Need an HJT log read

Kattar

EXCESSIVE FLUTTERCUSSING

Join Date: Mar 2007


Right,

So I know the PC has the Trojan.Vundo.H trojan. But MalwareBytes won't get rid of it.

I've done everything in Tarun's kit, so now I'm up to HijackThis. Here's the log:
Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:40:48 PM, on 4/29/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\WINDOWS\system32\bmwebcfg.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\lenovo\system update\suservice.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe
C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\ron.000\Desktop\Download\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thecenter.utk.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\Contribute 4\contributeieplugin.dll
O2 - BHO: (no name) - {174F2A5A-F283-428A-80C2-1D4ECE50DE6C} - c:\windows\system32\gejpahv.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: (no name) - {b9e823be-6401-93d5-30a0-b1cdf477b1d8} - C:\WINDOWS\uqilifetahef.dll (file missing)
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\Contribute 4\contributeieplugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [PDService.exe] "C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [StandardKeyboard] C:\WINDOWS\Wireless\Wireless.exe
O4 - HKLM\..\Run: [AT&T Communication Manager] "C:\Program Files\AT&T\Communication Manager\ATTCM.exe" -a
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O11 - Options group: [JAVA_IBM] Java (IBM)
O14 - IERESET.INF: START_PAGE_URL=http://www.lenovo.com/us/en/
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1171313974343
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://netsimplicity.webex.com/client/T25L/nbr/ieatgpc.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: AwayNotify - C:\Program Files\Lenovo\AwayTask\AwayNotify.dll
O20 - Winlogon Notify: fxlcpnzs - C:\WINDOWS\SYSTEM32\gejpahv.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: AT&T RcAppSvc (ATTRcAppSvc) - PCTEL - C:\Program Files\AT&T\Communication Manager\RcAppSvc.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: System Update (SUService) -   - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
O23 - Service: TVT Backup Service - Unknown owner - C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

--
End of file - 17124 bytes
Thanks in advance.

Snograt

rattus rattus

Join Date: Jan 2006

London, UK

If you don't get a response soon, Kat - try posting it on the Spybot S&D Safer Networking forums: http://forums.spybot.info/forumdisplay.php?f=22. I can see them helping several people with Vundo/Virtumonde deletion.

As an aside, wow - what a lot of crap they shovel into Thinkpads.

Kattar

Thanks for the heads up Snog. Yeah, loads of bloatware.

It's pretty annoying since I've run everything else I can think of to run and it won't find it. Malwarebytes has been the only thing, but even then it can't remove it, even in safe mode. Blah.

Snograt

No - it's a stubborn bugger, apparently. They use a combination of log interpretation and specialised programs to remove all traces of it - I'm sure Tarun's likely to pop by to add his insight soon.

Tarun

Technician's Corner Moderator

Join Date: Jan 2006

The TARDIS

http://www.lunarsoft.net/ http://forums.lunarsoft.net/

It'll take a bit to go through all of this log... Wow.

Did you pay for McAfee or Ad-Aware? Because both are garbage to be honest.

Sun Fired Blank

Jungle Guide

Join Date: Apr 2007

As I remember, Malwarebytes' Anti-Malware is unable to complete removal in Safe Mode. You have to restart into a normal environment.

The only things that immediately stand out are these:

O2 - BHO: (no name) - {174F2A5A-F283-428A-80C2-1D4ECE50DE6C} - c:\windows\system32\gejpahv.dll
O2 - BHO: (no name) - {b9e823be-6401-93d5-30a0-b1cdf477b1d8} - C:\WINDOWS\uqilifetahef.dll (file missing)
O20 - Winlogon Notify: fxlcpnzs - C:\WINDOWS\SYSTEM32\gejpahv.dll

Vundo likes to create randomly-named .dlls, and these don't have any function that I'm aware of.
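A small triage script, added here as an example (it is not HijackThis, Tarun's converter, or code from anyone in this thread), that parses the O2 and O20 Winlogon Notify lines of an HJT v2 log and flags the patterns Sun Fired Blank points at above: unnamed BHOs, entries whose file is missing, a Notify subkey whose name does not match its DLL, and one DLL loaded from both a browser and a Winlogon persistence point. The sample lines are constructed from the log posted in this thread.

```python
"""
Small HJT-log triage helper, added as an example for this thread; it is not
HijackThis, Tarun's converter, or code from anyone posting here.  It parses the
O2 (BHO) and O20 (Winlogon Notify) lines of a HijackThis v2 log and scores each
DLL on the signals the thread relies on.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample: a few lines copied from the HJT log posted above, plus
# clean entries so the checks have something benign to pass.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {174F2A5A-F283-428A-80C2-1D4ECE50DE6C} - c:\windows\system32\gejpahv.dll
O2 - BHO: (no name) - {b9e823be-6401-93d5-30a0-b1cdf477b1d8} - C:\WINDOWS\uqilifetahef.dll (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: AwayNotify - C:\Program Files\Lenovo\AwayTask\AwayNotify.dll
O20 - Winlogon Notify: fxlcpnzs - C:\WINDOWS\SYSTEM32\gejpahv.dll
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<target>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.*)$")
MISSING = " (file missing)"


def parse_entries(log_text):
    """Return a list of dicts, one per O2 line or O20 Winlogon Notify line."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        kind, match = "O2", O2_RE.match(line)
        if match is None:
            kind, match = "O20", O20_RE.match(line)
        if match is None:          # R0/R1, O4, AppInit_DLLs etc. are not handled here
            continue
        target = match.group("target")
        missing = target.endswith(MISSING)
        entries.append({
            "kind": kind,
            "name": match.group("name"),
            "clsid": match.groupdict().get("clsid"),   # only O2 lines carry a CLSID
            "path": target[: -len(MISSING)] if missing else target,
            "missing": missing,
        })
    return entries


def triage(log_text):
    """Map each DLL file name (lower-cased) to the reasons it looks suspicious.

    DLLs with no findings are left out, so an empty dict means nothing stood out.
    """
    findings = defaultdict(list)
    loaders = defaultdict(set)     # dll -> HJT sections that load it
    for e in parse_entries(log_text):
        dll = PureWindowsPath(e["path"]).name.lower()
        loaders[dll].add(e["kind"])
        if e["kind"] == "O2" and e["name"] == "(no name)":
            findings[dll].append("BHO registered without a display name")
        if e["missing"]:
            findings[dll].append(f"{e['kind']} entry points at a file that no longer exists")
        if e["kind"] == "O20":
            # Legitimate Notify handlers normally name the subkey after the DLL
            # (AwayNotify -> AwayNotify.dll); a random subkey name is a red flag.
            if e["name"].lower() != PureWindowsPath(e["path"]).stem.lower():
                findings[dll].append(
                    f"Winlogon Notify subkey '{e['name']}' does not match its DLL name")
    for dll, kinds in loaders.items():
        if {"O2", "O20"} <= kinds:
            findings[dll].append(
                "same DLL is both a browser helper object and a Winlogon Notify handler")
    return dict(findings)


def ranked(log_text):
    """DLL names ordered by how many independent signals fired, strongest first."""
    result = triage(log_text)
    return sorted(result, key=lambda dll: (-len(result[dll]), dll))


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for dll in ranked(SAMPLE_LOG):
        print(f"{dll}: {len(hits[dll])} signal(s)")
        for reason in hits[dll]:
            print(f"    - {reason}")
```

Run against the full log, gejpahv.dll tops the list because three independent signals fire on it, while the orphaned ACNotify.dll entry gets a single low-value hit and the Adobe and Lenovo entries get none.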

Tarun

Okay so here's the log. I've got some recommendations for you to do too following the log. Malwarebytes does its best in normal mode where it has full access to the malware. They have some really good methods for malware removal.

Generated by Tarun of Lunarsoft's HijackThis Converter v0.53 Beta (http://www.lunarsoft.net/).

Default-color items are optional; items marked [red] are known to be malicious.

Created registry value
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

Changed registry value
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

Created registry value
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005

Enumeration of existing IE's BHO's
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\Contribute 4\contributeieplugin.dll
[red] O2 - BHO: (no name) - {174F2A5A-F283-428A-80C2-1D4ECE50DE6C} - c:\windows\system32\gejpahv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
[red] O2 - BHO: (no name) - {b9e823be-6401-93d5-30a0-b1cdf477b1d8} - C:\WINDOWS\uqilifetahef.dll (file missing)
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

Enumeration of existing IE's toolbars
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\Contribute 4\contributeieplugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

Enumeration of suspicious auto-loading registry entries
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

Extra IE context menu items
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

Extra "Tools" menu items and buttons
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe

Broken Internet access. To fix these you will need LSPFix
To fix these you will need LSPFix (http://www.cexx.org/lspfix.zip)
O10 - Unknown file in Winsock LSP: bmnet.dll

Extra options in IE's "Advanced" settings tab
O11 - Options group: [JAVA_IBM] Java (IBM)

Changing of IERESET.INF
O14 - IERESET.INF: START_PAGE_URL=http://www.lenovo.com/us/en/

Downloaded Program Files item
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://netsimplicity.webex.com/clie...br/ieatgpc.cab

Enumeration of existing protocols and filters
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

AppInit_DLLs autorun Registry value, Winlogon Notify Registry keys
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
[red] O20 - Winlogon Notify: fxlcpnzs - C:\WINDOWS\SYSTEM32\gejpahv.dll


Download and run SDFix, be sure to follow the directions from here

Recommendations:
  • Uninstall any/all toolbars. Toolbars are just bad. Really bad. Especially in IE.
  • Uninstall your Java, it's waaay out of date. Download the latest Java from Sun and install it, then run JavaRa.
  • Uninstall McAfee via Control Panel, then use the Removal Tool for it in the Anti-Malware Toolkit. Replace it with avast.
  • Update to Internet Explorer 8 (more security, etc).
  • Drop Adobe Acrobat, it's slow and adds a lot of items that are not needed. Foxit PDF Reader is a great replacement.
  • Slim down all those startups by using StartUpLite.
  • If you don't need the Language Bar in Windows you can disable CTFMon.

Snograt

That unknown file in Winsock LSP:

Component Name: bmnet.dll

Description: ByteMobile Optimization Client, from ByteMobile, is an application designed to maximize data transfer speeds to mobile phones.

Kattar

Quote:
Originally Posted by Sun Fired Blank
As I remember, Malwarebytes' Anti-Malware is unable to complete removal in Safe Mode.
Yeah. I had run it in normal mode twice and it hadn't been able to fix the issue, so I gave safe mode a shot. No dice there either.

I was able to locate these files and registry keys before I posted here, but was unable to manually delete them, even in safe mode or when using File Assassin. I figured going into the registry and deleting them manually was the nuclear option, but apparently I was wrong, as I can't delete them.

SDFix found nothing. But when I run Malwarebytes again, the same things show up. From the research I've done on the internet, I haven't been able to find anyone that has a good solution to this, other than reformatting. That's what I'm leaning towards right now, unless anyone else has any ideas.

Oh, and as regards software: this is an institutional computer, so there are some software packages we're required to use. Don't worry, none of you are liable for anything if any of the fixes I try go wrong. The guy has already written this one off pretty much, he just gave it to me to salvage it if I could before a reinstall.

Thanks again gents. If anyone else has any ideas, let me know.

Edit: HJT was able to delete one of the three, but the other two remain, both tied to the gejpahv.dll. HJT can't get the other two, even when using the "delete on reboot" option.

Sun Fired Blank

See if you can use the Avenger to delete the DLLs in question (and only the DLLs in question). If you're still having obvious malware symptoms even after that, ComboFix is probably the next step.

Wanted to add: ComboFix is not a casual use tool, and unless the computer is still demonstrating serious malware symptoms after MBAM, SAS, AV, and trying to remove stuff with HJT, you really shouldn't touch it.

Second note: You didn't actually mention how bad your degradation is after trying to remove stuff.

Tarun

Go ahead and post your Malwarebytes log as well.

Kattar

@ Sun:

There haven't been any symptoms of obvious malware infection for a good little while now. From all reports, some fixes will get the other malicious software the Vundo trojan downloads and kills it, but it leaves the main Vundo trojan. After a few reboots or a few days it downloads more malicious software, causing the system to act unstable. I haven't let it get to that point, so there hasn't been much degradation at all. Plus the only times I've had the machine up and running have been to run scans, etc, so it's difficult to tell. The main Vundo files are still there though, which is my problem at present.

I'd say we're a little past casual tools at this point.

Full scan report incoming.

I appreciate you all taking a look at this, by the way. Our main IT department tends to...drag their feet...on issues like this.

Sun Fired Blank

It's entirely possible and likely that the DLL in question is hooked to explorer, which is causing the re-installation of Vundo related crap. There are lots of ways you can try to delete such a DLL: you can do it manually from the Windows recovery console, KillBox (as I remember) can usually do it on restart, HiJackThis can usually do it, Unlocker can usually do it, the Avenger can usually do it, and you can order ComboFix to do it (regardless of circumstances) by targeting the file with a script. The tool you use is less important than the end result; if you delete the DLL (through one of a number of increasingly forceful methods), the problem will probably stop. At that point when you run HJT the DLL should show up in registry but as missing, and you should be able to delete the entries.


I chose the Avenger because it has basic rootkit detection, and unlike ComboFix, it shouldn't perform any removal or system alterations beyond what you ask it to perform, while being one of the more powerful tools available. Obviously the potential ramifications of obliterating DLLs and altering your registry is pretty high, which is why generally you shouldn't do it, and why just about any program that lets you do these things comes rightfully with tons of disclaimers. In this case, we know that we just want this file and maybe the secondary crap surrounding it, so we should be fine.

I'd be a little surprised (and maybe concerned) if you couldn't delete the file from the Windows Recovery Console or with the Avenger, or if it reinstalled itself after deletion.

Kattar

EXCESSIVE FLUTTERCUSSING

Join Date: Mar 2007

MalwareBytes Logs:

Quote:
Malwarebytes' Anti-Malware 1.36
Database version: 2058
Windows 5.1.2600 Service Pack 3

4/30/2009 11:45:08 AM
mbam-log-2009-04-30 (11-45-08).txt

Scan type: Full Scan (C:\|)
Objects scanned: 195375
Time elapsed: 43 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{174f2a5a-f283-428a-80c2-1d4ece50de6c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fxlcpnzs (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{174f2a5a-f283-428a-80c2-1d4ece50de6c} (Trojan.Vundo.H) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\gejpahv.dll (Trojan.Vundo.H) -> Delete on reboot.
Basically all the stuff we already knew about. It says it'll delete it on reboot, but it doesn't. I'd assume that's because it's tied to Winlogon, which happens before Malwarebytes runs.

I'll give Avenger a shot and see what that does. Any particular script I need for that?

Sun Fired Blank

Jungle Guide

Join Date: Apr 2007

Files to delete:
c:\windows\system32\gejpahv.dll

Tarun

Technician's Corner Moderator

Join Date: Jan 2006

The TARDIS

http://www.lunarsoft.net/ http://forums.lunarsoft.net/

You'll need more than just the above...

You can use Unlocker on the file as well or use FileASSASSIN which is part of MBAM to delete locked files. If you want you can zip that file and submit it to Malwarebytes.

You'll need to run this for Avenger. Be careful: since VB is retarded, it might split up long strings in the wrong places.
Code:
Registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{174f2a5a-f283-428a-80c2-1d4ece50de6c}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fxlcpnzs
HKEY_CLASSES_ROOT\CLSID\{174f2a5a-f283-428a-80c2-1d4ece50de6c}

Files to Delete:
C:\WINDOWS\system32\gejpahv.dll

Sun Fired Blank

Jungle Guide

Join Date: Apr 2007

FileASSASSIN didn't work, apparently; it was mentioned above. :\

Also:

Objects scanned: 195375
Time elapsed: 43 minute(s), 36 second(s)

Really?

Kattar

EXCESSIVE FLUTTERCUSSING

Join Date: Mar 2007

Yeah, the file is locked, Sun, as Tarun mentioned. The registry keys are the same way; can't delete them manually.

FileASSASSIN was unable to delete the files as well. Avenger wasn't able to delete them either: "STATUS_ACCESS_DENIED."

Lol.

Quote:
Really!
Too slow or too fast?

Tarun

Technician's Corner Moderator

Join Date: Jan 2006

The TARDIS

http://www.lunarsoft.net/ http://forums.lunarsoft.net/

@Sun,
you totally missed it though.

Scan type: Full Scan (C:\|)
Objects scanned: 195375
Time elapsed: 43 minute(s), 36 second(s)

@Kat,
Did Unlocker have any success? If not, may have to go with Combofix. I'm looking into this right now.

Sun Fired Blank

Jungle Guide

Join Date: Apr 2007

Try the GMER rootkit (edit: remover) before ComboFix.

Kattar

EXCESSIVE FLUTTERCUSSING

Join Date: Mar 2007

Combofix log:
Code:
ComboFix 09-04-30.02 - ron 04/30/2009 15:35.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2038.1415 [GMT -4:00]
Running from: c:\documents and settings\ron.000\Desktop\Download\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated)
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\ThinkPad\ConnectUtilities\ACGina.dll

.
(((((((((((((((((((((((((   Files Created from 2009-03-28 to 2009-04-30  )))))))))))))))))))))))))))))))
.

2009-04-30 18:54 . 2009-04-30 18:54	--------	d-----w	C:\VundoFix Backups
2009-04-30 11:23 . 2009-04-30 11:23	578560	----a-w	c:\windows\system32\dllcache\user32.dll
2009-04-30 11:21 . 2009-04-30 11:21	--------	d-----w	c:\windows\ERUNT
2009-04-30 11:02 . 2009-04-30 11:35	--------	d-----w	C:\SDFix
2009-04-29 17:31 . 2009-04-29 17:31	--------	d-----w	c:\program files\CCleaner
2009-04-29 17:29 . 2009-04-29 17:29	--------	d-----w	c:\documents and settings\All Users\Application Data\TEMP
2009-04-29 17:29 . 2009-04-29 17:29	--------	d-----w	c:\program files\SpywareBlaster
2009-04-29 17:23 . 2009-04-29 17:23	--------	d-----w	c:\documents and settings\ron.000\Local Settings\Application Data\Lunarsoft
2009-04-29 17:23 . 2009-04-29 17:23	--------	d-----w	c:\program files\Lunarsoft
2009-04-29 13:38 . 2009-04-29 13:38	--------	d-----w	c:\documents and settings\ron.000\Application Data\Malwarebytes
2009-04-29 13:38 . 2009-04-06 19:32	15504	----a-w	c:\windows\system32\drivers\mbam.sys
2009-04-29 13:38 . 2009-04-06 19:32	38496	----a-w	c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-29 13:37 . 2009-04-29 13:37	--------	d-----w	c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-29 13:37 . 2009-04-29 13:38	--------	d-----w	c:\program files\Malwarebytes' Anti-Malware
2009-04-28 11:42 . 2009-04-28 11:42	--------	d-----w	c:\documents and settings\ron.000\Local Settings\Application Data\{28A921AB-63DC-478E-A466-4D691B23078E}
2009-04-27 12:54 . 2009-04-27 13:23	--------	d-----w	C:\d567253cdd60ed7b1addeabc9b96
2009-04-27 12:49 . 2009-04-27 13:23	--------	d-----w	c:\windows\SxsCaPendDel
2009-04-27 12:27 . 2009-04-27 12:27	--------	d-----w	C:\d96e93f2ec6a41bbe79a
2009-04-27 12:27 . 2009-04-27 12:27	--------	d-----w	C:\3f6e7c7de7c7dc1b5cb6d99a525aa216
2009-04-23 11:59 . 2009-04-29 13:36	0	----a-w	c:\windows\Nhucoxagij.bin
2009-04-23 11:59 . 2009-04-23 17:56	300	----a-w	c:\windows\Dxuxowetoh.dat
2009-04-16 15:42 . 2009-04-16 15:59	--------	d-----w	c:\documents and settings\ron.000\Application Data\OfficeUpdate12
2009-04-16 15:35 . 2006-10-26 23:56	32592	----a-w	c:\windows\system32\msonpmon.dll
2009-04-16 15:31 . 2009-04-16 15:31	--------	d-----w	c:\program files\Microsoft Works
2009-04-16 15:29 . 2009-04-16 15:29	--------	d-----w	c:\program files\Microsoft.NET
2009-04-16 15:23 . 2009-04-16 15:23	--------	d-----w	c:\program files\Microsoft Visual Studio 8
2009-04-16 15:22 . 2009-04-16 15:22	--------	d-----w	c:\documents and settings\ron.000\Local Settings\Application Data\Microsoft Help
2009-04-16 15:22 . 2009-04-29 12:16	--------	d-----w	c:\documents and settings\All Users\Application Data\Microsoft Help
2009-04-15 03:57 . 2009-03-06 14:22	284160	------w	c:\windows\system32\dllcache\pdh.dll
2009-04-15 03:57 . 2009-02-06 10:39	35328	------w	c:\windows\system32\dllcache\sc.exe
2009-04-15 03:57 . 2009-02-09 12:10	401408	------w	c:\windows\system32\dllcache\rpcss.dll
2009-04-15 03:57 . 2009-02-06 11:11	110592	------w	c:\windows\system32\dllcache\services.exe
2009-04-15 03:57 . 2009-02-09 12:10	473600	------w	c:\windows\system32\dllcache\fastprox.dll
2009-04-15 03:57 . 2009-02-06 10:10	227840	------w	c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 03:57 . 2009-02-09 12:10	453120	------w	c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 03:57 . 2009-02-09 12:10	729088	------w	c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 03:57 . 2009-02-09 12:10	617472	------w	c:\windows\system32\dllcache\advapi32.dll
2009-04-15 03:57 . 2009-02-09 12:10	714752	------w	c:\windows\system32\dllcache\ntdll.dll
2009-04-15 03:56 . 2008-05-03 11:55	2560	------w	c:\windows\system32\xpsp4res.dll
2009-04-15 03:56 . 2008-04-21 12:08	215552	------w	c:\windows\system32\dllcache\wordpad.exe

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-28 12:51 . 2007-03-01 16:45	97496	----a-w	c:\documents and settings\ron.000\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-16 15:31 . 2007-02-12 21:58	--------	d-----w	c:\program files\MSBuild
2009-04-08 21:33 . 2007-02-12 20:07	--------	d-----w	c:\program files\Spybot - Search & Destroy
2009-03-31 17:22 . 2007-03-05 16:06	--------	d-----w	c:\program files\SipV7
2009-03-20 11:46 . 2007-02-20 14:55	--------	d-----w	c:\program files\Calendar Creator
2009-03-16 22:42 . 2009-03-16 22:42	524288	----a-w	c:\windows\opuc.dll
2009-03-06 14:22 . 1980-01-01 08:00	284160	----a-w	c:\windows\system32\pdh.dll
2009-03-03 13:39 . 2009-03-03 13:39	--------	d-----w	c:\program files\Windows Desktop Search
2009-03-03 00:18 . 1980-01-01 08:00	826368	----a-w	c:\windows\system32\wininet.dll
2009-02-20 18:09 . 1980-01-01 08:00	78336	------w	c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 1980-01-01 08:00	729088	------w	c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 1980-01-01 08:00	714752	------w	c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 1980-01-01 08:00	617472	------w	c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 1980-01-01 08:00	401408	----a-w	c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 1980-01-01 08:00	1846784	------w	c:\windows\system32\win32k.sys
2009-02-06 11:11 . 1980-01-01 08:00	110592	------w	c:\windows\system32\services.exe
2009-02-06 11:06 . 1980-01-01 08:00	2145280	------w	c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 1980-01-01 08:00	35328	------w	c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-04 06:59	2023936	------w	c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 1980-01-01 08:00	56832	----a-w	c:\windows\system32\secur32.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{174F2A5A-F283-428A-80C2-1D4ECE50DE6C}]
2004-08-04 13:00	103424	----a-w	c:\windows\system32\gejpahv.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-18 68856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 512000]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2006-06-03 856064]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2006-02-24 237568]
"TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-10-02 94208]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2006-03-23 106496]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-08-01 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-28 81920]
"AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-10-19 69632]
"cssauth"="c:\program files\IBM ThinkVantage\Client Security Solution\cssauth.exe" [2005-12-22 1996336]
"PDService.exe"="c:\program files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe" [2005-11-15 49152]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-03-01 196710]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-10-08 169472]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2006-12-25 409600]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2006-12-25 110592]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2006-03-23 151552]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2006-03-23 208896]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2008-03-14 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-07-17 111952]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-12 623992]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2006-03-28 503808]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-09-15 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-09-15 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-09-15 118784]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-04-27 257088]
"AT&T Communication Manager"="c:\program files\AT&T\Communication Manager\ATTCM.exe" [2008-05-02 33280]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"TpShocks"="TpShocks.exe" - c:\windows\system32\TpShocks.exe [2005-11-07 106496]
"TP4EX"="tp4ex.exe" - c:\windows\system32\TP4EX.exe [2005-10-17 65536]
"NWTRAY"="NWTRAY.EXE" - c:\windows\system32\nwtray.exe [2002-03-12 28672]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AwayNotify]
2006-03-23 10:03	49152	----a-w	c:\program files\Lenovo\AwayTask\AwayNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2006-12-25 15:29	32768	----a-w	c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fxlcpnzs]
2004-08-04 13:00	103424	----a-w	c:\windows\system32\gejpahv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 04:45	28672	----a-w	c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-12-01 04:16	24576	----a-w	c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages	REG_MULTI_SZ   	msv1_0 nwv1_0 nwprovau
Notification Packages	REG_MULTI_SZ   	scecli csspwntfy

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\SAP\\FrontEnd\\SAPgui\\saplgpad.exe"=
"c:\\Program Files\\Adobe\\Contribute 4\\Contribute.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12301:TCP"= 12301:TCP:160.36.178.188/255.255.255.255:Enabled:McAfeeServer
"12301:UDP"= 12301:UDP:160.36.178.188/255.255.255.255:Enabled:McAfeeServer
"12302:TCP"= 12302:TCP:160.36.178.188/255.255.255.255:Enabled:McAfeeUpdate
"12302:UDP"= 12302:UDP:160.36.178.188/255.255.255.255:Enabled:McAfeeUpdate
"47315:TCP"= 47315:TCP:@xpsp2res.dll,-22009
"1044:TCP"= 1044:TCP:@xpsp2res.dll,-22009

R1 nipplpt;Novell iCapture Lpt Redirector;c:\windows\system32\drivers\nipplpt.sys [2003-02-24 18493]
R3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [2008-03-06 106496]
R3 SWNC8U56;Sierra Wireless MUX NDIS Driver (UMTS56);c:\windows\system32\DRIVERS\swnc8u56.sys [2007-06-27 101248]
R3 SWUMX56;Sierra Wireless USB MUX Driver (UMTS56);c:\windows\system32\DRIVERS\swumx56.sys [2007-06-27 73856]
S0 Shockprf;Shockprf; [x]
S0 sjyfkuwl;sjyfkuwl;c:\windows\system32\drivers\sjyfkuwl.sys [2004-08-04 23424]
S1 ANC;ANC;c:\windows\system32\drivers\ANC.SYS [2005-11-08 11520]
S1 IBMTPCHK;IBMTPCHK;c:\windows\system32\Drivers\IBMBLDID.sys [2006-01-13 6016]
S1 nipplpt2;Novell iCapture Lpt Redirector 2;c:\windows\system32\drivers\nipplpt.sys [2003-02-24 18493]
S1 ShockMgr;ShockMgr; [x]
S1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\Tppwrif.sys [2006-03-23 4442]
S2 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [2005-12-22 12544]
S2 PrivateDisk;PrivateDisk;c:\program files\IBM ThinkVantage\SafeGuard PrivateDisk\PrivateDiskM.sys [2005-11-15 46142]
S2 smi2;smi2;c:\program files\SMI2\smi2.sys [2005-12-22 3968]


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
vodytxom

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{27cf2478-f77c-11dd-b6be-0018de1a147a}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d85cced-67a0-11dd-b67f-0018de1a147a}]
\Shell\AutoRun\command - e:\win\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6b2d009f-c7f1-11db-b581-0016d32b7970}]
\Shell\AutoRun\command - E:\EMP_UDSe.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-30 c:\windows\Tasks\At1.job
- c:\windows\system32\gejpahv.dll [1980-01-01 13:00]

2009-04-30 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2006-10-08 09:13]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-StandardKeyboard - c:\windows\Wireless\Wireless.exe
Notify-NavLogon - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.thecenter.utk.edu/
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: bmnet.dll
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-30 15:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ... 

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(936)
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\windows\system32\tphklock.dll
c:\program files\Lenovo\AwayTask\AwayNotify.dll

- - - - - - - > 'lsass.exe'(992)
c:\program files\IBM ThinkVantage\Client Security Solution\csspwntfy.dll
c:\program files\IBM ThinkVantage\Client Security Solution\ibmtsp.dll
c:\program files\IBM ThinkVantage\Client Security Solution\tcsrpc.dll
c:\program files\IBM ThinkVantage\Client Security Solution\cssuserdatadispatcher.dll
c:\windows\system32\bmnet.dll

- - - - - - - > 'Explorer.exe'(5840)
c:\windows\system32\PROCHLP.DLL
c:\progra~1\WINDOW~2\wmpband.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\NLS\ENGLISH\NWSHLXNR.DLL
c:\windows\system32\NLS\ENGLISH\NOVNPNTR.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\IPSSVC.EXE
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\windows\system32\bmwebcfg.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\lotus\notes\ntmulti.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Lenovo\System Update\SUService.exe
c:\windows\system32\TPHDEXLG.exe
c:\windows\system32\TpKmpSvc.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
c:\program files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\windows\system32\searchindexer.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\program files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
c:\windows\system32\rundll32.exe
c:\program files\McAfee\Common Framework\Mctray.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2009-04-30 15:50 - machine was rebooted
ComboFix-quarantined-files.txt  2009-04-30 19:49

Pre-Run: 35,105,206,272 bytes free
Post-Run: 36,364,980,224 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect

295	--- E O F ---	2009-04-29 12:16
Code tags to save space.
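Sun Fired Blank's point about the DLL being hooked in early, and Kattar's guess about why "Delete on reboot" never sticks, can be checked against the ComboFix output above. The Python script below is an added example, not part of this thread or of ComboFix: it parses a constructed excerpt of the 'Reg Loading Points', driver and 'Scheduled Tasks' sections (the lines are copied from the log above) and groups every autostart entry by the file it loads, flagging entries that fire before user logon (Winlogon Notify packages, start-type 0/1 drivers). The pre-logon rule is this example's own heuristic, and the regexes assume ComboFix's log layout as shown in this thread.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the ComboFix log posted in this thread,
# trimmed to the 'Reg Loading Points', driver and 'Scheduled Tasks' sections.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{174F2A5A-F283-428A-80C2-1D4ECE50DE6C}]
2004-08-04 13:00    103424    ----a-w    c:\windows\system32\gejpahv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"TpShocks"="TpShocks.exe" - c:\windows\system32\TpShocks.exe [2005-11-07 106496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fxlcpnzs]
2004-08-04 13:00    103424    ----a-w    c:\windows\system32\gejpahv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 04:45    28672    ----a-w    c:\windows\system32\notifyf2.dll

S0 Shockprf;Shockprf; [x]
S0 sjyfkuwl;sjyfkuwl;c:\windows\system32\drivers\sjyfkuwl.sys [2004-08-04 23424]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
vodytxom

Contents of the 'Scheduled Tasks' folder

2009-04-30 c:\windows\Tasks\At1.job
- c:\windows\system32\gejpahv.dll [1980-01-01 13:00]
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
# "<date> <time> <size> <attrs> <path>" listed under a registry key heading
FILE_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d\s+\d+\s+\S+\s+(\S.*)$")
# "name"="path" [date size]   or   "name"="short.exe" - c:\resolved\path [date size]
RUN_RE = re.compile(r'^"[^"]+"=\s*"([^"]+)"(?:\s+-\s+(\S.*?))?\s+\[')
# R/S = running/stopped, digit = start type, then name;description;path [date size]
SVC_RE = re.compile(r"^([RS]\d)\s+([^;]+);[^;]*;(\S.*?)\s+\[")
TASK_RE = re.compile(r"^\d{4}-\d\d-\d\d\s+(\S+\.job)$", re.IGNORECASE)
TASK_TARGET_RE = re.compile(r"^-\s+(\S.*?)\s+\[")


def parse_loading_points(text):
    """Map each referenced file (lower-cased path) to the places that load it."""
    points = defaultdict(list)
    current_key = pending_task = None
    in_netsvcs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            pending_task, in_netsvcs = None, False
            continue
        if (m := KEY_RE.match(line)):
            current_key = m.group(1)
        elif (m := TASK_RE.match(line)):
            pending_task = m.group(1)
        elif pending_task and (m := TASK_TARGET_RE.match(line)):
            points[m.group(1).lower()].append(f"scheduled task {pending_task}")
            pending_task = None
        elif (m := SVC_RE.match(line)):
            points[m.group(3).lower()].append(f"{m.group(1)} driver/service {m.group(2)}")
        elif line.endswith("- NetSvcs"):
            in_netsvcs = True  # following lines name services in the netsvcs group
        elif in_netsvcs:
            points[line.lower()].append("svchost NetSvcs group")
        elif current_key and (m := FILE_RE.match(line)):
            points[m.group(1).lower()].append(f"key {current_key}")
        elif current_key and (m := RUN_RE.match(line)):
            points[(m.group(2) or m.group(1)).lower()].append(f"key {current_key}")
    return dict(points)


def loads_before_logon(point):
    """Heuristic: Winlogon Notify packages and boot/system-start (type 0/1) drivers
    load before any user session exists, so a user-mode scanner's 'delete on
    reboot' is racing code that is already resident."""
    p = point.lower()
    return "winlogon\\notify" in p or p[:3] in ("s0 ", "s1 ", "r0 ", "r1 ")


def pre_logon_paths(points):
    """Files with at least one pre-logon loading point. Legitimate vendor Notify
    DLLs land here too; the analyst still has to judge each one."""
    return {path for path, pts in points.items() if any(map(loads_before_logon, pts))}


def report(points):
    """Human-readable summary, one block per referenced file."""
    early = pre_logon_paths(points)
    lines = []
    for path in sorted(points):
        tag = "PRE-LOGON" if path in early else "user session"
        lines.append(f"{path}  ({len(points[path])} loading point(s), {tag})")
        lines.extend(f"    <- {p}" for p in points[path])
    return lines


if __name__ == "__main__":
    print("\n".join(report(parse_loading_points(SAMPLE_LOG))))
```

On this excerpt gejpahv.dll comes out with three loading points (the BHO, the Winlogon Notify package fxlcpnzs and the At1.job task), alongside the boot-start driver sjyfkuwl and the netsvcs name vodytxom; the legitimate ThinkPad Notify DLL is flagged PRE-LOGON as well, which is the reviewer's cue to check it rather than a verdict.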

Tarun

Technician's Corner Moderator

Join Date: Jan 2006

The TARDIS

http://www.lunarsoft.net/ http://forums.lunarsoft.net/

Save this as CFScript.txt

Code:
Collect::
c:\windows\Nhucoxagij.bin
c:\windows\Dxuxowetoh.dat
c:\windows\system32\gejpahv.dll
c:\windows\system32\drivers\sjyfkuwl.sys

Driver::
sjyfkuwl

KillAll::

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{174f2a5a-f283-428a-80c2-1d4ece50de6c}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fxlcpnzs]
[-HKEY_CLASSES_ROOT\CLSID\{174f2a5a-f283-428a-80c2-1d4ece50de6c}]

Suspect::


Referring to the picture above, drag CFScript.txt onto ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

When CF finishes running the ComboFix log will open along with a message box. With the above script, ComboFix will capture files to submit for analysis. Make sure you are connected to the Internet and click OK on the message box.

Kattar

EXCESSIVE FLUTTERCUSSING

Join Date: Mar 2007

CFScript log:

Code:
ComboFix 09-04-30.05 - ron 05/01/2009  7:27.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2038.1463 [GMT -4:00]
Running from: c:\documents and settings\ron.000\Desktop\Download\ComboFix.exe
Command switches used :: c:\documents and settings\ron.000\Desktop\Download\CFScript.txt
AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated)

file zipped: c:\windows\Nhucoxagij.bin
file zipped: c:\windows\system32\drivers\sjyfkuwl.sys
file zipped: c:\windows\system32\gejpahv.dll
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Dxuxowetoh.dat
c:\windows\Nhucoxagij.bin
c:\windows\system32\drivers\sjyfkuwl.sys
c:\windows\system32\gejpahv.dll
c:\windows\Tasks\At1.job

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SJYFKUWL
-------\Service_sjyfkuwl


(((((((((((((((((((((((((   Files Created from 2009-04-01 to 2009-05-01  )))))))))))))))))))))))))))))))
.

2009-04-30 18:54 . 2009-04-30 18:54	--------	d-----w	C:\VundoFix Backups
2009-04-30 11:23 . 2009-04-30 11:23	578560	----a-w	c:\windows\system32\dllcache\user32.dll
2009-04-30 11:21 . 2009-04-30 11:21	--------	d-----w	c:\windows\ERUNT
2009-04-30 11:02 . 2009-04-30 11:35	--------	d-----w	C:\SDFix
2009-04-29 17:31 . 2009-04-29 17:31	--------	d-----w	c:\program files\CCleaner
2009-04-29 17:29 . 2009-04-29 17:29	--------	d-----w	c:\documents and settings\All Users\Application Data\TEMP
2009-04-29 17:29 . 2009-04-29 17:29	--------	d-----w	c:\program files\SpywareBlaster
2009-04-29 17:23 . 2009-04-29 17:23	--------	d-----w	c:\documents and settings\ron.000\Local Settings\Application Data\Lunarsoft
2009-04-29 17:23 . 2009-04-29 17:23	--------	d-----w	c:\program files\Lunarsoft
2009-04-29 13:38 . 2009-04-29 13:38	--------	d-----w	c:\documents and settings\ron.000\Application Data\Malwarebytes
2009-04-29 13:38 . 2009-04-06 19:32	15504	----a-w	c:\windows\system32\drivers\mbam.sys
2009-04-29 13:38 . 2009-04-06 19:32	38496	----a-w	c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-29 13:37 . 2009-04-29 13:37	--------	d-----w	c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-29 13:37 . 2009-04-29 13:38	--------	d-----w	c:\program files\Malwarebytes' Anti-Malware
2009-04-28 11:42 . 2009-04-28 11:42	--------	d-----w	c:\documents and settings\ron.000\Local Settings\Application Data\{28A921AB-63DC-478E-A466-4D691B23078E}
2009-04-27 12:54 . 2009-04-27 13:23	--------	d-----w	C:\d567253cdd60ed7b1addeabc9b96
2009-04-27 12:49 . 2009-04-27 13:23	--------	d-----w	c:\windows\SxsCaPendDel
2009-04-27 12:27 . 2009-04-27 12:27	--------	d-----w	C:\d96e93f2ec6a41bbe79a
2009-04-27 12:27 . 2009-04-27 12:27	--------	d-----w	C:\3f6e7c7de7c7dc1b5cb6d99a525aa216
2009-04-16 15:42 . 2009-04-16 15:59	--------	d-----w	c:\documents and settings\ron.000\Application Data\OfficeUpdate12
2009-04-16 15:35 . 2006-10-26 23:56	32592	----a-w	c:\windows\system32\msonpmon.dll
2009-04-16 15:31 . 2009-04-16 15:31	--------	d-----w	c:\program files\Microsoft Works
2009-04-16 15:29 . 2009-04-16 15:29	--------	d-----w	c:\program files\Microsoft.NET
2009-04-16 15:23 . 2009-04-16 15:23	--------	d-----w	c:\program files\Microsoft Visual Studio 8
2009-04-16 15:22 . 2009-04-16 15:22	--------	d-----w	c:\documents and settings\ron.000\Local Settings\Application Data\Microsoft Help
2009-04-16 15:22 . 2009-04-29 12:16	--------	d-----w	c:\documents and settings\All Users\Application Data\Microsoft Help
2009-04-15 03:57 . 2009-03-06 14:22	284160	------w	c:\windows\system32\dllcache\pdh.dll
2009-04-15 03:57 . 2009-02-06 10:39	35328	------w	c:\windows\system32\dllcache\sc.exe
2009-04-15 03:57 . 2009-02-09 12:10	401408	------w	c:\windows\system32\dllcache\rpcss.dll
2009-04-15 03:57 . 2009-02-06 11:11	110592	------w	c:\windows\system32\dllcache\services.exe
2009-04-15 03:57 . 2009-02-09 12:10	473600	------w	c:\windows\system32\dllcache\fastprox.dll
2009-04-15 03:57 . 2009-02-06 10:10	227840	------w	c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 03:57 . 2009-02-09 12:10	453120	------w	c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 03:57 . 2009-02-09 12:10	729088	------w	c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 03:57 . 2009-02-09 12:10	617472	------w	c:\windows\system32\dllcache\advapi32.dll
2009-04-15 03:57 . 2009-02-09 12:10	714752	------w	c:\windows\system32\dllcache\ntdll.dll
2009-04-15 03:56 . 2008-05-03 11:55	2560	------w	c:\windows\system32\xpsp4res.dll
2009-04-15 03:56 . 2008-04-21 12:08	215552	------w	c:\windows\system32\dllcache\wordpad.exe

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-01 11:27 . 1980-01-01 08:00	23424	----a-w	c:\windows\system32\drivers\qcfjqhtt.sys
2009-04-28 12:51 . 2007-03-01 16:45	97496	----a-w	c:\documents and settings\ron.000\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-16 15:31 . 2007-02-12 21:58	--------	d-----w	c:\program files\MSBuild
2009-04-08 21:33 . 2007-02-12 20:07	--------	d-----w	c:\program files\Spybot - Search & Destroy
2009-03-31 17:22 . 2007-03-05 16:06	--------	d-----w	c:\program files\SipV7
2009-03-20 11:46 . 2007-02-20 14:55	--------	d-----w	c:\program files\Calendar Creator
2009-03-16 22:42 . 2009-03-16 22:42	524288	----a-w	c:\windows\opuc.dll
2009-03-06 14:22 . 1980-01-01 08:00	284160	----a-w	c:\windows\system32\pdh.dll
2009-03-03 13:39 . 2009-03-03 13:39	--------	d-----w	c:\program files\Windows Desktop Search
2009-03-03 00:18 . 1980-01-01 08:00	826368	----a-w	c:\windows\system32\wininet.dll
2009-02-20 18:09 . 1980-01-01 08:00	78336	------w	c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 1980-01-01 08:00	729088	------w	c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 1980-01-01 08:00	714752	------w	c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 1980-01-01 08:00	617472	------w	c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 1980-01-01 08:00	401408	----a-w	c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 1980-01-01 08:00	1846784	------w	c:\windows\system32\win32k.sys
2009-02-06 11:11 . 1980-01-01 08:00	110592	------w	c:\windows\system32\services.exe
2009-02-06 11:06 . 1980-01-01 08:00	2145280	------w	c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 1980-01-01 08:00	35328	------w	c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-04 06:59	2023936	------w	c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 1980-01-01 08:00	56832	----a-w	c:\windows\system32\secur32.dll
.

(((((((((((((((((((((((((((((   [email protected]_19.46.01   )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-01 11:33 . 2009-05-01 11:33	16384              c:\windows\temp\Perflib_Perfdata_568.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-18 68856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 512000]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2006-06-03 856064]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2006-02-24 237568]
"TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-10-02 94208]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2006-03-23 106496]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-08-01 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-28 81920]
"AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-10-19 69632]
"cssauth"="c:\program files\IBM ThinkVantage\Client Security Solution\cssauth.exe" [2005-12-22 1996336]
"PDService.exe"="c:\program files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe" [2005-11-15 49152]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-03-01 196710]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-10-08 169472]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2006-12-25 409600]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2006-12-25 110592]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2006-03-23 151552]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2006-03-23 208896]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2008-03-14 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-07-17 111952]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-12 623992]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2006-03-28 503808]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-09-15 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-09-15 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-09-15 118784]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-04-27 257088]
"AT&T Communication Manager"="c:\program files\AT&T\Communication Manager\ATTCM.exe" [2008-05-02 33280]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"TpShocks"="TpShocks.exe" - c:\windows\system32\TpShocks.exe [2005-11-07 106496]
"TP4EX"="tp4ex.exe" - c:\windows\system32\TP4EX.exe [2005-10-17 65536]
"NWTRAY"="NWTRAY.EXE" - c:\windows\system32\nwtray.exe [2002-03-12 28672]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AwayNotify]
2006-03-23 10:03	49152	----a-w	c:\program files\Lenovo\AwayTask\AwayNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2006-12-25 15:29	32768	----a-w	c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 04:45	28672	----a-w	c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-12-01 04:16	24576	----a-w	c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages	REG_MULTI_SZ   	msv1_0 nwv1_0 nwprovau
Notification Packages	REG_MULTI_SZ   	scecli csspwntfy

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\SAP\\FrontEnd\\SAPgui\\saplgpad.exe"=
"c:\\Program Files\\Adobe\\Contribute 4\\Contribute.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12301:TCP"= 12301:TCP:160.36.178.188/255.255.255.255:Enabled:McAfeeServer
"12301:UDP"= 12301:UDP:160.36.178.188/255.255.255.255:Enabled:McAfeeServer
"12302:TCP"= 12302:TCP:160.36.178.188/255.255.255.255:Enabled:McAfeeUpdate
"12302:UDP"= 12302:UDP:160.36.178.188/255.255.255.255:Enabled:McAfeeUpdate
"47315:TCP"= 47315:TCP:@xpsp2res.dll,-22009
"1044:TCP"= 1044:TCP:@xpsp2res.dll,-22009

R1 nipplpt;Novell iCapture Lpt Redirector;c:\windows\system32\drivers\nipplpt.sys [2003-02-24 18493]
R3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [2008-03-06 106496]
S0 Shockprf;Shockprf; [x]
S1 ANC;ANC;c:\windows\system32\drivers\ANC.SYS [2005-11-08 11520]
S1 IBMTPCHK;IBMTPCHK;c:\windows\system32\Drivers\IBMBLDID.sys [2006-01-13 6016]
S1 nipplpt2;Novell iCapture Lpt Redirector 2;c:\windows\system32\drivers\nipplpt.sys [2003-02-24 18493]
S1 ShockMgr;ShockMgr; [x]
S2 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [2005-12-22 12544]
S2 PrivateDisk;PrivateDisk;c:\program files\IBM ThinkVantage\SafeGuard PrivateDisk\PrivateDiskM.sys [2005-11-15 46142]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - SJYFKUWL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
vodytxom

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{27cf2478-f77c-11dd-b6be-0018de1a147a}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d85cced-67a0-11dd-b67f-0018de1a147a}]
\Shell\AutoRun\command - e:\win\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6b2d009f-c7f1-11db-b581-0016d32b7970}]
\Shell\AutoRun\command - E:\EMP_UDSe.exe
.
Contents of the 'Scheduled Tasks' folder

2009-05-01 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2006-10-08 09:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.thecenter.utk.edu/
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: bmnet.dll
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-01 07:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ... 

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(940)
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\windows\system32\tphklock.dll
c:\program files\Lenovo\AwayTask\AwayNotify.dll

- - - - - - - > 'lsass.exe'(996)
c:\program files\IBM ThinkVantage\Client Security Solution\csspwntfy.dll
c:\program files\IBM ThinkVantage\Client Security Solution\ibmtsp.dll
c:\program files\IBM ThinkVantage\Client Security Solution\tcsrpc.dll
c:\program files\IBM ThinkVantage\Client Security Solution\cssuserdatadispatcher.dll
c:\windows\system32\bmnet.dll

- - - - - - - > 'Explorer.exe'(4772)
c:\windows\system32\PROCHLP.DLL
c:\progra~1\WINDOW~2\wmpband.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\NLS\ENGLISH\NWSHLXNR.DLL
c:\windows\system32\NLS\ENGLISH\NOVNPNTR.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\system32\IPSSVC.EXE
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\windows\system32\bmwebcfg.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\lotus\notes\ntmulti.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\Lenovo\System Update\SUService.exe
c:\windows\system32\TPHDEXLG.exe
c:\windows\system32\TpKmpSvc.exe
c:\program files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
c:\program files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\windows\system32\searchindexer.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\program files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
c:\windows\system32\rundll32.exe
c:\program files\McAfee\Common Framework\Mctray.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-05-01  7:40 - machine was rebooted
ComboFix-quarantined-files.txt  2009-05-01 11:40
ComboFix2.txt  2009-04-30 19:50

Pre-Run: 36,357,214,208 bytes free
Post-Run: 36,353,724,416 bytes free

291	--- E O F ---	2009-04-29 12:16

Going to run Malwarebytes again and see what it comes up with.

Edit: Quick and Full scans in Malwarebytes come up with nothing. Looks like that got it. I hope.

Tarun

Technician's Corner Moderator

Join Date: Jan 2006

The TARDIS

http://www.lunarsoft.net/ http://forums.lunarsoft.net/

Now it's time to run Avenger.

Code:
Files to delete:
c:\windows\Dxuxowetoh.dat
c:\windows\Nhucoxagij.bin
c:\windows\system32\drivers\sjyfkuwl.sys
c:\windows\system32\drivers\qcfjqhtt.sys
c:\windows\system32\gejpahv.dll
c:\windows\Tasks\At1.job

Drivers to delete:
sjyfkuwl
qcfjqhtt

Post your Avenger log and a new HijackThis log, then run Combofix again and post a log.

Kattar

Nothing I can see on the logs.

Avenger
Code:
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error:  file "c:\windows\Dxuxowetoh.dat" not found!
Deletion of file "c:\windows\Dxuxowetoh.dat" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "c:\windows\Nhucoxagij.bin" not found!
Deletion of file "c:\windows\Nhucoxagij.bin" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "c:\windows\system32\drivers\sjyfkuwl.sys" not found!
Deletion of file "c:\windows\system32\drivers\sjyfkuwl.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

File "c:\windows\system32\drivers\qcfjqhtt.sys" deleted successfully.

Error:  file "c:\windows\system32\gejpahv.dll" not found!
Deletion of file "c:\windows\system32\gejpahv.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "c:\windows\Tasks\At1.job" not found!
Deletion of file "c:\windows\Tasks\At1.job" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  registry key "\Registry\Machine\System\CurrentControlSet\Services\sjyfkuwl" not found!
Deletion of driver "sjyfkuwl" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  registry key "\Registry\Machine\System\CurrentControlSet\Services\qcfjqhtt" not found!
Deletion of driver "qcfjqhtt" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Completed script processing.

*******************

Finished!  Terminate.

HJT
Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:32:23 PM, on 5/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\WINDOWS\system32\bmwebcfg.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\lenovo\system update\suservice.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe
C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Documents and Settings\ron.000\Desktop\Download\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thecenter.utk.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\Contribute 4\contributeieplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\Contribute 4\contributeieplugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [PDService.exe] "C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AT&T Communication Manager] "C:\Program Files\AT&T\Communication Manager\ATTCM.exe" -a
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O11 - Options group: [JAVA_IBM] Java (IBM)
O14 - IERESET.INF: START_PAGE_URL=http://www.lenovo.com/us/en/
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1171313974343
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://netsimplicity.webex.com/client/T25L/nbr/ieatgpc.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: AwayNotify - C:\Program Files\Lenovo\AwayTask\AwayNotify.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: AT&T RcAppSvc (ATTRcAppSvc) - PCTEL - C:\Program Files\AT&T\Communication Manager\RcAppSvc.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: System Update (SUService) -   - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
O23 - Service: TVT Backup Service - Unknown owner - C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

--
End of file - 16761 bytes

Combofix
Code:
ComboFix 09-04-30.05 - ron 05/01/2009 13:35.3 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2038.1480 [GMT -4:00]
Running from: c:\documents and settings\ron.000\Desktop\Download\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated)
.

(((((((((((((((((((((((((   Files Created from 2009-04-01 to 2009-05-01  )))))))))))))))))))))))))))))))
.

2009-05-01 11:59 . 2009-05-01 11:59	410984	----a-w	c:\windows\system32\deploytk.dll
2009-05-01 11:59 . 2009-05-01 11:59	--------	d-----w	c:\program files\Java
2009-04-30 18:54 . 2009-04-30 18:54	--------	d-----w	C:\VundoFix Backups
2009-04-30 11:23 . 2009-04-30 11:23	578560	----a-w	c:\windows\system32\dllcache\user32.dll
2009-04-30 11:21 . 2009-04-30 11:21	--------	d-----w	c:\windows\ERUNT
2009-04-30 11:02 . 2009-04-30 11:35	--------	d-----w	C:\SDFix
2009-04-29 17:31 . 2009-04-29 17:31	--------	d-----w	c:\program files\CCleaner
2009-04-29 17:29 . 2009-04-29 17:29	--------	d-----w	c:\documents and settings\All Users\Application Data\TEMP
2009-04-29 17:29 . 2009-04-29 17:29	--------	d-----w	c:\program files\SpywareBlaster
2009-04-29 17:23 . 2009-04-29 17:23	--------	d-----w	c:\documents and settings\ron.000\Local Settings\Application Data\Lunarsoft
2009-04-29 17:23 . 2009-04-29 17:23	--------	d-----w	c:\program files\Lunarsoft
2009-04-29 13:38 . 2009-04-29 13:38	--------	d-----w	c:\documents and settings\ron.000\Application Data\Malwarebytes
2009-04-29 13:38 . 2009-04-06 19:32	15504	----a-w	c:\windows\system32\drivers\mbam.sys
2009-04-29 13:38 . 2009-04-06 19:32	38496	----a-w	c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-29 13:37 . 2009-04-29 13:37	--------	d-----w	c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-29 13:37 . 2009-04-29 13:38	--------	d-----w	c:\program files\Malwarebytes' Anti-Malware
2009-04-28 11:42 . 2009-04-28 11:42	--------	d-----w	c:\documents and settings\ron.000\Local Settings\Application Data\{28A921AB-63DC-478E-A466-4D691B23078E}
2009-04-27 12:54 . 2009-04-27 13:23	--------	d-----w	C:\d567253cdd60ed7b1addeabc9b96
2009-04-27 12:49 . 2009-04-27 13:23	--------	d-----w	c:\windows\SxsCaPendDel
2009-04-27 12:27 . 2009-04-27 12:27	--------	d-----w	C:\d96e93f2ec6a41bbe79a
2009-04-27 12:27 . 2009-04-27 12:27	--------	d-----w	C:\3f6e7c7de7c7dc1b5cb6d99a525aa216
2009-04-16 15:42 . 2009-04-16 15:59	--------	d-----w	c:\documents and settings\ron.000\Application Data\OfficeUpdate12
2009-04-16 15:35 . 2006-10-26 23:56	32592	----a-w	c:\windows\system32\msonpmon.dll
2009-04-16 15:31 . 2009-04-16 15:31	--------	d-----w	c:\program files\Microsoft Works
2009-04-16 15:29 . 2009-04-16 15:29	--------	d-----w	c:\program files\Microsoft.NET
2009-04-16 15:23 . 2009-04-16 15:23	--------	d-----w	c:\program files\Microsoft Visual Studio 8
2009-04-16 15:22 . 2009-04-16 15:22	--------	d-----w	c:\documents and settings\ron.000\Local Settings\Application Data\Microsoft Help
2009-04-16 15:22 . 2009-04-29 12:16	--------	d-----w	c:\documents and settings\All Users\Application Data\Microsoft Help
2009-04-15 03:57 . 2009-03-06 14:22	284160	------w	c:\windows\system32\dllcache\pdh.dll
2009-04-15 03:57 . 2009-02-06 10:39	35328	------w	c:\windows\system32\dllcache\sc.exe
2009-04-15 03:57 . 2009-02-09 12:10	401408	------w	c:\windows\system32\dllcache\rpcss.dll
2009-04-15 03:57 . 2009-02-06 11:11	110592	------w	c:\windows\system32\dllcache\services.exe
2009-04-15 03:57 . 2009-02-09 12:10	473600	------w	c:\windows\system32\dllcache\fastprox.dll
2009-04-15 03:57 . 2009-02-06 10:10	227840	------w	c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 03:57 . 2009-02-09 12:10	453120	------w	c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 03:57 . 2009-02-09 12:10	729088	------w	c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 03:57 . 2009-02-09 12:10	617472	------w	c:\windows\system32\dllcache\advapi32.dll
2009-04-15 03:57 . 2009-02-09 12:10	714752	------w	c:\windows\system32\dllcache\ntdll.dll
2009-04-15 03:56 . 2008-05-03 11:55	2560	------w	c:\windows\system32\xpsp4res.dll
2009-04-15 03:56 . 2008-04-21 12:08	215552	------w	c:\windows\system32\dllcache\wordpad.exe

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-28 12:51 . 2007-03-01 16:45	97496	----a-w	c:\documents and settings\ron.000\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-16 15:31 . 2007-02-12 21:58	--------	d-----w	c:\program files\MSBuild
2009-04-08 21:33 . 2007-02-12 20:07	--------	d-----w	c:\program files\Spybot - Search & Destroy
2009-03-31 17:22 . 2007-03-05 16:06	--------	d-----w	c:\program files\SipV7
2009-03-20 11:46 . 2007-02-20 14:55	--------	d-----w	c:\program files\Calendar Creator
2009-03-16 22:42 . 2009-03-16 22:42	524288	----a-w	c:\windows\opuc.dll
2009-03-06 14:22 . 1980-01-01 08:00	284160	----a-w	c:\windows\system32\pdh.dll
2009-03-03 13:39 . 2009-03-03 13:39	--------	d-----w	c:\program files\Windows Desktop Search
2009-03-03 00:18 . 1980-01-01 08:00	826368	----a-w	c:\windows\system32\wininet.dll
2009-02-20 18:09 . 1980-01-01 08:00	78336	------w	c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 1980-01-01 08:00	729088	------w	c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 1980-01-01 08:00	714752	------w	c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 1980-01-01 08:00	617472	------w	c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 1980-01-01 08:00	401408	----a-w	c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 1980-01-01 08:00	1846784	------w	c:\windows\system32\win32k.sys
2009-02-06 11:11 . 1980-01-01 08:00	110592	------w	c:\windows\system32\services.exe
2009-02-06 11:06 . 1980-01-01 08:00	2145280	------w	c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 1980-01-01 08:00	35328	------w	c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-04 06:59	2023936	------w	c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 1980-01-01 08:00	56832	----a-w	c:\windows\system32\secur32.dll
.

(((((((((((((((((((((((((((((   Snapshot@2009-04-30_19.46.01   )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-01 17:28 . 2009-05-01 17:28	16384              c:\windows\temp\Perflib_Perfdata_588.dat
+ 2009-05-01 17:40 . 2009-05-01 17:40	16384              c:\windows\temp\Perflib_Perfdata_4c4.dat
+ 2009-05-01 17:40 . 2009-05-01 17:40	16384              c:\windows\temp\Perflib_Perfdata_348.dat
+ 2007-02-13 06:38 . 2009-05-01 13:41	32768              c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-02-13 06:38 . 2009-04-27 13:26	32768              c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-02-13 06:38 . 2009-05-01 13:41	32768              c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-02-13 06:38 . 2009-04-27 13:26	32768              c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-02-13 06:38 . 2009-04-27 13:26	32768              c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2007-02-13 06:38 . 2009-05-01 13:41	32768              c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-05-01 11:59 . 2009-05-01 11:59	148888              c:\windows\system32\javaws.exe
+ 2009-05-01 11:59 . 2009-05-01 11:59	144792              c:\windows\system32\javaw.exe
+ 2009-05-01 11:59 . 2009-05-01 11:59	144792              c:\windows\system32\java.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-18 68856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 512000]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2006-06-03 856064]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2006-02-24 237568]
"TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-10-02 94208]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2006-03-23 106496]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-08-01 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-28 81920]
"AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-10-19 69632]
"cssauth"="c:\program files\IBM ThinkVantage\Client Security Solution\cssauth.exe" [2005-12-22 1996336]
"PDService.exe"="c:\program files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe" [2005-11-15 49152]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-03-01 196710]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-10-08 169472]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2006-12-25 409600]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2006-12-25 110592]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2006-03-23 151552]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2006-03-23 208896]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2008-03-14 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-07-17 111952]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-12 623992]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2006-03-28 503808]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-09-15 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-09-15 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-09-15 118784]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-04-27 257088]
"AT&T Communication Manager"="c:\program files\AT&T\Communication Manager\ATTCM.exe" [2008-05-02 33280]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-01 148888]
"TpShocks"="TpShocks.exe" - c:\windows\system32\TpShocks.exe [2005-11-07 106496]
"TP4EX"="tp4ex.exe" - c:\windows\system32\TP4EX.exe [2005-10-17 65536]
"NWTRAY"="NWTRAY.EXE" - c:\windows\system32\nwtray.exe [2002-03-12 28672]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AwayNotify]
2006-03-23 10:03	49152	----a-w	c:\program files\Lenovo\AwayTask\AwayNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2006-12-25 15:29	32768	----a-w	c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 04:45	28672	----a-w	c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-12-01 04:16	24576	----a-w	c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages	REG_MULTI_SZ   	msv1_0 nwv1_0 nwprovau
Notification Packages	REG_MULTI_SZ   	scecli csspwntfy

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\SAP\\FrontEnd\\SAPgui\\saplgpad.exe"=
"c:\\Program Files\\Adobe\\Contribute 4\\Contribute.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12301:TCP"= 12301:TCP:160.36.178.188/255.255.255.255:Enabled:McAfeeServer
"12301:UDP"= 12301:UDP:160.36.178.188/255.255.255.255:Enabled:McAfeeServer
"12302:TCP"= 12302:TCP:160.36.178.188/255.255.255.255:Enabled:McAfeeUpdate
"12302:UDP"= 12302:UDP:160.36.178.188/255.255.255.255:Enabled:McAfeeUpdate
"47315:TCP"= 47315:TCP:@xpsp2res.dll,-22009
"1044:TCP"= 1044:TCP:@xpsp2res.dll,-22009

R1 nipplpt;Novell iCapture Lpt Redirector;c:\windows\system32\drivers\nipplpt.sys [2003-02-24 18493]
R3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [2008-03-06 106496]
R3 SWNC8U56;Sierra Wireless MUX NDIS Driver (UMTS56);c:\windows\system32\DRIVERS\swnc8u56.sys [2007-06-27 101248]
R3 SWUMX56;Sierra Wireless USB MUX Driver (UMTS56);c:\windows\system32\DRIVERS\swumx56.sys [2007-06-27 73856]
S0 Shockprf;Shockprf; [x]
S1 ANC;ANC;c:\windows\system32\drivers\ANC.SYS [2005-11-08 11520]
S1 IBMTPCHK;IBMTPCHK;c:\windows\system32\Drivers\IBMBLDID.sys [2006-01-13 6016]
S1 nipplpt2;Novell iCapture Lpt Redirector 2;c:\windows\system32\drivers\nipplpt.sys [2003-02-24 18493]
S1 ShockMgr;ShockMgr; [x]
S1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\Tppwrif.sys [2006-03-23 4442]
S2 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [2005-12-22 12544]
S2 PrivateDisk;PrivateDisk;c:\program files\IBM ThinkVantage\SafeGuard PrivateDisk\PrivateDiskM.sys [2005-11-15 46142]
S2 smi2;smi2;c:\program files\SMI2\smi2.sys [2005-12-22 3968]


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
vodytxom

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{27cf2478-f77c-11dd-b6be-0018de1a147a}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d85cced-67a0-11dd-b67f-0018de1a147a}]
\Shell\AutoRun\command - e:\win\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6b2d009f-c7f1-11db-b581-0016d32b7970}]
\Shell\AutoRun\command - E:\EMP_UDSe.exe
.
Contents of the 'Scheduled Tasks' folder

2009-05-01 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2006-10-08 09:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.thecenter.utk.edu/
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: bmnet.dll
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-01 13:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ... 

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(936)
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\windows\system32\tphklock.dll
c:\program files\Lenovo\AwayTask\AwayNotify.dll

- - - - - - - > 'lsass.exe'(992)
c:\program files\IBM ThinkVantage\Client Security Solution\csspwntfy.dll
c:\program files\IBM ThinkVantage\Client Security Solution\ibmtsp.dll
c:\program files\IBM ThinkVantage\Client Security Solution\tcsrpc.dll
c:\program files\IBM ThinkVantage\Client Security Solution\cssuserdatadispatcher.dll
c:\windows\system32\bmnet.dll

- - - - - - - > 'Explorer.exe'(3772)
c:\windows\system32\PROCHLP.DLL
c:\progra~1\WINDOW~2\wmpband.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
c:\progra~1\SPYBOT~1\SDHelper.dll
c:\windows\system32\NLS\ENGLISH\NWSHLXNR.DLL
c:\windows\system32\NLS\ENGLISH\NOVNPNTR.DLL
c:\windows\System32\DLA\DLASHX_W.DLL
c:\windows\system32\DLAAPI_W.DLL
c:\windows\System32\DLA\DLACResW.dll
c:\program files\Microsoft Office\Office12\1033\GrooveIntlResource.dll
c:\program files\McAfee\VirusScan Enterprise\scriptcl.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\system32\IPSSVC.EXE
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\windows\system32\bmwebcfg.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\lotus\notes\ntmulti.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\Lenovo\System Update\SUService.exe
c:\windows\system32\TPHDEXLG.exe
c:\windows\system32\TpKmpSvc.exe
c:\program files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
c:\program files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\windows\system32\searchindexer.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\program files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
c:\windows\system32\rundll32.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2009-05-01 13:49 - machine was rebooted
ComboFix-quarantined-files.txt  2009-05-01 17:48
ComboFix2.txt  2009-05-01 11:40
ComboFix3.txt  2009-04-30 19:50

Pre-Run: 36,162,424,832 bytes free
Post-Run: 36,128,235,520 bytes free

301	--- E O F ---	2009-04-29 12:16

Tarun

Tarun

Technician's Corner Moderator

Join Date: Jan 2006

The TARDIS

http://www.lunarsoft.net/ http://forums.lunarsoft.net/

Okay we took care of
Code:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
vodytxom
Now we'll need to run CCleaner and ATFCleaner.

CCleaner is fine by default, but here's ATFCleaner:
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use the Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.


Next we'll run Malwarebytes Anti Malware in Quick Scan mode. Post the log in the next post.


Download RootRepeal.zip (http://rootrepeal.googlepages.com/RootRepeal.zip) and unzip it to your Desktop.
  • Double click RootRepeal.exe to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan
    Note: The scan can take some time. DO NOT run any other programs while the scan is running
  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt

Snograt

Snograt

rattus rattus

Join Date: Jan 2006

London, UK GMT??0 ??1hr DST

[GURU]GW [wiki]GW2

R/

>>>>>intermission<<<<<

Whilst Tarun walks Katsumi through this morass of checks and fixes, have a look at your own systems. Are you using a highly-rated AV suite? Are you using a decent firewall? Are you using a browser that doesn't begin with "I"?

This virus is fairly non-lethal but it is, as you can see, a right pain to get rid of. Next time it could be a nasty one that turns your PC into part of a botnet or steals all your credit card details.

Remember folks - this could be you.

We now return you to your regular transmission

Kattar

Kattar

EXCESSIVE FLUTTERCUSSING

Join Date: Mar 2007

SMS (lolgw2placeholder)

Me/

MalwareBytes log:
Code:
Malwarebytes' Anti-Malware 1.36
Database version: 2058
Windows 5.1.2600 Service Pack 3

5/4/2009 7:29:44 AM
mbam-log-2009-05-04 (07-29-44).txt

Scan type: Quick Scan
Objects scanned: 101421
Time elapsed: 3 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
Rootrepeal log:

Code:
ROOTREPEAL (c) AD, 2007-2008
==================================================
Scan Time:			2009/05/04 07:32
Program Version:		Version 1.2.3.0
Windows Version:		Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0x9C2CA000	Size: 876544	File Visible: No
Status: -

Name: nwfilter.sys
Image Path: nwfilter.sys
Address: 0xBA4C8000	Size: 15680	File Visible: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0x9B65C000	Size: 45056	File Visible: No
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\RRbackups
Status: Locked to the Windows API!

Path: \\?\C:\RRbackups\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\C
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings
Status: Invisible to the Windows API!

Path: C:\RRbackups\hints.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\osfilter.txt
Status: Invisible to the Windows API!

Path: C:\RRbackups\regcerts.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\rr.log
Status: Invisible to the Windows API!

Path: C:\RRbackups\SAM
Status: Invisible to the Windows API!

Path: C:\RRbackups\system
Status: Invisible to the Windows API!

Path: C:\RRbackups\system.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\tvt.txt
Status: Invisible to the Windows API!

Path: C:\RRbackups\usersids.dat
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\C\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: \\?\C:\RRbackups\Documents and Settings\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Administrator
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\All Users
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Default User
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\LocalService
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\NetworkService
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Ron
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\ron.000
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Tis Admin
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\ron.000\Recent
Status: Locked to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Administrator\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Administrator\Application Data
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\All Users\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\All Users\Application Data
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Default User\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Default User\Application Data
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\LocalService\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\LocalService\Application Data
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\NetworkService\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\NetworkService\Application Data
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Ron\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Ron\Application Data
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\ron.000\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\ron.000\Application Data
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Tis Admin\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Tis Admin\Application Data
Status: Invisible to the Windows API!

Path: \\?\C:\Documents and Settings\ron.000\Recent\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: \\?\C:\RRbackups\Documents and Settings\Administrator\Application Data\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\All Users\Application Data\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Default User\Application Data\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\LocalService\Application Data\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\NetworkService\Application Data\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Ron\Application Data\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Ron\Application Data\Microsoft
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Ron\Application Data\ThinkVantage
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\ron.000\Application Data\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\ron.000\Application Data\Microsoft
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\ron.000\Application Data\ThinkVantage
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Tis Admin\Application Data\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Tis Admin\Application Data\Microsoft
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Tis Admin\Application Data\ThinkVantage
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Crypto
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Ron\Application Data\Microsoft\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Ron\Application Data\Microsoft\Crypto
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Ron\Application Data\Microsoft\Protect
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Ron\Application Data\Microsoft\SystemCertificates
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Ron\Application Data\ThinkVantage\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Ron\Application Data\ThinkVantage\Client Security
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\ron.000\Application Data\Microsoft\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\ron.000\Application Data\Microsoft\Crypto
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\ron.000\Application Data\Microsoft\Protect
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\ron.000\Application Data\Microsoft\SystemCertificates
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\ron.000\Application Data\ThinkVantage\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\ron.000\Application Data\ThinkVantage\Client Security
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Tis Admin\Application Data\Microsoft\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Tis Admin\Application Data\Microsoft\Crypto
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Tis Admin\Application Data\Microsoft\Protect
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Tis Admin\Application Data\Microsoft\SystemCertificates
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Tis Admin\Application Data\ThinkVantage\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Tis Admin\Application Data\ThinkVantage\Client Security
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\CREDHIST
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-3549068214-3021636257-3242902241-500
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-3923117766-2444937865-3196067341-500
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\CREDHIST
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-3549068214-3021636257-3242902241-500
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-3923117766-2444937865-3196067341-500
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\My
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates\My
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Ron\Application Data\Microsoft\Crypto\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Ron\Application Data\Microsoft\Crypto\RSA
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Ron\Application Data\Microsoft\Protect\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Ron\Application Data\Microsoft\Protect\CREDHIST
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Ron\Application Data\Microsoft\Protect\S-1-5-21-1145842898-545744170-2072831958-1007
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Ron\Application Data\Microsoft\Protect\S-1-5-21-3549068214-3021636257-3242902241-500
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Ron\Application Data\Microsoft\Protect\S-1-5-21-3923117766-2444937865-3196067341-500
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Ron\Application Data\Microsoft\SystemCertificates\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Ron\Application Data\Microsoft\SystemCertificates\My
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Ron\Application Data\ThinkVantage\Client Security\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Ron\Application Data\ThinkVantage\Client Security\hibernation.dat
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\ron.000\Application Data\Microsoft\Crypto\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\ron.000\Application Data\Microsoft\Crypto\RSA
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\ron.000\Application Data\Microsoft\Protect\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\ron.000\Application Data\Microsoft\Protect\CREDHIST
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\ron.000\Application Data\Microsoft\Protect\S-1-5-21-1145842898-545744170-2072831958-1007
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\ron.000\Application Data\Microsoft\Protect\S-1-5-21-3549068214-3021636257-3242902241-500
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\ron.000\Application Data\Microsoft\Protect\S-1-5-21-3923117766-2444937865-3196067341-500
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\ron.000\Application Data\Microsoft\SystemCertificates\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\ron.000\Application Data\Microsoft\SystemCertificates\My
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\ron.000\Application Data\ThinkVantage\Client Security\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\ron.000\Application Data\ThinkVantage\Client Security\hibernation.dat
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Tis Admin\Application Data\Microsoft\Crypto\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Tis Admin\Application Data\Microsoft\Crypto\RSA
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Tis Admin\Application Data\Microsoft\Protect\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Tis Admin\Application Data\Microsoft\Protect\CREDHIST
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Tis Admin\Application Data\Microsoft\Protect\S-1-5-21-1145842898-545744170-2072831958-1005
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Tis Admin\Application Data\Microsoft\Protect\S-1-5-21-3549068214-3021636257-3242902241-500
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Tis Admin\Application Data\Microsoft\Protect\S-1-5-21-3923117766-2444937865-3196067341-500
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Tis Admin\Application Data\Microsoft\SystemCertificates\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Tis Admin\Application Data\Microsoft\SystemCertificates\My
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Tis Admin\Application Data\ThinkVantage\Client Security\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Tis Admin\Application Data\ThinkVantage\Client Security\hibernation.dat
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: \\?\C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-3549068214-3021636257-3242902241-500\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-3549068214-3021636257-3242902241-500\e7d933fa-b934-4273-81e4-1e278441e61e
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-3549068214-3021636257-3242902241-500\Preferred
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-3923117766-2444937865-3196067341-500\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-3923117766-2444937865-3196067341-500\efc7d020-6dd9-46dc-a9b6-a786e260856e
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-3923117766-2444937865-3196067341-500\Preferred
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\Certificates
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\CRLs
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\CTLs
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-3549068214-3021636257-3242902241-500\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-3549068214-3021636257-3242902241-500\e7d933fa-b934-4273-81e4-1e278441e61e
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-3549068214-3021636257-3242902241-500\Preferred
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-3923117766-2444937865-3196067341-500\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-3923117766-2444937865-3196067341-500\efc7d020-6dd9-46dc-a9b6-a786e260856e
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-3923117766-2444937865-3196067341-500\Preferred
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\My\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\My\Certificates
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\My\CRLs
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\My\CTLs
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My\Certificates
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My\CRLs
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My\CTLs
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates\My\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates\My\Certificates
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates\My\CRLs
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates\My\CTLs
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Ron\Application Data\Microsoft\Crypto\RSA\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Ron\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1145842898-545744170-2072831958-1007
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Ron\Application Data\Microsoft\Protect\S-1-5-21-1145842898-545744170-2072831958-1007\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Ron\Application Data\Microsoft\Protect\S-1-5-21-1145842898-545744170-2072831958-1007\d2d66a3b-884c-4340-89f1-511d7cc005a5
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Ron\Application Data\Microsoft\Protect\S-1-5-21-1145842898-545744170-2072831958-1007\Preferred
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Ron\Application Data\Microsoft\Protect\S-1-5-21-3549068214-3021636257-3242902241-500\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Ron\Application Data\Microsoft\Protect\S-1-5-21-3549068214-3021636257-3242902241-500\e7d933fa-b934-4273-81e4-1e278441e61e
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Ron\Application Data\Microsoft\Protect\S-1-5-21-3549068214-3021636257-3242902241-500\Preferred
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Ron\Application Data\Microsoft\Protect\S-1-5-21-3923117766-2444937865-3196067341-500\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Ron\Application Data\Microsoft\Protect\S-1-5-21-3923117766-2444937865-3196067341-500\efc7d020-6dd9-46dc-a9b6-a786e260856e
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Ron\Application Data\Microsoft\Protect\S-1-5-21-3923117766-2444937865-3196067341-500\Preferred
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Ron\Application Data\Microsoft\SystemCertificates\My\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Ron\Application Data\Microsoft\SystemCertificates\My\Certificates
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Ron\Application Data\Microsoft\SystemCertificates\My\CRLs
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Ron\Application Data\Microsoft\SystemCertificates\My\CTLs
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\ron.000\Application Data\Microsoft\Crypto\RSA\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\ron.000\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1145842898-545744170-2072831958-1007
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\ron.000\Application Data\Microsoft\Protect\S-1-5-21-1145842898-545744170-2072831958-1007\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\ron.000\Application Data\Microsoft\Protect\S-1-5-21-1145842898-545744170-2072831958-1007\27110fad-dfa1-4f20-bc64-7e2effdcf553
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\ron.000\Application Data\Microsoft\Protect\S-1-5-21-1145842898-545744170-2072831958-1007\300b4304-2c73-4b09-998b-10bad7153b07
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\ron.000\Application Data\Microsoft\Protect\S-1-5-21-1145842898-545744170-2072831958-1007\528e163e-618e-4171-af19-0535559089f7
Status: Invisible

RRbackups is the IBM ThinkVantage backup utility.
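An added example, not part of the thread and not the scanner's own code: a Python helper that reads a report in the Path/Status layout pasted above and separates the "Invisible to the Windows API" entries into those that sit under a directory the scanner could not list at all (error 0x00000005, which is the Win32 code ERROR_ACCESS_DENIED, the result you get from a locked-down backup store such as RRbackups) and those that have no such excuse. The report embedded in the block is constructed for the example; its last entry is invented to show the contrasting case and does not appear in the thread.

```python
"""Triage helper for a scanner report in the Path/Status format pasted above.

Added example, not code from the thread or from the scanner itself.  Win32
error 0x5 is ERROR_ACCESS_DENIED; when a directory listing fails with it, the
raw-disk view will always contain children the API view does not, so every
"Invisible" entry under such a directory is explained by the ACL alone.
Entries that are invisible although every ancestor listed fine are the ones
that deserve a closer look.  SAMPLE_REPORT is constructed for the example;
its last entry is invented and does not come from the thread.
"""
import re
import sys

ERROR_ACCESS_DENIED = 0x5

SAMPLE_REPORT = r"""
Path: \\?\C:\RRbackups\Documents and Settings\Ron\Application Data\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Ron\Application Data\Microsoft
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Ron\Application Data\ThinkVantage
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Ron\Application Data\Microsoft\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Ron\Application Data\Microsoft\Crypto
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\example_unexplained.sys
Status: Invisible to the Windows API!
"""

# One report entry: a "Path:" line immediately followed by a "Status:" line.
ENTRY_RE = re.compile(r"^Path: (?P<path>.+)\r?\nStatus: (?P<status>.+)$", re.M)
# Enumeration failure carrying its hexadecimal Win32 error code.
ENUM_FAIL_RE = re.compile(
    r"Could not enumerate files with the Windows API \(0x([0-9A-Fa-f]+)\)")


def normalize(path):
    """Canonical form for comparison: drop the \\?\ long-path prefix and a
    trailing \* wildcard, then lower-case (NTFS paths are case-insensitive)."""
    if path.startswith("\\\\?\\"):
        path = path[4:]
    if path.endswith("\\*"):
        path = path[:-2]
    return path.rstrip("\\").lower()


def parse_report(text):
    """Return a list of (normalized_path, status) tuples in report order."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        status = m.group("status").strip().rstrip("!")
        entries.append((normalize(m.group("path").strip()), status))
    return entries


def denied_directories(entries):
    """Directories whose API listing failed with ERROR_ACCESS_DENIED."""
    denied = set()
    for path, status in entries:
        m = ENUM_FAIL_RE.search(status)
        if m and int(m.group(1), 16) == ERROR_ACCESS_DENIED:
            denied.add(path)
    return denied


def has_denied_ancestor(path, denied):
    """True if any parent directory of `path` is in `denied`."""
    while "\\" in path:
        path = path.rsplit("\\", 1)[0]
        if path in denied:
            return True
    return False


def triage(entries):
    """Split the 'Invisible to the Windows API' entries into those explained
    by an access-denied parent listing and those that are not."""
    denied = denied_directories(entries)
    explained, unexplained = [], []
    for path, status in entries:
        if not status.startswith("Invisible to the Windows API"):
            continue
        (explained if has_denied_ancestor(path, denied) else unexplained).append(path)
    return {"denied_dirs": sorted(denied),
            "explained_by_acl": explained,
            "unexplained": unexplained}


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_REPORT
    result = triage(parse_report(text))
    print(f"{len(result['denied_dirs'])} directories could not be listed (access denied)")
    print(f"{len(result['explained_by_acl'])} invisible entries sit under one of them")
    print(f"{len(result['unexplained'])} invisible entries are not explained by an ACL:")
    for p in result["unexplained"]:
        print("   ", p)


if __name__ == "__main__":
    main(sys.argv)
```

Run it with a saved report as the only argument, or with no argument to use the embedded sample. This is the check behind treating the RRbackups entries as noise: every "invisible" path in the pasted log has a parent whose listing failed with access denied, so the raw-versus-API mismatch is fully accounted for by the backup store's permissions and is not evidence of API hooking. An entry that is invisible although every ancestor listed normally is the shape a real hidden file takes in this kind of output, and that is the only category worth chasing.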

Tarun

Technician's Corner Moderator

Join Date: Jan 2006

The TARDIS

http://www.lunarsoft.net/ http://forums.lunarsoft.net/

Looks like everything is clean. You may want to run MBAM and SAS in full once more.

Kattar

EXCESSIVE FLUTTERCUSSING

Join Date: Mar 2007


Thanks Tarun. I appreciate all your work on this.

As Snograt said, make sure you have quality antivirus/anti-malware software, not just up-to-date antivirus/anti-malware software.

Spiritz

Forge Runner

Join Date: Apr 2007

DMFC

There was a good Vundo remover; VundoFix, I think, was its name.
When I managed to catch a Vundo virus it did the job and, touch wood, I've never had another Vundo since.
What I find with Vundo is its annoying capability of cloning itself, both in the registry and in system folders.
Once it digs in it can take a while to search for its clones, remove them and hunt down any registry entries. Just finding the clones doesn't work, as they often replicate at boot-up (thank you, registry, grrr) or replicate on removal.

Someone should invest in making one antivirus company, not the loads we have, as they all have their flaws. McAfee and Norton have their issues, and McAfee reported so many fake viruses when I used it that I gave up: it said virus and an online scan said clean (I ran six different antivirus programs and all said clean).