
Computer's slowing and frauds keep coming

Discussion in 'Virus & Other Malware Removal' started by sylixe, Oct 8, 2008.

  1. sylixe

    sylixe Thread Starter

    Joined:
    Jul 9, 2008
    Messages:
    67
    OK, I think I've picked up some virus that I cannot detect with Spyware Terminator.
    Sometimes a new Firefox/Internet window just opens and those fraud AV things appear. Some examples are Micro AntiVirus and AntiVirus 2009.

    Here is the HJT Log:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:16, on 2008-10-09
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Aventail\Connect\as32svc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\SCardSvr.exe
    C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\lotus\notes\ntmulti.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\Spyware Terminator\sp_rsser.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\TPHDEXLG.EXE
    C:\WINDOWS\system32\TpKmpSVC.exe
    C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
    C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
    C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
    C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\UPHClean\uphclean.exe
    C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
    C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\igfxext.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Windows Live\Messenger\usnsvc.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\WINDOWS\system32\ctfmon.exe
    D:\Documents and Settings\chewhockchye\Desktop\IDMan\IDMan.exe
    C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Garena\Garena.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
    O3 - Toolbar: (no name) - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - (no file)
    O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [IDMan] D:\Documents and Settings\chewhockchye\Desktop\IDMan\IDMan.exe /onboot
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: Download all links with IDM - D:\Documents and Settings\chewhockchye\Desktop\IDMan\IEGetAll.htm
    O8 - Extra context menu item: Download FLV video content with IDM - D:\Documents and Settings\chewhockchye\Desktop\IDMan\IEGetVL.htm
    O8 - Extra context menu item: Download with IDM - D:\Documents and Settings\chewhockchye\Desktop\IDMan\IEExt.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O11 - Options group: [JAVA_IBM] Java (IBM)
    O14 - IERESET.INF: START_PAGE_URL=http://intranet.home.capitaland.com/
    O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {377FF862-62E0-4F33-B6E5-F58E0BC0F209} (NlsComm Component Class) - http://login.hanbiton.com/cab/NLSnSSO.cab
    O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://mail.capitaland.com/iNotes6W.cab
    O16 - DPF: {5EDB10D9-7E95-4833-A218-62F375DAFCF1} - https://secura.capitaland.com/postauthI/epi.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://cfl.webex.com/client/v_mywebex-t20/webex/ieatgpc.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dc.capitaland.com
    O17 - HKLM\Software\..\Telephony: DomainName = dc.capitaland.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dc.capitaland.com
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = dc.capitaland.com
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
    O18 - Protocol: qvp - {4BA78E3D-CA25-4BFF-B8F0-8A3359E4B520} - C:\Program Files\QlikView\QvProtocol\qvp.dll
    O20 - AppInit_DLLs: lxtndo.dll
    O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
    O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Aventail Connect (As32Svc) - Aventail Corporation - C:\Program Files\Aventail\Connect\as32svc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
    O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\lotus\notes\ntmulti.exe
    O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
    O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
    O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
    O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
    O23 - Service: TVT Backup Service - Unknown owner - C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
    O23 - Service: TVT Scheduler - Unknown owner - C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
    O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe

    --
    End of file - 9797 bytes
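An added example, not part of the original post and not a HijackThis feature: a small rule-based triage of the HJT log above, written in Python because the log is analysed offline. It encodes the checks a malware helper applies by eye: the browser proxy set to 127.0.0.1:8080 (the R1 line), anything at all in AppInit_DLLs (the O20 line, lxtndo.dll), O3/O9/O18 registrations whose file is gone, O23 services whose binary is missing, and Winsock LSPs HJT does not recognise. The sample lines are copied from the posted log; the severity tiers and wording are the example's own.

```python
r"""Rule-based triage of a HijackThis (HJT) log.

Added example; not part of the original thread and not a HijackThis feature.
It encodes the checks a malware helper applies by eye to the log posted above.
"""
import re

# Constructed sample: a subset of lines copied from the HJT log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O3 - Toolbar: (no name) - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O20 - AppInit_DLLs: lxtndo.dll
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
"""

LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
LOCAL_HOSTS = {"127.0.0.1", "localhost", "::1"}


def triage_line(line):
    """Return (severity, reason, line) for a suspicious HJT line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")

    if sec == "R1" and ",ProxyServer = " in body:
        proxy = body.split(",ProxyServer = ", 1)[1].strip()
        host = proxy.rsplit(":", 1)[0]
        if host in LOCAL_HOSTS:
            # Nothing legitimate on a workstation normally proxies the browser
            # through itself; rogue-AV droppers do it to inject their pages.
            return ("high", "browser proxy points at localhost", line)
        return ("review", "explicit proxy configured; confirm it is policy", line)

    if sec == "O20" and body.startswith("AppInit_DLLs:"):
        # Every process that loads user32.dll loads this DLL too. Empty is
        # the only comfortable value on a home or office workstation.
        return ("high", "AppInit_DLLs is set: DLL injected into every GUI process", line)

    if sec in ("O3", "O9", "O18") and body.endswith("(no file)"):
        return ("low", "orphaned registration; the file is gone, remove the key", line)

    if sec == "O23" and body.endswith("(file missing)"):
        return ("low", "service binary missing; leftover, remove the service", line)

    if sec == "O10":
        # HJT says 'Unknown' for anything outside its whitelist; nwprovau.dll
        # is Windows' own NetWare provider, so this needs a human, not a fix.
        return ("review", "non-whitelisted Winsock LSP; identify the vendor first", line)

    return None


def triage(log_text):
    """Triage a whole log: highest severity first, log order within a tier."""
    order = {"high": 0, "review": 1, "low": 2}
    findings = [f for f in map(triage_line, log_text.splitlines()) if f]
    return sorted(findings, key=lambda f: order[f[0]])


if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}\n         {line}")
```

Run against the posted log it puts the localhost proxy and the AppInit_DLLs entry at the top, which matches what the MBAM scan in the next post found: lxtndo.dll is the Vundo component loaded through AppInit_DLLs, and the 127.0.0.1:8080 proxy is how the rogue-AV pages were being pushed into new browser windows.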
     
  2. sylixe

    sylixe Thread Starter

    Joined:
    Jul 9, 2008
    Messages:
    67
    I just did an MBAM full scan and this is the log.
    I clicked remove already.

    Malwarebytes' Anti-Malware 1.28
    Database version: 1244
    Windows 5.1.2600 Service Pack 2

    2008-10-09 11:14:17
    mbam-log-2008-10-09 (11-14-17).txt

    Scan type: Full Scan (C:\|D:\|)
    Objects scanned: 134540
    Time elapsed: 45 minute(s), 57 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 4
    Registry Keys Infected: 11
    Registry Values Infected: 1
    Registry Data Items Infected: 3
    Folders Infected: 0
    Files Infected: 13

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    C:\WINDOWS\system32\hgGVpmMf.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\vtUnkiIC.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\system32\ddcCttrR.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\system32\lxtndo.dll (Trojan.Vundo.H) -> Delete on reboot.

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1cf2cd8a-46c0-45f1-9085-ad07a966151e} (Trojan.Vundo.H) -> Delete on reboot.
    HKEY_CLASSES_ROOT\CLSID\{1cf2cd8a-46c0-45f1-9085-ad07a966151e} (Trojan.Vundo.H) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a11c5aa1-0522-4e2c-8b55-61ec322a00bb} (Trojan.Vundo.H) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\vtunkiic (Trojan.Vundo.H) -> Delete on reboot.
    HKEY_CLASSES_ROOT\CLSID\{a11c5aa1-0522-4e2c-8b55-61ec322a00bb} (Trojan.Vundo.H) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{da455502-ed87-44e1-b132-b46bec4dff29} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{da455502-ed87-44e1-b132-b46bec4dff29} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{a11c5aa1-0522-4e2c-8b55-61ec322a00bb} (Trojan.Vundo) -> Delete on reboot.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\hggvpmmf -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\scrfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("%1" %*) Good: ("%1" /S) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\hggvpmmf -> Delete on reboot.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\system32\hgGVpmMf.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\fMmpVGgh.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\fMmpVGgh.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\vtUnkiIC.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\lxtndo.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\fqqnijpj.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\jpjinqqf.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\ddcCttrR.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\system32\uvkqsvld.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\geBqPJBq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\efcCtqQI.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    D:\Documents and Settings\chewhockchye\Local Settings\Temporary Internet Files\Content.IE5\M907QZGL\nd82m0[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    D:\Documents and Settings\chewhockchye\Local Settings\Temporary Internet Files\Content.IE5\NH7KB9FB\upd105320[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
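An added example, not part of the original post or of any tool in this thread: a baseline check for the two LSA package lists MBAM flagged above. Both "Authentication Packages" and "Notification Packages" under HKLM\SYSTEM\CurrentControlSet\Control\Lsa are REG_MULTI_SZ lists of DLLs that lsass.exe loads at boot, which is why hgGVpmMf.dll could only be removed "on reboot". The script parses the values from a regedit .reg export (or reads them live on Windows) and reports every entry not in a baseline. The baseline (msv1_0 and scecli) is assumed to be the Windows XP default; confirm it on a known-clean machine of the same build before acting on the output. The .reg text is constructed to reproduce MBAM's finding and encodes the bare module name, which is an assumption about how the malware wrote the value.

```python
r"""Baseline check for the LSA 'Authentication Packages' / 'Notification
Packages' lists under HKLM\SYSTEM\CurrentControlSet\Control\Lsa.

Added example; not part of the original thread or of the tools in it.
"""
import re
import sys

LSA_KEY = r"SYSTEM\CurrentControlSet\Control\Lsa"

# Assumed Windows XP defaults (lower-case, bare module names, no path/.dll).
BASELINE = {
    "Authentication Packages": {"msv1_0"},
    "Notification Packages": {"scecli"},
}

# Constructed sample .reg export reproducing MBAM's finding. regedit writes
# REG_MULTI_SZ as hex(7): UTF-16LE bytes, each string NUL-terminated and the
# list closed by an extra NUL, with long lines continued by a trailing ',\'.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,68,00,\
  67,00,67,00,76,00,70,00,6d,00,6d,00,66,00,00,00,00,00
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,68,00,\
  67,00,67,00,76,00,70,00,6d,00,6d,00,66,00,00,00,00,00
"""


def parse_reg_multi_sz(reg_text):
    """Return {value_name: [strings]} for every hex(7) value in a .reg export."""
    joined = re.sub(r",\\\r?\n[ \t]*", ",", reg_text)  # glue continuation lines
    values = {}
    for m in re.finditer(r'^"([^"]+)"=hex\(7\):([0-9a-fA-F,]+)\s*$', joined, re.M):
        raw = bytes(int(h, 16) for h in m.group(2).split(",") if h)
        text = raw.decode("utf-16-le")
        values[m.group(1)] = [s for s in text.split("\x00") if s]
    return values


def read_live_lsa():
    """Read both lists from the running machine; {} when not on Windows."""
    if sys.platform != "win32":
        return {}
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, LSA_KEY) as key:
        return {name: winreg.QueryValueEx(key, name)[0] for name in BASELINE}


def normalise(entry):
    """Reduce 'c:\\windows\\system32\\hggvpmmf.dll' to 'hggvpmmf' for comparison."""
    base = entry.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return base[:-4] if base.endswith(".dll") else base


def lsa_deviations(values):
    """Entries in each LSA list that are not in the baseline, keyed by value name."""
    return {
        name: [e for e in values.get(name, []) if normalise(e) not in expected]
        for name, expected in BASELINE.items()
    }


if __name__ == "__main__":
    source = read_live_lsa() or parse_reg_multi_sz(SAMPLE_REG)
    for name, extra in lsa_deviations(source).items():
        print(f"{name}: {'clean' if not extra else 'UNEXPECTED ' + ', '.join(extra)}")
```

Because the listed DLLs load inside lsass.exe, a name that is not in the baseline is worth treating as a persistence hook until proven otherwise; an Authentication Packages entry in particular sees every local logon and can capture credentials, so after cleaning a machine with this finding, changing the passwords used on it is reasonable.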
     
  3. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    Reboot again, then:

    Please visit the ComboFix Guide & Instructions for instructions on downloading and running ComboFix; especially follow the advice about installing the Recovery Console.

    Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

    Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
    Note: ComboFix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply.
     
  4. sylixe

    sylixe Thread Starter

    Joined:
    Jul 9, 2008
    Messages:
    67
    Thanks for replying.

    Alright, this is the ComboFix log:

    ComboFix 08-10-11.02 - chewhockchye 2008-10-12 19:19:13.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.116 [GMT 8:00]
    Running from: D:\Documents and Settings\chewhockchye\Desktop\ComboFix.exe
    Command switches used :: D:\Documents and Settings\chewhockchye\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    * Created a new restore point
    * Resident AV is active

    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\IE4 Error Log.txt
    D:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    D:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    D:\Documents and Settings\chewhockchye\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat

    ----- BITS: Possible infected sites -----

    hxxp://www.graboid.com
    .
    ((((((((((((((((((((((((( Files Created from 2008-09-12 to 2008-10-12 )))))))))))))))))))))))))))))))
    .

    2008-10-11 21:36 . 2008-10-11 21:51 <DIR> d-------- C:\Eagle Eye 2008 cam XviD-KingBen (Kingdom-Release)
    2008-10-11 21:36 . 2008-10-11 21:50 <DIR> d-------- C:\Disaster Movie CAM XVID .STG
    2008-10-09 09:48 . 2008-10-09 09:48 <DIR> d-------- C:\Program Files\NHN USA
    2008-10-09 09:48 . 2008-06-17 19:28 710,064 --a------ C:\WINDOWS\system32\ijjiSetup.exe
    2008-10-09 09:48 . 2008-04-23 14:02 157,152 --a------ C:\WINDOWS\system32\PubPlugin.dll
    2008-10-09 09:48 . 2008-06-11 23:01 58,800 --a------ C:\WINDOWS\system32\ijjiPlugin2.dll
    2008-10-09 09:33 . 2008-10-09 09:33 <DIR> d-------- C:\ijji
    2008-10-07 17:38 . 2008-10-07 17:38 95,288 --ah----- C:\WINDOWS\system32\mlfcache.dat
    2008-10-07 16:25 . 2008-10-07 16:26 <DIR> d-------- C:\Program Files\Safari
    2008-10-07 15:47 . 2008-10-07 15:47 <DIR> d-------- C:\NDOORS
    2008-09-21 21:29 . 2008-09-21 21:29 34,308 --a------ C:\WINDOWS\system32\Chip.dll
    2008-09-21 21:29 . 2008-09-21 21:29 22,004 --a------ C:\WINDOWS\system32\Pvt.tmp
    2008-09-21 21:29 . 2008-09-21 21:29 224 --a------ C:\WINDOWS\mixstrings.ini
    2008-09-21 21:27 . 2008-09-21 21:27 <DIR> d-------- D:\Documents and Settings\chewhockchye\Application Data\Acoustica
    2008-09-21 21:26 . 2008-09-21 21:26 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Acoustica
    2008-09-21 21:26 . 2008-09-21 21:26 <DIR> d-------- C:\Program Files\Acoustica Shared Effects
    2008-09-21 21:26 . 2008-09-21 21:29 <DIR> d-------- C:\Program Files\Acoustica Mixcraft 4
    2008-09-21 21:26 . 2007-08-07 11:32 57,344 --a------ C:\WINDOWS\system32\Wnaspint.dll
    2008-09-21 21:00 . 2008-09-21 21:03 <DIR> d-------- C:\Easy Music Composer
    2008-09-21 20:39 . 2008-09-21 20:39 <DIR> d-------- C:\Program Files\Musicnotes

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-10-12 11:20 --------- d-----w D:\Documents and Settings\chewhockchye\Application Data\BitTorrent
    2008-10-12 11:14 --------- d-----w D:\Documents and Settings\chewhockchye\Application Data\DNA
    2008-10-12 04:47 --------- d-----w C:\Program Files\Garena
    2008-10-11 16:01 15,442 ----a-w C:\WINDOWS\system32\Fxxplfnt.tmp
    2008-10-11 16:00 5,427 ----a-w C:\WINDOWS\system32\EGATHDRV.SYS
    2008-10-10 12:25 --------- d-----w D:\Documents and Settings\All Users\Application Data\Microsoft Help
    2008-10-10 10:17 --------- d-----w D:\Documents and Settings\chewhockchye\Application Data\U3
    2008-10-10 09:40 --------- d-----w D:\Documents and Settings\chewhockchye\Application Data\Spyware Terminator
    2008-10-10 09:40 --------- d-----w C:\Program Files\Spyware Terminator
    2008-10-09 13:07 --------- d-----w C:\Program Files\Windows Live Safety Center
    2008-10-09 06:15 --------- d-----w D:\Documents and Settings\chewhockchye\Application Data\DMCache
    2008-10-09 02:26 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
    2008-10-09 02:13 --------- d---a-w D:\Documents and Settings\All Users\Application Data\TEMP
    2008-10-09 02:13 --------- d-----w C:\Program Files\Spyware Doctor
    2008-10-09 02:12 --------- d-----w C:\Program Files\Graboid
    2008-10-09 01:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-10-09 01:45 --------- d--h--w D:\Documents and Settings\chewhockchye\Application Data\ijjigame
    2008-10-08 16:45 --------- d-----w D:\Documents and Settings\All Users\Application Data\Spyware Terminator
    2008-10-08 13:22 --------- d-----w C:\Program Files\WinClamAVShield
    2008-10-07 08:39 --------- d-----w C:\Program Files\XoftSpySE
    2008-10-07 08:27 --------- d-----w D:\Documents and Settings\chewhockchye\Application Data\Apple Computer
    2008-10-07 07:45 --------- d-----w C:\Program Files\SpywareBlaster
    2008-09-19 13:26 --------- d-----w C:\Program Files\DNA
    2008-09-09 16:04 38,528 ----a-w C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-09-09 16:03 17,200 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
    2008-09-03 12:26 --------- d-----w C:\Program Files\Messenger Plus! Live
    2008-08-27 07:30 24 ----a-w D:\Documents and Settings\chewhockchye\jagex_runescape_preferences.dat
    2008-08-25 09:41 --------- d-----w C:\Program Files\CyberPower Audio Editing Lab
    2008-08-25 09:41 --------- d-----w C:\Program Files\Advanced System Optimizer
    2008-08-25 09:23 --------- d-----w D:\Documents and Settings\chewhockchye\Application Data\Uniblue
    2008-08-25 09:21 --------- d-----w C:\Program Files\Uniblue
    2008-08-24 02:47 --------- d-----w C:\Program Files\Incomplete
    2008-08-24 02:40 --------- d-----w C:\Program Files\LimeWire
    2008-08-24 02:38 --------- d-----w D:\Documents and Settings\chewhockchye\Application Data\LimeWire
    2008-08-23 00:09 141,312 ----a-w C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
    2008-08-22 06:06 --------- d-----w C:\Program Files\Microsoft Silverlight
    2008-08-19 10:34 --------- d-----w C:\Program Files\Softnyx
    2008-08-16 08:31 --------- d-----w C:\Program Files\BitTorrent
    2008-08-15 09:16 --------- d-----w C:\Program Files\UPHClean
    2008-08-14 11:05 --------- d-----w C:\Program Files\Google
    2008-08-13 13:47 --------- d-----w D:\Documents and Settings\chewhockchye\Application Data\NCH Swift Sound
    2008-08-13 13:47 --------- d-----w C:\Program Files\NCH Swift Sound
    2008-08-13 13:42 --------- d-----w C:\Program Files\Blubster
    2008-08-13 10:42 --------- d-----w C:\Program Files\MSECACHE
    2008-08-12 13:46 --------- d-----w D:\Documents and Settings\chewhockchye\Application Data\gtk-2.0
    2008-08-11 02:55 81,984 ----a-w C:\WINDOWS\system32\bdod.bin
    2008-07-18 14:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
    2008-07-18 14:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2008-07-18 14:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
    2008-07-18 14:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
    2008-07-18 14:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
    2008-07-18 14:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2008-07-18 14:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
    2008-07-18 14:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
    2008-05-11 09:18 77,400 ----a-w D:\Documents and Settings\chewhockchye\Application Data\GDIPFONTCACHEV1.DAT
    2006-10-03 01:05 70,040 ----a-w D:\Documents and Settings\owweikuen\Application Data\GDIPFONTCACHEV1.DAT
    2008-04-22 23:49 544,800 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
    2008-04-22 23:49 31,776 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
    "MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2008-06-02 5724184]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 1694208]
    "Uniblue SpeedUpMyPC"="C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe" [2008-04-02 9442584]
    "BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-09-19 289088]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PWRMGRTR"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2005-12-07 151552]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2008-08-23 1783808]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
    2006-02-01 13:13 32768 C:\Program Files\ThinkPad\ConnectUtilities\ACNotify.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
    2005-12-09 05:59 39936 C:\WINDOWS\system32\psqlpwd.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
    2005-12-01 11:16 24576 C:\WINDOWS\system32\tphklock.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=lxtndo.dll

    [HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

    [HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
    backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACTray]
    --------- 2006-02-01 13:19 409600 C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACWLIcon]
    --------- 2006-02-01 13:12 98304 C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BLOG]
    --------- 2005-12-07 16:12 208896 C:\PROGRA~1\ThinkPad\UTILIT~1\BATLOGEX.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cssauth]
    --------- 2005-12-22 09:08 1996336 C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray]
    --------- 2005-11-30 01:55 196696 C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
    --a------ 2006-02-02 05:20 122940 C:\WINDOWS\system32\DLA\DLACTRLW.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EZEJMNAP]
    --------- 2005-11-17 17:22 237568 C:\PROGRA~1\ThinkPad\UTILIT~1\EZEJMNAP.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
    --a------ 2005-12-15 08:27 77824 C:\WINDOWS\system32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
    --a------ 2005-12-15 08:31 118784 C:\WINDOWS\system32\igfxpers.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
    --a------ 2005-12-15 08:30 98304 C:\WINDOWS\system32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
    --------- 2004-08-04 20:00 208952 C:\WINDOWS\ime\imjp8_1\imjpmig.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iPCCheck]
    --------- 2004-07-24 08:38 282624 C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    --a------ 2005-08-11 15:30 249856 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    --a------ 2005-08-11 15:30 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LPManager]
    --------- 2005-11-24 16:02 106496 C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]
    --------- 2006-11-17 13:39 136768 C:\Program Files\McAfee\Common Framework\UdaterUI.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --------- 2004-10-14 00:24 1694208 C:\Program Files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
    --a------ 2004-08-04 20:00 59392 C:\WINDOWS\system32\IME\PINTLGNT\IMSCINST.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDService.exe]
    -r------- 2005-11-16 04:13 49152 C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
    --a------ 2004-08-04 20:00 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
    --a------ 2004-08-04 20:00 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShStatEXE]
    --------- 2006-11-30 08:50 112216 C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
    --------- 2005-05-07 05:06 716800 C:\Program Files\Analog Devices\SoundMAX\SMax4.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
    --------- 2005-12-16 05:19 925696 C:\Program Files\Analog Devices\Core\smax4pnp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\suScheduler]
    --------- 2005-08-02 08:32 40960 C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPHOTKEY]
    --------- 2006-03-10 07:14 94208 C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPKMAPHELPER]
    --------- 2005-10-29 10:04 864256 C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mouse Suite 98 Daemon]
    --a------ 2003-11-20 14:08 57344 C:\WINDOWS\system32\ico.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TP4EX]
    --a------ 2005-10-17 16:11 65536 C:\WINDOWS\system32\TP4EX.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TpShocks]
    --a------ 2005-11-08 02:14 106496 C:\WINDOWS\system32\TpShocks.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrackPointSrv]
    --a------ 2005-07-13 18:55 94208 C:\WINDOWS\system32\tp4serv.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\DNA\\btdna.exe"=
    "C:\\Program Files\\BitTorrent\\bittorrent.exe"=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=
    "C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "C:\\Program Files\\Softnyx\\WolfTeam\\Wolfteam.bin"=
    "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\Garena\\Garena.exe"=
    "C:\\Program Files\\LimeWire\\LimeWire.exe"=
    "C:\\ijji\\ENGLISH\\u_gunz.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "6681:TCP"= 6681:TCP:a
    "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

    R0 Shockprf;Shockprf;C:\WINDOWS\system32\drivers\Shockprf.sys [2005-12-01 85760]
    R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2005-11-09 11520]
    R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\Drivers\IBMBLDID.sys [2006-01-13 6016]
    R1 ShockMgr;ShockMgr;C:\WINDOWS\system32\drivers\ShockMgr.sys [2005-06-21 4736]
    R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2008-08-23 141312]
    R1 TPPWRIF;TPPWRIF;C:\WINDOWS\system32\drivers\Tppwrif.sys [2005-12-07 4442]
    R2 ibmfilter;ibmfilter;C:\WINDOWS\system32\drivers\ibmfilter.sys [2005-12-22 12544]
    R2 MDC80211;iPass Protocol (IEEE 802.1x) v2.3.1.9;C:\WINDOWS\system32\DRIVERS\mdc80211.sys [2006-08-17 15793]
    R2 PrivateDisk;PrivateDisk;C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\PrivateDiskM.sys [2005-11-16 46142]
    R2 smi2;smi2;C:\Program Files\SMI2\smi2.sys [2005-12-22 3968]
    R2 smihlp;SMI helper driver;C:\Program Files\ThinkVantage Fingerprint Software\smihlp.sys [2005-12-09 3328]
    R3 Astdi;Astdi;C:\Program Files\Aventail\Connect\asnttdi.sys [2005-07-29 126917]
    R3 Tp4Track;PS/2 TrackPoint Driver;C:\WINDOWS\system32\DRIVERS\tp4track.sys [2005-07-13 13840]
    S3 Ascrypto;Ascrypto;C:\Program Files\Aventail\Connect\ascrypto.sys [2005-07-29 219299]
    S3 pelmouse;Mouse Suite Driver;C:\WINDOWS\system32\DRIVERS\pelmouse.sys [2003-01-10 16384]
    S3 pelusblf;USB Mouse Low Filter Driver;C:\WINDOWS\system32\DRIVERS\pelusblf.sys [2003-02-11 9216]
    S3 XDva181;XDva181;C:\WINDOWS\system32\XDva181.sys [ ]
    S3 XDva186;XDva186;C:\WINDOWS\system32\XDva186.sys [ ]
    S3 XDva187;XDva187;C:\WINDOWS\system32\XDva187.sys [ ]
    S3 XDva189;XDva189;C:\WINDOWS\system32\XDva189.sys [ ]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bdx REG_MULTI_SZ scan

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    \Shell\AutoRun\command - E:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2bedf767-2e0c-11db-aa3b-001302526625}]
    \Shell\AutoRun\command - E:\AutoRun.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{acab544d-6ddc-11dd-8d47-001302adcfae}]
    \Shell\AutoRun\command - E:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{acab544e-6ddc-11dd-8d47-001302adcfae}]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL systime.exe
    \shellLAuto\command - systime.exe

    *Newly Created Service* - CATCHME
    .
    Contents of the 'Scheduled Tasks' folder

    2008-10-07 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe []

    2008-10-11 C:\WINDOWS\Tasks\PMTask.job
    - C:\PROGRA~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2005-12-07 16:12]

    2008-10-07 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job
    - C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [2008-04-02 09:50]

    2008-08-25 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job
    - C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [2008-04-02 09:50]

    2008-10-12 C:\WINDOWS\Tasks\XoftSpySE 2.job
    - C:\Program Files\XoftSpySE\XoftSpy.exe [2008-08-07 03:25]

    2008-08-14 C:\WINDOWS\Tasks\XoftSpySE.job
    - C:\Program Files\XoftSpySE\XoftSpy.exe [2008-08-07 03:25]
    .
    - - - - ORPHANS REMOVED - - - -

    MSConfigStartUp-BDAgent - C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
    MSConfigStartUp-BitDefender Antiphishing Helper - C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe
    MSConfigStartUp-IDMan - D:\Documents and Settings\chewhockchye\Desktop\IDMan\IDMan.exe
    MSConfigStartUp-Steam - C:\Valve\Steam\Steam.exe
    MSConfigStartUp-SunJavaUpdateSched - C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe


    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - D:\Documents and Settings\chewhockchye\Application Data\Mozilla\Firefox\Profiles\nzhetepn.default\
    FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
    FF -: plugin - C:\Program Files\DNA\plugins\npbtdna.dll
    FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
    FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npbittorrent.dll
    FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
    FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npmusicn.dll
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-10-12 19:23:21
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\Program Files\ThinkPad\ConnectUtilities\AcSvcStub.dll
    -> C:\Program Files\ThinkPad\ConnectUtilities\AcLocSettings.dll
    -> C:\Program Files\ThinkPad\ConnectUtilities\ACHelper.dll
    -> C:\WINDOWS\system32\tphklock.dll
    .
    Completion time: 2008-10-12 19:27:14
    ComboFix-quarantined-files.txt 2008-10-12 11:27:07

    Pre-Run: 1,286,770,688 bytes free
    Post-Run: 1,268,977,664 bytes free

    302 --- E O F --- 2008-09-13 12:08:59
     
  5. sylixe

    sylixe Thread Starter

    Joined:
    Jul 9, 2008
    Messages:
    67
    Sorry, I had to break it into 2 parts; if the 2 parts were together, it exceeds the 30k limit.

    Anyway, this is the HJT log as requested:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 19:32, on 2008-10-12
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Aventail\Connect\as32svc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\IPSSVC.EXE
    C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\lotus\notes\ntmulti.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\Spyware Terminator\sp_rsser.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\TPHDEXLG.EXE
    C:\WINDOWS\system32\TpKmpSVC.exe
    C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
    C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
    C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
    C:\Program Files\UPHClean\uphclean.exe
    C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
    C:\Program Files\IBM ThinkVantage\Common\Logger\logmon.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\DNA\btdna.exe
    C:\Program Files\Windows Live\Messenger\usnsvc.exe
    C:\Program Files\BitTorrent\bittorrent.exe
    D:\DOCUME~1\template\LOCALS~1\Temp\Rar$EX00.391\AQ Elite [Lore3433]\AQ Elite.exe
    C:\Program Files\Garena\Garena.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O3 - Toolbar: (no name) - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - (no file)
    O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O11 - Options group: [JAVA_IBM] Java (IBM)
    O14 - IERESET.INF: START_PAGE_URL=http://intranet.home.capitaland.com/
    O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {377FF862-62E0-4F33-B6E5-F58E0BC0F209} (NlsComm Component Class) - http://login.hanbiton.com/cab/NLSnSSO.cab
    O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://mail.capitaland.com/iNotes6W.cab
    O16 - DPF: {5EDB10D9-7E95-4833-A218-62F375DAFCF1} - https://secura.capitaland.com/postauthI/epi.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://cfl.webex.com/client/v_mywebex-t20/webex/ieatgpc.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dc.capitaland.com
    O17 - HKLM\Software\..\Telephony: DomainName = dc.capitaland.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dc.capitaland.com
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = dc.capitaland.com
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
    O18 - Protocol: qvp - {4BA78E3D-CA25-4BFF-B8F0-8A3359E4B520} - C:\Program Files\QlikView\QvProtocol\qvp.dll
    O20 - AppInit_DLLs: lxtndo.dll
    O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
    O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
    O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Aventail Connect (As32Svc) - Aventail Corporation - C:\Program Files\Aventail\Connect\as32svc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
    O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\lotus\notes\ntmulti.exe
    O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
    O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
    O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
    O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
    O23 - Service: TVT Backup Service - Unknown owner - C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
    O23 - Service: TVT Scheduler - Unknown owner - C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
    O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe

    --
    End of file - 9066 bytes
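The HJT and ComboFix logs above are read by hand in this thread. As an added example (not part of the forum posts, and not a feature of HijackThis or ComboFix), the script below runs a small set of triage heuristics over lines copied from those logs: the local ProxyServer, the `(no file)` orphans, the `AppInit_DLLs` entry, the silenced Security Center notifications, the non-default svchost group, and the MountPoints2 AutoRun handlers. The rule set, severities and explanations are this editor's assumptions about what a malware helper checks first, not signatures for any named malware family; the sample lines are the ones posted above.

```python
"""Triage heuristics for HijackThis / ComboFix log lines (added example).

Not part of the thread and not a HijackThis or ComboFix feature. SAMPLE_LOG
is copied from the logs posted above; the rules below are generic triage
heuristics (an assumption), not signatures for a specific malware family.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: lines copied from the HJT and ComboFix logs posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O3 - Toolbar: (no name) - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O20 - AppInit_DLLs: lxtndo.dll
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
bdx REG_MULTI_SZ scan
\Shell\AutoRun\command - E:\LaunchU3.exe -a
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL systime.exe
"""


@dataclass
class Finding:
    rule: str
    severity: int  # 1 = review, 2 = suspicious, 3 = strong indicator (assumed scale)
    line: str
    why: str


# (rule id, regex, severity, explanation). Heuristics, not signatures.
RULES = [
    ("proxy-localhost", re.compile(r"ProxyServer = 127\.0\.0\.1:\d+"), 3,
     "browser traffic forced through a local listener; common with hijackers, "
     "but local filters do this too, so confirm what owns the port"),
    ("appinit-dll", re.compile(r"^O20 - AppInit_DLLs: \S"), 3,
     "AppInit_DLLs is loaded into every process that loads user32.dll"),
    ("orphan-entry", re.compile(r"\(no file\)\s*$"), 1,
     "registry entry whose target file is gone; usually leftovers"),
    ("seccenter-notify-off",
     re.compile(r'"(AntiVirus|Firewall|Updates)DisableNotify"=dword:00000001'), 2,
     "Security Center warnings silenced; malware does this, some AV suites do too"),
    ("svchost-group", re.compile(r"^\S+ REG_MULTI_SZ \S+"), 2,
     "ComboFix hides default svchost groups, so check the service this one hosts"),
]

AUTORUN = re.compile(r"\\Shell\\AutoRun\\command - (?P<cmd>.+)$")


def check_autorun(line: str) -> Optional[Finding]:
    """Flag drive AutoRun handlers launched via rundll32 or a bare file name."""
    m = AUTORUN.search(line)
    if not m:
        return None
    cmd = m.group("cmd")
    target = cmd.split()[0]  # first token is the program being run
    if "rundll32" in cmd.lower() or not re.match(r"^[A-Za-z]:\\", target):
        return Finding("autorun-indirect", 3, line.strip(),
                       "AutoRun target is unqualified or wrapped in rundll32")
    return Finding("autorun-present", 1, line.strip(),
                   "drive AutoRun handler recorded under MountPoints2")


def triage(log_text: str) -> List[Finding]:
    """Apply every rule to every non-empty line; strongest findings first."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for rule, rx, sev, why in RULES:
            if rx.search(line):
                findings.append(Finding(rule, sev, line, why))
        hit = check_autorun(line)
        if hit:
            findings.append(hit)
    return sorted(findings, key=lambda f: -f.severity)


def strong_indicators(findings: List[Finding]) -> List[str]:
    """Rule ids that fired at the highest severity, deduplicated and sorted."""
    return sorted({f.rule for f in findings if f.severity == 3})


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.rule:22} {f.line}\n    {f.why}")
```

Each hit carries its reason so a reader can argue with it; a local proxy or a disabled notification is only a lead until the listening process or the AV product is identified, which is why those rules are not all scored as strong indicators.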
     
  6. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    Download the attached CFScript.txt and save it to your desktop (click on the link underneath this post; if you are using Internet Explorer, when the "File Download" pop-up comes, press SAVE, choose Desktop in the list of selections in that window and press Save).

    Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before going any further.

    Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

    This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

    Remember to re-enable any disabled antivirus etc. BEFORE reconnecting to the net.

    Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

    This will create a zip file inside C:\QooBox\ named something like [38][email protected].

    At the end it will pop up an alert and open your browser and ask you to send the zip file.

    Please follow those instructions. We need to see the zip file before we can carry on with the fix.

    If there is no pop-up alert or open browser, then

    please go to http://www.thespykiller.co.uk/index.php?board=1.0 and upload these files so I can examine them and, if needed, distribute them to antivirus companies.
    Just press New Topic, fill in the needed details and give a link to your post here, then press the Browse button and navigate to and select the files on your computer. If there is more than 1 file, press the More Attachments button for each extra file and browse and select it, and when all the files are listed in the window press Send to upload the files (do not post HJT logs there, as they will not get dealt with).

    Files to submit:
    the zip file inside C:\QooBox\ created by ComboFix, named something like [38][email protected]
     
  7. ~Candy~

    ~Candy~ Retired Administrator

    Joined:
    Jan 27, 2001
    Messages:
    103,706
    Is this a work computer?
     
  8. sylixe

    sylixe Thread Starter

    Joined:
    Jul 9, 2008
    Messages:
    67
    Alright, done. Sent the zip file as requested.

    Oh, and AcaCandy, yes, this is a company computer, but my father is not working for them anymore, so it's inappropriate to send it back?


    This is the ComboFix log as requested:
    ComboFix 08-10-11.04 - chewhockchye 2008-10-13 18:56:47.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.165 [GMT 8:00]
    Running from: D:\Documents and Settings\chewhockchye\Desktop\ComboFix.exe
    Command switches used :: D:\Documents and Settings\chewhockchye\Desktop\CFScript.txt
    * Created a new restore point
    * Resident AV is active

    .

    ((((((((((((((((((((((((( Files Created from 2008-09-13 to 2008-10-13 )))))))))))))))))))))))))))))))
    .

    2008-10-11 21:36 . 2008-10-11 21:51 <DIR> d-------- C:\Eagle Eye 2008 cam XviD-KingBen (Kingdom-Release)
    2008-10-11 21:36 . 2008-10-11 21:50 <DIR> d-------- C:\Disaster Movie CAM XVID .STG
    2008-10-09 09:48 . 2008-10-09 09:48 <DIR> d-------- C:\Program Files\NHN USA
    2008-10-09 09:48 . 2008-06-17 19:28 710,064 --a------ C:\WINDOWS\system32\ijjiSetup.exe
    2008-10-09 09:48 . 2008-04-23 14:02 157,152 --a------ C:\WINDOWS\system32\PubPlugin.dll
    2008-10-09 09:48 . 2008-06-11 23:01 58,800 --a------ C:\WINDOWS\system32\ijjiPlugin2.dll
    2008-10-09 09:33 . 2008-10-09 09:33 <DIR> d-------- C:\ijji
    2008-10-07 17:38 . 2008-10-07 17:38 95,288 --ah----- C:\WINDOWS\system32\mlfcache.dat
    2008-10-07 16:25 . 2008-10-07 16:26 <DIR> d-------- C:\Program Files\Safari
    2008-10-07 15:47 . 2008-10-07 15:47 <DIR> d-------- C:\NDOORS
    2008-09-21 21:29 . 2008-09-21 21:29 34,308 --a------ C:\WINDOWS\system32\Chip.dll
    2008-09-21 21:29 . 2008-09-21 21:29 22,004 --a------ C:\WINDOWS\system32\Pvt.tmp
    2008-09-21 21:29 . 2008-09-21 21:29 224 --a------ C:\WINDOWS\mixstrings.ini
    2008-09-21 21:27 . 2008-09-21 21:27 <DIR> d-------- D:\Documents and Settings\chewhockchye\Application Data\Acoustica
    2008-09-21 21:26 . 2008-09-21 21:26 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Acoustica
    2008-09-21 21:26 . 2008-09-21 21:26 <DIR> d-------- C:\Program Files\Acoustica Shared Effects
    2008-09-21 21:26 . 2008-09-21 21:29 <DIR> d-------- C:\Program Files\Acoustica Mixcraft 4
    2008-09-21 21:26 . 2007-08-07 11:32 57,344 --a------ C:\WINDOWS\system32\Wnaspint.dll
    2008-09-21 21:00 . 2008-09-21 21:03 <DIR> d-------- C:\Easy Music Composer
    2008-09-21 20:39 . 2008-09-21 20:39 <DIR> d-------- C:\Program Files\Musicnotes

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-10-13 10:51 --------- d-----w D:\Documents and Settings\chewhockchye\Application Data\DNA
    2008-10-13 10:51 --------- d-----w D:\Documents and Settings\chewhockchye\Application Data\BitTorrent
    2008-10-12 11:45 --------- d-----w C:\Program Files\Garena
    2008-10-11 16:01 15,442 ----a-w C:\WINDOWS\system32\Fxxplfnt.tmp
    2008-10-11 16:00 5,427 ----a-w C:\WINDOWS\system32\EGATHDRV.SYS
    2008-10-10 12:25 --------- d-----w D:\Documents and Settings\All Users\Application Data\Microsoft Help
    2008-10-10 10:20 --------- d-----w D:\Documents and Settings\chewhockchye\Application Data\U3
    2008-10-10 09:40 --------- d-----w D:\Documents and Settings\chewhockchye\Application Data\Spyware Terminator
    2008-10-10 09:40 --------- d-----w C:\Program Files\Spyware Terminator
    2008-10-09 13:07 --------- d-----w C:\Program Files\Windows Live Safety Center
    2008-10-09 06:15 --------- d-----w D:\Documents and Settings\chewhockchye\Application Data\DMCache
    2008-10-09 02:26 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
    2008-10-09 02:13 --------- d---a-w D:\Documents and Settings\All Users\Application Data\TEMP
    2008-10-09 02:13 --------- d-----w C:\Program Files\Spyware Doctor
    2008-10-09 02:12 --------- d-----w C:\Program Files\Graboid
    2008-10-09 01:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-10-09 01:45 --------- d--h--w D:\Documents and Settings\chewhockchye\Application Data\ijjigame
    2008-10-08 16:45 --------- d-----w D:\Documents and Settings\All Users\Application Data\Spyware Terminator
    2008-10-08 13:22 --------- d-----w C:\Program Files\WinClamAVShield
    2008-10-07 08:39 --------- d-----w C:\Program Files\XoftSpySE
    2008-10-07 08:27 --------- d-----w D:\Documents and Settings\chewhockchye\Application Data\Apple Computer
    2008-10-07 07:45 --------- d-----w C:\Program Files\SpywareBlaster
    2008-09-19 13:26 --------- d-----w C:\Program Files\DNA
    2008-09-09 16:04 38,528 ----a-w C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-09-09 16:03 17,200 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
    2008-09-03 12:26 --------- d-----w C:\Program Files\Messenger Plus! Live
    2008-08-27 07:30 24 ----a-w D:\Documents and Settings\chewhockchye\jagex_runescape_preferences.dat
    2008-08-25 09:41 --------- d-----w C:\Program Files\CyberPower Audio Editing Lab
    2008-08-25 09:41 --------- d-----w C:\Program Files\Advanced System Optimizer
    2008-08-25 09:23 --------- d-----w D:\Documents and Settings\chewhockchye\Application Data\Uniblue
    2008-08-25 09:21 --------- d-----w C:\Program Files\Uniblue
    2008-08-24 02:47 --------- d-----w C:\Program Files\Incomplete
    2008-08-24 02:40 --------- d-----w C:\Program Files\LimeWire
    2008-08-24 02:38 --------- d-----w D:\Documents and Settings\chewhockchye\Application Data\LimeWire
    2008-08-23 00:09 141,312 ----a-w C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
    2008-08-22 06:06 --------- d-----w C:\Program Files\Microsoft Silverlight
    2008-08-19 10:34 --------- d-----w C:\Program Files\Softnyx
    2008-08-16 08:31 --------- d-----w C:\Program Files\BitTorrent
    2008-08-15 09:16 --------- d-----w C:\Program Files\UPHClean
    2008-08-14 11:05 --------- d-----w C:\Program Files\Google
    2008-08-13 13:47 --------- d-----w D:\Documents and Settings\chewhockchye\Application Data\NCH Swift Sound
    2008-08-13 13:47 --------- d-----w C:\Program Files\NCH Swift Sound
    2008-08-13 13:42 --------- d-----w C:\Program Files\Blubster
    2008-08-13 10:42 --------- d-----w C:\Program Files\MSECACHE
    2008-08-11 02:55 81,984 ----a-w C:\WINDOWS\system32\bdod.bin
    2008-07-26 09:36 4,224 ----a-w C:\WINDOWS\system32\dllcache\beep.sys
    2008-07-18 14:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
    2008-07-18 14:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
    2008-07-18 14:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2008-07-18 14:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
    2008-07-18 14:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
    2008-07-18 14:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
    2008-07-18 14:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
    2008-07-18 14:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
    2008-07-18 14:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
    2008-07-18 14:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
    2008-07-18 14:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2008-07-18 14:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
    2008-07-18 14:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
    2008-07-18 14:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
    2008-05-11 09:18 77,400 ----a-w D:\Documents and Settings\chewhockchye\Application Data\GDIPFONTCACHEV1.DAT
    2006-10-03 01:05 70,040 ----a-w D:\Documents and Settings\owweikuen\Application Data\GDIPFONTCACHEV1.DAT
    2008-04-22 23:49 544,800 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
    2008-04-22 23:49 31,776 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
    "MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2008-06-02 5724184]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 1694208]
    "Uniblue SpeedUpMyPC"="C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe" [2008-04-02 9442584]
    "BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-09-19 289088]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PWRMGRTR"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2005-12-07 151552]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2008-08-23 1783808]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
    2006-02-01 13:13 32768 C:\Program Files\ThinkPad\ConnectUtilities\ACNotify.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
    2005-12-09 05:59 39936 C:\WINDOWS\system32\psqlpwd.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
    2005-12-01 11:16 24576 C:\WINDOWS\system32\tphklock.dll

    [HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

    [HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
    backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACTray]
    --------- 2006-02-01 13:19 409600 C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACWLIcon]
    --------- 2006-02-01 13:12 98304 C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BLOG]
    --------- 2005-12-07 16:12 208896 C:\PROGRA~1\ThinkPad\UTILIT~1\BATLOGEX.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cssauth]
    --------- 2005-12-22 09:08 1996336 C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray]
    --------- 2005-11-30 01:55 196696 C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
    --a------ 2006-02-02 05:20 122940 C:\WINDOWS\system32\DLA\DLACTRLW.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EZEJMNAP]
    --------- 2005-11-17 17:22 237568 C:\PROGRA~1\ThinkPad\UTILIT~1\EZEJMNAP.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
    --a------ 2005-12-15 08:27 77824 C:\WINDOWS\system32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
    --a------ 2005-12-15 08:31 118784 C:\WINDOWS\system32\igfxpers.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
    --a------ 2005-12-15 08:30 98304 C:\WINDOWS\system32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
    --------- 2004-08-04 20:00 208952 C:\WINDOWS\ime\imjp8_1\imjpmig.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iPCCheck]
    --------- 2004-07-24 08:38 282624 C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    --a------ 2005-08-11 15:30 249856 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    --a------ 2005-08-11 15:30 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LPManager]
    --------- 2005-11-24 16:02 106496 C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]
    --------- 2006-11-17 13:39 136768 C:\Program Files\McAfee\Common Framework\UdaterUI.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --------- 2004-10-14 00:24 1694208 C:\Program Files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
    --a------ 2004-08-04 20:00 59392 C:\WINDOWS\system32\IME\PINTLGNT\IMSCINST.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDService.exe]
    -r------- 2005-11-16 04:13 49152 C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
    --a------ 2004-08-04 20:00 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
    --a------ 2004-08-04 20:00 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShStatEXE]
    --------- 2006-11-30 08:50 112216 C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
    --------- 2005-05-07 05:06 716800 C:\Program Files\Analog Devices\SoundMAX\SMax4.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
    --------- 2005-12-16 05:19 925696 C:\Program Files\Analog Devices\Core\smax4pnp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\suScheduler]
    --------- 2005-08-02 08:32 40960 C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPHOTKEY]
    --------- 2006-03-10 07:14 94208 C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPKMAPHELPER]
    --------- 2005-10-29 10:04 864256 C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mouse Suite 98 Daemon]
    --a------ 2003-11-20 14:08 57344 C:\WINDOWS\system32\ico.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TP4EX]
    --a------ 2005-10-17 16:11 65536 C:\WINDOWS\system32\TP4EX.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TpShocks]
    --a------ 2005-11-08 02:14 106496 C:\WINDOWS\system32\TpShocks.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrackPointSrv]
    --a------ 2005-07-13 18:55 94208 C:\WINDOWS\system32\tp4serv.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\DNA\\btdna.exe"=
    "C:\\Program Files\\BitTorrent\\bittorrent.exe"=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=
    "C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "C:\\Program Files\\Softnyx\\WolfTeam\\Wolfteam.bin"=
    "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\Garena\\Garena.exe"=
    "C:\\Program Files\\LimeWire\\LimeWire.exe"=
    "C:\\ijji\\ENGLISH\\u_gunz.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "6681:TCP"= 6681:TCP:a
    "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

    R0 Shockprf;Shockprf;C:\WINDOWS\system32\drivers\Shockprf.sys [2005-12-01 85760]
    R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2005-11-09 11520]
    R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\Drivers\IBMBLDID.sys [2006-01-13 6016]
    R1 ShockMgr;ShockMgr;C:\WINDOWS\system32\drivers\ShockMgr.sys [2005-06-21 4736]
    R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2008-08-23 141312]
    R1 TPPWRIF;TPPWRIF;C:\WINDOWS\system32\drivers\Tppwrif.sys [2005-12-07 4442]
    R2 ibmfilter;ibmfilter;C:\WINDOWS\system32\drivers\ibmfilter.sys [2005-12-22 12544]
    R2 MDC80211;iPass Protocol (IEEE 802.1x) v2.3.1.9;C:\WINDOWS\system32\DRIVERS\mdc80211.sys [2006-08-17 15793]
    R2 PrivateDisk;PrivateDisk;C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\PrivateDiskM.sys [2005-11-16 46142]
    R2 smi2;smi2;C:\Program Files\SMI2\smi2.sys [2005-12-22 3968]
    R2 smihlp;SMI helper driver;C:\Program Files\ThinkVantage Fingerprint Software\smihlp.sys [2005-12-09 3328]
    R3 Astdi;Astdi;C:\Program Files\Aventail\Connect\asnttdi.sys [2005-07-29 126917]
    R3 Tp4Track;PS/2 TrackPoint Driver;C:\WINDOWS\system32\DRIVERS\tp4track.sys [2005-07-13 13840]
    S3 Ascrypto;Ascrypto;C:\Program Files\Aventail\Connect\ascrypto.sys [2005-07-29 219299]
    S3 pelmouse;Mouse Suite Driver;C:\WINDOWS\system32\DRIVERS\pelmouse.sys [2003-01-10 16384]
    S3 pelusblf;USB Mouse Low Filter Driver;C:\WINDOWS\system32\DRIVERS\pelusblf.sys [2003-02-11 9216]
    S3 XDva181;XDva181;C:\WINDOWS\system32\XDva181.sys [ ]
    S3 XDva186;XDva186;C:\WINDOWS\system32\XDva186.sys [ ]
    S3 XDva187;XDva187;C:\WINDOWS\system32\XDva187.sys [ ]
    S3 XDva189;XDva189;C:\WINDOWS\system32\XDva189.sys [ ]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bdx REG_MULTI_SZ scan

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    \Shell\AutoRun\command - E:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2bedf767-2e0c-11db-aa3b-001302526625}]
    \Shell\AutoRun\command - E:\AutoRun.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{acab544d-6ddc-11dd-8d47-001302adcfae}]
    \Shell\AutoRun\command - E:\LaunchU3.exe -a

    *Newly Created Service* - CATCHME
    .
    Contents of the 'Scheduled Tasks' folder

    2008-10-07 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe []

    2008-10-11 C:\WINDOWS\Tasks\PMTask.job
    - C:\PROGRA~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2005-12-07 16:12]

    2008-10-07 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job
    - C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [2008-04-02 09:50]

    2008-08-25 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job
    - C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [2008-04-02 09:50]

    2008-10-12 C:\WINDOWS\Tasks\XoftSpySE 2.job
    - C:\Program Files\XoftSpySE\XoftSpy.exe [2008-08-07 03:25]

    2008-08-14 C:\WINDOWS\Tasks\XoftSpySE.job
    - C:\Program Files\XoftSpySE\XoftSpy.exe [2008-08-07 03:25]
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-10-13 18:59:51
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\Program Files\ThinkPad\ConnectUtilities\AcSvcStub.dll
    -> C:\Program Files\ThinkPad\ConnectUtilities\AcLocSettings.dll
    -> C:\Program Files\ThinkPad\ConnectUtilities\ACHelper.dll
    -> C:\WINDOWS\system32\tphklock.dll
    .
    Completion time: 2008-10-13 19:03:28
    ComboFix-quarantined-files.txt 2008-10-13 11:03:13
    ComboFix2.txt 2008-10-12 11:27:16

    Pre-Run: 1,255,436,288 bytes free
    Post-Run: 1,237,061,632 bytes free

    277 --- E O F --- 2008-09-13 12:08:59
     
  9. sylixe

    sylixe Thread Starter

    Joined:
    Jul 9, 2008
    Messages:
    67
    and the HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 19:08, on 2008-10-13
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Aventail\Connect\as32svc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\IPSSVC.EXE
    C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\lotus\notes\ntmulti.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\Spyware Terminator\sp_rsser.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\TPHDEXLG.EXE
    C:\WINDOWS\system32\TpKmpSVC.exe
    C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
    C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
    C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
    C:\Program Files\UPHClean\uphclean.exe
    C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
    C:\Program Files\IBM ThinkVantage\Common\Logger\logmon.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\DNA\btdna.exe
    C:\Program Files\Windows Live\Messenger\usnsvc.exe
    C:\Program Files\BitTorrent\bittorrent.exe
    C:\Program Files\Garena\Garena.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Safari\Safari.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O3 - Toolbar: (no name) - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - (no file)
    O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O11 - Options group: [JAVA_IBM] Java (IBM)
    O14 - IERESET.INF: START_PAGE_URL=http://intranet.home.capitaland.com/
    O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {377FF862-62E0-4F33-B6E5-F58E0BC0F209} (NlsComm Component Class) - http://login.hanbiton.com/cab/NLSnSSO.cab
    O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://mail.capitaland.com/iNotes6W.cab
    O16 - DPF: {5EDB10D9-7E95-4833-A218-62F375DAFCF1} - https://secura.capitaland.com/postauthI/epi.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://cfl.webex.com/client/v_mywebex-t20/webex/ieatgpc.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dc.capitaland.com
    O17 - HKLM\Software\..\Telephony: DomainName = dc.capitaland.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dc.capitaland.com
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = dc.capitaland.com
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
    O18 - Protocol: qvp - {4BA78E3D-CA25-4BFF-B8F0-8A3359E4B520} - C:\Program Files\QlikView\QvProtocol\qvp.dll
    O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
    O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
    O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Aventail Connect (As32Svc) - Aventail Corporation - C:\Program Files\Aventail\Connect\as32svc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
    O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\lotus\notes\ntmulti.exe
    O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
    O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
    O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
    O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
    O23 - Service: TVT Backup Service - Unknown owner - C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
    O23 - Service: TVT Scheduler - Unknown owner - C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
    O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe

    --
    End of file - 8955 bytes
     
  10. ~Candy~

    ~Candy~ Retired Administrator

    Joined:
    Jan 27, 2001
    Messages:
    103,706
    I was just wondering as this appears:

    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dc.capitaland.com
    O17 - HKLM\Software\..\Telephony: DomainName = dc.capitaland.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dc.capitaland.com
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = dc.capitaland.com

    I guess Derek can help you get rid of those if you no longer need them.

    Also, the P2P programs for a work computer are unusual. You might do some research on those, as ISPs are really starting to come after folks using illegal file sharing.

    And the fact that it's a "portable" computer gets into tricky water as well...........
     
  11. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    I think we have done all we can do now.

    How is it?
     
  12. sylixe

    sylixe Thread Starter

    Joined:
    Jul 9, 2008
    Messages:
    67
    AcaCandy, erm, since I have not much use for it.. but, does it really matter?

    This computer, I think it has become a Media Platform.. like downloading music and torrenting movies? Erm, if you put it that way.. I'll rid it..

    what do you mean by "Tricky Waters"?


    dvk01, well I think it's alright.. thanks
     
  13. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    *Follow these steps to uninstall Combofix and tools used in the removal of malware*
    * Click *START* then *RUN*
    * Now type *Combofix /u* in the runbox and click *OK*. Note the *space* between the *X* and the *U*, it needs to be there.


    then
    Turn off system restore by following instructions here
    for XP http://www.thespykiller.co.uk/index.php?page=8
    or for Vista http://www.bleepingcomputer.com/tutorials/tutorial143.html

    That will purge the restore folder and clear any malware that has been put in there. Then reboot, re-enable system restore, and create a new restore point. Now empty the Recycle Bin on the desktop.

    Go here http://www.thespykiller.co.uk/index.php?page=3 for info on how to tighten your security settings and how to help prevent future attacks.

    And scan here http://secunia.com/software_inspector/ for out-of-date and vulnerable common applications on your computer.

    Then pay an urgent visit to Windows Update and make sure you are fully updated; that will help to plug the security holes that let these pests on in the first place.
     
  14. ~Candy~

    ~Candy~ Retired Administrator

    Joined:
    Jan 27, 2001
    Messages:
    103,706
    Yes, I mean "torrenting of movies" aka "stealing" copyrighted stuff ;)

    As to tricky waters: you said it "used" to be a work computer; the fact that it's portable, and that your dad no longer works at the company... well, you can see where I'm going: the possibility of stolen laptops, etc.

    And as a general rule, we don't offer assistance on work computers, we refer folks to the IT dept. as us fixing things can break VPN networks, etc.
     
  15. sylixe

    sylixe Thread Starter

    Joined:
    Jul 9, 2008
    Messages:
    67
    AcaCandy, erm, this com has been purged of the company data if I'm not mistaken.. and I don't bring this laptop around.. it never leaves the house..
    Alright, if this is the furthest you can guide me, then I think it's considered solved.
     
Short URL to this thread: https://techguy.org/757447