32\drivers\pdlnemsg.sys [2004-04-27 05:07]
R3 pdlnepkt;PDLC Buffer Manager;C:\WINDOWS\system32\drivers\pdlnepkt.sys [2004-04-27 05:07]
R3 pdlnshay;PDLC Hayes At signalling;C:\WINDOWS\system32\drivers\pdlnshay.sys [2004-04-27 05:07]
R3 pdlnslea;PDLC SDLC Leased;C:\WINDOWS\system32\drivers\pdlnslea.sys [2004-04-27 05:07]
R3 pdlnsv25;PDLC V25bis signalling;C:\WINDOWS\system32\drivers\pdlnsv25.sys [2004-04-27 05:07]
R3 pdlnsx25;PDLC X.25;C:\WINDOWS\system32\drivers\pdlnsx25.sys [2004-04-27 05:07]
R3 VNA;Check Point Virtual Network Adapter;C:\WINDOWS\system32\DRIVERS\vna.sys [2007-04-30 08:32]
S3 ABVPN2K;AGN VPN Client Miniport Interface;C:\WINDOWS\system32\DRIVERS\abvpn2k.sys []
S3 avpnnic;AGN Virtual Network Adapter;C:\WINDOWS\system32\DRIVERS\avpnnic.sys [2003-04-04 13:48]
S3 gwiopm;gwiopm;C:\Program Files\wst\gwiopm.sys []
S4 agnwifi;AT&T Wi-Fi Support Driver;C:\WINDOWS\system32\DRIVERS\agnwifi.sys [2004-04-29 18:19]
S4 MyHelp;My Help;C:\Program Files\IBM\My Help\plugins\com.ibm.myhelp.installer\service\MyHelpService.exe []
S4 Windows Action Script;Windows Action Script;"C:\WINDOWS\system32\scvhost.exe" []

.
Contents of the 'Scheduled Tasks' folder
"2006-05-19 07:48:38 C:\WINDOWS\Tasks\BMMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\BMMTASK.EXE
"2007-08-26 21:38:34 C:\WINDOWS\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job"
- c:\Program Files\Microsoft IntelliPoint\ipoint.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-31 22:35:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\ThinkPad\ConnectUtilities\AcSvcStub.dll
-> C:\Program Files\ThinkPad\ConnectUtilities\AcLocSettings.dll
-> C:\Program Files\ThinkPad\ConnectUtilities\ACHelper.dll
-> C:\WINDOWS\system32\Ati2evxx.dll
-> C:\Program Files\Lenovo\HOTKEY\tphklock.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\drivers\trcboot.exe
C:\Program Files\IBM\Personal Communications\PCS_AGNT.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\AT&T Network Client\NetCfgSv.EXE
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Lenovo\System Update\SUService.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\system32\TPHDEXLG.exe
C:\Program Files\IBM\tivoli\dcd\client\ISSI\_jvm\jre\bin\java.exe
C:\WINDOWS\system32\TpKmpSvc.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\WINDOWS\system32\drivers\ldlcserv.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ThinkPad\UltraNav Wizard\UNavTray.exe
C:\Program Files\IBM\My Help\plugins\com.ibm.myhelp.common_1.3.14\pmonmh.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
.
**************************************************************************
.
Completion time: 2008-05-31 22:41:49 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-01 02:41:38

Pre-Run: 62,257,238,016 bytes free
Post-Run: 62,511,783,936 bytes free


#3
HunterAce
Malwarebytes' Anti-Malware 1.14
Database version: 811

10:51:48 PM 05/31/2008
mbam-log-5-31-2008 (22-51-48).txt

Scan type: Quick Scan
Objects scanned: 42148
Time elapsed: 6 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\blackster.scr (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\internet.exe (Trojan.Agent) -> Quarantined and deleted successfully.

#4
HunterAce
SUPERAntiSpyware #1

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/31/2008 at 08:23 PM

Application Version : 4.0.1154

Core Rules Database Version : 3412
Trace Rules Database Version: 1404

Scan type : Quick Scan
Total Scan Time : 00:34:00

Memory items scanned : 192
Memory threats detected : 0
Registry items scanned : 523
Registry threats detected : 0
File items scanned : 13051
File threats detected : 7

Adware.Tracking Cookie
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt

EXPLORER32.EXE Worm
C:\WINDOWS\EXPLORER32.EXE

RUNDLL16.EXE
C:\WINDOWS\RUNDLL16.EXE

Worm.Rbot Variant
C:\WINDOWS\SVCHOST32.EXE

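An added check, not part of this thread or of any of the tools whose logs appear in it, that ties the ComboFix service list and the SUPERAntiSpyware hits above together. The ComboFix list has an S4 service "Windows Action Script" whose image is C:\WINDOWS\system32\scvhost.exe (a transposition of svchost.exe) with an empty date bracket, and SUPERAntiSpyware removed EXPLORER32.EXE, RUNDLL16.EXE and SVCHOST32.EXE from C:\WINDOWS. Every one of those names is within two character edits of a real Windows binary, which is the pattern the script below looks for in ComboFix-style service lines and in bare process paths. The LEGIT table (binary name to the directory it lives in on a default XP install), the reading of an empty `[]` as "no file date recorded", and the SAMPLE text are this example's own assumptions and constructed data, not anything ComboFix ships or the poster's real logs.

```python
"""Flag autostart entries whose image name mimics a Windows system binary.

Added example, not from the thread. Two signals are checked for each path:
  1. a legitimate system binary name running from the wrong directory;
  2. a name within two edits of a legitimate one (scvhost.exe, svchost32.exe,
     explorer32.exe, rundll16.exe all match this rule).
ComboFix service lines additionally get a note when the date bracket is
empty. LEGIT and SAMPLE are assumptions/constructed data for this example.
"""
import ntpath
import re

# Assumption: expected home directory of each binary on a default XP install.
LEGIT = {
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
    "rundll32.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "smss.exe": r"c:\windows\system32",  # short legit names must be listed or they look like lookalikes
    "spoolsv.exe": r"c:\windows\system32",
}

# ComboFix service/driver line: "<R|S><n> name;display;path [yyyy-mm-dd hh:mm]"
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s*\[(?P<stamp>[^\]]*)\]\s*$")


def edit_distance(a, b):
    """Plain Levenshtein distance (insert/delete/substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_path(path):
    """Findings for one image path: wrong directory or lookalike name."""
    clean = path.strip().strip('"')
    name = ntpath.basename(clean).lower()
    directory = ntpath.dirname(clean).lower()
    if name in LEGIT:
        if directory != LEGIT[name]:
            return [f"{name} runs from {directory}, expected {LEGIT[name]}"]
        return []
    findings = []
    for legit in LEGIT:
        d = edit_distance(name, legit)
        if d <= 2:
            findings.append(f"{name} is {d} edit(s) from {legit}")
    return findings


def check_service_line(line):
    """Parse one ComboFix service line; None if the line is not one."""
    m = SERVICE_RE.match(line)
    if not m:
        return None
    findings = check_path(m.group("path"))
    if not m.group("stamp").strip():
        # Assumption: an empty [] means ComboFix recorded no file date,
        # i.e. the image was missing or unreadable when it ran.
        findings.append(f"{m.group('name')}: no file timestamp recorded")
    return {"start": m.group("start"), "name": m.group("name"),
            "path": m.group("path").strip('"'), "findings": findings}


def scan(text):
    """Run over mixed log text (service lines or bare paths, one per line)."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        entry = check_service_line(line)
        findings = entry["findings"] if entry else check_path(line)
        if findings:
            hits.append((line, findings))
    return hits


# Constructed sample in the style of the logs above (not the poster's real logs).
SAMPLE = r"""
R3 VNA;Check Point Virtual Network Adapter;C:\WINDOWS\system32\DRIVERS\vna.sys [2007-04-30 08:32]
S4 MyHelp;My Help;C:\Program Files\IBM\My Help\plugins\com.ibm.myhelp.installer\service\MyHelpService.exe []
S4 Windows Action Script;Windows Action Script;"C:\WINDOWS\system32\scvhost.exe" []
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SVCHOST32.EXE
C:\WINDOWS\EXPLORER32.EXE
"""

if __name__ == "__main__":
    for line, findings in scan(SAMPLE):
        print(line)
        for f in findings:
            print("   ->", f)
```

The edit-distance rule is deliberately loose (two edits), so the LEGIT table has to carry every short legitimate name such as smss.exe, or those get reported as lookalikes of each other; treat a hit as a prompt to verify the file's location, signature and date, not as proof on its own.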
#5
HunterAce
SUPERAntiSpyware #2:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/31/2008 at 10:10 PM

Application Version : 4.0.1154

Core Rules Database Version : 3412
Trace Rules Database Version: 1404

Scan type : Complete Scan
Total Scan Time : 01:36:27

Memory items scanned : 654
Memory threats detected : 0
Registry items scanned : 5279
Registry threats detected : 0
File items scanned : 126313
File threats detected : 0

#6
HunterAce
More problems. The PC was shut off last night and turned on tonight 10 minutes ago, and the system will not boot properly. I can get into safe mode. If I try to boot in normal mode I get a desktop but no taskbar and no icons. :)

#7
HunterAce
Here's the latest. I am running now, but I ran a full Kaspersky scan. Here's the output. It looks like there may be some suspicious stuff left over:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, June 02, 2008 09:44:52
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 2/06/2008
Kaspersky Anti-Virus database records: 821972
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 120427
Number of viruses found: 16
Number of infected objects: 70
Number of suspicious objects: 36
Duration of the scan process: 02:32:03

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Cognitas\apptunnel.log Object is locked skipped
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Desktop\Spyware\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Administrator\Desktop\Spyware\SmitfraudFix.exe/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Administrator\Desktop\Spyware\SmitfraudFix.exe RAR: infected - 1 skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012008060220080603\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\My Documents\Personal\UBCD4WinV310.exe/file3614 Infected: not-a-virus:NetTool.Win32.Portscan.c skipped
C:\Documents and Settings\Administrator\My Documents\Personal\UBCD4WinV310.exe/file3793 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped
C:\Documents and Settings\Administrator\My Documents\Personal\UBCD4WinV310.exe/file3795 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped
C:\Documents and Settings\Administrator\My Documents\Personal\UBCD4WinV310.exe/file3798 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped
C:\Documents and Settings\Administrator\My Documents\Personal\UBCD4WinV310.exe/file3851 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\Administrator\My Documents\Personal\UBCD4WinV310.exe/file3854 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\Administrator\My Documents\Personal\UBCD4WinV310.exe/file3855 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\Administrator\My Documents\Personal\UBCD4WinV310.exe/file3856 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\Administrator\My Documents\Personal\UBCD4WinV310.exe/file4095/data.rar/xpkey.exe Infected: not-a-virus:PSWTool.Win32.RAS.g skipped
C:\Documents and Settings\Administrator\My Documents\Personal\UBCD4WinV310.exe/file4095/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\Administrator\My Documents\Personal\UBCD4WinV310.exe/file4095/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\Administrator\My Documents\Personal\UBCD4WinV310.exe/file4095 Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\Administrator\My Documents\Personal\UBCD4WinV310.exe Inno: infected - 12 skipped
C:\Documents and Settings\Administrator\My Documents\Radmin\radmin22sei.exe/raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\Documents and Settings\Administrator\My Documents\Radmin\radmin22sei.exe Gentee: infected - 1 skipped
C:\Documents and Settings\Administrator\My Documents\UPR\UPR_1.7c.zip/UPR/Bin/PsExec/psexec157.exe Infected: not-a-virus:RiskTool.Win32.PsExec.153 skipped
C:\Documents and Settings\Administrator\My Documents\UPR\UPR_1.7c.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\UserData\index.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\11ab8cf46799bea3349f23052ea6ff3b_66ef119f-fcaa-4f96-9e1d-fbb5da69f220 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\511a0f3f9e960fa97de3d0b74adfc574_66ef119f-fcaa-4f96-9e1d-fbb5da69f220 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchAffIedll11.zip/loader.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchAffIedll11.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchBootconf2.zip/msupdate.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchBootconf2.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSmartSearch2.zip/notepad32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSmartSearch2.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSmartSearch4.zip/notepad32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSmartSearch4.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSvcinit1.zip/mssys.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSvcinit1.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSvcinit5.zip/mssys.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSvcinit5.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC11.zip/win32e.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC11.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC41.zip/systemcritical.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC41.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC46.zip/win64.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC46.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC76.zip/clrssn.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC76.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC87.zip/users32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC87.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC90.zip/systemcritical.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC90.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric7.zip/iexplorer.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric7.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric8.zip/accesss.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric8.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp3.zip/x.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp3.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp4.zip/x.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp4.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp6.zip/x.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp6.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp7.zip/x.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp7.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Confid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Content.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Privacy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Restrict.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\WebHist.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02B80000\4ABD3A35.VBN Infected: Trojan.Win32.Qhost.aod skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02B80001\4ABD3A5C.VBN Infected: Trojan.Win32.Qhost.aod skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02E00000\4AE1D594.VBN Infected: Trojan-Downloader.Win32.Small.who skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02E00001\4AE1D5E4.VBN Infected: Trojan-Downloader.Win32.Small.who skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05FC0000\4DFF2113.VBN/stream/data0002 Infected: not-a-virus:AdWare.Win32.AdBand.ac skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05FC0000\4DFF2113.VBN/stream Infected: not-a-virus:AdWare.Win32.AdBand.ac skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05FC0000\4DFF2113.VBN NSIS: infected - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05FC0000\4DFF2113.VBN CryptZ: infected - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07200000\4F3BEC17.VBN Infected: Trojan.Win32.Qhost.aod skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07200001\4F3BEC44.VBN Infected: Trojan.Win32.Qhost.aod skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08700000\48708F65.VBN Infected: Trojan.Win32.Qhost.aod skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09B00000\49B4AB18.VBN Infected: Trojan.Win32.Qhost.aod skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09B00001\49B4AB46.VBN Infected: Trojan.Win32.Qhost.aod skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09B00002\49B4AB53.VBN Infected: Trojan.Win32.Qhost.aod skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A340000\4A3C9063.VBN Infected: Trojan.Win32.Qhost.aod skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B980000\4BBC08D8.VBN Infected: Trojan.Win32.Qhost.aod skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B980001\4BBC0C9A.VBN Infected: Trojan.Win32.Qhost.aod skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C1C0000\4C3EA1B9.VBN Infected: Trojan.Win32.Qhost.aod skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C1C0001\4C3EA1E9.VBN Infected: Trojan.Win32.Qhost.aod skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C1C0002\4C3EA1F8.VBN Infected: Trojan.Win32.Qhost.aod skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C800000\4CBAB592.VBN Infected: Trojan.Win32.Qhost.aod skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C800001\4CBAB5C5.VBN Infected: Trojan.Win32.Qhost.aod skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C800002\4CBABF45.VBN Infected: Trojan.Win32.Qhost.aod skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D100000\4D32B743.VBN Infected: Trojan.Win32.Qhost.aod skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D100001\4D32B758.VBN Infected: Trojan.Win32.Qhost.aod skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DE40000\4DFF4CCD.VBN Infected: Trojan.Win32.Qhost.aod skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DE40001\4DFF4CF5.VBN Infected: Trojan.Win32.Qhost.aod skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E2C0000\4E3EE73C.VBN Infected: Trojan.Win32.Qhost.aod skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E2C0001\4E3EE767.VBN Infected: Trojan.Win32.Qhost.aod skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0EAC0000\4EBEC1E7.VBN Infected: Trojan.Win32.Qhost.aod skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0EAC0001\4EBEC1F6.VBN Infected: Trojan.Win32.Qhost.aod skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0EAC0002\4EBEC20E.VBN Infected: Trojan.Win32.Qhost.aod skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F2C0000\4F3C2F9B.VBN Infected: Trojan.Win32.Qhost.aod skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F2C0001\4F3C2FCB.VBN Infected: Trojan.Win32.Qhost.aod skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F540000\4F55B142.VBN Infected: Trojan.Win32.Qhost.aou skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Client Firewall\System.log Object is locked skipped
C:\Documents and Settings\bfarnsle\Desktop\radmin22sei.exe/raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\Documents and Settings\bfarnsle\Desktop\radmin22sei.exe Gentee: infected - 1 skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\AT&T Network Client\Diagnostics.txt Object is locked skipped
C:\Program Files\CheckPoint\SSL Network Extender\slimsvc.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg2.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMNot.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMReg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMRSt.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped
C:\Program Files\IBM\tivoli\dcd\client\ISSI\logs\msg_client.log Object is locked skipped
C:\Program Files\IBM\tivoli\dcd\client\ISSI\logs\trace_client.log Object is locked skipped
C:\Program Files\IBM\tivoli\dcd\client\ISSI\logs\trace_clientservice.err Object is locked skipped
C:\Program Files\IBM\tivoli\dcd\client\ISSI\logs\trace_clientservice.out Object is locked skipped
C:\Program Files\IBM\tivoli\dcd\client\ISSI\logs\trace_client_nice.log Object is locked skipped
C:\Program Files\Symantec Client Security\Symantec AntiVirus\SAVRT\0108NAV~.TMP Object is locked skipped
C:\Program Files\Symantec Client Security\Symantec AntiVirus\SAVRT\0740NAV~.TMP Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{01E266C2-86F5-40B2-9145-B4252FFF29C3}\RP4\change.log Object is locked skipped
C:\UBCD4Win\BartPE\PROGRAMS\ultravnc\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped
C:\UBCD4Win\plugin\Network\ultravnc\files\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped
C:\UBCD4Win\plugin\Network\VNCServer\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\WINDOWS\bthservsdp.dat Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\hostsold.txt Infected: Trojan.Win32.Qhost.aei skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8EZ7WKK3\update[1].upd Infected: Trojan.Win32.Agent.gnw skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8EZ7WKK3\update[2].upd Infected: Trojan.Win32.Agent.gnw skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8EZ7WKK3\update[3].upd Infected: Trojan.Win32.Agent.gnw skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8EZ7WKK3\update[4].upd Infected: Trojan.Win32.Agent.gnw skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8EZ7WKK3\update[5].upd Infected: Trojan.Win32.Agent.gnw skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8EZ7WKK3\update[6].upd Infected: Trojan.Win32.Agent.gnw skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8EZ7WKK3\update[7].upd Infected: Trojan.Win32.Agent.gnw skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8EZ7WKK3\update[8].upd Infected: Trojan.Win32.Agent.gnw skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8EZ7WKK3\update[9].upd Infected: Trojan.Win32.Agent.gnw skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\profile.dat Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\TEMP\Perflib_Perfdata_430.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

#8 HunterAce (Topic Starter)
The only problem I have that I can't figure out: my USB thumb drive. When I put it into my system now, I can't open the drive. I can access the drive from the DOS prompt, but not from XP. Any ideas?

#9 HunterAce (Topic Starter)
ComboFix 08-05-29.1 - bfarnsle 2008-06-04 19:47:29.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.827 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((( Files Created from 2008-05-04 to 2008-06-04 )))))))))))))))))))))))))))))))
.

2008-06-04 19:32 . 2008-06-04 19:32 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-04 19:32 . 2008-05-30 01:06 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-04 19:32 . 2008-05-30 01:06 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-04 18:42 . 2008-06-04 18:46 23,040 --a------ C:\Monthly Payments 2008.xls
2008-06-02 07:09 . 2008-06-02 07:09 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-06-02 07:09 . 2008-06-02 07:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-02 00:03 . 2008-06-02 00:03 6,908 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-01 21:58 . 2008-06-01 21:58 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-31 23:11 . 2008-06-04 18:47 <DIR> d-------- C:\HiJackThis
2008-05-31 22:44 . 2008-05-31 22:44 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-05-31 22:44 . 2008-05-31 22:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-31 22:44 . 2008-05-31 22:44 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-05-31 18:45 . 2008-05-31 18:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-31 18:44 . 2008-06-02 01:08 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-31 18:44 . 2008-06-02 01:08 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-05-23 09:15 . 2008-05-23 09:15 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\webex
2008-05-19 10:15 . 2008-05-19 10:17 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-05-19 00:46 . 2008-05-19 00:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-19 00:45 . 2008-06-02 01:08 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-19 00:43 . 2008-05-19 00:43 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-18 16:33 . 2008-05-31 18:20 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-18 16:33 . 2008-05-31 17:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-18 10:07 . 2004-08-04 01:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-05-09 08:07 . 2008-05-09 08:07 <DIR> d-------- C:\Program Files\My Company Name
2008-05-09 07:47 . 2008-05-09 07:47 <DIR> d-------- C:\notes8bkp
2008-05-07 12:16 . 2008-05-07 12:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinZip

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-04 23:40 --------- d-----w C:\Program Files\C4ebreg
2008-06-04 23:31 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-04 20:35 --------- d-----w C:\Program Files\AT&T Network Client
2008-06-04 16:50 --------- d-----w C:\Program Files\WST
2008-06-02 04:41 --------- d-----w C:\Program Files\Lenovo
2008-06-02 03:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-06-01 03:44 --------- d-----w C:\Program Files\Lx_cats
2008-05-30 15:52 --------- d-----w C:\Program Files\IBM Ayudame
2008-05-20 20:55 --------- d-----w C:\Documents and Settings\Administrator\Application Data\IBM
2008-05-19 19:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-19 16:14 --------- d-----w C:\Program Files\Common Files\AOL
2008-05-19 16:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-05-19 04:46 --------- d-----w C:\Program Files\Lavasoft
2008-05-19 04:35 --------- d-----w C:\Documents and Settings\bfarnsle\Application Data\Lavasoft
2008-05-19 04:33 --------- d-----w C:\Program Files\Yahoo!
2008-05-19 04:25 --------- d-----w C:\Program Files\GSNI
2008-05-15 15:11 53,056 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2008-05-08 11:36 --------- d-----w C:\Program Files\Google
2008-05-02 14:35 57,344 ----a-w C:\WINDOWS\isamunin.exe
2008-05-02 14:32 7,012 ------w C:\WINDOWS\system32\drivers\PMEMNT.SYS
2008-05-01 14:57 --------- d-----w C:\Program Files\Lexmark 7300 Series
2008-04-07 20:00 3,430,896 ----a-w C:\WINDOWS\system32\AS_Storage_w32.dll
2008-04-07 20:00 2,336,424 ----a-w C:\WINDOWS\system32\AS_Storage.dll
2008-04-04 20:40 --------- d-----w C:\Program Files\QuickTime
2008-03-26 08:09 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-25 14:20 219,936 ----a-w C:\WINDOWS\system32\msltus40.dll
2008-03-20 13:26 81 ----a-w C:\CTX.DAT
2008-01-17 19:08 389,120 ----a-w C:\Documents and Settings\Administrator\stas75_20060810.0001.dll
2007-12-13 19:05 389,120 ----a-w C:\Documents and Settings\bfarnsle\stas75_20060810.0001.dll
2007-11-21 20:50 56,008 ----a-w C:\Documents and Settings\bfarnsle\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 3,423 2007-10-24 17:55:18 C:\Program Files\IBM\tivoli\dcd\client\ISSI\bak\cds\ISXuninst1.bat.bak

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NetSP - restore settings on power failure"="C:\Program Files\AT&T Network Client\NetSP.exe" [2007-01-13 09:00 24576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Tpam.exe"="C:\Program Files\IBM\Personal Communications\tpam.exe" [2004-04-27 05:07 28672]
"stgclean"="c:\sdwork\w32main2.exe" [2008-04-14 09:44 272896]
"TPHOTKEY"="C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 14:49 66176]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2006-05-19 03:25 110592]
"BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [2006-05-19 03:25 20480]
"BMMMONWND"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2006-05-19 03:25 396288]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2006-05-19 03:25 208896]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2006-05-19 03:26 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-19 03:26 512000]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2005-10-28 15:04 864256]
"TpShocks"="TpShocks.exe" [2005-11-07 07:14 106496 C:\WINDOWS\system32\TpShocks.exe]
"ACTray"="C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe" [2006-04-17 09:09 409600]
"ACWLIcon"="C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2006-04-17 08:59 98304]
"PSQLLauncher"="C:\Program Files\Thinkvantage Fingerprint Software\launcher.exe" [ ]
"ISSI EZUpdate Service"="c:\sdwork\issimsvc.exe" [2008-05-27 09:13 217600]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 01:00 110592 C:\WINDOWS\system32\bthprops.cpl]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2006-01-06 15:07 188416]
"HPHmon04"="C:\WINDOWS\system32\hphmon04.exe" [2006-01-06 15:07 348160]
"HPHUPD04"="C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 19:26 52896]
"vptray"="C:\PROGRA~1\SYMANT~2\SYMANT~2\VPTray.exe" [2006-09-27 20:33 125168]
"pmonmh"="C:\Program Files\IBM\My Help\workspace\..\plugins\com.ibm.myhelp.common_1.3.14/pmonmh.exe" [2008-04-07 16:00 184371]
"IntelliPoint"="c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 15:52 849280]
"C4EBReg"="C:\Program Files\C4ebreg\c4ebreg.exe" [2008-05-02 10:35 372736]
"Isamtray"="C:\Program Files\C4ebreg\isamtray.exe" [2008-05-02 10:35 253952]
"TVT Scheduler Proxy"="C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2007-11-06 15:27 487424]
"LXCICATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCItime.dll" [2006-11-21 13:27 106496]
"lxcimon.exe"="C:\Program Files\Lexmark 7300 Series\lxcimon.exe" [2007-02-01 22:14 205744]
"EzPrint"="C:\Program Files\Lexmark 7300 Series\ezprint.exe" [2007-02-01 22:15 103344]
"WrtMon.exe"="C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 09:35 20480]
"defergui"="c:/sdwork/defergui.exe" [2008-03-03 12:18 138752 c:\sdwork\defergui.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"SansaDispatch"="C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe" [2007-10-22 12:52 75584]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-04-04 16:40 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
ACNotify.dll 2006-04-17 09:01 32768 C:\Program Files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\atmgrtok]
atmgrtok.dll 2004-04-27 05:07 49152 C:\Program Files\IBM\Personal Communications\atmgrtok.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pcsinst]
pcsinst.dll 2004-04-27 18:02 49152 C:\WINDOWS\system32\pcsinst.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
C:\Program Files\Lenovo\HOTKEY\notifyf2.dll 2006-09-06 16:37 34344 C:\Program Files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
C:\Program Files\Lenovo\HOTKEY\tphklock.dll 2006-12-14 11:06 28672 C:\Program Files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"IBMconfig"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\lxcicoms.exe"=

R0 Shockprf;Shockprf;C:\WINDOWS\system32\drivers\Shockprf.sys [2005-11-30 11:58]
R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2005-11-08 05:27]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\Drivers\IBMBLDID.sys [2006-01-12 20:33]
R1 ShockMgr;ShockMgr;C:\WINDOWS\system32\drivers\ShockMgr.sys [2005-06-20 08:18]
R1 TPPWR;TPPWR;C:\WINDOWS\system32\drivers\Tppwr.sys [2006-05-19 03:25]
R2 AppnApi;AppnApi;C:\WINDOWS\system32\drivers\appnapi.sys [2004-04-27 05:07]
R2 cpextender;Check Point SSL Network Extender;C:\Program Files\CheckPoint\SSL Network Extender\slimsvc.exe [2007-04-30 08:32]
R2 DCDClient-ISSI;IBM DCD Standard Client (DCDClient-ISSI);C:\Program Files\IBM\tivoli\dcd\client\ISSI\cds\CDSWinSrv.exe [2007-07-06 16:34]
R2 IBM_LLC2;IBM Personal Communications LLC2 Driver;C:\WINDOWS\system32\DRIVERS\llc2.sys [2004-04-27 05:07]
R2 ISAMSvc;IBM Standard Asset Manager Service;"C:\Program Files\C4ebreg\c4ebreg.exe" [2008-05-02 10:35]
R2 lxci_device;lxci_device;C:\WINDOWS\system32\lxcicoms.exe [2007-02-01 22:13]
R2 NsTrcNT;NsTrcNT;C:\WINDOWS\system32\drivers\nstrcnt.sys [2004-04-27 05:07]
R2 pdlnctdl;Twinax CUT Adapter;C:\WINDOWS\system32\drivers\pdlnctdl.sys [2004-04-27 05:07]
R2 pdlndldl;IBM Enterprise Extender (HPR/IP);C:\WINDOWS\system32\drivers\pdlndldl.sys [2004-04-27 05:07]
R3 agnfilt;AGN Filter Interface;C:\WINDOWS\system32\DRIVERS\agnfilt.sys [2006-05-19 10:46]
R3 Anydlc;Anydlc;C:\WINDOWS\system32\drivers\anydlc.sys [2004-04-27 05:07]
R3 Appn;Appn;C:\WINDOWS\system32\drivers\appn.sys [2004-04-27 05:07]
R3 AppnBase;AppnBase;C:\WINDOWS\system32\drivers\AppnBase.sys [2004-04-27 05:07]
R3 KLOGNT;KLOGNT;C:\WINDOWS\system32\drivers\klognt.sys [2004-04-27 05:07]
R3 pdlnacom;PDLC Adapter -- COM;C:\WINDOWS\system32\drivers\pdlnacom.sys [2004-04-27 05:07]
R3 pdlnafac;PDLC Adapter Factory;C:\WINDOWS\system32\drivers\pdlnafac.sys [2004-04-27 05:07]
R3 pdlnatcm;Twinax Adapter Common;C:\WINDOWS\system32\drivers\pdlnatcm.sys [2004-04-27 05:07]
R3 pdlnatdl;Twinax Adapter;C:\WINDOWS\system32\drivers\pdlnatdl.sys [2004-04-27 05:07]
R3 pdlncbas;PDLC CxM Classes;C:\WINDOWS\system32\drivers\pdlncbas.sys [2004-04-27 05:07]
R3 pdlncfwk;PDLC Connection Manager;C:\WINDOWS\system32\drivers\pdlncfwk.sys [2004-04-27 05:07]
R3 pdlndint;PDLC DLC Classes;C:\WINDOWS\system32\drivers\pdlndint.sys [2004-04-27 05:07]
R3 pdlndlpb;PDLC LAPB;C:\WINDOWS\system32\drivers\pdlndlpb.sys [2004-04-27 05:07]
R3 pdlndoem;PDLC OEM Interface;C:\WINDOWS\system32\drivers\pdlndoem.sys [2004-04-27 05:07]
R3 pdlndqll;PDLC QLLC;C:\WINDOWS\system32\drivers\pdlndqll.sys [2004-04-27 05:07]
R3 pdlndsdl;PDLC SDLC;C:\WINDOWS\system32\drivers\pdlndsdl.sys [2004-04-27 05:07]
R3 pdlndtdl;Twinax DLC;C:\WINDOWS\system32\drivers\pdlndtdl.sys [2004-04-27 05:07]
R3 pdlnebas;PDLC Environment;C:\WINDOWS\system32\drivers\pdlnebas.sys [2004-04-27 05:07]
R3 pdlnecfg;PDLC Configuration;C:\WINDOWS\system32\drivers\pdlnecfg.sys [2004-04-27 05:07]
R3 pdlnemap;PDLC Mapper;C:\WINDOWS\system32\drivers\pdlnemap.sys [2004-04-27 05:07]
R3 pdlnemsg;PDLC Message Driver;C:\WINDOWS\system32\drivers\pdlnemsg.sys [2004-04-27 05:07]
R3 pdlnepkt;PDLC Buffer Manager;C:\WINDOWS\system32\drivers\pdlnepkt.sys [2004-04-27 05:07]
R3 pdlnshay;PDLC Hayes At signalling;C:\WINDOWS\system32\drivers\pdlnshay.sys [2004-04-27 05:07]
R3 pdlnslea;PDLC SDLC Leased;C:\WINDOWS\system32\drivers\pdlnslea.sys [2004-04-27 05:07]
R3 pdlnsv25;PDLC V25bis signalling;C:\WINDOWS\system32\drivers\pdlnsv25.sys [2004-04-27 05:07]
R3 pdlnsx25;PDLC X.25;C:\WINDOWS\system32\drivers\pdlnsx25.sys [2004-04-27 05:07]
R3 VNA;Check Point Virtual Network Adapter;C:\WINDOWS\system32\DRIVERS\vna.sys [2007-04-30 08:32]
S3 ABVPN2K;AGN VPN Client Miniport Interface;C:\WINDOWS\system32\DRIVERS\abvpn2k.sys []
S3 avpnnic;AGN Virtual Network Adapter;C:\WINDOWS\system32\DRIVERS\avpnnic.sys [2003-04-04 13:48]
S3 gwiopm;gwiopm;C:\Program Files\wst\gwiopm.sys []
S4 agnwifi;AT&T Wi-Fi Support Driver;C:\WINDOWS\system32\DRIVERS\agnwifi.sys [2004-04-29 18:19]
S4 MyHelp;My Help;C:\Program Files\IBM\My Help\plugins\com.ibm.myhelp.installer\service\MyHelpService.exe []
S4 Windows Action Script;Windows Action Script;"C:\WINDOWS\system32\scvhost.exe" []

.
Contents of the 'Scheduled Tasks' folder
"2006-05-19 07:48:38 C:\WINDOWS\Tasks\BMMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\BMMTASK.EXE
"2007-08-26 21:38:34 C:\WINDOWS\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job"
- c:\Program Files\Microsoft IntelliPoint\ipoint.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-04 19:51:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\ThinkPad\ConnectUtilities\AcSvcStub.dll
-> C:\Program Files\ThinkPad\ConnectUtilities\AcLocSettings.dll
-> C:\Program Files\ThinkPad\ConnectUtilities\ACHelper.dll
-> C:\WINDOWS\system32\Ati2evxx.dll
-> C:\Program Files\Lenovo\HOTKEY\tphklock.dll
.
Completion time: 2008-06-04 19:52:37
ComboFix-quarantined-files.txt 2008-06-04 23:52:23
ComboFix2.txt 2008-06-02 02:55:48

Pre-Run: 62,846,599,168 bytes free
Post-Run: 62,920,589,312 bytes free

212