problems with malware (In Progress)

twigdip
Join Date: Aug 2008
Experience: Beginner
15-Jun-2010, 11:10 AM #1
problems with malware
Hi techsupportguys!

Having problem with my system. Website redirections, and malware (weird programs running in my processes: Omutya.exe, otx.exe). NOD32 has brought up a couple of trojans so I know there is something going wrong.

I am running Windows XP, Service pack 2

Would be very grateful if someone could help me out.
I have pasted the hijackthis log below. Let me know if there is anything else I should paste/write.

many thanks
twigdip


EDIT: Oh, and now my laptop has decided to randomly go into Standby mode every 10-15 minutes, for absolutely no reason. I have to restart the system every time. I am plugged to the wall with 'always on' as a power setting, so it's definitely something to do with malware.....
HELP!


--------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:48:23 PM, on 6/15/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\WINDOWS\system32\acs.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\GNU\GnuPG\dirmngr.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\stickies\stickies.exe
C:\Program Files\Nepali Calendar\Calendar.exe
C:\WINDOWS\Omutya.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\IANFIT~1\LOCALS~1\Temp\Otx.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [setupupdater0000.exe] C:\Documents and Settings\Ian Fitzpatrick\Application Data\4DCAFA68486C83F00607E3FD45D36A5C\setupupdater0000.exe
O4 - HKCU\..\Run: [M5T8QL3YW3] C:\DOCUME~1\IANFIT~1\LOCALS~1\Temp\Otx.exe
O4 - S-1-5-18 Startup: Antimalware Doctor.lnk = C:\Documents and Settings\Ian Fitzpatrick\Application Data\4DCAFA68486C83F00607E3FD45D36A5C\setupupdater0000.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: Dual Calendar.Lnk = C:\Program Files\Nepali Calendar\Calendar.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Antimalware Doctor.lnk = C:\Documents and Settings\Ian Fitzpatrick\Application Data\4DCAFA68486C83F00607E3FD45D36A5C\setupupdater0000.exe (User 'Default user')
O4 - .DEFAULT Startup: Dual Calendar.Lnk = C:\Program Files\Nepali Calendar\Calendar.exe (User 'Default user')
O4 - Startup: Antimalware Doctor.lnk = C:\Documents and Settings\Ian Fitzpatrick\Application Data\4DCAFA68486C83F00607E3FD45D36A5C\setupupdater0000.exe
O4 - Startup: Dual Calendar.Lnk = C:\Program Files\Nepali Calendar\Calendar.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program FilesVPN Client\vpngui.exe
O4 - Global Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: System Update - {DA320635-F48C-4613-8325-D75A933C549E} - C:\Program Files\Lenovo\System Update\sulauncher.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.lenovo.com/welcome/thinkpad
O16 - DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{75CB3293-F75B-40D9-980D-42F3932CDECD}: NameServer = 93.188.162.60,93.188.161.190
O17 - HKLM\System\CCS\Services\Tcpip\..\{E331360D-8FB8-45D9-8E05-4171BB0FCA42}: NameServer = 93.188.162.60,93.188.161.190
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.162.60,93.188.161.190
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.60,93.188.161.190
O18 - Protocol: biblioscape - (no CLSID) - (no file)
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\Skype4COM.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: AwayNotify - C:\Program Files\Lenovo\AwayTask\AwayNotify.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Atheros Configuration Service (acs) - Atheros - C:\WINDOWS\system32\acs.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Cisco Systems, Inc. Installer service (CiscoVpnInstallService) - Unknown owner - C:\DOCUME~1\IANFIT~1\LOCALS~1\temp\WZSE0.TMP\installservice.exe (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DirMngr - Unknown owner - C:\Program Files\GNU\GnuPG\dirmngr.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Unknown owner - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Unknown owner - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe (file missing)
O23 - Service: System Update (SUService) - - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Unknown owner - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: tvtnetwk - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe

--
End of file - 13282 bytes

Last edited by twigdip; 15-Jun-2010 at 12:51 PM.. Reason: Added issue of laptop going into standby randomly
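The HijackThis log above is readable by eye, but the entries that matter here (the O17 NameServer lines pointing at unfamiliar resolvers, the O4 autoruns and running processes living under Temp and Application Data, and the orphaned "(no file)"/"(file missing)" hooks) are exactly the ones a triage script can pull out of a long log. The script below is an added example, not part of the thread or of HijackThis itself. It generalises the specific log above into a small set of heuristics; the KNOWN_RESOLVERS allowlist is a placeholder assumption the analyst must fill in for the host in question, the WINDIR_ROOT_OK allowlist is deliberately short, and the sample lines are copied from the log above and reduced to a handful for a runnable demonstration. Every hit is a candidate for review, not a verdict.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity kind line")

# Assumption: resolvers the analyst considers known-good for this machine
# (placeholders here).  Any other address in an O17 NameServer entry is flagged.
KNOWN_RESOLVERS = {"8.8.8.8", "8.8.4.4"}

# Executables that legitimately live directly in %WINDIR% (short allowlist).
WINDIR_ROOT_OK = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe"}

ENTRY = re.compile(r"^(O\d+|R\d) - ")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Per-user writable locations where a persistent autorun rarely belongs.
USER_WRITABLE = re.compile(
    r"\\(?:LOCALS~1\\Temp|Local Settings\\Temp|Application Data|APPLIC~1)\\",
    re.IGNORECASE,
)
WINDIR_ROOT_EXE = re.compile(r"^[A-Z]:\\WINDOWS\\([^\\]+\.exe)$", re.IGNORECASE)


def triage(log_text):
    """Return Finding tuples for the suspicious lines of a HijackThis log."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        entry = ENTRY.match(line)
        if entry is None:
            if in_processes and line:
                _check_process(line, findings)
            elif not line:
                in_processes = False  # blank line ends the process list
            continue
        in_processes = False
        kind = entry.group(1)
        if kind == "O17":
            # DNS servers set per interface or globally; unknown ones mean the
            # machine's name resolution may be under someone else's control.
            unknown = [ip for ip in IPV4.findall(line) if ip not in KNOWN_RESOLVERS]
            if unknown:
                findings.append(Finding("high", "dns-hijack?", line))
        elif kind == "O4" and USER_WRITABLE.search(line):
            findings.append(Finding("high", "autorun-in-user-dir", line))
        elif kind in ("O2", "O3", "O23") and (
            "(no file)" in line or "(file missing)" in line
        ):
            findings.append(Finding("low", "orphaned-entry", line))
    return findings


def _check_process(path, findings):
    """Running-process heuristics: Temp/AppData, or bare %WINDIR% executables."""
    if USER_WRITABLE.search(path):
        findings.append(Finding("high", "process-in-user-dir", path))
        return
    m = WINDIR_ROOT_EXE.match(path)
    if m and m.group(1).lower() not in WINDIR_ROOT_OK:
        findings.append(Finding("medium", "exe-in-windows-root", path))


# Constructed sample: lines copied from the log above, reduced to a handful.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Omutya.exe
C:\DOCUME~1\IANFIT~1\LOCALS~1\Temp\Otx.exe

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - (no file)
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [M5T8QL3YW3] C:\DOCUME~1\IANFIT~1\LOCALS~1\Temp\Otx.exe
O4 - Startup: Antimalware Doctor.lnk = C:\Documents and Settings\Ian Fitzpatrick\Application Data\4DCAFA68486C83F00607E3FD45D36A5C\setupupdater0000.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.60,93.188.161.190
O23 - Service: Cisco Systems, Inc. Installer service (CiscoVpnInstallService) - Unknown owner - C:\DOCUME~1\IANFIT~1\LOCALS~1\temp\WZSE0.TMP\installservice.exe (file missing)
"""


def report(log_text=SAMPLE_LOG):
    """Print findings grouped by severity; returns the count per severity."""
    findings = triage(log_text)
    counts = {}
    for sev in ("high", "medium", "low"):
        hits = [f for f in findings if f.severity == sev]
        counts[sev] = len(hits)
        for f in hits:
            print(f"[{sev:6}] {f.kind:22} {f.line}")
    return counts


if __name__ == "__main__":
    report()
```

Run it against a full log saved from HijackThis (`triage(open("hijackthis.log").read())`) and work through the high findings first: on the sample above that is the Temp-resident process and its HKCU Run entry, the Antimalware Doctor startup shortcut under Application Data, and the NameServer override. The low findings are orphaned registry pointers; they are worth cleaning but are not evidence of an active infection on their own.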
twigdip
16-Jun-2010, 07:53 AM #2
still lots of malware I think
Now I can't use websites like www.guardian.co.uk without the page being redirected to a cnet survey. And the program antimalware doctor seems to be lurking on the site.

Would be grateful for help!
thanks.
Cookiegal, Administrator & Malware Removal Specialist (Quebec, Canada)
17-Jun-2010, 01:37 PM #3
Please visit the Combofix Guide & Instructions page for instructions on installing the Recovery Console and on downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to puppy.exe please.

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read HERE for an article written by dvk01 on why we disable autoruns.
__________________
Microsoft MVP - Consumer Security
twigdip
18-Jun-2010, 04:35 AM #4
logs
Many thanks for your help.

Combofix and HiJackThis logs below:


ComboFix 10-06-17.02 - Ian Fitzpatrick 06/18/2010 8:13.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1308 [GMT 1:00]
Running from: c:\documents and settings\Ian Fitzpatrick\My Documents\Downloads\puppy.exe
AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\data
c:\data\test.ttf
c:\documents and settings\Ian Fitzpatrick\Application Data\4DCAFA68486C83F00607E3FD45D36A5C
c:\documents and settings\Ian Fitzpatrick\Application Data\4DCAFA68486C83F00607E3FD45D36A5C\enemies-names.txt
c:\documents and settings\Ian Fitzpatrick\Application Data\4DCAFA68486C83F00607E3FD45D36A5C\local.ini
c:\documents and settings\Ian Fitzpatrick\Application Data\Microsoft\Internet Explorer\Quick Launch\Antimalware Doctor.lnk
c:\documents and settings\Ian Fitzpatrick\Start Menu\Antimalware Doctor.lnk
c:\documents and settings\Ian Fitzpatrick\Start Menu\Programs\Startup\Antimalware Doctor.lnk
c:\program files\WinConfig
c:\windows\system32\ernel32.dll
c:\windows\system32\Ijl11.dll
c:\windows\system32\spool\prtprocs\w32x86\1q9317.dll
c:\windows\system32\spool\prtprocs\w32x86\3kU9317k.dll
c:\windows\system32\spool\prtprocs\w32x86\5m55w.dll
c:\windows\system32\spool\prtprocs\w32x86\A1k9317c.dll
c:\windows\system32\spool\prtprocs\w32x86\A9kU7mY.dll
c:\windows\system32\spool\prtprocs\w32x86\EI7931q9.dll
c:\windows\system32\spool\prtprocs\w32x86\kU7mY179.dll
c:\windows\system32\spool\prtprocs\w32x86\s931793.dll
c:\windows\system32\win.com
c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job

.
((((((((((((((((((((((((( Files Created from 2010-05-18 to 2010-06-18 )))))))))))))))))))))))))))))))
.

2010-06-15 13:47 . 2010-06-15 13:47 388096 ----a-r- c:\documents and settings\Ian Fitzpatrick\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-06-15 13:47 . 2010-06-15 13:47 -------- d-----w- c:\program files\Trend Micro
2010-06-15 12:06 . 2010-06-15 12:06 -------- d-----w- c:\program files\Common Files\Deterministic Networks
2010-06-14 16:27 . 2010-06-14 17:53 -------- d-----w- c:\documents and settings\All Users\Application Data\BitDefender
2010-06-14 16:27 . 2010-06-14 16:28 -------- d-----w- c:\documents and settings\Ian Fitzpatrick\Application Data\BitDefender
2010-06-14 16:27 . 2010-06-14 16:27 -------- d-----w- c:\program files\BitDefender
2010-06-14 16:25 . 2010-06-14 17:53 -------- d-----w- c:\program files\Common Files\BitDefender
2010-06-14 15:48 . 2010-06-14 16:33 -------- d-----w- c:\documents and settings\Ian Fitzpatrick\Application Data\QuickScan
2010-06-14 15:48 . 2010-05-31 15:34 702120 ----a-w- c:\documents and settings\Ian Fitzpatrick\Application Data\Mozilla\Firefox\Profiles\xsrub3pm.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
2010-06-14 15:48 . 2010-05-31 15:34 868456 ----a-w- c:\documents and settings\Ian Fitzpatrick\Application Data\Mozilla\Firefox\Profiles\xsrub3pm.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
2010-06-14 14:38 . 2004-08-03 21:59 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-06-14 14:38 . 2004-08-03 21:59 34688 ----a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-06-14 14:38 . 2004-08-03 22:00 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-06-14 14:38 . 2004-08-03 22:00 8192 ----a-w- c:\windows\system32\dllcache\changer.sys
2010-06-14 14:37 . 2010-06-14 14:37 74752 ----a-w- c:\documents and settings\Ian Fitzpatrick\Application Data\ff3def98.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-18 07:25 . 2010-04-23 18:02 -------- d-----w- c:\documents and settings\Ian Fitzpatrick\Application Data\stickies
2010-06-18 07:15 . 2008-11-08 09:14 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-06-14 14:38 . 2008-08-10 22:34 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-06-14 13:14 . 2007-06-10 02:58 -------- d-----w- c:\documents and settings\Ian Fitzpatrick\Application Data\uTorrent
2010-06-13 19:08 . 2007-11-03 10:41 -------- d-----w- c:\documents and settings\Ian Fitzpatrick\Application Data\Skype
2010-06-13 17:18 . 2010-01-06 10:50 -------- d-----w- c:\documents and settings\Ian Fitzpatrick\Application Data\skypePM
2010-06-13 07:12 . 2007-02-25 10:09 5427 ----a-w- c:\windows\system32\EGATHDRV.SYS
2010-05-14 12:11 . 2010-05-14 11:27 -------- d-----w- c:\program files\PDF Password Remover 3.1 Portable by LP
2010-05-13 20:09 . 2007-06-10 02:57 321328 -c--a-w- c:\program files\utorrent.exe
2010-04-29 13:21 . 2009-01-21 12:40 -------- d-----w- c:\documents and settings\Ian Fitzpatrick\Application Data\gtk-2.0
2010-04-28 18:10 . 2008-10-06 10:24 -------- d-----w- c:\documents and settings\Ian Fitzpatrick\Application Data\SmartDraw
2010-04-24 14:22 . 2010-04-24 14:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Cisco
2010-04-23 18:04 . 2010-04-23 17:53 -------- d-----w- c:\program files\Sticky Notes Manager 1.0
2010-04-23 18:02 . 2010-04-23 18:02 496 -c--a-w- c:\windows\uninstallstickies.bat
2010-04-23 18:02 . 2010-04-23 18:02 -------- d-----w- c:\program files\stickies
2010-04-01 17:50 . 2010-04-01 17:50 77824 -c--a-w- c:\documents and settings\Ian Fitzpatrick\Application Data\XMind\configuration-cathy\org.eclipse.osgi\bundles\178\1\.cp\swt-gdip-win32-3555.dll
2010-04-01 17:50 . 2010-04-01 17:50 348160 -c--a-w- c:\documents and settings\Ian Fitzpatrick\Application Data\XMind\configuration-cathy\org.eclipse.osgi\bundles\178\1\.cp\swt-win32-3555.dll
2010-03-29 23:46 . 2008-08-10 20:59 38224 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 23:45 . 2008-08-10 20:59 20824 -c--a-w- c:\windows\system32\drivers\mbam.sys
2010-03-26 12:02 . 2010-03-26 12:02 375162 -c--a-r- c:\documents and settings\Ian Fitzpatrick\Application Data\Microsoft\Installer\{1F1C4668-7767-4109-9B5E-19AD056F2CA0}\_62C7126616B954B0A3B534.exe
2010-03-26 12:02 . 2010-03-26 12:02 375162 -c--a-r- c:\documents and settings\Ian Fitzpatrick\Application Data\Microsoft\Installer\{1F1C4668-7767-4109-9B5E-19AD056F2CA0}\_0F7A346F42AC9EA04D958A.exe
2010-03-26 12:00 . 2010-03-26 12:00 5161984 -c--a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\15369F80F920484EABEE8CCB11D0565F\vodburner\VodBurner.exe
2010-03-26 12:00 . 2010-03-26 12:00 29696 -c--a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\15369F80F920484EABEE8CCB11D0565F\vodburner\sl_wmf.dll
2010-03-26 12:00 . 2010-03-26 12:00 17920 -c--a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\15369F80F920484EABEE8CCB11D0565F\vodburner\sl_asf.dll
2010-03-26 12:00 . 2010-03-26 12:00 626688 -c--a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\15369F80F920484EABEE8CCB11D0565F\vodburner\msvcr80.dll
2010-03-26 12:00 . 2010-03-26 12:00 620032 -c--a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\15369F80F920484EABEE8CCB11D0565F\vodburner\SLHook.dll
2010-03-26 12:00 . 2010-03-26 12:00 603648 -c--a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\15369F80F920484EABEE8CCB11D0565F\vodburner\refine.exe
2010-03-26 12:00 . 2010-03-26 12:00 1700352 -c--a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\15369F80F920484EABEE8CCB11D0565F\vodburner\GdiPlus.dll
2010-03-26 12:00 . 2010-03-26 12:00 826880 -c--a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\15369F80F920484EABEE8CCB11D0565F\slplugin.dll
2010-03-26 12:00 . 2010-03-26 12:00 428032 -c--a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\15369F80F920484EABEE8CCB11D0565F\rubit.exe
2010-03-26 12:00 . 2010-03-26 12:00 2608128 -c--a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\15369F80F920484EABEE8CCB11D0565F\vodburner\Desk.exe
2009-12-30 08:22 . 2010-05-14 11:26 1917188 ----a-w- c:\program files\PDF Password Remover v3.1.exe
2009-03-24 13:33 . 2009-03-24 13:33 408216 -c--a-w- c:\program files\14458-utorrent.564c.dmp
2009-02-16 11:42 . 2009-02-16 11:42 383651 -c--a-w- c:\program files\14458-utorrent.f80e.dmp
2009-02-09 17:19 . 2009-02-09 17:19 351449 -c--a-w- c:\program files\14458-utorrent.2c3a.dmp
2008-12-23 11:34 . 2008-12-23 11:33 520192 -c--a-w- c:\program files\WinDjView-0.5.exe
2008-07-22 17:06 . 2008-07-22 17:06 604 -c-ha-w- c:\program files\STLL Notifier
2007-02-22 20:08 . 2007-02-22 20:08 925696 -c--a-w- c:\program files\fileinfo.exe
2007-02-19 15:28 . 2007-02-19 15:28 117974 -c--a-r- c:\program files\GSpot27.dat
2006-03-20 22:37 . 2007-06-01 18:35 5689344 -c--a-w- c:\program files\Mplayer.exe
2007-12-10 17:40 . 2007-12-10 17:40 6275816 -c--a-w- c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll
2008-01-22 15:14 . 2008-01-22 15:14 198 -csh--r- c:\windows\system32\TithiMiti.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2006-05-25 151552]
"TpShocks"="TpShocks.exe" [2006-03-16 106496]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2007-11-03 949376]

c:\documents and settings\Ian Fitzpatrick\Start Menu\Programs\Startup\
Dual Calendar.Lnk - c:\program files\Nepali Calendar\Calendar.exe [2007-6-5 1640448]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoNetSetup"= 0 (0x0)
"NoPrinters"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 12:41 294912 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AwayNotify]
2006-08-16 17:07 49152 ----a-w- c:\program files\Lenovo\AwayTask\AwayNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-04-26 03:20 40448 ----a-w- c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-11-30 11:16 24576 ----a-w- c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave"=DrvTrNTm.dll
"mixer"=DrvTrNTm.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKLM\~\startupfolder\C:^Documents and Settings^Ian Fitzpatrick^Start Menu^Programs^Startup^Dual Calendar.Lnk]
backup=c:\windows\pss\Dual Calendar.LnkStartup
path=c:\documents and settings\Ian Fitzpatrick\Start Menu\Programs\Startup\Dual Calendar.Lnk

[HKLM\~\startupfolder\C:^Documents and Settings^Ian Fitzpatrick^Start Menu^Programs^Startup^MagicDisc.lnk]
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2005-09-24 05:30 483328 -c--a-w- c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BLOG]
2006-05-25 16:13 208896 -c--a-w- c:\progra~1\ThinkPad\UTILIT~1\BATLOGEX.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2004-08-04 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-26 19:02 31016 -c--a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-09-06 15:09 413696 -c--a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Radio Downloader]
2010-03-19 15:43 468320 -c--a-w- c:\program files\Radio Downloader\Radio Downloader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-09-25 01:11 132496 -c--a-w- c:\program files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-07-19 15:01 185896 -c--a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2010-05-13 20:09 321328 -c--a-w- c:\program files\utorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Microsoft Office Groove Audit Service"=3 (0x3)
"CVPND"=2 (0x2)
"ArcGIS License Manager"=2 (0x2)
"UleadBurningHelper"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"SerialNumber"="A109A-K13-3ZXD-BAP5-TE"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\utorrent.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\EndNote X1\\EndNote.exe"=
"c:\\Program Files\\SPSSInc\\Statistics17\\statistics.exe"=
"c:\\Program Files\\SPSSInc\\Statistics17\\SPSSWinWrapIDE.exe"=
"c:\\Program Files\\SPSSInc\\Statistics17\\statistics.com"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\DC++\\DCPlusPlus.exe"=
"c:\\Program Files\\WinHTTrack\\WinHTTrack.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\MP3 Skype Recorder\\MP3 Skype Recorder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"42377:TCP"= 42377:TCP:utorrent
"42377:UDP"= 42377:UDP:utorrent
"17503:TCP"= 17503:TCP:BitComet 17503 TCP
"17503:UDP"= 17503:UDP:BitComet 17503 UDP
"64514:TCP"= 64514:TCP:Utorrent
"64514:UDP"= 64514:UDP:Utorrent

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [11/3/2007 10:47 AM 15424]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/28/2008 10:33 AM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/28/2008 10:33 AM 55024]
R2 DirMngr;DirMngr;c:\program files\GNU\GnuPG\dirmngr.exe [2/3/2010 1:13 PM 242176]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [1/8/2009 11:31 AM 210216]
R2 MSSQL$QSRNVIVO8;SQL Server (QSRNVIVO8);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2/10/2007 6:29 AM 29178224]
R2 PrivateDisk;PrivateDisk;c:\program files\Lenovo\SafeGuard PrivateDisk\privatediskm.sys [3/14/2006 1:05 AM 58368]
R2 smi2;smi2;c:\program files\SMI2\smi2.sys [7/15/2006 12:55 AM 3968]
R2 smihlp;SMI helper driver;c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [4/26/2006 4:00 AM 3456]
R3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [2/25/2007 10:42 AM 13840]
S2 gafwload;Eicon Networks USB ADSL Loader;c:\windows\system32\DRIVERS\gafwload.sys --> c:\windows\system32\DRIVERS\gafwload.sys [?]
S3 ICDSX;Sony IC Recorder (SX);c:\windows\system32\Drivers\ICDSX.sys --> c:\windows\system32\Drivers\ICDSX.sys [?]
S4 ArcGIS License Manager;ArcGIS License Manager;c:\progra~1\ESRI\License\arcgis9x\lmgrd.exe [1/30/2008 12:35 PM 467968]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-06-18 c:\windows\Tasks\MSWD-ff3def98.job
- c:\documents and settings\Ian Fitzpatrick\Application Data\ff3def98.exe [2010-06-14 14:37]

2010-06-18 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2007-02-25 16:13]

2010-06-18 c:\windows\Tasks\SDMsgUpdate (SD).job
- c:\progra~1\SmartDraw 7\Messages\SDNotify.exe [2008-10-06 09:09]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
LSP: c:\windows\system32\imon.dll
DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab
FF - ProfilePath - c:\documents and settings\Ian Fitzpatrick\Application Data\Mozilla\Firefox\Profiles\xsrub3pm.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\documents and settings\Ian Fitzpatrick\Application Data\Mozilla\Firefox\Profiles\xsrub3pm.default\extensions\zoteroWinWordIntegration@zotero.org\components\zoteroWinWordIntegration.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-setupupdater0000.exe - c:\documents and settings\Ian Fitzpatrick\Application Data\4DCAFA68486C83F00607E3FD45D36A5C\setupupdater0000.exe
MSConfigStartUp-Sticky Notes Manager 1 - c:\program files\Sticky Notes Manager 1.0\StickyNotesManager.exe



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\SetID\Internal]
@Denied: (A 2) (LocalSystem)
"DATA"="<settings expireTime=\"0\" productStatus=\"1\" obSize=\"0\" InstallSTD=\"2145870353\" isSubsc=\"0\" version=\"12.0.1\" timeDiff=\"1\" oldDevice=\"\" authStatus_av=\"0\" />"
"Device"="xr3Pxr2+yLnPx87MzrzMy8y7zcs="

[HKEY_USERS\S-1-5-21-2878861388-2346302239-923548273-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{26F21ECC-291C-0724-B8F5-1CA67BEE7387}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"abmbaihdccgoneimojifmcjenjopiajioh"=hex:61,62,6b,61,66,6f,63,65,6f,61,6d,63,
6d,6c,6a,6c,67,65,6e,69,66,62,65,65,6e,6a,6d,67,67,70,6c,62,6d,6d,00,77
"bbmbaihdccgoneimojpfdchcnihhlohgigba"=hex:61,62,70,6f,62,68,6d,6c,66,6d,70,70,
64,6f,64,6e,65,68,6c,6e,61,66,61,64,64,67,6c,67,65,65,68,70,70,64,00,77
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(432)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\windows\system32\biologon.dll
c:\program files\ThinkVantage Fingerprint Software\homepass.dll
c:\program files\ThinkVantage Fingerprint Software\bio.dll
c:\program files\ThinkVantage Fingerprint Software\remote.dll
c:\windows\system32\tphklock.dll
c:\program files\Lenovo\AwayTask\AwayNotify.dll

- - - - - - - > 'lsass.exe'(488)
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll

- - - - - - - > 'explorer.exe'(3444)
c:\windows\system32\PROCHLP.DLL
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL
c:\progra~1\ThinkPad\UTILIT~1\US\PWRMGRRT.DLL
c:\progra~1\ThinkPad\UTILIT~1\PWRMGRIF.DLL
c:\windows\system32\Sensor.dll
c:\windows\system32\igfxdev.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\IPSSVC.EXE
c:\windows\system32\acs.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\Eset\nod32krn.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\lenovo\system update\suservice.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\System32\TPHDEXLG.EXE
c:\windows\system32\TpKmpSVC.exe
c:\program files\Lenovo\Client Security Solution\tvttcsd.exe
c:\program files\Lenovo\Rescue and Recovery\rrservice.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\Lenovo\Rescue and Recovery\ADM\IUService.exe
c:\program files\Common Files\Lenovo\Logger\logmon.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\TpShocks.exe
c:\program files\stickies\stickies.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-06-18 08:30:48 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-18 07:30

Pre-Run: 5,161,795,584 bytes free
Post-Run: 4,991,934,464 bytes free

- - End Of File - - 329F5E17B0B1D1CF6E5E4860EAB78429




Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:35:22 AM, on 6/18/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\WINDOWS\system32\acs.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\GNU\GnuPG\dirmngr.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\stickies\stickies.exe
C:\Program Files\Nepali Calendar\Calendar.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - S-1-5-18 Startup: Dual Calendar.Lnk = C:\Program Files\Nepali Calendar\Calendar.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Dual Calendar.Lnk = C:\Program Files\Nepali Calendar\Calendar.exe (User 'Default user')
O4 - Startup: Dual Calendar.Lnk = C:\Program Files\Nepali Calendar\Calendar.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program FilesVPN Client\vpngui.exe
O4 - Global Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: System Update - {DA320635-F48C-4613-8325-D75A933C549E} - C:\Program Files\Lenovo\System Update\sulauncher.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.lenovo.com/welcome/thinkpad
O16 - DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab
O18 - Protocol: biblioscape - (no CLSID) - (no file)
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\Skype4COM.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: AwayNotify - C:\Program Files\Lenovo\AwayTask\AwayNotify.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Atheros Configuration Service (acs) - Atheros - C:\WINDOWS\system32\acs.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Cisco Systems, Inc. Installer service (CiscoVpnInstallService) - Unknown owner - C:\DOCUME~1\IANFIT~1\LOCALS~1\temp\WZSE0.TMP\installservice.exe (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DirMngr - Unknown owner - C:\Program Files\GNU\GnuPG\dirmngr.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Unknown owner - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Unknown owner - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe (file missing)
O23 - Service: System Update (SUService) - - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Unknown owner - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: tvtnetwk - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe

--
End of file - 11978 bytes
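The HijackThis log above is read by hand in this thread, entry by entry. As an added example (not from the thread, and not part of HijackThis), here is a small Python triage parser that does the first pass a malware-removal helper does mentally: it splits the `Rn`/`On` lines into entries and tags the indicators worth a second look, such as `(file missing)` and `(no file)` registrations, services with `Unknown owner`, the Winsock LSP warning, autostarts under the SYSTEM account, and executables living under `Application Data` or a Temp folder. The sample lines are copied from the log above, except for one O4 line that is a reconstruction in HijackThis style of the `setupupdater0000.exe` orphan ComboFix listed; the function and pattern names (`triage`, `DROP_DIR_RE`, and so on) are this example's own.

```python
"""Triage helper for a HijackThis log.

Added example for this thread; it is not part of HijackThis or of the
posts above.  It parses the "Rn"/"On" entry lines and attaches the
indicators a malware-removal helper scans for first: registrations that
point at missing files, services with no publisher, Winsock LSP warnings,
autostarts under SYSTEM, and executables under Application Data or Temp.
"""
import re
from dataclasses import dataclass, field

# One HijackThis entry: a section code (R0, O4, O23, ...) then " - " and the body.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+)\s+-\s+(?P<body>.+)$")

# Executables under a user's Application Data or a Temp directory are a
# classic drop location on Windows XP (ff3def98.exe in this thread lives there).
DROP_DIR_RE = re.compile(
    r"\\(?:application data|local settings\\temp|locals~1|temp)\\.*\.(?:exe|dll|sys)\b",
    re.IGNORECASE,
)


@dataclass
class Entry:
    code: str
    body: str
    flags: list = field(default_factory=list)


def classify(code: str, body: str) -> list:
    """Return the indicator labels that apply to one entry (possibly none)."""
    flags = []
    if "(file missing)" in body:
        flags.append("file-missing")            # registration outlives its binary
    if "(no file)" in body:
        flags.append("no-file")                 # BHO/CLSID with no backing DLL
    if "Unknown owner" in body:
        flags.append("unknown-owner")           # service binary has no company name
    if "Unknown file in Winsock LSP" in body:
        flags.append("unknown-lsp")             # HijackThis' own LSP warning
    if DROP_DIR_RE.search(body):
        flags.append("drop-dir-executable")
    if code == "O4" and "(User 'SYSTEM')" in body:
        flags.append("system-account-startup")  # autostart under the SYSTEM profile
    return flags


def parse_hjt(text: str) -> list:
    """Parse every entry line; the process list and headers are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            code, body = m.group("code"), m.group("body")
            entries.append(Entry(code, body, classify(code, body)))
    return entries


def triage(text: str) -> list:
    """Only the entries that carry at least one indicator, in log order."""
    return [e for e in parse_hjt(text) if e.flags]


# Constructed sample: lines copied from the log in this thread, plus one O4
# line written in HijackThis style for the setupupdater0000.exe orphan that
# ComboFix listed (that line is a reconstruction, not a quote).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4
Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - (no file)
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [setupupdater0000.exe] c:\documents and settings\Ian Fitzpatrick\Application Data\4DCAFA68486C83F00607E3FD45D36A5C\setupupdater0000.exe
O4 - S-1-5-18 Startup: Dual Calendar.Lnk = C:\Program Files\Nepali Calendar\Calendar.exe (User 'SYSTEM')
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: Cisco Systems, Inc. Installer service (CiscoVpnInstallService) - Unknown owner - C:\DOCUME~1\IANFIT~1\LOCALS~1\temp\WZSE0.TMP\installservice.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.code:<4} {', '.join(e.flags):<45} {e.body}")
```

The flags are leads, not verdicts: the same log shows `Unknown owner` on several legitimate Lenovo and McAfee services, and `nwprovau.dll` is the NetWare client provider, so each flagged entry still needs the file looked up (or scanned, as the thread goes on to do) before anything is removed.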
Cookiegal's Avatar
Administrator & Malware Removal Specialist with 79,289 posts.
 
Join Date: Aug 2003
Location: Quebec, Canada
19-Jun-2010, 03:27 PM #5
Click on My Computer. Go to Tools - Folder Options. Click on the View tab and make sure that Show hidden files and folders is checked. Also uncheck Hide protected operating system files and Hide extensions for known file types. Now click Apply to all folders. Click Apply then OK.

Then go to the link below and upload the following file(s) for analysis and post the results please:

http://virusscan.jotti.org/

c:\documents and settings\Ian Fitzpatrick\Application Data\ff3def98.exe
c:\windows\system32\TithiMiti.sys
__________________
Microsoft MVP - Consumer Security
twigdip's Avatar
Computer Specs
Member with 32 posts.
 
Join Date: Aug 2008
Experience: Beginner
20-Jun-2010, 02:34 PM #6
update
Thanks again.
I have done as you said.
Below are the results.
These are the permalinks:
http://virusscan.jotti.org/en/scanre...15fe715f93508d

Jotti's malware scan

Filename: ff3def98.exe Status: Scan finished. 9 out of 19 scanners reported malware.
Scan taken on: Sun 20 Jun 2010 19:17:07 (CET) Permalink


Additional info

File size: 74752 bytes Filetype: PE32 executable for MS Windows (GUI) Intel 80386 32-bit MD5: 9cc251fc083c9890455609e95390c077 SHA1: 94706d908291d788b78ee277ac5d1447dd07cfc1

Scanners

2010-06-20 Found nothing
2010-06-20 Trojan.Generic.4164368
2010-06-20 Win32:Malware-gen
2010-06-20 Trojan.SuspectCRC
2010-06-20 Crypt.WUX
2010-06-20 Found nothing
2010-06-18 TR/Spy.74752.34
2010-06-20 Found nothing
2010-06-20 Trojan.Generic.4164368
2010-06-20 Found nothing
2010-06-20 Found nothing
2010-06-18 Found nothing
2010-06-20 Found nothing
2010-06-20 Sus/UnkPack-C
2010-06-20 Trojan.PWS.IpDiscover.11
2010-06-18 Found nothing
2010-06-19 Found nothing
2010-06-20 Trojan.Alureon.QYB
2010-06-20 Found nothing


Filename: TithiMiti.sys Status: Scan finished. 0 out of 19 scanners reported malware.
Scan taken on: Sun 20 Jun 2010 19:26:35 (CET) Permalink

Additional info

File size: 198 bytes Filetype: DBase 3 data file with memo(s) MD5: a2d89fea677312748f255c644c07215d SHA1: 0496e1ce3ac71381f95e8eccfcc95d7c7f87319e

Scanners

FOUND NOTHING ON ALL OF THEM.


2010-06-20 Found nothing
2010-06-20 Found nothing
2010-06-20 Found nothing
2010-06-20 Found nothing
2010-06-20 Found nothing
2010-06-20 Found nothing
2010-06-18 Found nothing
2010-06-20 Found nothing
2010-06-20 Found nothing
2010-06-20 Found nothing
2010-06-18 Found nothing

2010-06-20 Found nothing
2010-06-20 Found nothing
2010-06-18 Found nothing
2010-06-19 Found nothing
2010-06-20 Found nothing
2010-06-20 Found nothing
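Two things are worth checking on a multi-engine result like the one pasted above: that the hashes in the report match the bytes you actually hold (so the verdict applies to the file you are about to clean up, not a different copy), and how many engines agree and on what. As an added example (not part of the thread or of Jotti's service), the Python below computes the MD5/SHA1 digests the report shows, compares them with the reported values, and reduces the flattened "date verdict" lines to a detection ratio and a tally of verdict names. The bytes are a constructed stand-in, not the real `ff3def98.exe`; the result lines are copied from the post above; function names are this example's own.

```python
"""Verify a sample's identity and summarise multi-engine scan results.

Added example for this thread; not part of Jotti's service or of the
posts above.  Before uploading a suspect file, record its MD5/SHA1 locally
so the hashes in the scanner report can be checked against the bytes
actually held; then reduce the pasted result list to a detection ratio.
"""
import hashlib
import re
from collections import Counter

# Hashes Jotti reported for ff3def98.exe in the post above.
REPORTED_HASHES = {
    "md5": "9cc251fc083c9890455609e95390c077",
    "sha1": "94706d908291d788b78ee277ac5d1447dd07cfc1",
}


def file_hashes(data: bytes) -> dict:
    """MD5 and SHA1 hex digests of the bytes (the two digests Jotti shows)."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def matches_report(data: bytes, reported: dict = REPORTED_HASHES) -> bool:
    """True only when every reported digest matches the local bytes."""
    local = file_hashes(data)
    return all(local[algo] == digest.lower() for algo, digest in reported.items())


# One result line: "YYYY-MM-DD <verdict>"; the scanner names were lost in the paste.
RESULT_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})\s+(.+)$")
CLEAN_VERDICT = "found nothing"


def summarise(results_text: str) -> tuple:
    """(engines seen, list of malicious verdicts) for a pasted result list."""
    total, detections = 0, []
    for line in results_text.splitlines():
        m = RESULT_RE.match(line.strip())
        if not m:
            continue
        total += 1
        verdict = m.group(2).strip()
        if verdict.lower() != CLEAN_VERDICT:
            detections.append(verdict)
    return total, detections


def verdict_counts(results_text: str) -> Counter:
    """How often each named verdict appears; shows where engines agree."""
    return Counter(summarise(results_text)[1])


# Constructed stand-in for the file bytes (not the real ff3def98.exe).
SAMPLE_BYTES = b"MZ" + b"\x00" * 62

# The 19 result lines for ff3def98.exe, copied from the post above.
JOTTI_RESULTS = """
2010-06-20 Found nothing
2010-06-20 Trojan.Generic.4164368
2010-06-20 Win32:Malware-gen
2010-06-20 Trojan.SuspectCRC
2010-06-20 Crypt.WUX
2010-06-20 Found nothing
2010-06-18 TR/Spy.74752.34
2010-06-20 Found nothing
2010-06-20 Trojan.Generic.4164368
2010-06-20 Found nothing
2010-06-20 Found nothing
2010-06-18 Found nothing
2010-06-20 Found nothing
2010-06-20 Sus/UnkPack-C
2010-06-20 Trojan.PWS.IpDiscover.11
2010-06-18 Found nothing
2010-06-19 Found nothing
2010-06-20 Trojan.Alureon.QYB
2010-06-20 Found nothing
"""

if __name__ == "__main__":
    print("local bytes match report:", matches_report(SAMPLE_BYTES))
    total, detections = summarise(JOTTI_RESULTS)
    print(f"{len(detections)} out of {total} scanners reported malware")
    for name, n in verdict_counts(JOTTI_RESULTS).most_common():
        print(f"  {n}x {name}")
```

The verdict tally makes the usual point about multi-engine results: the engines that fire disagree on the name (generic trojan, packer heuristic, Alureon, password stealer), so the consensus that the file is malicious carries more weight than any one label, and the hash comparison is what ties that consensus to the copy on disk.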
Cookiegal's Avatar
Administrator & Malware Removal Specialist with 79,289 posts.
 
Join Date: Aug 2003
Location: Quebec, Canada
20-Jun-2010, 05:47 PM #7
I'd like to have one of those files analyzed by a colleague so please go to the forum here and upload this file:

c:\documents and settings\Ian Fitzpatrick\Application Data\ff3def98.exe

Here are the directions for uploading the file:

Just click "New Topic", fill in the needed details and post a link to your thread here. Click the "Browse" button. Navigate to the file on your computer. When the file is listed in the window click "Post" to upload the file.
__________________
Microsoft MVP - Consumer Security
twigdip's Avatar
Computer Specs
Member with 32 posts.
 
Join Date: Aug 2008
Experience: Beginner
21-Jun-2010, 04:58 AM #8
Link to the file upload
Cookiegal's Avatar
Administrator & Malware Removal Specialist with 79,289 posts.
 
Join Date: Aug 2003
Location: Quebec, Canada
21-Jun-2010, 12:37 PM #9
Open Notepad and copy and paste the text in the code box below into it:

Save the file to your desktop and name it CFScript.txt

Referring to the picture below, drag CFScript.txt into ComboFix.exe




This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

Code:
http://forums.techguy.org/virus-othe...ml#post7454049

Collect::
c:\documents and settings\Ian Fitzpatrick\Application Data\ff3def98.exe

File::
c:\windows\Tasks\MSWD-ff3def98.job

RegLock::
[HKEY_USERS\.Default\Software\SetID\Internal]

RegNull:
[HKEY_USERS\S-1-5-21-2878861388-2346302239-923548273-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{26F21ECC-291C-0724-B8F5-1CA67BEE7387}*]

RegLockDel::
[HKEY_USERS\S-1-5-21-2878861388-2346302239-923548273-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{26F21ECC-291C-0724-B8F5-1CA67BEE7387}*]
__________________
Microsoft MVP - Consumer Security
twigdip's Avatar
Computer Specs
Member with 32 posts.
 
Join Date: Aug 2008
Experience: Beginner
22-Jun-2010, 10:33 AM #10
new ComboFix + HijackThis logs
MANY THANKS!

ComboFix 10-06-21.01 - Ian Fitzpatrick 06/22/2010 14:05:27.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1225 [GMT 1:00]
Running from: c:\documents and settings\Ian Fitzpatrick\Desktop\ComboFix.exe
Command switches used :: c:\docume~1\IANFIT~1\Desktop\CFScript.txt
AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Created a new restore point
* Resident AV is active


FILE ::
"c:\windows\Tasks\MSWD-ff3def98.job"

file zipped: c:\documents and settings\Ian Fitzpatrick\Application Data\ff3def98.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Ian Fitzpatrick\Application Data\ff3def98.exe
c:\windows\Tasks\MSWD-ff3def98.job

.
((((((((((((((((((((((((( Files Created from 2010-05-22 to 2010-06-22 )))))))))))))))))))))))))))))))
.

2010-06-18 07:11 . 2010-06-18 07:30 -------- d-----w- C:\puppy
2010-06-15 13:47 . 2010-06-15 13:47 388096 ----a-r- c:\documents and settings\Ian Fitzpatrick\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-06-15 13:47 . 2010-06-15 13:47 -------- d-----w- c:\program files\Trend Micro
2010-06-15 12:06 . 2010-06-15 12:06 -------- d-----w- c:\program files\Common Files\Deterministic Networks
2010-06-14 16:27 . 2010-06-14 17:53 -------- d-----w- c:\documents and settings\All Users\Application Data\BitDefender
2010-06-14 16:27 . 2010-06-14 16:28 -------- d-----w- c:\documents and settings\Ian Fitzpatrick\Application Data\BitDefender
2010-06-14 16:27 . 2010-06-14 16:27 -------- d-----w- c:\program files\BitDefender
2010-06-14 16:25 . 2010-06-14 17:53 -------- d-----w- c:\program files\Common Files\BitDefender
2010-06-14 15:48 . 2010-06-14 16:33 -------- d-----w- c:\documents and settings\Ian Fitzpatrick\Application Data\QuickScan
2010-06-14 15:48 . 2010-05-31 15:34 702120 ----a-w- c:\documents and settings\Ian Fitzpatrick\Application Data\Mozilla\Firefox\Profiles\xsrub3pm.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
2010-06-14 15:48 . 2010-05-31 15:34 868456 ----a-w- c:\documents and settings\Ian Fitzpatrick\Application Data\Mozilla\Firefox\Profiles\xsrub3pm.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
2010-06-14 14:38 . 2004-08-03 21:59 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-06-14 14:38 . 2004-08-03 21:59 34688 ----a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-06-14 14:38 . 2004-08-03 22:00 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-06-14 14:38 . 2004-08-03 22:00 8192 ----a-w- c:\windows\system32\dllcache\changer.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-21 07:44 . 2010-04-23 18:02 -------- d-----w- c:\documents and settings\Ian Fitzpatrick\Application Data\stickies
2010-06-20 17:07 . 2007-02-25 10:09 5427 ----a-w- c:\windows\system32\EGATHDRV.SYS
2010-06-18 07:15 . 2008-11-08 09:14 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-06-14 14:38 . 2008-08-10 22:34 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-06-14 13:14 . 2007-06-10 02:58 -------- d-----w- c:\documents and settings\Ian Fitzpatrick\Application Data\uTorrent
2010-06-13 19:08 . 2007-11-03 10:41 -------- d-----w- c:\documents and settings\Ian Fitzpatrick\Application Data\Skype
2010-06-13 17:18 . 2010-01-06 10:50 -------- d-----w- c:\documents and settings\Ian Fitzpatrick\Application Data\skypePM
2010-05-14 12:11 . 2010-05-14 11:27 -------- d-----w- c:\program files\PDF Password Remover 3.1 Portable by LP
2010-05-13 20:09 . 2007-06-10 02:57 321328 -c--a-w- c:\program files\utorrent.exe
2010-04-29 13:21 . 2009-01-21 12:40 -------- d-----w- c:\documents and settings\Ian Fitzpatrick\Application Data\gtk-2.0
2010-04-28 18:10 . 2008-10-06 10:24 -------- d-----w- c:\documents and settings\Ian Fitzpatrick\Application Data\SmartDraw
2010-04-24 14:22 . 2010-04-24 14:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Cisco
2010-04-23 18:04 . 2010-04-23 17:53 -------- d-----w- c:\program files\Sticky Notes Manager 1.0
2010-04-23 18:02 . 2010-04-23 18:02 496 -c--a-w- c:\windows\uninstallstickies.bat
2010-04-23 18:02 . 2010-04-23 18:02 -------- d-----w- c:\program files\stickies
2010-04-01 17:50 . 2010-04-01 17:50 77824 -c--a-w- c:\documents and settings\Ian Fitzpatrick\Application Data\XMind\configuration-cathy\org.eclipse.osgi\bundles\178\1\.cp\swt-gdip-win32-3555.dll
2010-04-01 17:50 . 2010-04-01 17:50 348160 -c--a-w- c:\documents and settings\Ian Fitzpatrick\Application Data\XMind\configuration-cathy\org.eclipse.osgi\bundles\178\1\.cp\swt-win32-3555.dll
2010-03-29 23:46 . 2008-08-10 20:59 38224 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 23:45 . 2008-08-10 20:59 20824 -c--a-w- c:\windows\system32\drivers\mbam.sys
2010-03-26 12:02 . 2010-03-26 12:02 375162 -c--a-r- c:\documents and settings\Ian Fitzpatrick\Application Data\Microsoft\Installer\{1F1C4668-7767-4109-9B5E-19AD056F2CA0}\_62C7126616B954B0A3B534.exe
2010-03-26 12:02 . 2010-03-26 12:02 375162 -c--a-r- c:\documents and settings\Ian Fitzpatrick\Application Data\Microsoft\Installer\{1F1C4668-7767-4109-9B5E-19AD056F2CA0}\_0F7A346F42AC9EA04D958A.exe
2010-03-26 12:00 . 2010-03-26 12:00 5161984 -c--a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\15369F80F920484EABEE8CCB11D0565F\vodburner\VodBurner.exe
2010-03-26 12:00 . 2010-03-26 12:00 29696 -c--a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\15369F80F920484EABEE8CCB11D0565F\vodburner\sl_wmf.dll
2010-03-26 12:00 . 2010-03-26 12:00 17920 -c--a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\15369F80F920484EABEE8CCB11D0565F\vodburner\sl_asf.dll
2010-03-26 12:00 . 2010-03-26 12:00 626688 -c--a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\15369F80F920484EABEE8CCB11D0565F\vodburner\msvcr80.dll
2010-03-26 12:00 . 2010-03-26 12:00 620032 -c--a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\15369F80F920484EABEE8CCB11D0565F\vodburner\SLHook.dll
2010-03-26 12:00 . 2010-03-26 12:00 603648 -c--a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\15369F80F920484EABEE8CCB11D0565F\vodburner\refine.exe
2010-03-26 12:00 . 2010-03-26 12:00 1700352 -c--a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\15369F80F920484EABEE8CCB11D0565F\vodburner\GdiPlus.dll
2010-03-26 12:00 . 2010-03-26 12:00 826880 -c--a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\15369F80F920484EABEE8CCB11D0565F\slplugin.dll
2010-03-26 12:00 . 2010-03-26 12:00 428032 -c--a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\15369F80F920484EABEE8CCB11D0565F\rubit.exe
2010-03-26 12:00 . 2010-03-26 12:00 2608128 -c--a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\15369F80F920484EABEE8CCB11D0565F\vodburner\Desk. exe
2009-12-30 08:22 . 2010-05-14 11:26 1917188 ----a-w- c:\program files\PDF Password Remover v3.1.exe
2009-03-24 13:33 . 2009-03-24 13:33 408216 -c--a-w- c:\program files\14458-utorrent.564c.dmp
2009-02-16 11:42 . 2009-02-16 11:42 383651 -c--a-w- c:\program files\14458-utorrent.f80e.dmp
2009-02-09 17:19 . 2009-02-09 17:19 351449 -c--a-w- c:\program files\14458-utorrent.2c3a.dmp
2008-12-23 11:34 . 2008-12-23 11:33 520192 -c--a-w- c:\program files\WinDjView-0.5.exe
2008-07-22 17:06 . 2008-07-22 17:06 604 -c-ha-w- c:\program files\STLL Notifier
2007-02-22 20:08 . 2007-02-22 20:08 925696 -c--a-w- c:\program files\fileinfo.exe
2007-02-19 15:28 . 2007-02-19 15:28 117974 -c--a-r- c:\program files\GSpot27.dat
2006-03-20 22:37 . 2007-06-01 18:35 5689344 -c--a-w- c:\program files\Mplayer.exe
2007-12-10 17:40 . 2007-12-10 17:40 6275816 -c--a-w- c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll
2008-01-22 15:14 . 2008-01-22 15:14 198 -csh--r- c:\windows\system32\TithiMiti.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-06-18_07.24.13 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-06-21 07:44 . 2010-06-21 07:44 16384 c:\windows\Temp\Perflib_Perfdata_6cc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2006-05-25 151552]
"TpShocks"="TpShocks.exe" [2006-03-16 106496]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2007-11-03 949376]

c:\documents and settings\Ian Fitzpatrick\Start Menu\Programs\Startup\
Dual Calendar.Lnk - c:\program files\Nepali Calendar\Calendar.exe [2007-6-5 1640448]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoNetSetup"= 0 (0x0)
"NoPrinters"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 12:41 294912 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AwayNotify]
2006-08-16 17:07 49152 ----a-w- c:\program files\Lenovo\AwayTask\AwayNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-04-26 03:20 40448 ----a-w- c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-11-30 11:16 24576 ----a-w- c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave"=DrvTrNTm.dll
"mixer"=DrvTrNTm.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKLM\~\startupfolder\C:^Documents and Settings^Ian Fitzpatrick^Start Menu^Programs^Startup^Dual Calendar.Lnk]
backup=c:\windows\pss\Dual Calendar.LnkStartup
path=c:\documents and settings\Ian Fitzpatrick\Start Menu\Programs\Startup\Dual Calendar.Lnk

[HKLM\~\startupfolder\C:^Documents and Settings^Ian Fitzpatrick^Start Menu^Programs^Startup^MagicDisc.lnk]
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2005-09-24 05:30 483328 -c--a-w- c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BLOG]
2006-05-25 16:13 208896 -c--a-w- c:\progra~1\ThinkPad\UTILIT~1\BATLOGEX.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2004-08-04 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-26 19:02 31016 -c--a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-09-06 15:09 413696 -c--a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Radio Downloader]
2010-03-19 15:43 468320 -c--a-w- c:\program files\Radio Downloader\Radio Downloader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-09-25 01:11 132496 -c--a-w- c:\program files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-07-19 15:01 185896 -c--a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2010-05-13 20:09 321328 -c--a-w- c:\program files\utorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Microsoft Office Groove Audit Service"=3 (0x3)
"CVPND"=2 (0x2)
"ArcGIS License Manager"=2 (0x2)
"UleadBurningHelper"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"SerialNumber"="A109A-K13-3ZXD-BAP5-TE"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\utorrent.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\EndNote X1\\EndNote.exe"=
"c:\\Program Files\\SPSSInc\\Statistics17\\statistics.exe"=
"c:\\Program Files\\SPSSInc\\Statistics17\\SPSSWinWrapIDE.exe"=
"c:\\Program Files\\SPSSInc\\Statistics17\\statistics.com"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\DC++\\DCPlusPlus.exe"=
"c:\\Program Files\\WinHTTrack\\WinHTTrack.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\MP3 Skype Recorder\\MP3 Skype Recorder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"42377:TCP"= 42377:TCP:utorrent
"42377:UDP"= 42377:UDP:utorrent
"17503:TCP"= 17503:TCP:BitComet 17503 TCP
"17503:UDP"= 17503:UDP:BitComet 17503 UDP
"64514:TCP"= 64514:TCP:Utorrent
"64514:UDP"= 64514:UDP:Utorrent

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [11/3/2007 10:47 AM 15424]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/28/2008 10:33 AM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/28/2008 10:33 AM 55024]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [1/8/2009 11:31 AM 210216]
R2 MSSQL$QSRNVIVO8;SQL Server (QSRNVIVO8);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2/10/2007 6:29 AM 29178224]
R2 PrivateDisk;PrivateDisk;c:\program files\Lenovo\SafeGuard PrivateDisk\privatediskm.sys [3/14/2006 1:05 AM 58368]
R2 smi2;smi2;c:\program files\SMI2\smi2.sys [7/15/2006 12:55 AM 3968]
R2 smihlp;SMI helper driver;c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [4/26/2006 4:00 AM 3456]
R3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [2/25/2007 10:42 AM 13840]
S2 DirMngr;DirMngr;c:\program files\GNU\GnuPG\dirmngr.exe [2/3/2010 1:13 PM 242176]
S2 gafwload;Eicon Networks USB ADSL Loader;c:\windows\system32\DRIVERS\gafwload.sys --> c:\windows\system32\DRIVERS\gafwload.sys [?]
S3 ICDSX;Sony IC Recorder (SX);c:\windows\system32\Drivers\ICDSX.sys --> c:\windows\system32\Drivers\ICDSX.sys [?]
S4 ArcGIS License Manager;ArcGIS License Manager;c:\progra~1\ESRI\License\arcgis9x\lmgrd.exe [1/30/2008 12:35 PM 467968]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-06-22 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2007-02-25 16:13]

2010-06-21 c:\windows\Tasks\SDMsgUpdate (SD).job
- c:\progra~1\SmartDraw 7\Messages\SDNotify.exe [2008-10-06 09:09]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
LSP: c:\windows\system32\imon.dll
DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab
FF - ProfilePath - c:\documents and settings\Ian Fitzpatrick\Application Data\Mozilla\Firefox\Profiles\xsrub3pm.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\documents and settings\Ian Fitzpatrick\Application Data\Mozilla\Firefox\Profiles\xsrub3pm.default\extensions\zoteroWinWordIntegration@zotero.org\components\zoteroWinWordIntegration.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-22 14:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2878861388-2346302239-923548273-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{26F21ECC-291C-0724-B8F5-1CA67BEE7387}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"abmbaihdccgoneimojifmcjenjopiajioh"=hex:61,62,6b,61,66,6f,63,65,6f,61,6d,63,
6d,6c,6a,6c,67,65,6e,69,66,62,65,65,6e,6a,6d,67,67,70,6c,62,6d,6d,00,77
"bbmbaihdccgoneimojpfdchcnihhlohgigba"=hex:61,62,70,6f,62,68,6d,6c,66,6d,70,70,
64,6f,64,6e,65,68,6c,6e,61,66,61,64,64,67,6c,67,65,65,68,70,70,64,00,77
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(412)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\windows\system32\biologon.dll
c:\program files\ThinkVantage Fingerprint Software\homepass.dll
c:\program files\ThinkVantage Fingerprint Software\bio.dll
c:\program files\ThinkVantage Fingerprint Software\remote.dll
c:\windows\system32\tphklock.dll
c:\program files\Lenovo\AwayTask\AwayNotify.dll
c:\windows\system32\igfxdev.dll

- - - - - - - > 'lsass.exe'(468)
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
.
Completion time: 2010-06-22 14:13:28
ComboFix-quarantined-files.txt 2010-06-22 13:13
ComboFix2.txt 2010-06-18 07:30

Pre-Run: 4,802,408,448 bytes free
Post-Run: 4,788,686,848 bytes free

- - End Of File - - C5A0DE7C1F30CE4DC48B00FE37D1736E
Upload was successful


-----------------------------------------------
------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:33:52 PM, on 6/22/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\stickies\stickies.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\WINDOWS\system32\acs.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - S-1-5-18 Startup: Dual Calendar.Lnk = C:\Program Files\Nepali Calendar\Calendar.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Dual Calendar.Lnk = C:\Program Files\Nepali Calendar\Calendar.exe (User 'Default user')
O4 - Startup: Dual Calendar.Lnk = C:\Program Files\Nepali Calendar\Calendar.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program FilesVPN Client\vpngui.exe
O4 - Global Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: System Update - {DA320635-F48C-4613-8325-D75A933C549E} - C:\Program Files\Lenovo\System Update\sulauncher.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.lenovo.com/welcome/thinkpad
O16 - DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab
O18 - Protocol: biblioscape - (no CLSID) - (no file)
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\Skype4COM.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: AwayNotify - C:\Program Files\Lenovo\AwayTask\AwayNotify.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Atheros Configuration Service (acs) - Atheros - C:\WINDOWS\system32\acs.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Cisco Systems, Inc. Installer service (CiscoVpnInstallService) - Unknown owner - C:\DOCUME~1\IANFIT~1\LOCALS~1\temp\WZSE0.TMP\installservice.exe (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DirMngr - Unknown owner - C:\Program Files\GNU\GnuPG\dirmngr.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Unknown owner - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Unknown owner - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe (file missing)
O23 - Service: System Update (SUService) - - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Unknown owner - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: tvtnetwk - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe

--
End of file - 11473 bytes

Last edited by twigdip; 22-Jun-2010 at 10:34 AM.. Reason: to say "thanks for your help!"
Cookiegal
Administrator & Malware Removal Specialist with 79,289 posts.
 
Join Date: Aug 2003
Location: Quebec, Canada
23-Jun-2010, 05:34 PM #11
Open Notepad and copy and paste the text in the code box below into it:

Code:
RegNull::
[HKEY_USERS\S-1-5-21-2878861388-2346302239-923548273-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{26F21ECC-291C-0724-B8F5-1CA67BEE7387}*]

RegLockDel::
[HKEY_USERS\S-1-5-21-2878861388-2346302239-923548273-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{26F21ECC-291C-0724-B8F5-1CA67BEE7387}*]

Save the file to your desktop and name it CFScript.txt

Referring to the picture below, drag CFScript.txt into ComboFix.exe

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.
__________________
Microsoft MVP - Consumer Security
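The locked key that the CFScript above targets is printed in the ComboFix log with its two values as raw hex, and the same REGEDIT4-style dump also carries the Security Center and firewall-policy entries. The following Python is an added example written for this page; it is not ComboFix's code and was not posted by anyone in the thread. It re-joins hex values that forum software wrapped onto a second line (tolerating a stray space inside a byte, which vBulletin inserts into long words), decodes REGEDIT4 `dword:` and `hex:` values, splits binary data at NUL bytes to show the ASCII text inside, and lists a few entries worth a second look: `DisableMonitoring=1` under `security center\Monitoring`, inbound `GloballyOpenPorts` exceptions, and the decoded locked-key value. The sample input is constructed from lines copied from the log; the triage rules are the example's own and are not a verdict on whether any entry is malicious.

```python
"""Decode the REGEDIT4-style fragments that ComboFix prints in its log.

Added example for this thread, not ComboFix's own code. It assumes the log
was pasted as-is, so a long hex: value may have been wrapped onto a second
line and may carry a stray space inside a byte (for example "6 3,").
"""
import re

# Constructed sample: lines copied from the ComboFix log in this thread.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"42377:TCP"= 42377:TCP:utorrent
"17503:UDP"= 17503:UDP:BitComet 17503 UDP

[HKEY_USERS\S-1-5-21-2878861388-2346302239-923548273-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{26F21ECC-291C-0724-B8F5-1CA67BEE7387}*]
@Allowed: (Read) (RestrictedCode)
"abmbaihdccgoneimojifmcjenjopiajioh"=hex:61,62,6b,61,66,6f,63,65,6f,61,6d,6 3,
6d,6c,6a,6c,67,65,6e,69,66,62,65,65,6e,6a,6d,67,67,70,6c,62,6d,6d,00,77
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]*)"=\s*(.*)$')
HEX_CONT_RE = re.compile(r'^[0-9a-fA-F ,\\]+$')   # a wrapped tail of a hex: value


def parse_regedit4(text):
    """Return {key_path: {value_name: raw_rhs}} for a REGEDIT4-style fragment."""
    keys, key, last = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('@'):      # blank, or a ComboFix "@Allowed:" note
            continue
        m = KEY_RE.match(line)
        if m:
            key, last = m.group(1), None
            keys[key] = {}
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            last = m.group(1)
            keys[key][last] = m.group(2)
            continue
        if key is not None and last is not None and HEX_CONT_RE.match(line):
            keys[key][last] += line                # re-join a wrapped hex line
    return keys


def decode_value(rhs):
    """Turn the right-hand side of a value line into (kind, python_value)."""
    rhs = rhs.strip()
    if rhs.startswith('dword:'):
        return 'dword', int(rhs[len('dword:'):], 16)
    if rhs.startswith('hex:'):
        digits = re.sub(r'[\s,\\]', '', rhs[len('hex:'):])   # drop commas, spaces, continuations
        return 'binary', bytes.fromhex(digits)
    m = re.match(r'^"((?:[^"\\]|\\.)*)"', rhs)    # quoted string, trailing "[date size]" ignored
    if m:
        return 'string', m.group(1).replace('\\\\', '\\')
    return 'raw', rhs


def nul_separated_strings(data):
    """Split REG_BINARY data at NUL bytes; return the non-empty runs as text."""
    return [part.decode('ascii', 'replace') for part in data.split(b'\x00') if part]


def triage(keys):
    """Return plain-text findings a reviewer of this log would want to see."""
    findings = []
    for key, values in keys.items():
        for name, rhs in values.items():
            kind, val = decode_value(rhs)
            if name == 'DisableMonitoring' and kind == 'dword' and val == 1:
                findings.append(f'Security Center monitoring disabled: {key}')
            elif 'GloballyOpenPorts' in key:
                findings.append(f'Inbound firewall exception: {name} -> {val}')
            elif key.endswith('*') and kind == 'binary':
                findings.append(f'Locked key value {name} decodes to {nul_separated_strings(val)}')
    return findings


if __name__ == '__main__':
    for line in triage(parse_regedit4(SAMPLE_LOG)):
        print(line)
```

Run as a script it prints four findings: the disabled monitoring flag, the two BitTorrent port exceptions, and the locked-key value, which decodes to `abkafoceoamcmljlgenifbeenjmggplbmm` followed by a NUL and a single `w`. Whether those strings mean anything is not something the log settles; the decoding only makes the value readable before deciding what to do with the key, which in this thread was RegNull:: and RegLockDel:: through ComboFix.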
twigdip
Computer Specs
Member with 32 posts.
 
Join Date: Aug 2008
Experience: Beginner
24-Jun-2010, 05:52 AM #12
ComboFix 10-06-21.01 - Ian Fitzpatrick 06/24/2010 9:43.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1413 [GMT 1:00]
Running from: c:\documents and settings\Ian Fitzpatrick\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ian Fitzpatrick\Desktop\CFScript.txt
AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2010-05-24 to 2010-06-24 )))))))))))))))))))))))))))))))
.

2010-06-18 07:11 . 2010-06-18 07:30 -------- d-----w- C:\puppy
2010-06-15 13:47 . 2010-06-15 13:47 388096 ----a-r- c:\documents and settings\Ian Fitzpatrick\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-06-15 13:47 . 2010-06-15 13:47 -------- d-----w- c:\program files\Trend Micro
2010-06-15 12:06 . 2010-06-15 12:06 -------- d-----w- c:\program files\Common Files\Deterministic Networks
2010-06-14 16:27 . 2010-06-14 17:53 -------- d-----w- c:\documents and settings\All Users\Application Data\BitDefender
2010-06-14 16:27 . 2010-06-14 16:28 -------- d-----w- c:\documents and settings\Ian Fitzpatrick\Application Data\BitDefender
2010-06-14 16:27 . 2010-06-14 16:27 -------- d-----w- c:\program files\BitDefender
2010-06-14 16:25 . 2010-06-14 17:53 -------- d-----w- c:\program files\Common Files\BitDefender
2010-06-14 15:48 . 2010-06-14 16:33 -------- d-----w- c:\documents and settings\Ian Fitzpatrick\Application Data\QuickScan
2010-06-14 15:48 . 2010-05-31 15:34 702120 ----a-w- c:\documents and settings\Ian Fitzpatrick\Application Data\Mozilla\Firefox\Profiles\xsrub3pm.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
2010-06-14 15:48 . 2010-05-31 15:34 868456 ----a-w- c:\documents and settings\Ian Fitzpatrick\Application Data\Mozilla\Firefox\Profiles\xsrub3pm.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
2010-06-14 14:38 . 2004-08-03 21:59 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-06-14 14:38 . 2004-08-03 21:59 34688 ----a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-06-14 14:38 . 2004-08-03 22:00 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-06-14 14:38 . 2004-08-03 22:00 8192 ----a-w- c:\windows\system32\dllcache\changer.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-24 08:41 . 2007-11-03 10:41 -------- d-----w- c:\documents and settings\Ian Fitzpatrick\Application Data\Skype
2010-06-24 07:41 . 2010-01-06 10:50 -------- d-----w- c:\documents and settings\Ian Fitzpatrick\Application Data\skypePM
2010-06-22 17:08 . 2008-11-08 09:14 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-06-21 07:44 . 2010-04-23 18:02 -------- d-----w- c:\documents and settings\Ian Fitzpatrick\Application Data\stickies
2010-06-20 17:07 . 2007-02-25 10:09 5427 ----a-w- c:\windows\system32\EGATHDRV.SYS
2010-06-14 14:38 . 2008-08-10 22:34 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-06-14 13:14 . 2007-06-10 02:58 -------- d-----w- c:\documents and settings\Ian Fitzpatrick\Application Data\uTorrent
2010-05-14 12:11 . 2010-05-14 11:27 -------- d-----w- c:\program files\PDF Password Remover 3.1 Portable by LP
2010-05-13 20:09 . 2007-06-10 02:57 321328 -c--a-w- c:\program files\utorrent.exe
2010-04-29 13:21 . 2009-01-21 12:40 -------- d-----w- c:\documents and settings\Ian Fitzpatrick\Application Data\gtk-2.0
2010-04-28 18:10 . 2008-10-06 10:24 -------- d-----w- c:\documents and settings\Ian Fitzpatrick\Application Data\SmartDraw
2010-04-23 18:02 . 2010-04-23 18:02 496 -c--a-w- c:\windows\uninstallstickies.bat
2010-04-01 17:50 . 2010-04-01 17:50 77824 -c--a-w- c:\documents and settings\Ian Fitzpatrick\Application Data\XMind\configuration-cathy\org.eclipse.osgi\bundles\178\1\.cp\swt-gdip-win32-3555.dll
2010-04-01 17:50 . 2010-04-01 17:50 348160 -c--a-w- c:\documents and settings\Ian Fitzpatrick\Application Data\XMind\configuration-cathy\org.eclipse.osgi\bundles\178\1\.cp\swt-win32-3555.dll
2010-03-29 23:46 . 2008-08-10 20:59 38224 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 23:45 . 2008-08-10 20:59 20824 -c--a-w- c:\windows\system32\drivers\mbam.sys
2010-03-26 12:02 . 2010-03-26 12:02 375162 -c--a-r- c:\documents and settings\Ian Fitzpatrick\Application Data\Microsoft\Installer\{1F1C4668-7767-4109-9B5E-19AD056F2CA0}\_62C7126616B954B0A3B534.exe
2010-03-26 12:02 . 2010-03-26 12:02 375162 -c--a-r- c:\documents and settings\Ian Fitzpatrick\Application Data\Microsoft\Installer\{1F1C4668-7767-4109-9B5E-19AD056F2CA0}\_0F7A346F42AC9EA04D958A.exe
2010-03-26 12:00 . 2010-03-26 12:00 5161984 -c--a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\15369F80F920484EABEE8CCB11D0565F\vodburner\VodBurner.exe
2010-03-26 12:00 . 2010-03-26 12:00 29696 -c--a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\15369F80F920484EABEE8CCB11D0565F\vodburner\sl_wmf.dll
2010-03-26 12:00 . 2010-03-26 12:00 17920 -c--a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\15369F80F920484EABEE8CCB11D0565F\vodburner\sl_asf.dll
2010-03-26 12:00 . 2010-03-26 12:00 626688 -c--a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\15369F80F920484EABEE8CCB11D0565F\vodburner\msvcr80.dll
2010-03-26 12:00 . 2010-03-26 12:00 620032 -c--a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\15369F80F920484EABEE8CCB11D0565F\vodburner\SLHook.dll
2010-03-26 12:00 . 2010-03-26 12:00 603648 -c--a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\15369F80F920484EABEE8CCB11D0565F\vodburner\refine.exe
2010-03-26 12:00 . 2010-03-26 12:00 1700352 -c--a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\15369F80F920484EABEE8CCB11D0565F\vodburner\GdiPlus.dll
2010-03-26 12:00 . 2010-03-26 12:00 826880 -c--a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\15369F80F920484EABEE8CCB11D0565F\slplugin.dll
2010-03-26 12:00 . 2010-03-26 12:00 428032 -c--a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\15369F80F920484EABEE8CCB11D0565F\rubit.exe
2010-03-26 12:00 . 2010-03-26 12:00 2608128 -c--a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\15369F80F920484EABEE8CCB11D0565F\vodburner\Desk.exe
2009-12-30 08:22 . 2010-05-14 11:26 1917188 ----a-w- c:\program files\PDF Password Remover v3.1.exe
2009-03-24 13:33 . 2009-03-24 13:33 408216 -c--a-w- c:\program files\14458-utorrent.564c.dmp
2009-02-16 11:42 . 2009-02-16 11:42 383651 -c--a-w- c:\program files\14458-utorrent.f80e.dmp
2009-02-09 17:19 . 2009-02-09 17:19 351449 -c--a-w- c:\program files\14458-utorrent.2c3a.dmp
2008-12-23 11:34 . 2008-12-23 11:33 520192 -c--a-w- c:\program files\WinDjView-0.5.exe
2008-07-22 17:06 . 2008-07-22 17:06 604 -c-ha-w- c:\program files\STLL Notifier
2007-02-22 20:08 . 2007-02-22 20:08 925696 -c--a-w- c:\program files\fileinfo.exe
2007-02-19 15:28 . 2007-02-19 15:28 117974 -c--a-r- c:\program files\GSpot27.dat
2006-03-20 22:37 . 2007-06-01 18:35 5689344 -c--a-w- c:\program files\Mplayer.exe
2007-12-10 17:40 . 2007-12-10 17:40 6275816 -c--a-w- c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll
2008-01-22 15:14 . 2008-01-22 15:14 198 -csh--r- c:\windows\system32\TithiMiti.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-06-18_07.24.13 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-06-21 07:44 . 2010-06-21 07:44 16384 c:\windows\Temp\Perflib_Perfdata_6cc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2006-05-25 151552]
"TpShocks"="TpShocks.exe" [2006-03-16 106496]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2007-11-03 949376]

c:\documents and settings\Ian Fitzpatrick\Start Menu\Programs\Startup\
Dual Calendar.Lnk - c:\program files\Nepali Calendar\Calendar.exe [2007-6-5 1640448]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoNetSetup"= 0 (0x0)
"NoPrinters"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 12:41 294912 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AwayNotify]
2006-08-16 17:07 49152 ----a-w- c:\program files\Lenovo\AwayTask\AwayNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-04-26 03:20 40448 ----a-w- c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-11-30 11:16 24576 ----a-w- c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave"=DrvTrNTm.dll
"mixer"=DrvTrNTm.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKLM\~\startupfolder\C:^Documents and Settings^Ian Fitzpatrick^Start Menu^Programs^Startup^Dual Calendar.Lnk]
backup=c:\windows\pss\Dual Calendar.LnkStartup
path=c:\documents and settings\Ian Fitzpatrick\Start Menu\Programs\Startup\Dual Calendar.Lnk

[HKLM\~\startupfolder\C:^Documents and Settings^Ian Fitzpatrick^Start Menu^Programs^Startup^MagicDisc.lnk]
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2005-09-24 05:30 483328 -c--a-w- c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BLOG]
2006-05-25 16:13 208896 -c--a-w- c:\progra~1\ThinkPad\UTILIT~1\BATLOGEX.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2004-08-04 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-26 19:02 31016 -c--a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-09-06 15:09 413696 -c--a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Radio Downloader]
2010-03-19 15:43 468320 -c--a-w- c:\program files\Radio Downloader\Radio Downloader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-09-25 01:11 132496 -c--a-w- c:\program files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-07-19 15:01 185896 -c--a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2010-05-13 20:09 321328 -c--a-w- c:\program files\utorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Microsoft Office Groove Audit Service"=3 (0x3)
"CVPND"=2 (0x2)
"ArcGIS License Manager"=2 (0x2)
"UleadBurningHelper"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"SerialNumber"="A109A-K13-3ZXD-BAP5-TE"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\utorrent.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\EndNote X1\\EndNote.exe"=
"c:\\Program Files\\SPSSInc\\Statistics17\\statistics.exe"=
"c:\\Program Files\\SPSSInc\\Statistics17\\SPSSWinWrapIDE.exe"=
"c:\\Program Files\\SPSSInc\\Statistics17\\statistics.com"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\DC++\\DCPlusPlus.exe"=
"c:\\Program Files\\WinHTTrack\\WinHTTrack.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\MP3 Skype Recorder\\MP3 Skype Recorder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"42377:TCP"= 42377:TCP:utorrent
"42377:UDP"= 42377:UDP:utorrent
"17503:TCP"= 17503:TCP:BitComet 17503 TCP
"17503:UDP"= 17503:UDP:BitComet 17503 UDP
"64514:TCP"= 64514:TCP:Utorrent
"64514:UDP"= 64514:UDP:Utorrent

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [11/3/2007 10:47 AM 15424]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/28/2008 10:33 AM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/28/2008 10:33 AM 55024]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [1/8/2009 11:31 AM 210216]
R2 MSSQL$QSRNVIVO8;SQL Server (QSRNVIVO8);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2/10/2007 6:29 AM 29178224]
R2 PrivateDisk;PrivateDisk;c:\program files\Lenovo\SafeGuard PrivateDisk\privatediskm.sys [3/14/2006 1:05 AM 58368]
R2 smi2;smi2;c:\program files\SMI2\smi2.sys [7/15/2006 12:55 AM 3968]
R2 smihlp;SMI helper driver;c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [4/26/2006 4:00 AM 3456]
R3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [2/25/2007 10:42 AM 13840]
S2 DirMngr;DirMngr;c:\program files\GNU\GnuPG\dirmngr.exe [2/3/2010 1:13 PM 242176]
S2 gafwload;Eicon Networks USB ADSL Loader;c:\windows\system32\DRIVERS\gafwload.sys --> c:\windows\system32\DRIVERS\gafwload.sys [?]
S3 ICDSX;Sony IC Recorder (SX);c:\windows\system32\Drivers\ICDSX.sys --> c:\windows\system32\Drivers\ICDSX.sys [?]
S4 ArcGIS License Manager;ArcGIS License Manager;c:\progra~1\ESRI\License\arcgis9x\lmgrd.exe [1/30/2008 12:35 PM 467968]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-06-22 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2007-02-25 16:13]

2010-06-21 c:\windows\Tasks\SDMsgUpdate (SD).job
- c:\progra~1\SmartDraw 7\Messages\SDNotify.exe [2008-10-06 09:09]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
LSP: c:\windows\system32\imon.dll
DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab
FF - ProfilePath - c:\documents and settings\Ian Fitzpatrick\Application Data\Mozilla\Firefox\Profiles\xsrub3pm.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\documents and settings\Ian Fitzpatrick\Application Data\Mozilla\Firefox\Profiles\xsrub3pm.default\extensions\zoteroWinWordIntegration@zotero.org\components\zoteroWinWordIntegration.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-24 09:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2878861388-2346302239-923548273-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{26F21ECC-291C-0724-B8F5-1CA67BEE7387}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"abmbaihdccgoneimojifmcjenjopiajioh"=hex:61,62,6b,61,66,6f,63,65,6f,61,6d,63,
6d,6c,6a,6c,67,65,6e,69,66,62,65,65,6e,6a,6d,67,67,70,6c,62,6d,6d,00,77
"bbmbaihdccgoneimojpfdchcnihhlohgigba"=hex:61,62,70,6f,62,68,6d,6c,66,6d,70,70,
64,6f,64,6e,65,68,6c,6e,61,66,61,64,64,67,6c,67,65,65,68,70,70,64,00,77
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(412)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\windows\system32\biologon.dll
c:\program files\ThinkVantage Fingerprint Software\homepass.dll
c:\program files\ThinkVantage Fingerprint Software\bio.dll
c:\program files\ThinkVantage Fingerprint Software\remote.dll
c:\windows\system32\tphklock.dll
c:\program files\Lenovo\AwayTask\AwayNotify.dll
c:\windows\system32\igfxdev.dll

- - - - - - - > 'lsass.exe'(468)
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll

- - - - - - - > 'explorer.exe'(3540)
c:\windows\system32\PROCHLP.DLL
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-06-24 09:50:52
ComboFix-quarantined-files.txt 2010-06-24 08:50
ComboFix2.txt 2010-06-22 13:23
ComboFix3.txt 2010-06-18 07:30

Pre-Run: 4,724,039,680 bytes free
Post-Run: 4,706,357,248 bytes free

- - End Of File - - 76BAB4526C85C1112D0226F4CBD75511
Cookiegal (Administrator & Malware Removal Specialist, Quebec, Canada)
25-Jun-2010, 02:38 PM #13
Since you already have MalwareBytes installed, please update it and run a full scan and then post the log.
twigdip (Member, Experience: Beginner)
26-Jun-2010, 09:09 AM #14
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4243

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

6/26/2010 1:09:41 PM
mbam-log-2010-06-26 (13-09-41).txt

Scan type: Full scan (C:\|)
Objects scanned: 305611
Time elapsed: 1 hour(s), 3 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 18

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\ernel32.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\1q9317.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\3kU9317k.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\5m55w.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\A1k9317c.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\A9kU7mY.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\EI7931q9.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\kU7mY179.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\s931793.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP1\A0001176.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP1\A0001178.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP1\A0001179.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP1\A0001180.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP1\A0001181.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP1\A0001182.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP1\A0001183.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP1\A0001184.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP1\A0001185.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
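A triage check worth making on a Malwarebytes log like the one above is where the detected files actually live: every one of the 18 hits in post #14 is either under C:\Qoobox\Quarantine (ComboFix's own quarantine folder, so a copy ComboFix had already removed from its original location) or inside a System Restore point, and none is a file in an active system path. The script below is an added example, not part of the thread or of any Malwarebytes tooling; it parses the "Files Infected:" section of an MBAM 1.x log and sorts each entry into quarantine, restore point, or live file. The embedded sample is constructed for the example: its first three lines are copied from the log above, and the fourth is a hypothetical entry added only to exercise the live-file branch.

```python
import re
from collections import Counter

# Constructed sample. The first three entries are copied from the Malwarebytes
# log in post #14; the fourth is hypothetical and exists only so the "live"
# classification is exercised. It is not from the original log.
SAMPLE_LOG = r"""
Files Infected: 4

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\ernel32.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\1q9317.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP1\A0001176.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hypothetical.dll (Trojan.Example) -> Quarantined and deleted successfully.
"""

# One entry in the "Files Infected:" section: <path> (<family>) -> <action>
ENTRY_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")

QUARANTINE_PREFIX = "c:\\qoobox\\quarantine\\"          # ComboFix quarantine
RESTORE_MARKER = "\\system volume information\\_restore"  # System Restore points


def classify(path):
    """Return where the detected file lived: quarantine, restore point, or live."""
    p = path.lower()
    if p.startswith(QUARANTINE_PREFIX):
        return "combofix-quarantine"
    if RESTORE_MARKER in p:
        return "restore-point"
    return "live"


def parse_mbam_files(log_text):
    """Parse the 'Files Infected:' section of an MBAM 1.x log into dicts.

    Only the detail section (header line exactly 'Files Infected:') is read;
    the summary count line 'Files Infected: N' near the top is skipped.
    """
    entries = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Files Infected:":
            in_section = True
            continue
        if not in_section:
            continue
        if not line:            # blank line ends the section
            break
        m = ENTRY_RE.match(line)
        if m:
            entries.append({
                "path": m.group("path"),
                "family": m.group("family"),
                "action": m.group("action"),
                "location": classify(m.group("path")),
            })
    return entries


def triage(entries):
    """Count detections by location class."""
    return Counter(e["location"] for e in entries)


def live_entries(entries):
    """Entries that were neither quarantine copies nor restore-point copies."""
    return [e for e in entries if e["location"] == "live"]


if __name__ == "__main__":
    found = parse_mbam_files(SAMPLE_LOG)
    for loc, n in sorted(triage(found).items()):
        print(f"{loc:20s} {n}")
    for e in live_entries(found):
        print("LIVE:", e["path"], e["family"])
```

Run against the full log from post #14, every entry falls into the first two classes and the live list is empty; the "live" bucket is the one that would indicate the infection is still present on disk rather than in a quarantine or restore-point copy.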
Cookiegal (Administrator & Malware Removal Specialist, Quebec, Canada)
26-Jun-2010, 01:44 PM #15
Download GMER from: http://gmer.net/index.php

Click on the Download exe button and save it on your desktop. It will create an oddly named exe file on your desktop. Double-click that file to run it, select the rootkit tab and then press scan. When the scan is done, click Save and save the log in Notepad, then copy and paste the log report back here please.

Note: It's important that all other windows be closed and that you don't touch the mouse or anything during the scan as it may cause it to freeze.
__________________
Microsoft MVP - Consumer Security

Copyright © 1996 - 2011 TechGuy, Inc. All rights reserved.