Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Infostealer 2 different types and some sort of Trojan [RESOLVED]

Started by owainb , Aug 27 2008 02:32 PM

  • This topic is locked This topic is locked

#1
owainb
Posted 27 August 2008 - 02:32 PM

owainb

    Member

  • Member
  • PipPip
  • 63 posts
Hi,

I've got 3 severe files, I've got noadware and everytime I scan it brings up 3 files and says they're severe, it says removed then I restart my laptop. When I connect to internet they come straight back. Causing other problems like nothing loads when I click icons. I've done a hijackthis log please could somebody have a look and get back to me with advise on how to remove. Many thanks in advance. Owain


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:26:56, on 27/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe
C:\WINDOWS\system32\ctfnom.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\TpScrLk.exe
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
c:\d1.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\DAP\DAP.EXE
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\net.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://sitedirector....8...30&vendtag=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = file://C:\PROGRA~1\SPEEDB~1\vaproxy.pac
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {C85BD9F1-5B95-46DA-9F39-979DB6B58484} - C:\WINDOWS\system32\khfFVNef.dll
O2 - BHO: Rmn plugin - {D21D9540-6415-4288-BDD0-4453088D9D38} - smb32.dll (file missing)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TPKBDLED] C:\WINDOWS\System32\TpScrLk.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SpeedBitVideoAccelerator] "C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\RunServices: [ctfmom] C:\WINDOWS\system32\ctfnom.exe
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKLM\..\Policies\Explorer\Run: [ctfmom] C:\WINDOWS\system32\ctfnom.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\ThinkPad\PkgMgr\\PkgMgr.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebo...toUploader5.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish...shUKActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1160964812199
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.c...rt/IbmEgath.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebo...Uploader4_5.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin3.valu...OCX/flashax.cab
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: khfFVNef - C:\WINDOWS\SYSTEM32\khfFVNef.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: VideoAcceleratorService - Speedbit Ltd. - C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe

--
End of file - 15965 bytes
  • 0

Advertisements

#2
Rorschach112
Posted 27 August 2008 - 03:04 PM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum.



Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
  • 0

#3
owainb
Posted 27 August 2008 - 04:03 PM

owainb

    Member

  • Topic Starter
  • Member
  • PipPip
  • 63 posts
Hi thanks for getting back to me so soon. Please logs requested

SDFix report


SDFix: Version 1.219
Run by IBM USER on 27/08/2008 at 22:30

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\khfFVNef.dll - Deleted
C:\-86247~1 - Deleted
C:\d.exe - Deleted
C:\d1.exe - Deleted
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\win32.exe - Deleted
C:\WINDOWS\inform.dat - Deleted
C:\WINDOWS\system32\ctfnom.exe - Deleted
C:\WINDOWS\system32\dpl.txt - Deleted
C:\WINDOWS\system32\ntos.exe - Deleted
C:\WINDOWS\system32\wsnpoem\audio.dll.cla - Deleted
C:\WINDOWS\system32\wsnpoem\video.dll - Deleted
C:\Documents and Settings\LocalService\Application Data\wsnpoem\audio.dll - Deleted
C:\Documents and Settings\NetworkService\Application Data\wsnpoem\audio.dll - Deleted
C:\WINDOWS\system32\wsnpoem\audio.dll - Deleted



Folder C:\WINDOWS\system32\wsnpoem - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-27 22:41:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:000000dd

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Support.com\\Bin\\tgcmd.exe"="C:\\Program Files\\Support.com\\Bin\\tgcmd.exe:*:Enabled:Support.com Scheduler and Command Dispatcher"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"="C:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe:*:Disabled:Football Manager 2008"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"="C:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe:*:Enabled:Adobe Version Cue CS3 Server"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 10 Dec 2007 6,219,320 A..H. --- "C:\Program Files\Picasa2\setup.exe"
Sat 28 Jun 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 4 Apr 2001 28,738 A..H. --- "C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP95\A0042295.DLL"
Wed 28 May 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Wed 7 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\BIT4.tmp"

Finished!

the ComboFix Report

Hi I was unable to install THE RECOVERY CONSOLE as I don't have the xp disk!!!

ComboFix 08-08-27.01 - IBM USER 2008-08-27 22:47:41.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.508 [GMT 1:00]
Running from: C:\Documents and Settings\IBM USER\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\563.exe
C:\Documents and Settings\LocalService\Application Data\wsnpoem
C:\Documents and Settings\NetworkService\Application Data\wsnpoem
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\AutoRun.inf
C:\WINDOWS\system32\byXPGVlK.dll
C:\WINDOWS\system32\nnnliFxw.dll
C:\WINDOWS\system32\vtUmKASK.dll

.
((((((((((((((((((((((((( Files Created from 2008-07-27 to 2008-08-27 )))))))))))))))))))))))))))))))
.

2008-08-27 22:23 . 2008-08-27 22:24 <DIR> d----c--- C:\WINDOWS\ERUNT
2008-08-27 22:10 . 2008-08-27 22:43 <DIR> d----c--- C:\SDFix
2008-08-27 21:26 . 2008-08-27 21:26 <DIR> d----c--- C:\Program Files\Trend Micro
2008-08-27 14:05 . 2008-08-27 14:34 <DIR> d----c--- C:\Program Files\NoAdware5.0
2008-08-27 13:36 . 2008-08-27 22:05 52,736 --a--c--- C:\wnon.exe
2008-08-27 12:59 . 2008-08-27 12:59 52,736 --a--c--- C:\dtpv.exe
2008-08-27 11:31 . 2007-02-20 16:04 2,463,976 --a--c--- C:\WINDOWS\system32\NPSWF32.dll
2008-08-27 11:31 . 2007-02-20 16:04 190,696 --a--c--- C:\WINDOWS\system32\NPSWF32_FlashUtil.exe
2008-08-26 17:25 . 2008-08-27 10:32 <DIR> d----c--- C:\Program Files\Common Files\Macromedia
2008-08-26 16:08 . 2008-08-26 16:08 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-08-26 16:03 . 2008-08-26 16:03 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\ALM
2008-08-26 15:49 . 2008-08-26 15:49 <DIR> d----c--- C:\Program Files\Bonjour
2008-08-26 15:34 . 2008-08-26 15:34 <DIR> d----c--- C:\Program Files\Common Files\Macrovision Shared
2008-08-25 14:17 . 2008-08-25 14:17 1,633 --a--c--- C:\SpeedBit Video Accelerator.lnk
2008-08-21 21:34 . 2008-08-21 21:34 376 --a--c--- C:\WINDOWS\ODBC.INI
2008-08-21 21:32 . 2008-08-21 21:32 <DIR> d----c--- C:\Program Files\Microsoft ActiveSync
2008-08-21 21:30 . 2008-08-21 21:32 <DIR> d----c--- C:\WINDOWS\ShellNew
2008-08-21 21:30 . 2008-08-21 21:30 <DIR> d----c--- C:\Program Files\Common Files\L&H
2008-08-17 23:13 . 2008-08-17 23:13 <DIR> d----c--- C:\Program Files\Microsoft Silverlight

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-27 21:46 --------- dc--a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-27 21:45 --------- dc----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-08-27 20:43 --------- dc----w C:\Program Files\Common Files\Symantec Shared
2008-08-27 11:37 --------- dc----w C:\Documents and Settings\IBM USER\Application Data\LimeWire
2008-08-27 10:57 --------- dc----w C:\Program Files\Common Files\Adobe
2008-08-27 10:19 --------- dc----w C:\Program Files\SpeedBit Video Accelerator
2008-08-27 09:26 --------- dc----w C:\Program Files\Championship Manager 01-02
2008-08-21 20:27 --------- dc----w C:\Documents and Settings\All Users\Application Data\WinZip
2008-08-21 20:24 --------- dc----w C:\Documents and Settings\IBM USER\Application Data\OpenOffice.org2
2008-08-18 21:26 --------- dc----w C:\Program Files\LimeWire
2008-08-11 18:27 --------- dc----w C:\Program Files\Java
2008-07-30 16:42 23,888 -c--a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-07-30 16:28 706 -c--a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-07-30 16:28 10,537 -c--a-w C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-07-08 18:42 --------- dc----w C:\Documents and Settings\IBM USER\Application Data\Snapfish
2008-07-07 20:32 253,952 -c--a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:23 74,240 -c--a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 -c--a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:41 245,248 -c--a-w C:\WINDOWS\system32\mswsock.dll
2008-05-31 21:33 60,800 -c--a-w C:\WINDOWS\system32\S32EVNT1.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ibmmessages"="C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" [2003-01-07 22:52 495616]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 22:17 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 22:16 512000]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-10-02 18:19 94208]
"TPKMAPMN"="C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe" [2005-10-29 03:04 45056]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2006-09-13 10:23 237568]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-26 05:00 344064]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [2002-10-16 09:59 1622016]
"ibmmessages"="C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" [2003-01-07 22:52 495616]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 17:11 1388544]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2005-04-20 09:38 110592]
"BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [2005-04-20 09:38 20480]
"BMMMONWND"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2005-04-20 09:38 396288]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-04-20 09:38 208896]
"ACWLIcon"="C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2006-04-17 20:59 98304]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2005-10-29 03:04 864256]
"TPKBDLED"="C:\WINDOWS\System32\TpScrLk.exe" [2002-10-09 06:28 40960]
"PRONoMgrWired"="C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2003-08-07 00:08 86016]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 06:59 115816]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 18:38 583048]
"SpeedBitVideoAccelerator"="C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe" [2008-08-25 14:16 2705008]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-22 23:24 620152]
"Adobe_ID0EYTHM"="C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 16:40 1884160]
"S3TRAY2"="S3Tray2.exe" [2001-10-12 06:32 69632 C:\WINDOWS\system32\S3Tray2.exe]
"BluetoothAuthenticationAgent"="irprops.cpl" [2004-08-04 08:56 380416 C:\WINDOWS\system32\irprops.cpl]
"TP4EX"="tp4ex.exe" [2005-10-17 09:11 65536 C:\WINDOWS\system32\TP4EX.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 16:53 88363 C:\WINDOWS\AGRSMMSG.exe]
"TpShocks"="TpShocks.exe" [2005-11-07 19:14 106496 C:\WINDOWS\system32\TpShocks.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 08:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe [2008-08-27 11:40:45 295606]
Adobe Acrobat Synchronizer.lnk - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 00:01:50 734872]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2007-06-27 04:42:49 24576]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2006-04-17 21:01 32768 C:\Program Files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 07:45 28672 C:\WINDOWS\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-12-01 04:16 24576 C:\WINDOWS\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Qwd30.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wbf48.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Support.com\\Bin\\tgcmd.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R0 Shockprf;Shockprf;C:\WINDOWS\system32\drivers\Shockprf.sys [2005-11-30 23:58]
R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2005-11-08 17:27]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\System32\Drivers\IBMBLDID.sys [2006-01-13 08:33]
R1 ShockMgr;ShockMgr;C:\WINDOWS\system32\drivers\ShockMgr.sys [2005-06-20 20:18]
R1 TPPWR;TPPWR;C:\WINDOWS\system32\drivers\Tppwr.sys [2005-04-20 09:38]
R2 sbbotdi;sbbotdi;C:\PROGRA~1\SPEEDB~1\sbbotdi.sys [2008-03-30 15:37]
R2 VideoAcceleratorService;VideoAcceleratorService;C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe [2008-08-25 14:16]
S0 Qwd30;Qwd30;C:\WINDOWS\system32\Drivers\Qwd30.sys []
S0 Wbf48;Wbf48;C:\WINDOWS\system32\Drivers\Wbf48.sys []
S3 NAL;Nal Service ;C:\WINDOWS\System32\Drivers\iqvw32.sys [2003-07-03 02:28]
S3 SE2Ebus;Sony Ericsson Device 046 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\SE2Ebus.sys [2006-11-10 18:23]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Setup.now.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{06ae4071-5ca1-11db-82b7-806d6172696f}]
\Shell\AutoRun\command - D:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{77424dd0-2516-11dc-a7d1-806d6172696f}]
\Shell\AutoRun\command - D:\setup.exe

*Newly Created Service* - COMHOST
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2006-10-16 C:\WINDOWS\Tasks\BMMTask.job
- C:\PROGRA~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2005-04-20 09:38]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-MsnMsgr - C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
HKLM-Run-UC_SMB - (no file)
HKLM-RunServices-ctfmom - C:\WINDOWS\system32\ctfnom.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\IBM USER\Application Data\Mozilla\Firefox\Profiles\xyqptzep.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.co.uk/
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-27 22:49:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\ThinkPad\ConnectUtilities\AcSvcStub.dll
-> C:\Program Files\ThinkPad\ConnectUtilities\AcLocSettings.dll
-> C:\Program Files\ThinkPad\ConnectUtilities\ACHelper.dll
-> C:\WINDOWS\system32\tphklock.dll
.
Completion time: 2008-08-27 22:51:07
ComboFix-quarantined-files.txt 2008-08-27 21:50:51

Pre-Run: 15,590,780,928 bytes free
Post-Run: 15,580,798,976 bytes free

192 --- E O F --- 2008-08-27 13:30:38


and last but least the Hijackthis log after I'd done the other 2.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:54:06, on 27/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\TpScrLk.exe
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\DAP\DAP.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\PROGRA~1\SPEEDB~1\VideoAccelerator.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://sitedirector....8...30&vendtag=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = file://C:\PROGRA~1\SPEEDB~1\vaproxy.pac
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TPKBDLED] C:\WINDOWS\System32\TpScrLk.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SpeedBitVideoAccelerator] "C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\ThinkPad\PkgMgr\\PkgMgr.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebo...toUploader5.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish...shUKActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1160964812199
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.c...rt/IbmEgath.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebo...Uploader4_5.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin3.valu...OCX/flashax.cab
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: VideoAcceleratorService - Speedbit Ltd. - C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe

--
End of file - 14360 bytes


Many Thanks again for helping me. Owain
  • 0

#4
Rorschach112
Posted 27 August 2008 - 04:11 PM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Don't put the logs in colour


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\wnon.exe
C:\dtpv.exe

KillAll::
SysRst::

Folder::

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Qwd30.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wbf48.sys]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{06ae4071-5ca1-11db-82b7-806d6172696f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{77424dd0-2516-11dc-a7d1-806d6172696f}]

Driver::
Qwd30
Wbf48


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
  • 0

#5
owainb
Posted 27 August 2008 - 04:50 PM

owainb

    Member

  • Topic Starter
  • Member
  • PipPip
  • 63 posts
hi as requested new combo log file

ComboFix 08-08-27.01 - IBM USER 2008-08-27 23:31:22.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.643 [GMT 1:00]
Running from: C:\Documents and Settings\IBM USER\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\IBM USER\Desktop\CFScript.txt.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\dtpv.exe
C:\wnon.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\dtpv.exe
C:\wnon.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_Qwd30
-------\Service_Wbf48


((((((((((((((((((((((((( Files Created from 2008-07-27 to 2008-08-27 )))))))))))))))))))))))))))))))
.

2008-08-27 22:23 . 2008-08-27 22:24 <DIR> d----c--- C:\WINDOWS\ERUNT
2008-08-27 22:10 . 2008-08-27 22:43 <DIR> d----c--- C:\SDFix
2008-08-27 21:26 . 2008-08-27 21:26 <DIR> d----c--- C:\Program Files\Trend Micro
2008-08-27 14:05 . 2008-08-27 23:26 <DIR> d----c--- C:\Program Files\NoAdware5.0
2008-08-27 11:31 . 2007-02-20 16:04 2,463,976 --a--c--- C:\WINDOWS\system32\NPSWF32.dll
2008-08-27 11:31 . 2007-02-20 16:04 190,696 --a--c--- C:\WINDOWS\system32\NPSWF32_FlashUtil.exe
2008-08-26 17:25 . 2008-08-27 10:32 <DIR> d----c--- C:\Program Files\Common Files\Macromedia
2008-08-26 16:08 . 2008-08-26 16:08 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-08-26 16:03 . 2008-08-26 16:03 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\ALM
2008-08-26 15:49 . 2008-08-26 15:49 <DIR> d----c--- C:\Program Files\Bonjour
2008-08-26 15:34 . 2008-08-26 15:34 <DIR> d----c--- C:\Program Files\Common Files\Macrovision Shared
2008-08-25 14:17 . 2008-08-25 14:17 1,633 --a--c--- C:\SpeedBit Video Accelerator.lnk
2008-08-21 21:34 . 2008-08-21 21:34 376 --a--c--- C:\WINDOWS\ODBC.INI
2008-08-21 21:32 . 2008-08-21 21:32 <DIR> d----c--- C:\Program Files\Microsoft ActiveSync
2008-08-21 21:30 . 2008-08-21 21:32 <DIR> d----c--- C:\WINDOWS\ShellNew
2008-08-21 21:30 . 2008-08-21 21:30 <DIR> d----c--- C:\Program Files\Common Files\L&H
2008-08-17 23:13 . 2008-08-17 23:13 <DIR> d----c--- C:\Program Files\Microsoft Silverlight

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-27 22:05 --------- dc----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-08-27 21:46 --------- dc--a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-27 20:43 --------- dc----w C:\Program Files\Common Files\Symantec Shared
2008-08-27 11:37 --------- dc----w C:\Documents and Settings\IBM USER\Application Data\LimeWire
2008-08-27 10:57 --------- dc----w C:\Program Files\Common Files\Adobe
2008-08-27 10:19 --------- dc----w C:\Program Files\SpeedBit Video Accelerator
2008-08-27 09:26 --------- dc----w C:\Program Files\Championship Manager 01-02
2008-08-21 20:27 --------- dc----w C:\Documents and Settings\All Users\Application Data\WinZip
2008-08-21 20:24 --------- dc----w C:\Documents and Settings\IBM USER\Application Data\OpenOffice.org2
2008-08-18 21:26 --------- dc----w C:\Program Files\LimeWire
2008-08-11 18:27 --------- dc----w C:\Program Files\Java
2008-07-30 16:42 23,888 -c--a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-07-30 16:28 706 -c--a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-07-30 16:28 10,537 -c--a-w C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-07-08 18:42 --------- dc----w C:\Documents and Settings\IBM USER\Application Data\Snapfish
.

((((((((((((((((((((((((((((( snapshot@2008-08-27_22.50.30.01 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 19:02:28 163,328 -c--a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((((( System Restore )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\563.exe
2008-08-27 14:13 9216 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP101\A0049128.exe
2008-08-27 22:05 9216 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP104\A0049517.exe

C:\8e019d526a28d33bcbba68fee6c5f2\amd64\filterpipelineprintproc.dll
2007-03-22 20:54 35840 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032068.dll

C:\8e019d526a28d33bcbba68fee6c5f2\amd64\mxdwdrv.dll
2007-03-22 20:53 746496 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032067.dll

C:\8e019d526a28d33bcbba68fee6c5f2\amd64\xpssvcs.dll
2007-03-22 20:59 2932224 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032066.dll

C:\8e019d526a28d33bcbba68fee6c5f2\filterpipelineprintproc.dll
2007-03-22 20:24 28160 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032089.dll

C:\8e019d526a28d33bcbba68fee6c5f2\i386\filterpipelineprintproc.dll
2007-03-22 20:24 28160 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032061.dll

C:\8e019d526a28d33bcbba68fee6c5f2\i386\mxdwdrv.dll
2007-03-22 20:24 762880 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032060.dll

C:\8e019d526a28d33bcbba68fee6c5f2\i386\xpssvcs.dll
2007-03-23 06:07 1683280 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032059.dll

C:\8e019d526a28d33bcbba68fee6c5f2\mxdwdrv.dll
2007-03-22 20:24 762880 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032088.dll

C:\8e019d526a28d33bcbba68fee6c5f2\mxdwdui.dll
2007-03-22 20:24 131584 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032087.dll

C:\8e019d526a28d33bcbba68fee6c5f2\printfilterpipelinesvc.exe
2007-03-22 20:25 677376 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032079.exe

C:\8e019d526a28d33bcbba68fee6c5f2\prntvpt.dll
2007-03-22 20:25 124928 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032086.dll

C:\8e019d526a28d33bcbba68fee6c5f2\spmsg2.dll
2006-06-29 13:07 14048 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032085.dll

C:\8e019d526a28d33bcbba68fee6c5f2\spuninst.exe
2006-06-29 13:07 213216 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032078.exe

C:\8e019d526a28d33bcbba68fee6c5f2\spupdsvc.exe
2006-06-29 13:07 22752 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032077.exe

C:\8e019d526a28d33bcbba68fee6c5f2\unidrv.dll
2007-03-22 20:24 376832 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032084.dll

C:\8e019d526a28d33bcbba68fee6c5f2\unidrvui.dll
2007-03-22 21:03 749568 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032083.dll

C:\8e019d526a28d33bcbba68fee6c5f2\unires.dll
2007-03-22 21:03 761344 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032082.dll

C:\8e019d526a28d33bcbba68fee6c5f2\update\spcustom.dll
2006-06-29 13:07 22752 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032054.dll

C:\8e019d526a28d33bcbba68fee6c5f2\update\update.exe
2006-06-29 13:07 716000 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032052.exe

C:\8e019d526a28d33bcbba68fee6c5f2\update\updspapi.dll
2006-06-29 13:07 371424 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032053.dll

C:\8e019d526a28d33bcbba68fee6c5f2\xpsshhdr.dll
2007-03-23 06:07 583504 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032081.dll

C:\8e019d526a28d33bcbba68fee6c5f2\xpssvcs.dll
2007-03-23 06:07 1683280 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032080.dll

C:\926cbd7875beb162467b5c\DeleteTemp.exe
2007-11-07 16:26 97280 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032100.exe

C:\926cbd7875beb162467b5c\dlmgr.dll
2007-11-07 16:26 276472 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032097.dll

C:\926cbd7875beb162467b5c\DW20.EXE
2007-11-07 19:39 633848 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032181.EXE

C:\926cbd7875beb162467b5c\DWINTL20.DLL
2007-11-07 19:39 111616 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032182.DLL

C:\926cbd7875beb162467b5c\gencomp.dll
2007-11-07 16:26 1059328 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032096.dll

C:\926cbd7875beb162467b5c\HtmlLite.dll
2007-11-07 16:26 177152 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032103.dll

C:\926cbd7875beb162467b5c\setup.exe
2007-11-07 16:26 269304 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032128.exe

C:\926cbd7875beb162467b5c\setupres.1025.dll
2007-11-07 16:26 112128 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032104.dll

C:\926cbd7875beb162467b5c\setupres.1028.dll
2007-11-07 16:26 84992 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032105.dll

C:\926cbd7875beb162467b5c\setupres.1029.dll
2007-11-07 16:26 124416 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032106.dll

C:\926cbd7875beb162467b5c\setupres.1030.dll
2007-11-07 16:26 125440 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032107.dll

C:\926cbd7875beb162467b5c\setupres.1031.dll
2007-11-07 16:26 129536 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032108.dll

C:\926cbd7875beb162467b5c\setupres.1032.dll
2007-11-07 16:26 136192 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032109.dll

C:\926cbd7875beb162467b5c\setupres.1035.dll
2007-11-07 16:26 120832 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032111.dll

C:\926cbd7875beb162467b5c\setupres.1036.dll
2007-11-07 16:26 132096 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032112.dll

C:\926cbd7875beb162467b5c\setupres.1037.dll
2007-11-07 16:26 110080 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032113.dll

C:\926cbd7875beb162467b5c\setupres.1038.dll
2007-11-07 16:26 131072 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032114.dll

C:\926cbd7875beb162467b5c\setupres.1040.dll
2007-11-07 16:26 127488 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032115.dll

C:\926cbd7875beb162467b5c\setupres.1041.dll
2007-11-07 16:26 96768 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032116.dll

C:\926cbd7875beb162467b5c\setupres.1042.dll
2007-11-07 16:26 93696 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032117.dll

C:\926cbd7875beb162467b5c\setupres.1043.dll
2007-11-07 16:26 127488 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032118.dll

C:\926cbd7875beb162467b5c\setupres.1044.dll
2007-11-07 16:26 120320 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032119.dll

C:\926cbd7875beb162467b5c\setupres.1045.dll
2007-11-07 16:26 126976 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032120.dll

C:\926cbd7875beb162467b5c\setupres.1046.dll
2007-11-07 16:26 121856 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032121.dll

C:\926cbd7875beb162467b5c\setupres.1049.dll
2007-11-07 16:26 122368 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032122.dll

C:\926cbd7875beb162467b5c\setupres.1053.dll
2007-11-07 16:26 120320 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032123.dll

C:\926cbd7875beb162467b5c\setupres.1055.dll
2007-11-07 16:26 119808 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032124.dll

C:\926cbd7875beb162467b5c\setupres.2052.dll
2007-11-07 16:26 83456 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032125.dll

C:\926cbd7875beb162467b5c\setupres.2070.dll
2007-11-07 16:26 130048 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032126.dll

C:\926cbd7875beb162467b5c\setupres.3082.dll
2007-11-07 16:26 130560 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032127.dll

C:\926cbd7875beb162467b5c\setupres.dll
2007-11-07 16:26 109568 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032110.dll

C:\926cbd7875beb162467b5c\SITSetup.dll
2007-11-07 16:26 1361920 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032129.dll

C:\926cbd7875beb162467b5c\vs_setup.dll
2007-11-07 16:26 1045504 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032102.dll

C:\926cbd7875beb162467b5c\vs70uimgr.dll
2007-11-07 16:26 627712 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032101.dll

C:\926cbd7875beb162467b5c\vsbasereqs.dll
2007-11-07 16:26 411136 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032098.dll

C:\926cbd7875beb162467b5c\vsscenario.dll
2007-11-07 16:26 687104 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032099.dll

C:\926cbd7875beb162467b5c\WapRes.1025.dll
2007-11-07 16:26 102904 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032131.dll

C:\926cbd7875beb162467b5c\WapRes.1028.dll
2007-11-07 16:26 90104 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032132.dll

C:\926cbd7875beb162467b5c\WapRes.1029.dll
2007-11-07 16:26 108536 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032133.dll

C:\926cbd7875beb162467b5c\WapRes.1030.dll
2007-11-07 16:26 108536 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032134.dll

C:\926cbd7875beb162467b5c\WapRes.1031.dll
2007-11-07 16:26 111608 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032135.dll

C:\926cbd7875beb162467b5c\WapRes.1032.dll
2007-11-07 16:26 113656 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032136.dll

C:\926cbd7875beb162467b5c\WapRes.1035.dll
2007-11-07 16:26 106488 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032138.dll

C:\926cbd7875beb162467b5c\WapRes.1036.dll
2007-11-07 16:26 112120 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032139.dll

C:\926cbd7875beb162467b5c\WapRes.1037.dll
2007-11-07 16:26 101368 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032140.dll

C:\926cbd7875beb162467b5c\WapRes.1038.dll
2007-11-07 16:26 111096 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032141.dll

C:\926cbd7875beb162467b5c\WapRes.1040.dll
2007-11-07 16:26 110072 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032142.dll

C:\926cbd7875beb162467b5c\WapRes.1041.dll
2007-11-07 16:26 95736 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032143.dll

C:\926cbd7875beb162467b5c\WapRes.1042.dll
2007-11-07 16:26 92664 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032144.dll

C:\926cbd7875beb162467b5c\WapRes.1043.dll
2007-11-07 16:26 108536 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032145.dll

C:\926cbd7875beb162467b5c\WapRes.1044.dll
2007-11-07 16:26 106488 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032146.dll

C:\926cbd7875beb162467b5c\WapRes.1045.dll
2007-11-07 16:26 109048 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032147.dll

C:\926cbd7875beb162467b5c\WapRes.1046.dll
2007-11-07 16:26 107512 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032148.dll

C:\926cbd7875beb162467b5c\WapRes.1049.dll
2007-11-07 16:26 107000 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032149.dll

C:\926cbd7875beb162467b5c\WapRes.1053.dll
2007-11-07 16:26 105976 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032150.dll

C:\926cbd7875beb162467b5c\WapRes.1055.dll
2007-11-07 16:26 106488 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032151.dll

C:\926cbd7875beb162467b5c\WapRes.2052.dll
2007-11-07 16:26 89080 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032152.dll

C:\926cbd7875beb162467b5c\WapRes.2070.dll
2007-11-07 16:26 110072 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032153.dll

C:\926cbd7875beb162467b5c\WapRes.3082.dll
2007-11-07 16:26 111096 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032154.dll

C:\926cbd7875beb162467b5c\WapRes.dll
2007-11-07 16:26 107512 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032137.dll

C:\926cbd7875beb162467b5c\WapUI.dll
2007-11-07 16:26 982008 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP81\A0032130.dll

C:\d.exe
2008-08-27 14:12 705 {14157744-4FA2-4CAF-BAFB-72CC49941087}\RP101\A0049126.exe

C:\System Volume Info
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ibmmessages"="C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" [2003-01-07 22:52 495616]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 22:17 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 22:16 512000]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-10-02 18:19 94208]
"TPKMAPMN"="C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe" [2005-10-29 03:04 45056]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2006-09-13 10:23 237568]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-26 05:00 344064]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [2002-10-16 09:59 1622016]
"ibmmessages"="C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" [2003-01-07 22:52 495616]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 17:11 1388544]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2005-04-20 09:38 110592]
"BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [2005-04-20 09:38 20480]
"BMMMONWND"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2005-04-20 09:38 396288]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-04-20 09:38 208896]
"ACWLIcon"="C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2006-04-17 20:59 98304]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2005-10-29 03:04 864256]
"TPKBDLED"="C:\WINDOWS\System32\TpScrLk.exe" [2002-10-09 06:28 40960]
"PRONoMgrWired"="C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2003-08-07 00:08 86016]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 06:59 115816]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 18:38 583048]
"SpeedBitVideoAccelerator"="C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe" [2008-08-25 14:16 2705008]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-22 23:24 620152]
"Adobe_ID0EYTHM"="C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 16:40 1884160]
"S3TRAY2"="S3Tray2.exe" [2001-10-12 06:32 69632 C:\WINDOWS\system32\S3Tray2.exe]
"BluetoothAuthenticationAgent"="irprops.cpl" [2004-08-04 08:56 380416 C:\WINDOWS\system32\irprops.cpl]
"TP4EX"="tp4ex.exe" [2005-10-17 09:11 65536 C:\WINDOWS\system32\TP4EX.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 16:53 88363 C:\WINDOWS\AGRSMMSG.exe]
"TpShocks"="TpShocks.exe" [2005-11-07 19:14 106496 C:\WINDOWS\system32\TpShocks.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 08:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe [2008-08-27 11:40:45 295606]
Adobe Acrobat Synchronizer.lnk - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 00:01:50 734872]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2007-06-27 04:42:49 24576]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2006-04-17 21:01 32768 C:\Program Files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 07:45 28672 C:\WINDOWS\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-12-01 04:16 24576 C:\WINDOWS\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Support.com\\Bin\\tgcmd.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R0 Shockprf;Shockprf;C:\WINDOWS\system32\drivers\Shockprf.sys [2005-11-30 23:58]
R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2005-11-08 17:27]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\System32\Drivers\IBMBLDID.sys [2006-01-13 08:33]
R1 ShockMgr;ShockMgr;C:\WINDOWS\system32\drivers\ShockMgr.sys [2005-06-20 20:18]
R1 TPPWR;TPPWR;C:\WINDOWS\system32\drivers\Tppwr.sys [2005-04-20 09:38]
R2 sbbotdi;sbbotdi;C:\PROGRA~1\SPEEDB~1\sbbotdi.sys [2008-03-30 15:37]
R2 VideoAcceleratorService;VideoAcceleratorService;C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe [2008-08-25 14:16]
S3 NAL;Nal Service ;C:\WINDOWS\System32\Drivers\iqvw32.sys [2003-07-03 02:28]
S3 SE2Ebus;Sony Ericsson Device 046 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\SE2Ebus.sys [2006-11-10 18:23]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2006-10-16 C:\WINDOWS\Tasks\BMMTask.job
- C:\PROGRA~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2005-04-20 09:38]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-27 23:39:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\ThinkPad\ConnectUtilities\AcSvcStub.dll
-> C:\Program Files\ThinkPad\ConnectUtilities\AcLocSettings.dll
-> C:\Program Files\ThinkPad\ConnectUtilities\ACHelper.dll
-> C:\WINDOWS\system32\tphklock.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\TPHDEXLG.exe
C:\WINDOWS\system32\TpKmpSvc.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe
C:\Program Files\ThinkPad\UltraNav Wizard\UNavTray.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2008-08-27 23:47:25 - machine was rebooted [IBM USER]
ComboFix-quarantined-files.txt 2008-08-27 22:47:11
ComboFix2.txt 2008-08-27 21:51:08

Pre-Run: 15,584,813,056 bytes free
Post-Run: 15,515,111,424 bytes free

374 --- E O F --- 2008-08-27 13:30:38


Many Thanks Owain
  • 0

#6
Rorschach112
Posted 27 August 2008 - 04:55 PM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
C:\563.exe
C:\d.exe
purity 
EmptyTemp
[start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



Please download and unzip Icesword to its own folder on your desktop


If you get a lot of "red entries" in an IceSword log, don't panic.

Step 1 : Close all windows and run IceSword. Click the Processes tab and watch for processes displayed in red color. A red colored process in this list indicates that it's hidden. Write down the PathName of any processes in red color. Then click on LOG at the top left. It will prompt you to save the log, call this Processes and save it to your desktop.


Step 2 : Click the Win32 Services tab and look out for red colored entries in the services list. Write down the Module name of any services in red color, you will need to expand out the Module tab to see the full name. Then click on LOG. It will prompt you to save the log, call this Services and save it to your desktop.


Step 3 : Click the Startup tab and look out for red colored entries in the startup list. Write down the Path of any startup entries in red color. Then click on LOG. It will prompt you to save the log, call this Startup and save it to your desktop.


Step 4 : Click the SSDT tab and check for red colored entries. If there are any, write down the KModule name.


Step 5 : Click the Message Hooks tab and check for any entries that are underneath Type and labelled WH_KEYBOARD. Write down the Process Path of these entries if present.



Now post all of the data collected under the headings for :

Processes
Win32 Services
Startup
SSDT
Message Hooks
  • 0

#7
owainb
Posted 27 August 2008 - 05:32 PM

owainb

    Member

  • Topic Starter
  • Member
  • PipPip
  • 63 posts
OTMOVEIT Log

Explorer killed successfully
File/Folder C:\563.exe not found.
File/Folder C:\d.exe not found.
< purity >
< EmptyTemp >
File delete failed. C:\DOCUME~1\IBMUSE~1\LOCALS~1\Temp\~DFB123.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\JET5681.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\JET56E6.tmp scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08272008_235818

Files moved on Reboot...
C:\DOCUME~1\IBMUSE~1\LOCALS~1\Temp\~DFB123.tmp moved successfully.
File C:\WINDOWS\temp\JET5681.tmp not found!
File C:\WINDOWS\temp\JET56E6.tmp not found!

Process:

System Idle Process
System
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\TpKmpSvc.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\WINDOWS\system32\TPHDEXLG.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\TpScrLk.exe
C:\WINDOWS\system32\alg.exe
C:\Documents and Settings\IBM USER\Desktop\IceSword122en\IceSword.exe
C:\Program Files\Support.com\Bin\tgcmd.exe
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\TpShocks.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EZEJMNAP.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

Started Service:

Service Name:AcPrfMgrSvc Display Name:Ac Profile Manager Service
Service Name:ACS Display Name:ACU Configuration Service
Service Name:AcSvc Display Name:Access Connections Main Service
Service Name:ALG Display Name:Application Layer Gateway Service
Service Name:Ati HotKey Poller Display Name:Ati HotKey Poller
Service Name:AudioSrv Display Name:Windows Audio
Service Name:BITS Display Name:Background Intelligent Transfer Service
Service Name:Bonjour Service Display Name:##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##
Service Name:Browser Display Name:Computer Browser
Service Name:ccEvtMgr Display Name:Symantec Event Manager
Service Name:ccSetMgr Display Name:Symantec Settings Manager
Service Name:CLTNetCnService Display Name:Symantec Lic NetConnect service
Service Name:CryptSvc Display Name:Cryptographic Services
Service Name:DcomLaunch Display Name:DCOM Server Process Launcher
Service Name:Dhcp Display Name:DHCP Client
Service Name:Dnscache Display Name:DNS Client
Service Name:ERSvc Display Name:Error Reporting Service
Service Name:Eventlog Display Name:Event Log
Service Name:EventSystem Display Name:COM+ Event System
Service Name:FastUserSwitchingCompatibility Display Name:Fast User Switching Compatibility
Service Name:FLEXnet Licensing Service Display Name:FLEXnet Licensing Service
Service Name:helpsvc Display Name:Help and Support
Service Name:HTTPFilter Display Name:HTTP SSL
Service Name:IBMPMSVC Display Name:ThinkPad PM Service
Service Name:Irmon Display Name:Infrared Monitor
Service Name:lanmanserver Display Name:Server
Service Name:lanmanworkstation Display Name:Workstation
Service Name:LiveUpdate Notice Ex Display Name:LiveUpdate Notice Service Ex
Service Name:LmHosts Display Name:TCP/IP NetBIOS Helper
Service Name:MDM Display Name:Machine Debug Manager
Service Name:Netman Display Name:Network Connections
Service Name:Nla Display Name:Network Location Awareness (NLA)
Service Name:PlugPlay Display Name:Plug and Play
Service Name:PolicyAgent Display Name:IPSEC Services
Service Name:ProtectedStorage Display Name:Protected Storage
Service Name:RasMan Display Name:Remote Access Connection Manager
Service Name:RegSrvc Display Name:RegSrvc
Service Name:RemoteRegistry Display Name:Remote Registry
Service Name:RpcSs Display Name:Remote Procedure Call (RPC)
Service Name:S24EventMonitor Display Name:Spectrum24 Event Monitor
Service Name:SamSs Display Name:Security Accounts Manager
Service Name:Schedule Display Name:Task Scheduler
Service Name:seclogon Display Name:Secondary Logon
Service Name:SENS Display Name:System Event Notification
Service Name:SharedAccess Display Name:Windows Firewall/Internet Connection Sharing (ICS)
Service Name:ShellHWDetection Display Name:Shell Hardware Detection
Service Name:SoundMAX Agent Service (default) Display Name:SoundMAX Agent Service
Service Name:Spooler Display Name:Print Spooler
Service Name:srservice Display Name:System Restore Service
Service Name:SSDPSRV Display Name:SSDP Discovery Service
Service Name:stisvc Display Name:Windows Image Acquisition (WIA)
Service Name:TapiSrv Display Name:Telephony
Service Name:TermService Display Name:Terminal Services
Service Name:Themes Display Name:Themes
Service Name:TPHDEXLGSVC Display Name:ThinkPad HDD APS Logging Service
Service Name:TpKmpSVC Display Name:IBM KCU Service
Service Name:TrkWks Display Name:Distributed Link Tracking Client
Service Name:VideoAcceleratorService Display Name:VideoAcceleratorService
Service Name:W32Time Display Name:Windows Time
Service Name:WebClient Display Name:WebClient
Service Name:winmgmt Display Name:Windows Management Instrumentation
Service Name:wscsvc Display Name:Security Center
Service Name:wuauserv Display Name:Automatic Updates
Service Name:WZCSVC Display Name:Wireless Zero Configuration


Startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
S3TRAY2
S3Tray2.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SynTPLpr
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SynTPEnh
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
BluetoothAuthenticationAgent
rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
TPHOTKEY
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
TPKMAPMN
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
TP4EX
tp4ex.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
EZEJMNAP
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ATIPTA
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
tgcmd
"C:\Program Files\Support.com\bin\tgcmd.exe" /server

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ibmmessages
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SoundMAXPnP
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
BMMGAG
RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
BMMLREF
C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
BMMMONWND
rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
BLOG
rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ACWLIcon
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
AGRSMMSG
AGRSMMSG.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
TPKMAPHELPER
C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
TPKBDLED
C:\WINDOWS\System32\TpScrLk.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
PRONoMgrWired
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
TpShocks
TpShocks.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ccApp
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SunJavaUpdateSched
"C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Symantec PIF AlertEng
"C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SpeedBitVideoAccelerator
"C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Acrobat Assistant 8.0
"C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adobe_ID0EYTHM
C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ibmmessages
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Acrobat Speed Launcher.lnk
C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe (Remark£º)

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Acrobat Synchronizer.lnk
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe (Remark£º)

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
desktop.ini


C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Digital Line Detect.lnk
C:\Program Files\Digital Line Detect\DLG.exe (Remark£º)

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Microsoft Office.lnk
C:\Program Files\Microsoft Office\Office10\OSA.EXE (Remark£ºMicrosoft Office StartUp)

C:\Documents and Settings\IBM USER\Start Menu\Programs\Startup
desktop.ini


SSDT Red KMODUKE NAMES

Unknown
Unknown
Unknown
Unknown
\??\C:\Windows\system32\drivers\symevent.sys
Unknown
Unknown
\??\C:\Windows\system32\drivers\symevent.sys
\??\C:\Windows\system32\drivers\symevent.sys
Unknown
Unknown
Unknown
Unknown
Unknown
Unknown
Unknown
Unknown
Unknown
Unknown
Unknown
\??\C:\Windows\system32\drivers\symevent.sys
Unknown
Unknown
Unknown
Unknown
Unknown
Unknown

MESSAGE HOOKS

Nothing In Red


Many Thanks Owain
  • 0

#8
Rorschach112
Posted 27 August 2008 - 05:38 PM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Great :)

Delete IceSword there


Please do an online scan with Kaspersky WebScanner

Make sure you are using Internet Explorer for this. Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

  • 0

#9
owainb
Posted 28 August 2008 - 03:09 AM

owainb

    Member

  • Topic Starter
  • Member
  • PipPip
  • 63 posts
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, August 28, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, August 28, 2008 00:40:20
Records in database: 1152478
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 136795
Threat name: 2
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 03:35:54


File name / Threat name / Threats count
C:\Documents and Settings\IBM USER\Desktop\MP3 Files\Rozzella - Everybody's Free.mp3 Infected: Trojan-Downloader.WMA.Wimad.n 1
C:\QooBox\Quarantine\C\563.exe.vir Infected: Trojan.Win32.Inject.gjr 1
C:\SDFix\backups\backups.zip Infected: Trojan.Win32.Inject.gjr 1

The selected area was scanned.


Many Thanks again for all this help.

Owain
  • 0

#10
Rorschach112
Posted 28 August 2008 - 07:16 AM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Delete this file

C:\Documents and Settings\IBM USER\Desktop\MP3 Files\Rozzella - Everybody's Free.mp3


Follow these steps to uninstall Combofix and tools used in the removal of malware
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    Posted Image



  • Make sure you have an Internet Connection.
  • Double-click OTMoveIt2.exe to run it.
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OtMoveit2 to rech the Internet, please allow the application to do so.
  • Click Yes to beging the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.


Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:

SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program or there will be a conflict.

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here

Thank you for your patience, and performing all of the procedures requested.
  • 0

#11
owainb
Posted 29 August 2008 - 02:15 AM

owainb

    Member

  • Topic Starter
  • Member
  • PipPip
  • 63 posts
Hi,

Just like to say thank you for all your help. I've followed all your advice, my computer is running much better now. I'll be making a donation aswell. Please close this topic as RESOLVED. Owain
  • 0

#12
Rorschach112
Posted 29 August 2008 - 10:29 AM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP