
Solved: Computer too slow and internet very slow as well.

Discussion in 'Virus & Other Malware Removal' started by ATN, Jul 16, 2008.

  1. ATN

    ATN Thread Starter

    Joined:
    Jul 8, 2008
    Messages:
    14
    Hi! I am new here. I heard this is a great place to post all my computer problems. I hope I can get some help here.

    My computer is very slow and so is my internet. I can't manage to get some sites open because it is too slow. I do not know what is wrong with it, but it looks like there is a virus or something like that. I do not know exactly what to do, but I wish you could help me with this.

    This is my HijackThis log file.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:49:19 PM, on 7/16/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
    C:\Program Files\LANDesk\Shared Files\residentagent.exe
    C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
    C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
    C:\Program Files\F-Secure\Common\FSMA32.EXE
    C:\Program Files\LANDesk\LDClient\LocalSch.EXE
    C:\Program Files\F-Secure\Common\FSMB32.EXE
    C:\WINDOWS\system32\CBA\pds.exe
    C:\Program Files\LANDesk\LDClient\tmcsvc.exe
    C:\PROGRA~1\LANDesk\LDClient\issuser.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft LifeCam\MSCamS32.exe
    C:\PROGRA~1\LANDesk\LDClient\rcgui.exe
    C:\PROGRA~1\LANDesk\LDClient\collector.exe
    C:\PROGRA~1\LANDesk\LDClient\LDregwatch.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\F-Secure\Common\FCH32.EXE
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\LANDesk\LDClient\softmon.exe
    C:\WINDOWS\system32\svchost.exe
    c:\program files\lenovo\system update\suservice.exe
    C:\Program Files\F-Secure\Anti-Virus\fsqh.exe
    C:\Program Files\F-Secure\Common\FAMEH32.EXE
    C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
    C:\WINDOWS\System32\TPHDEXLG.exe
    C:\WINDOWS\system32\TpKmpSVC.exe
    C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
    C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
    C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
    C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
    C:\Program Files\VMware\VMware Player\vmware-authd.exe
    C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
    C:\WINDOWS\system32\vmnat.exe
    C:\WINDOWS\system32\vmnetdhcp.exe
    C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
    C:\Program Files\F-Secure\Common\FNRB32.EXE
    C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
    C:\Program Files\F-Secure\FSAUA\program\fsaua.exe
    C:\Program Files\F-Secure\Common\FIH32.EXE
    C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
    C:\WINDOWS\system32\TpShocks.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    C:\WINDOWS\system32\rundll32.exe
    C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
    C:\Program Files\F-Secure\Common\FSM32.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\vVX1000.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\F-Secure\FSGUI\fsguidll.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.ca/0SEENCA/SAOS01
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?linkid=677
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
    O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
    O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
    O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
    O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
    O4 - HKLM\..\Run: [IBM Warranty Notification] "C:\Program Files\IBM\acp\ERTS0749\ERTS0749.exe /nointro"
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKLM\..\Run: [bait face type axis] C:\Documents and Settings\All Users\Application Data\Meow Intra Bait Face\link debug.exe
    O4 - HKLM\..\Run: [vc log bows face] C:\Documents and Settings\All Users\Application Data\Memo Drive Vc Log\test shim.exe
    O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
    O4 - HKLM\..\Run: [VX1000] C:\WINDOWS\vVX1000.exe
    O4 - HKLM\..\Run: [bcf570f4] rundll32.exe "C:\WINDOWS\system32\hiusmtvu.dll",b
    O4 - HKLM\..\Run: [BMbfc64368] Rundll32.exe "C:\WINDOWS\system32\ibgstmol.dll",s
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [4Funk] C:\DOCUME~1\100353~1\APPLIC~1\SETTIN~1\Itch Jump.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1178728926828
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1178728988812
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = oncampus.local
    O17 - HKLM\Software\..\Telephony: DomainName = oncampus.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = oncampus.local
    O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: LANDesk(R) Management Agent (CBA8) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\Shared Files\residentagent.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
    O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\F-Secure\FSAUA\program\fsaua.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
    O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: Intel Local Scheduler Service - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE
    O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
    O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\tmcsvc.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LANDesk Remote Control Service (ISSUSER) - LANDesk Software, Ltd. - C:\PROGRA~1\LANDesk\LDClient\issuser.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: LANDesk(R) Software Monitoring Service (Softmon) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\softmon.exe
    O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
    O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
    O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
    O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
    O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
    O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
    O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
    O23 - Service: tvtnetwk - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
    O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-authd.exe
    O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
    O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
    O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

    --
    End of file - 12904 bytes


    THANK YOU VERY MUCH IN ADVANCE!:):)
     
  2. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Hi, welcome to TSG!!


    Please visit this webpage for instructions for downloading and running ComboFix.

    Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
     
  3. ATN

    ATN Thread Starter

    Joined:
    Jul 8, 2008
    Messages:
    14
    Hi! Thank you for the quick reply. I am sorry I took a little long to reply. Here is my ComboFix log.

    ComboFix 08-07-19.1 - 100353286 2008-07-20 11:21:27.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1343 [GMT -4:00]
    Running from: C:\Documents and Settings\100353286\Desktop\ComboFix.exe
    * Resident AV is active

    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    C:\WINDOWS\BMbfc64368.txt
    C:\WINDOWS\cookies.ini
    C:\WINDOWS\pskt.ini
    C:\WINDOWS\system32\adsjbgxj.dll
    C:\WINDOWS\system32\ayeqvunf.ini
    C:\WINDOWS\system32\bkypwrfp.dll
    C:\WINDOWS\system32\bvfagepj.dll
    C:\WINDOWS\system32\cbXPheby.dll
    C:\WINDOWS\system32\cuupnvoj.dll
    C:\WINDOWS\system32\cvrjtfyt.dll
    C:\WINDOWS\system32\dstjfcxf.ini
    C:\WINDOWS\system32\ehrnrxmw.ini
    C:\WINDOWS\system32\exdswnpf.ini
    C:\WINDOWS\system32\fpnwsdxe.dll
    C:\WINDOWS\system32\frixln.dll
    C:\WINDOWS\system32\ftympsur.dll
    C:\WINDOWS\system32\gcnbnkon.dll
    C:\WINDOWS\system32\gmfhls.dll
    C:\WINDOWS\system32\gnmmjs.dll
    C:\WINDOWS\system32\grkxgnkt.ini
    C:\WINDOWS\system32\gsvctoqm.dll
    C:\WINDOWS\system32\hbgapc.dll
    C:\WINDOWS\system32\hvjqppbr.dll
    C:\WINDOWS\system32\ibgstmol.dll
    C:\WINDOWS\system32\imumtknm.dll
    C:\WINDOWS\system32\invyaesd.dll
    C:\WINDOWS\system32\ipocig.dll
    C:\WINDOWS\system32\jfdsjofu.dll
    C:\WINDOWS\system32\jiuilf.dll
    C:\WINDOWS\system32\jkkJaYSj.dll
    C:\WINDOWS\system32\jymejlqg.ini
    C:\WINDOWS\system32\kxsmujtb.ini
    C:\WINDOWS\system32\labrkdsp.ini
    C:\WINDOWS\system32\lmuiwr.dll
    C:\WINDOWS\system32\LRXwvyxx.ini
    C:\WINDOWS\system32\LRXwvyxx.ini2
    C:\WINDOWS\system32\lsntxxqu.dll
    C:\WINDOWS\system32\lxjlakxy.ini
    C:\WINDOWS\system32\mcrh.tmp
    C:\WINDOWS\system32\mejpaijm.ini
    C:\WINDOWS\system32\mnrcgrkv.dll
    C:\WINDOWS\system32\mumhcwhb.ini
    C:\WINDOWS\system32\nosdeebh.dll
    C:\WINDOWS\system32\ohukyiur.dll
    C:\WINDOWS\system32\pdzctv.dll
    C:\WINDOWS\system32\pksqeiva.ini
    C:\WINDOWS\system32\prcuas.dll
    C:\WINDOWS\system32\psitiqdm.ini
    C:\WINDOWS\system32\qnpuwgvr.ini
    C:\WINDOWS\system32\quumhgkb.dll
    C:\WINDOWS\system32\qvkhviiy.dll
    C:\WINDOWS\system32\rfcyxibx.dll
    C:\WINDOWS\system32\ruiykuho.ini
    C:\WINDOWS\system32\soevocoi.dll
    C:\WINDOWS\system32\tlutjfra.ini
    C:\WINDOWS\system32\ulgzrx.dll
    C:\WINDOWS\system32\uoriktjt.dll
    C:\WINDOWS\system32\uuvwfvey.ini
    C:\WINDOWS\system32\uvhwve.dll
    C:\WINDOWS\system32\uvtmsuih.ini
    C:\WINDOWS\system32\vjjgey.dll
    C:\WINDOWS\system32\wjvhviji.dll
    C:\WINDOWS\system32\wpfclieq.ini
    C:\WINDOWS\system32\wwdaggvm.dll
    C:\WINDOWS\system32\wxmvjhhd.dll
    C:\WINDOWS\system32\xfdmvkjj.dll
    C:\WINDOWS\system32\xxyvwXRL.dll
    C:\WINDOWS\system32\yaqrmutq.ini
    C:\WINDOWS\system32\yjupkhbj.ini
    C:\WINDOWS\system32\ykarxo.dll
    C:\WINDOWS\system32\ykibuuro.ini
    C:\WINDOWS\system32\ylddpfin.dll
    C:\WINDOWS\system32\yutukdjb.dll
    C:\WINDOWS\system32\ztdsdk.dll
    C:\WINDOWS\system32\zyvhts.dll

    ----- BITS: Possible infected sites -----

    hxxp://itsoswsus01.oncampus.local
    .
    ((((((((((((((((((((((((( Files Created from 2008-06-20 to 2008-07-20 )))))))))))))))))))))))))))))))
    .

    2008-07-16 12:48 . 2008-07-16 12:48 <DIR> d-------- C:\Program Files\Trend Micro
    2008-07-10 16:49 . 2008-07-12 23:11 230,424 --a------ C:\img2-001.raw
    2008-07-10 16:39 . 2004-08-03 22:58 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
    2008-07-10 16:39 . 2004-08-03 22:58 5,504 --a--c--- C:\WINDOWS\system32\dllcache\mstee.sys
    2008-07-10 16:37 . 2007-04-10 17:46 1,966,312 --a------ C:\WINDOWS\system32\drivers\VX1000.sys
    2008-07-10 16:37 . 2007-04-10 17:46 709,992 --a------ C:\WINDOWS\vVX1000.exe
    2008-07-10 16:37 . 2007-04-10 17:46 476,520 --a------ C:\WINDOWS\vVX1000.dll
    2008-07-10 16:37 . 2007-04-10 17:46 202,088 --a------ C:\WINDOWS\system32\LCCoin14.dll
    2008-07-10 16:37 . 2007-04-10 17:46 185,704 --a------ C:\WINDOWS\system32\cVX1000.dll
    2008-07-10 16:37 . 2007-04-10 17:46 111,976 --a------ C:\WINDOWS\VX1000.dll
    2008-07-10 16:37 . 2007-04-10 17:46 15,498 --a------ C:\WINDOWS\VX1000.ini
    2008-07-10 16:37 . 2007-04-10 17:46 13,023 --a------ C:\WINDOWS\VX1000.src
    2008-07-10 16:34 . 2008-07-10 16:37 <DIR> d-------- C:\Program Files\Microsoft LifeCam
    2008-07-08 17:14 . 2008-07-08 17:14 105,296 --a------ C:\WINDOWS\system32\goepgudx.0ll
    2008-07-08 17:14 . 2008-07-08 17:14 105,296 --a------ C:\WINDOWS\system32\ayzcho.0ll
    2008-07-07 23:27 . 2008-07-07 23:27 <DIR> d-------- C:\Documents and Settings\100353286\Application Data\ArcSoft
    2008-07-07 23:26 . 2008-07-07 23:26 <DIR> d-------- C:\WINDOWS\PixArt
    2008-07-07 23:26 . 2008-07-07 23:26 <DIR> d-------- C:\Program Files\PC Camera
    2008-07-07 23:26 . 2008-07-07 23:26 <DIR> d-------- C:\Program Files\Common Files\PAC207
    2008-07-07 23:26 . 2006-11-03 10:59 48,128 --a------ C:\WINDOWS\system32\Remove.exe
    2008-07-07 23:26 . 2007-02-12 01:06 408 --a------ C:\WINDOWS\system32\Remover.ini
    2008-07-07 23:11 . 2008-07-07 23:11 <DIR> d-------- C:\Program Files\Common Files\ArcSoft
    2008-07-07 23:11 . 2005-04-27 16:36 245,408 -ra------ C:\WINDOWS\system32\unicows.dll
    2008-07-07 23:11 . 2005-02-23 14:58 11,776 --a------ C:\WINDOWS\system32\drivers\afc.sys
    2008-07-07 23:10 . 2008-07-07 23:10 <DIR> d-------- C:\Program Files\ArcSoft
    2008-07-07 23:10 . 1995-08-01 04:44 212,480 --a------ C:\WINDOWS\PCDLIB32.DLL
    2008-07-07 11:30 . 2008-07-20 00:14 110,419 --a------ C:\WINDOWS\BMbfc64368.xml
    2008-06-20 20:53 . 2008-06-20 20:53 <DIR> d-------- C:\Program Files\settings pure type

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-07-20 15:27 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\VMware
    2008-07-20 15:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\VMware
    2008-07-20 15:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\vulScan
    2008-07-08 03:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-07-02 21:15 --------- d-----w C:\Program Files\MSN Messenger
    2008-06-21 00:54 --------- d---a-w C:\Documents and Settings\100353286\Application Data\settings pure type
    2008-06-21 00:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Memo Drive Vc Log
    2008-05-28 03:21 --------- d-----w C:\Program Files\PeerGuardian2
    2008-05-27 18:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Meow Intra Bait Face
    .

    ------- Sigcheck -------

    2007-02-20 05:52 665600 b258c922d22deec880b60720531d7627 C:\WINDOWS\$hf_mig$\KB931768\SP2QFE\wininet.dll
    2004-08-04 12:00 656384 c0823fc5469663ba63e7db88f9919d70 C:\WINDOWS\$NtUninstallKB931768$\wininet.dll
    2007-02-20 05:48 658944 30d1c47e40efbb792ff8d3c3b51ce507 C:\WINDOWS\$NtUninstallKB933566$\wininet.dll
    2007-04-18 08:46 665600 4261ba03afd659de04f0a17dfbdd454d C:\WINDOWS\$NtUninstallKB937143$\wininet.dll
    2007-06-26 10:35 699392 0c52d829a6be196f78db826a564b1939 C:\WINDOWS\system32\wininet.dll
    2007-06-26 10:35 699392 0c52d829a6be196f78db826a564b1939 C:\WINDOWS\system32\dllcache\wininet.dll

    2007-06-13 06:23 975360 9784e0719124e4a23989aef9e7ca02d6 C:\WINDOWS\explorer.exe
    2007-06-13 07:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
    2004-08-04 12:00 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
    2007-06-13 06:23 975360 9784e0719124e4a23989aef9e7ca02d6 C:\WINDOWS\system32\dllcache\explorer.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 13:54 5674352]
    "4Funk"="C:\DOCUME~1\100353~1\APPLIC~1\SETTIN~1\Itch Jump.exe" [2008-06-20 20:53 731648]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TVT Scheduler Proxy"="C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2007-02-08 13:19 536576]
    "EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2006-11-29 02:30 243248]
    "PWRMGRTR"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2006-12-20 01:14 159744]
    "BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2006-12-20 01:14 208896]
    "TPHOTKEY"="C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-10-02 10:19 94208]
    "SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 09:11 925696]
    "TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2006-06-02 22:00 856064]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-04-27 11:25 257088]
    "LPManager"="C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe" [2007-03-23 02:02 120368]
    "IBM Warranty Notification"="C:\Program Files\IBM\acp\ERTS0749\ERTS0749.exe" [2004-03-12 18:24 106496]
    "F-Secure Manager"="C:\Program Files\F-Secure\Common\FSM32.EXE" [2006-12-05 09:22 176177]
    "F-Secure TNB"="C:\Program Files\F-Secure\FSGUI\TNBUtil.exe" [2007-01-08 15:10 724992]
    "vc log bows face"="C:\Documents and Settings\All Users\Application Data\Memo Drive Vc Log\test shim.exe" [2008-07-20 11:32 2819584]
    "LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 17:45 279912]
    "VX1000"="C:\WINDOWS\vVX1000.exe" [2007-04-10 17:46 709992]
    "TpShocks"="TpShocks.exe" [2007-03-29 18:40 181808 C:\WINDOWS\system32\TpShocks.exe]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "disablecad"= 0 (0x0)
    "SynchronousMachineGroupPolicy"= 0 (0x0)
    "SynchronousUserGroupPolicy"= 0 (0x0)
    "DisableStatusMessages"= 1 (0x1)
    "LogonType"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoWelcomeScreen"= 1 (0x1)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "ForceStartMenuLogOff"= 1 (0x1)
    "NoWelcomeScreen"= 1 (0x1)
    "NoAutoUpdate"= 0 (0x0)
    "NoStartMenuNetworkPlaces"= 1 (0x1)
    "NoSecurityTab"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
    2005-07-05 23:45 28672 C:\WINDOWS\system32\notifyf2.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
    2005-11-30 20:16 24576 C:\WINDOWS\system32\tphklock.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1644491937-682003330-725345543-167170\Scripts\Logon\0\0]
    "Script"=\\oncampus.local\SysVol\oncampus.local\scripts\javaupdate\javaupd.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1644491937-682003330-725345543-167170\Scripts\Logon\1\0]
    "Script"=\\oncampus.local\NETLOGON\AcademicIntegrity\fac\icon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1644491937-682003330-725345543-175706\Scripts\Logon\0\0]
    "Script"=\\oncampus.local\SysVol\oncampus.local\scripts\javaupdate\javaupd.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1644491937-682003330-725345543-175706\Scripts\Logon\1\0]
    "Script"=\\oncampus.local\NETLOGON\AcademicIntegrity\fac\icon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1644491937-682003330-725345543-197013\Scripts\Logon\0\0]
    "Script"=\\oncampus.local\SysVol\oncampus.local\scripts\javaupdate\javaupd.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1644491937-682003330-725345543-197013\Scripts\Logon\1\0]
    "Script"=\\oncampus.local\NETLOGON\AcademicIntegrity\stu\icon.bat

    [HKLM\~\startupfolder\C:^Documents and Settings^100353286^Start Menu^Programs^Startup^Stardock ObjectDock.lnk]
    path=C:\Documents and Settings\100353286\Start Menu\Programs\Startup\Stardock ObjectDock.lnk
    backup=C:\WINDOWS\pss\Stardock ObjectDock.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4Funk]
    --a------ 2008-06-20 20:53 731648 C:\DOCUME~1\100353~1\APPLIC~1\SETTIN~1\Itch Jump.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
    --a------ 2006-10-22 23:24 620152 C:\Program Files\Adobe\Acrobat\acrotray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
    --a------ 2007-09-11 01:43 67488 C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
    --a------ 2008-03-27 11:19 288576 C:\Program Files\DNA\btdna.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    --a------ 2004-08-04 12:00 15360 C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelAPMClient]
    --a------ 2007-03-30 05:56 327680 C:\Program Files\LANDesk\LDClient\AMCLIENT.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
    --a------ 2008-01-20 03:05 217088 C:\Program Files\PowerISO\PWRISOVM.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2007-04-27 09:41 282624 C:\Program Files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDClientMonitor]
    --a------ 2006-11-01 08:06 258048 C:\Program Files\LANDesk\LDClient\WebPortal\SDClientMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SearchSettings]
    --a------ 2007-12-06 12:58 1069920 C:\Program Files\Search Settings\SearchSettings.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --a------ 2006-05-03 02:56 36975 C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
    --a------ 2006-02-14 14:16 512000 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
    --a------ 2006-02-14 14:17 110592 C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VMware hqtray]
    --a------ 2007-05-01 22:46 56112 C:\Program Files\VMware\VMware Player\hqtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XboxStat]
    --a------ 2007-09-26 19:05 734264 C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TP4EX]
    --a------ 2005-10-17 01:11 65536 C:\WINDOWS\system32\TP4EX.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\MSN Messenger\\livecall.exe"=
    "C:\\Program Files\\LimeWire\\LimeWire.exe"=
    "C:\\Program Files\\DNA\\btdna.exe"=
    "C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
    "C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
    "C:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"=

    R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2006-12-21 09:51]
    R0 Shockprf;Shockprf;C:\WINDOWS\system32\DRIVERS\Apsx86.sys [2007-03-02 17:49]
    R0 TPDIGIMN;TPDIGIMN;C:\WINDOWS\system32\DRIVERS\ApsHM86.sys [2007-03-02 17:47]
    R1 TPPWRIF;TPPWRIF;C:\WINDOWS\system32\drivers\Tppwrif.sys [2006-12-20 01:14]
    R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [2007-09-11 01:45]
    R2 CBA8;LANDesk(R) Management Agent;C:\Program Files\LANDesk\Shared Files\residentagent.exe [2007-01-09 12:03]
    R2 MSCamSvc;MSCamSvc;C:\Program Files\Microsoft LifeCam\MSCamS32.exe [2007-05-17 17:45]
    R2 Softmon;LANDesk(R) Software Monitoring Service;C:\Program Files\LANDesk\LDClient\softmon.exe [2007-04-27 05:53]
    R2 TVT Backup Protection Service;TVT Backup Protection Service;C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe [2007-02-08 13:11]
    R3 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Program Files\F-Secure\Anti-Virus\minifilter\fsgk.sys [2007-01-24 11:41]
    R3 ldblank;Screen Blanking driver for Remote Control;C:\WINDOWS\system32\DRIVERS\ldblank.sys [2005-07-01 17:48]
    R3 ldmirror;ldmirror;C:\WINDOWS\system32\DRIVERS\ldmirror.sys [2005-07-01 17:48]
    R3 mirrorflt;Mirror Filter Driver for Uninstall;C:\WINDOWS\system32\DRIVERS\mirrorflt.sys [2005-07-01 17:48]
    R3 TVTI2C;Lenovo SM bus driver;C:\WINDOWS\system32\DRIVERS\Tvti2c.sys [2006-09-13 12:42]
    S3 tpflhlp;tpflhlp;C:\Program Files\Lenovo\System Update\session\7cuj19us\tpflhlp.sys [2007-04-09 18:51]
    S3 VX1000;VX-1000;C:\WINDOWS\system32\DRIVERS\VX1000.sys [2007-04-10 17:46]
    S4 F-Secure Filter;F-Secure File System Filter;C:\Program Files\F-Secure\Anti-Virus\Win2K\FSfilter.sys [2007-01-24 11:41]
    S4 F-Secure Recognizer;F-Secure File System Recognizer;C:\Program Files\F-Secure\Anti-Virus\Win2K\FSrec.sys [2007-01-24 11:41]
    S4 msvsmon80;Visual Studio 2005 Remote Debugger;C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2005-09-23 07:01]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0de17090-d8ac-11dc-a7ea-001a6b35ded1}]
    \Shell\AutoRun\command - F:\LaunchU3.exe -a
    .
    Contents of the 'Scheduled Tasks' folder
    "2008-07-20 15:00:00 C:\WINDOWS\Tasks\B41475AF918BEDA7.job"
    - c:\docume~1\100353~1\applic~1\settin~1\Morethistwo.exe
    "2008-07-20 15:30:34 C:\WINDOWS\Tasks\PMTask.job"
    - C:\PROGRA~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-ISUSScheduler - C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    HKLM-Run-bait face type axis - C:\Documents and Settings\All Users\Application Data\Meow Intra Bait Face\link debug.exe
    HKLM-Run-BMbfc64368 - C:\WINDOWS\system32\uoriktjt.dll
    HKLM-Run-bcf570f4 - C:\WINDOWS\system32\fpnwsdxe.dll
    MSConfigStartUp-bait face type axis - C:\Documents and Settings\All Users\Application Data\Meow Intra Bait Face\heck start.exe
    MSConfigStartUp-Blubster - C:\Program Files\Blubster\Blubster.exe
    MSConfigStartUp-ISUSPM Startup - C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe


    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-07-20 11:29:44
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\WINDOWS\system32\tphklock.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\ati2evxx.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
    C:\Program Files\F-Secure\common\FSMA32.EXE
    C:\Program Files\F-Secure\Anti-Virus\fsgk32.exe
    C:\Program Files\LANDesk\LDClient\LocalSch.EXE
    C:\Program Files\F-Secure\common\FSMB32.EXE
    C:\WINDOWS\system32\cba\pds.exe
    C:\Program Files\LANDesk\LDClient\tmcsvc.exe
    C:\PROGRA~1\LANDesk\LDClient\issuser.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
    C:\PROGRA~1\LANDesk\LDClient\rcgui.exe
    C:\PROGRA~1\LANDesk\LDClient\collector.exe
    C:\PROGRA~1\LANDesk\LDClient\LDRegWatch.exe
    C:\WINDOWS\system32\ati2evxx.exe
    C:\Program Files\F-Secure\common\FCH32.EXE
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\Lenovo\System Update\SUService.exe
    C:\Program Files\F-Secure\common\FAMEH32.EXE
    C:\Program Files\F-Secure\Anti-Virus\fsqh.exe
    C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
    C:\WINDOWS\system32\TPHDEXLG.exe
    C:\WINDOWS\system32\TpKmpSvc.exe
    C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
    C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
    C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
    C:\Program Files\VMware\VMware Player\vmware-authd.exe
    C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
    C:\WINDOWS\system32\vmnat.exe
    C:\WINDOWS\system32\vmnetdhcp.exe
    C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
    C:\Program Files\F-Secure\FSAUA\program\fsaua.exe
    C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
    C:\Program Files\F-Secure\common\FNRB32.exe
    C:\Program Files\F-Secure\FWES\program\fsdfwd.exe
    C:\Program Files\F-Secure\common\FIH32.exe
    C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\F-Secure\FSGUI\fsguidll.exe
    .
    **************************************************************************
    .
    Completion time: 2008-07-20 11:35:30 - machine was rebooted [100353286]
    ComboFix-quarantined-files.txt 2008-07-20 15:35:25

    Pre-Run: 29,856,206,848 bytes free
    Post-Run: 30,565,244,928 bytes free

    352 --- E O F --- 2007-11-24 19:11:16
     
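As an added example (not code from this thread or from ComboFix), a small Python triage pass over the log sections posted above: the firewall policy key, the removable-drive AutoRun entry, the Scheduled Tasks list and the orphaned autostart entries. The heuristics are this example's own assumptions, not ComboFix's: a job name that is a bare hex string, a start-up target under a profile or Application Data folder, a Run value that points straight at a DLL, and a firewall profile with EnableFirewall set to 0; the sample lines are copied from the log above.

```python
import re

# Constructed sample: a handful of lines copied from the ComboFix log above.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0de17090-d8ac-11dc-a7ea-001a6b35ded1}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
"2008-07-20 15:00:00 C:\WINDOWS\Tasks\B41475AF918BEDA7.job"
- c:\docume~1\100353~1\applic~1\settin~1\Morethistwo.exe
"2008-07-20 15:30:34 C:\WINDOWS\Tasks\PMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-ISUSScheduler - C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
HKLM-Run-BMbfc64368 - C:\WINDOWS\system32\uoriktjt.dll
HKLM-Run-bcf570f4 - C:\WINDOWS\system32\fpnwsdxe.dll
MSConfigStartUp-bait face type axis - C:\Documents and Settings\All Users\Application Data\Meow Intra Bait Face\heck start.exe
"""

KEY_LINE = re.compile(r'^\[(.+)\]$')
VALUE_LINE = re.compile(r'^"([^"]+)"=\s*(\S*)')
TASK_LINE = re.compile(r'^"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (.+\.job)"$')
ORPHAN_LINE = re.compile(r'^([A-Za-z]+(?:-[A-Za-z]+)?)-(.+?) - (.+)$')
HEX_NAME = re.compile(r'^[0-9A-Fa-f]{8,}$')
# Locations an ordinary user can write to (long and 8.3 short forms).
USER_WRITABLE = re.compile(r'applic~1|application data|docume~1|documents and settings', re.I)


def parse_combofix(text):
    """Turn the log sections this example understands into tuples."""
    records, key, section, pending_job = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == '.':
            continue
        if 'Scheduled Tasks' in line:
            section = 'tasks'
            continue
        if 'ORPHANS REMOVED' in line:
            section = 'orphans'
            continue
        m = KEY_LINE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_LINE.match(line)
        if m and key:
            records.append(('regvalue', key, m.group(1), m.group(2)))
            continue
        if line.startswith(r'\Shell\AutoRun\command - '):
            records.append(('autorun', key, line.split(' - ', 1)[1]))
            continue
        if section == 'tasks':
            m = TASK_LINE.match(line)
            if m:
                pending_job = m.group(1).rsplit('\\', 1)[-1]
            elif line.startswith('- ') and pending_job:
                records.append(('task', pending_job, line[2:]))
                pending_job = None
        elif section == 'orphans':
            m = ORPHAN_LINE.match(line)
            if m:
                records.append(('orphan', m.group(1), m.group(2), m.group(3)))
    return records


def triage(records):
    """Apply this example's review heuristics; returns (flag, detail) pairs."""
    flags = []
    for rec in records:
        kind = rec[0]
        if kind == 'regvalue':
            _, key, name, value = rec
            # EnableFirewall=0 means Windows Firewall is off for that profile.
            if 'firewallpolicy' in key.lower() and name == 'EnableFirewall' and value == '0':
                flags.append(('firewall-disabled', key.rsplit('\\', 1)[-1]))
        elif kind == 'autorun':
            # AutoRun commands on removable media deserve a look even when the
            # target (here a U3 launcher) is a known product.
            flags.append(('removable-autorun', rec[2]))
        elif kind == 'task':
            _, job, target = rec
            stem = job.rsplit('.', 1)[0]
            if HEX_NAME.match(stem) or USER_WRITABLE.search(target):
                flags.append(('suspicious-task', f'{job} -> {target}'))
        elif kind == 'orphan':
            _, source, name, target = rec
            # A Run value whose command is a bare DLL, or a start-up item living in
            # a profile or Application Data folder, is unusual for vendor software.
            if target.lower().endswith('.dll') or USER_WRITABLE.search(target):
                flags.append(('suspicious-autostart', f'{source}:{name} -> {target}'))
    return flags


if __name__ == '__main__':
    for flag, detail in triage(parse_combofix(SAMPLE_LOG)):
        print(f'{flag:22} {detail}')
```

Run against the sample it reports the disabled standard profile, the F: AutoRun command, the hex-named job that launches from Application Data and the three orphaned autostart entries, while the ThinkPad task and the InstallShield updater pass.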
  4. ATN

    ATN Thread Starter

    Joined:
    Jul 8, 2008
    Messages:
    14
    Hi! This is my HijackThis log.

     
  5. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Open Notepad and copy and paste the text in the quote box below into it:

    Save the file to your desktop and name it CFScript.txt

    Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.


    This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.


    Please download ATF Cleaner by Atribune.
    This program is for XP and Windows 2000 only
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.

    Click Exit on the Main menu to close the program.




    Please download Malwarebytes Anti-Malware and save it to your desktop. alternate download link 1 alternate download link 2
    • Make sure you are connected to the Internet.
    • Double-click on Download_mbam-setup.exe to install the application.
    • When the installation begins, follow the prompts and do not make any changes to default settings.
    • When installation has finished, make sure you leave both of these checked:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
    • On the Scanner tab:
      • Make sure the "Perform Quick Scan" option is selected.
      • Then click on the Scan button.
    • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
    • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
    • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
    • Click OK to close the message box and continue with the removal process.
    • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
    • Make sure that everything is checked, and click Remove Selected.
    • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
    • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the contents of that report in your next reply with a new hijackthis log.
    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.



    Please do an online scan with Kaspersky WebScanner

    Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have the latest JAVA version, follow the instructions below under Upgrading Java, to download and install the latest version.

    1. Read through the requirements and privacy statement and click on Accept button.
    2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    3. When the downloads have finished, click on Settings.
    4. Make sure the following is checked.
      • Spyware, Adware, Dialers, and other potentially dangerous programs
      • Archives
      • Mail databases
    5. Click on My Computer under Scan.
    6. Once the scan is complete, it will display the results. Click on View Scan Report.
    7. You will see a list of infected items there. Click on Save Report As....
    8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
    9. Please post this log in your next reply.

    Upgrading Java:
    • Download the latest version of Java Runtime Environment (JRE) 6 Update 7.
    • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
    • Click the "Download" button to the right.
    • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
    • Click on Continue.
    • Click on the link to download Windows Offline Installation (jre-6u7-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
    • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the jre-6u7-windows-i586-p.exe and select "Run as an Administrator.")
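The MBAM steps above end with the user pasting the scan log into the thread, and the note warns that an item MBAM could not remove straight away only goes when the machine is rebooted. As an added example (not code from this forum post or from Malwarebytes), here is a small parser that turns an MBAM 1.x text log into structured findings, checks that the summary counts match the items actually listed (a mismatch usually means the paste was truncated), and lists the objects still waiting on a reboot. The log layout is assumed from logs of this kind; the sample log is constructed, and its last "Delete on reboot" file line is made up to exercise the reboot case.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log into structured findings.

Added example; not code from this thread or from Malwarebytes.  The layout
assumed here is the one such logs show: a summary block of
"<Category> Infected: <n>" lines, then one section per category holding
either "(No malicious items detected)" or one finding per line shaped as
"<object> (<threat name>) -> <action>."
"""
import re
from dataclasses import dataclass

# Constructed sample (abridged).  The last "Files Infected" line is made up to
# show the "Delete on reboot" case that the reboot note refers to.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.22
Database version: 974
Windows 5.1.2600 Service Pack 2

Scan type: Quick Scan
Objects scanned: 44849
Time elapsed: 5 minute(s), 22 second(s)

Memory Processes Infected: 0
Registry Values Infected: 2
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\host-domain-lookup.com (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\www.host-domain-lookup.com (Malware.Trace) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\goepgudx.0ll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ayzcho.0ll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\serauth1.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sample_locked.dll (Trojan.Agent) -> Delete on reboot.
"""


@dataclass
class Finding:
    category: str   # e.g. "Files Infected"
    obj: str        # file path or registry key/value
    threat: str     # detection name, e.g. "Trojan.Vundo"
    action: str     # what MBAM did, e.g. "Quarantined and deleted successfully"


SUMMARY_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected): (?P<n>\d+)$")
SECTION_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected):$")
FINDING_RE = re.compile(r"^(?P<obj>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return (header, summary, findings) for one log.

    header  : dict of the "key: value" lines before the summary block
    summary : dict category -> count claimed by the summary block
    findings: list of Finding, in log order
    """
    header, summary, findings = {}, {}, []
    current = None  # category of the section being read, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group("cat")] = int(m.group("n"))
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("cat")
            continue
        if current is not None:
            m = FINDING_RE.match(line)
            if m:  # "(No malicious items detected)" does not match and is skipped
                findings.append(Finding(current, m.group("obj"), m.group("threat"), m.group("action")))
        elif ": " in line:
            key, value = line.split(": ", 1)
            header[key] = value
    return header, summary, findings


def check_counts(summary, findings):
    """Compare claimed counts with listed items.  Returns {category: (claimed, listed)}
    for every mismatch; a non-empty result means the pasted log is truncated or edited."""
    listed = {}
    for f in findings:
        listed[f.category] = listed.get(f.category, 0) + 1
    return {cat: (n, listed.get(cat, 0)) for cat, n in summary.items() if listed.get(cat, 0) != n}


def pending_reboot(findings):
    """Objects MBAM could not remove immediately; they only go after a restart,
    which is why the instructions insist on rebooting when asked."""
    return [f.obj for f in findings if f.action.lower().startswith("delete on reboot")]


def threats(findings):
    """Sorted distinct detection names: a quick view of which families were present."""
    return sorted({f.threat for f in findings})


if __name__ == "__main__":
    header, summary, found = parse_mbam_log(SAMPLE_LOG)
    print("database:", header.get("Database version"), "| scan:", header.get("Scan type"))
    for f in found:
        print(f"{f.category}: {f.obj} [{f.threat}] -> {f.action}")
    print("count mismatches:", check_counts(summary, found))
    print("pending reboot:", pending_reboot(found))
```

Run it as a script to see the findings printed, or import `parse_mbam_log` and feed it the text of a pasted log; `check_counts` returning anything other than an empty dict is the signal to ask the poster for the complete log rather than reasoning from a partial one.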
     
  6. ATN

    ATN Thread Starter

    Joined:
    Jul 8, 2008
    Messages:
    14
    Hi! This is the ComboFix log. I will do the other things you told me to do now.

    ComboFix 08-07-19.1 - 100353286 2008-07-20 23:52:22.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1541 [GMT -4:00]
    Running from: C:\Documents and Settings\100353286\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\100353286\Desktop\CFScript.txt
    * Created a new restore point

    FILE ::
    C:\WINDOWS\BMbfc64368.xml
    C:\WINDOWS\Tasks\B41475AF918BEDA7.job
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\DOCUME~1\100353~1\APPLIC~1\SETTIN~1
    C:\DOCUME~1\100353~1\APPLIC~1\SETTIN~1\0
    C:\DOCUME~1\100353~1\APPLIC~1\SETTIN~1\EGGSSIZETHEOBJ.exe
    C:\DOCUME~1\100353~1\APPLIC~1\SETTIN~1\emkpkwgp.exe
    C:\DOCUME~1\100353~1\APPLIC~1\SETTIN~1\fhauekqg.exe
    C:\DOCUME~1\100353~1\APPLIC~1\SETTIN~1\Itch Jump.exe
    C:\DOCUME~1\100353~1\APPLIC~1\SETTIN~1\Morethistwo.exe
    C:\DOCUME~1\100353~1\APPLIC~1\SETTIN~1\vlmaupsx.exe
    C:\DOCUME~1\100353~1\APPLIC~1\SETTIN~1\yhdfphhs.exe
    C:\Documents and Settings\All Users\Application Data\Memo Drive Vc Log
    C:\Documents and Settings\All Users\Application Data\Memo Drive Vc Log\test shim.exe
    C:\WINDOWS\BMbfc64368.xml
    C:\WINDOWS\Tasks\B41475AF918BEDA7.job

    .
    ((((((((((((((((((((((((( Files Created from 2008-06-21 to 2008-07-21 )))))))))))))))))))))))))))))))
    .

    2008-07-20 15:11 . 2008-07-20 15:11 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-07-20 15:11 . 2008-07-20 15:11 1,409 --a------ C:\WINDOWS\QTFont.for
    2008-07-16 12:48 . 2008-07-16 12:48 <DIR> d-------- C:\Program Files\Trend Micro
    2008-07-10 16:49 . 2008-07-12 23:11 230,424 --a------ C:\img2-001.raw
    2008-07-10 16:39 . 2004-08-03 22:58 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
    2008-07-10 16:39 . 2004-08-03 22:58 5,504 --a--c--- C:\WINDOWS\system32\dllcache\mstee.sys
    2008-07-10 16:37 . 2007-04-10 17:46 1,966,312 --a------ C:\WINDOWS\system32\drivers\VX1000.sys
    2008-07-10 16:37 . 2007-04-10 17:46 709,992 --a------ C:\WINDOWS\vVX1000.exe
    2008-07-10 16:37 . 2007-04-10 17:46 476,520 --a------ C:\WINDOWS\vVX1000.dll
    2008-07-10 16:37 . 2007-04-10 17:46 202,088 --a------ C:\WINDOWS\system32\LCCoin14.dll
    2008-07-10 16:37 . 2007-04-10 17:46 185,704 --a------ C:\WINDOWS\system32\cVX1000.dll
    2008-07-10 16:37 . 2007-04-10 17:46 111,976 --a------ C:\WINDOWS\VX1000.dll
    2008-07-10 16:37 . 2007-04-10 17:46 15,498 --a------ C:\WINDOWS\VX1000.ini
    2008-07-10 16:37 . 2007-04-10 17:46 13,023 --a------ C:\WINDOWS\VX1000.src
    2008-07-10 16:34 . 2008-07-10 16:37 <DIR> d-------- C:\Program Files\Microsoft LifeCam
    2008-07-08 17:14 . 2008-07-08 17:14 105,296 --a------ C:\WINDOWS\system32\goepgudx.0ll
    2008-07-08 17:14 . 2008-07-08 17:14 105,296 --a------ C:\WINDOWS\system32\ayzcho.0ll
    2008-07-07 23:27 . 2008-07-07 23:27 <DIR> d-------- C:\Documents and Settings\100353286\Application Data\ArcSoft
    2008-07-07 23:26 . 2008-07-07 23:26 <DIR> d-------- C:\WINDOWS\PixArt
    2008-07-07 23:26 . 2008-07-07 23:26 <DIR> d-------- C:\Program Files\PC Camera
    2008-07-07 23:26 . 2008-07-07 23:26 <DIR> d-------- C:\Program Files\Common Files\PAC207
    2008-07-07 23:26 . 2006-11-03 10:59 48,128 --a------ C:\WINDOWS\system32\Remove.exe
    2008-07-07 23:26 . 2007-02-12 01:06 408 --a------ C:\WINDOWS\system32\Remover.ini
    2008-07-07 23:11 . 2008-07-07 23:11 <DIR> d-------- C:\Program Files\Common Files\ArcSoft
    2008-07-07 23:11 . 2005-04-27 16:36 245,408 -ra------ C:\WINDOWS\system32\unicows.dll
    2008-07-07 23:11 . 2005-02-23 14:58 11,776 --a------ C:\WINDOWS\system32\drivers\afc.sys
    2008-07-07 23:10 . 2008-07-07 23:10 <DIR> d-------- C:\Program Files\ArcSoft
    2008-07-07 23:10 . 1995-08-01 04:44 212,480 --a------ C:\WINDOWS\PCDLIB32.DLL

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-07-21 03:56 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\VMware
    2008-07-21 03:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\vulScan
    2008-07-21 03:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\VMware
    2008-07-08 03:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-07-02 21:15 --------- d-----w C:\Program Files\MSN Messenger
    2008-06-21 00:53 --------- d-----w C:\Program Files\settings pure type
    2008-05-28 03:21 --------- d-----w C:\Program Files\PeerGuardian2
    2008-05-27 18:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Meow Intra Bait Face
    .

    ------- Sigcheck -------

    2007-02-20 05:52 665600 b258c922d22deec880b60720531d7627 C:\WINDOWS\$hf_mig$\KB931768\SP2QFE\wininet.dll
    2004-08-04 12:00 656384 c0823fc5469663ba63e7db88f9919d70 C:\WINDOWS\$NtUninstallKB931768$\wininet.dll
    2007-02-20 05:48 658944 30d1c47e40efbb792ff8d3c3b51ce507 C:\WINDOWS\$NtUninstallKB933566$\wininet.dll
    2007-04-18 08:46 665600 4261ba03afd659de04f0a17dfbdd454d C:\WINDOWS\$NtUninstallKB937143$\wininet.dll
    2007-06-26 10:35 699392 0c52d829a6be196f78db826a564b1939 C:\WINDOWS\system32\wininet.dll
    2007-06-26 10:35 699392 0c52d829a6be196f78db826a564b1939 C:\WINDOWS\system32\dllcache\wininet.dll

    2007-06-13 06:23 975360 9784e0719124e4a23989aef9e7ca02d6 C:\WINDOWS\explorer.exe
    2007-06-13 07:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
    2004-08-04 12:00 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
    2007-06-13 06:23 975360 9784e0719124e4a23989aef9e7ca02d6 C:\WINDOWS\system32\dllcache\explorer.exe
    .
    ((((((((((((((((((((((((((((( [email protected]_11.35.12.51 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-07-21 03:57:17 16,384 ----atw C:\WINDOWS\temp\Perflib_Perfdata_e84.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 13:54 5674352]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TVT Scheduler Proxy"="C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2007-02-08 13:19 536576]
    "EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2006-11-29 02:30 243248]
    "PWRMGRTR"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2006-12-20 01:14 159744]
    "BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2006-12-20 01:14 208896]
    "TPHOTKEY"="C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-10-02 10:19 94208]
    "SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 09:11 925696]
    "TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2006-06-02 22:00 856064]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-04-27 11:25 257088]
    "LPManager"="C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe" [2007-03-23 02:02 120368]
    "IBM Warranty Notification"="C:\Program Files\IBM\acp\ERTS0749\ERTS0749.exe" [2004-03-12 18:24 106496]
    "F-Secure Manager"="C:\Program Files\F-Secure\Common\FSM32.EXE" [2006-12-05 09:22 176177]
    "F-Secure TNB"="C:\Program Files\F-Secure\FSGUI\TNBUtil.exe" [2007-01-08 15:10 724992]
    "LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 17:45 279912]
    "VX1000"="C:\WINDOWS\vVX1000.exe" [2007-04-10 17:46 709992]
    "TpShocks"="TpShocks.exe" [2007-03-29 18:40 181808 C:\WINDOWS\system32\TpShocks.exe]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "disablecad"= 0 (0x0)
    "SynchronousMachineGroupPolicy"= 0 (0x0)
    "SynchronousUserGroupPolicy"= 0 (0x0)
    "DisableStatusMessages"= 1 (0x1)
    "LogonType"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoWelcomeScreen"= 1 (0x1)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "ForceStartMenuLogOff"= 1 (0x1)
    "NoWelcomeScreen"= 1 (0x1)
    "NoAutoUpdate"= 0 (0x0)
    "NoStartMenuNetworkPlaces"= 1 (0x1)
    "NoSecurityTab"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
    2005-07-05 23:45 28672 C:\WINDOWS\system32\notifyf2.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
    2005-11-30 20:16 24576 C:\WINDOWS\system32\tphklock.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1644491937-682003330-725345543-167170\Scripts\Logon\0\0]
    "Script"=\\oncampus.local\SysVol\oncampus.local\scripts\javaupdate\javaupd.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1644491937-682003330-725345543-167170\Scripts\Logon\1\0]
    "Script"=\\oncampus.local\NETLOGON\AcademicIntegrity\fac\icon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1644491937-682003330-725345543-175706\Scripts\Logon\0\0]
    "Script"=\\oncampus.local\SysVol\oncampus.local\scripts\javaupdate\javaupd.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1644491937-682003330-725345543-175706\Scripts\Logon\1\0]
    "Script"=\\oncampus.local\NETLOGON\AcademicIntegrity\fac\icon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1644491937-682003330-725345543-197013\Scripts\Logon\0\0]
    "Script"=\\oncampus.local\SysVol\oncampus.local\scripts\javaupdate\javaupd.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1644491937-682003330-725345543-197013\Scripts\Logon\1\0]
    "Script"=\\oncampus.local\NETLOGON\AcademicIntegrity\stu\icon.bat

    [HKLM\~\startupfolder\C:^Documents and Settings^100353286^Start Menu^Programs^Startup^Stardock ObjectDock.lnk]
    path=C:\Documents and Settings\100353286\Start Menu\Programs\Startup\Stardock ObjectDock.lnk
    backup=C:\WINDOWS\pss\Stardock ObjectDock.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
    --a------ 2006-10-22 23:24 620152 C:\Program Files\Adobe\Acrobat\acrotray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
    --a------ 2007-09-11 01:43 67488 C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
    --a------ 2008-03-27 11:19 288576 C:\Program Files\DNA\btdna.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    --a------ 2004-08-04 12:00 15360 C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelAPMClient]
    --a------ 2007-03-30 05:56 327680 C:\Program Files\LANDesk\LDClient\AMCLIENT.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
    --a------ 2008-01-20 03:05 217088 C:\Program Files\PowerISO\PWRISOVM.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2007-04-27 09:41 282624 C:\Program Files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDClientMonitor]
    --a------ 2006-11-01 08:06 258048 C:\Program Files\LANDesk\LDClient\WebPortal\SDClientMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SearchSettings]
    --a------ 2007-12-06 12:58 1069920 C:\Program Files\Search Settings\SearchSettings.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --a------ 2006-05-03 02:56 36975 C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
    --a------ 2006-02-14 14:16 512000 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
    --a------ 2006-02-14 14:17 110592 C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VMware hqtray]
    --a------ 2007-05-01 22:46 56112 C:\Program Files\VMware\VMware Player\hqtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XboxStat]
    --a------ 2007-09-26 19:05 734264 C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TP4EX]
    --a------ 2005-10-17 01:11 65536 C:\WINDOWS\system32\TP4EX.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\MSN Messenger\\livecall.exe"=
    "C:\\Program Files\\LimeWire\\LimeWire.exe"=
    "C:\\Program Files\\DNA\\btdna.exe"=
    "C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
    "C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
    "C:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"=

    R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2006-12-21 09:51]
    R0 Shockprf;Shockprf;C:\WINDOWS\system32\DRIVERS\Apsx86.sys [2007-03-02 17:49]
    R0 TPDIGIMN;TPDIGIMN;C:\WINDOWS\system32\DRIVERS\ApsHM86.sys [2007-03-02 17:47]
    R1 TPPWRIF;TPPWRIF;C:\WINDOWS\system32\drivers\Tppwrif.sys [2006-12-20 01:14]
    R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [2007-09-11 01:45]
    R2 CBA8;LANDesk(R) Management Agent;C:\Program Files\LANDesk\Shared Files\residentagent.exe [2007-01-09 12:03]
    R2 MSCamSvc;MSCamSvc;C:\Program Files\Microsoft LifeCam\MSCamS32.exe [2007-05-17 17:45]
    R2 Softmon;LANDesk(R) Software Monitoring Service;C:\Program Files\LANDesk\LDClient\softmon.exe [2007-04-27 05:53]
    R2 TVT Backup Protection Service;TVT Backup Protection Service;C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe [2007-02-08 13:11]
    R3 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Program Files\F-Secure\Anti-Virus\minifilter\fsgk.sys [2007-01-24 11:41]
    R3 ldblank;Screen Blanking driver for Remote Control;C:\WINDOWS\system32\DRIVERS\ldblank.sys [2005-07-01 17:48]
    R3 ldmirror;ldmirror;C:\WINDOWS\system32\DRIVERS\ldmirror.sys [2005-07-01 17:48]
    R3 mirrorflt;Mirror Filter Driver for Uninstall;C:\WINDOWS\system32\DRIVERS\mirrorflt.sys [2005-07-01 17:48]
    R3 TVTI2C;Lenovo SM bus driver;C:\WINDOWS\system32\DRIVERS\Tvti2c.sys [2006-09-13 12:42]
    S3 tpflhlp;tpflhlp;C:\Program Files\Lenovo\System Update\session\7cuj19us\tpflhlp.sys [2007-04-09 18:51]
    S3 VX1000;VX-1000;C:\WINDOWS\system32\DRIVERS\VX1000.sys [2007-04-10 17:46]
    S4 F-Secure Filter;F-Secure File System Filter;C:\Program Files\F-Secure\Anti-Virus\Win2K\FSfilter.sys [2007-01-24 11:41]
    S4 F-Secure Recognizer;F-Secure File System Recognizer;C:\Program Files\F-Secure\Anti-Virus\Win2K\FSrec.sys [2007-01-24 11:41]
    S4 msvsmon80;Visual Studio 2005 Remote Debugger;C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2005-09-23 07:01]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0de17090-d8ac-11dc-a7ea-001a6b35ded1}]
    \Shell\AutoRun\command - F:\LaunchU3.exe -a

    *Newly Created Service* - FSBL
    .
    Contents of the 'Scheduled Tasks' folder
    "2008-07-21 04:00:48 C:\WINDOWS\Tasks\PMTask.job"
    - C:\PROGRA~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-07-20 23:59:09
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\WINDOWS\system32\tphklock.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\ati2evxx.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
    C:\Program Files\F-Secure\common\FSMA32.EXE
    C:\Program Files\F-Secure\Anti-Virus\fsgk32.exe
    C:\Program Files\F-Secure\common\FSMB32.EXE
    C:\Program Files\LANDesk\LDClient\LocalSch.EXE
    C:\WINDOWS\system32\cba\pds.exe
    C:\Program Files\LANDesk\LDClient\tmcsvc.exe
    C:\PROGRA~1\LANDesk\LDClient\issuser.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
    C:\PROGRA~1\LANDesk\LDClient\rcgui.exe
    C:\PROGRA~1\LANDesk\LDClient\collector.exe
    C:\PROGRA~1\LANDesk\LDClient\LDRegWatch.exe
    C:\WINDOWS\system32\ati2evxx.exe
    C:\Program Files\F-Secure\common\FCH32.EXE
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\Lenovo\System Update\SUService.exe
    C:\Program Files\F-Secure\Anti-Virus\fsqh.exe
    C:\Program Files\F-Secure\common\FAMEH32.EXE
    C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
    C:\WINDOWS\system32\TPHDEXLG.exe
    C:\WINDOWS\system32\TpKmpSvc.exe
    C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
    C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
    C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
    C:\Program Files\VMware\VMware Player\vmware-authd.exe
    C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
    C:\WINDOWS\system32\vmnat.exe
    C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
    C:\WINDOWS\system32\vmnetdhcp.exe
    C:\Program Files\F-Secure\common\FNRB32.exe
    C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
    C:\Program Files\F-Secure\FSAUA\program\fsaua.exe
    C:\Program Files\F-Secure\FWES\program\fsdfwd.exe
    C:\Program Files\F-Secure\common\FIH32.exe
    C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\F-Secure\FSGUI\fsguidll.exe
    .
    **************************************************************************
    .
    Completion time: 2008-07-21 0:07:33 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-07-21 04:07:15
    ComboFix2.txt 2008-07-20 15:35:31

    Pre-Run: 30,547,427,328 bytes free
    Post-Run: 30,530,125,824 bytes free

    279 --- E O F --- 2007-11-24 19:11:16
     
  7. ATN

    ATN Thread Starter

    Joined:
    Jul 8, 2008
    Messages:
    14
    This is the MBAM log.

    Malwarebytes' Anti-Malware 1.22
    Database version: 974
    Windows 5.1.2600 Service Pack 2

    00:29:06 2008-07-21
    mbam-log-7-21-2008 (00-29-06).txt

    Scan type: Quick Scan
    Objects scanned: 44849
    Time elapsed: 5 minute(s), 22 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 2
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 5

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\host-domain-lookup.com (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\www.host-domain-lookup.com (Malware.Trace) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\system32\goepgudx.0ll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\ayzcho.0ll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\serauth1.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\serauth2.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

    This is the HijackThis log.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 00:31, on 2008-07-21
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
    C:\Program Files\LANDesk\Shared Files\residentagent.exe
    C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
    C:\Program Files\F-Secure\Common\FSMA32.EXE
    C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
    C:\Program Files\F-Secure\Common\FSMB32.EXE
    C:\Program Files\LANDesk\LDClient\LocalSch.EXE
    C:\WINDOWS\system32\CBA\pds.exe
    C:\Program Files\LANDesk\LDClient\tmcsvc.exe
    C:\PROGRA~1\LANDesk\LDClient\issuser.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft LifeCam\MSCamS32.exe
    C:\PROGRA~1\LANDesk\LDClient\rcgui.exe
    C:\PROGRA~1\LANDesk\LDClient\collector.exe
    C:\PROGRA~1\LANDesk\LDClient\LDregwatch.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\F-Secure\Common\FCH32.EXE
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\LANDesk\LDClient\softmon.exe
    C:\WINDOWS\system32\svchost.exe
    c:\program files\lenovo\system update\suservice.exe
    C:\Program Files\F-Secure\Anti-Virus\fsqh.exe
    C:\Program Files\F-Secure\Common\FAMEH32.EXE
    C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
    C:\WINDOWS\System32\TPHDEXLG.exe
    C:\WINDOWS\system32\TpKmpSVC.exe
    C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
    C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
    C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
    C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
    C:\Program Files\VMware\VMware Player\vmware-authd.exe
    C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
    C:\WINDOWS\system32\vmnat.exe
    C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
    C:\WINDOWS\system32\vmnetdhcp.exe
    C:\Program Files\F-Secure\Common\FNRB32.EXE
    C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
    C:\Program Files\F-Secure\FSAUA\program\fsaua.exe
    C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
    C:\Program Files\F-Secure\Common\FIH32.EXE
    C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
    C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
    C:\WINDOWS\system32\TpShocks.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    C:\WINDOWS\system32\rundll32.exe
    C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
    C:\Program Files\F-Secure\Common\FSM32.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\vVX1000.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\F-Secure\FSGUI\fsguidll.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?linkid=677
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
    O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
    O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
    O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
    O4 - HKLM\..\Run: [IBM Warranty Notification] "C:\Program Files\IBM\acp\ERTS0749\ERTS0749.exe /nointro"
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
    O4 - HKLM\..\Run: [VX1000] C:\WINDOWS\vVX1000.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1178728926828
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1178728988812
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = oncampus.local
    O17 - HKLM\Software\..\Telephony: DomainName = oncampus.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = oncampus.local
    O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: LANDesk(R) Management Agent (CBA8) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\Shared Files\residentagent.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
    O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\F-Secure\FSAUA\program\fsaua.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
    O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: Intel Local Scheduler Service - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE
    O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
    O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\tmcsvc.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LANDesk Remote Control Service (ISSUSER) - LANDesk Software, Ltd. - C:\PROGRA~1\LANDesk\LDClient\issuser.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: LANDesk(R) Software Monitoring Service (Softmon) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\softmon.exe
    O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
    O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
    O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
    O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
    O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
    O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
    O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
    O23 - Service: tvtnetwk - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
    O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-authd.exe
    O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
    O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
    O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

    --
    End of file - 12491 bytes
     
  8. ATN

    ATN Thread Starter

    Joined:
    Jul 8, 2008
    Messages:
    14
    Hi! This is the kaspersky report.

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7 REPORT
    Monday, July 21, 2008
    Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Monday, July 21, 2008 16:39:56
    Records in database: 981105
    --------------------------------------------------------------------------------
    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes
    Scan area - My Computer:
    C:\
    D:\
    E:\
    Scan statistics:
    Files scanned: 132974
    Threat name: 1
    Infected objects: 1
    Suspicious objects: 0
    Duration of the scan: 01:41:27

    File name / Threat name / Threats count
    C:\Program Files\Circle Developement\Uninstall.0xe Infected: Trojan-Dropper.Win32.Agent.lxl 1
    The selected area was scanned.
     
  9. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Please download the OTMoveIt2 by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • Copy the lines in the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    • Return to OTMoveIt2, right click in the "Paste Custom List Of Files/Patterns To Move" window (under the yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTMoveIt2
    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.



    Your Java is out of date.

    Upgrading Java:
    • Download the latest version of Java Runtime Environment (JRE) 6 Update 7.
    • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
    • Click the "Download" button to the right.
    • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
    • Click on Continue.
    • Click on the link to download Windows Offline Installation (jre-6u7-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
    • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the jre-6u7-windows-i586-p.exe and select "Run as an Administrator.")


    How is it running now? Any problems?
     
  10. ATN

    ATN Thread Starter

    Joined:
    Jul 8, 2008
    Messages:
    14
    Hi! This is the result from OTMoveIt

    File/Folder not found.
    C:\Program Files\Circle Developement\Uninstall.0xe moved successfully.

    OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07212008_104145
     
  11. ATN

    ATN Thread Starter

    Joined:
    Jul 8, 2008
    Messages:
    14
    I also installed Java now. There aren't any major problems but sometimes, some error messages pop up at random times. How do I fix that?
     
  12. ATN

    ATN Thread Starter

    Joined:
    Jul 8, 2008
    Messages:
    14
    Hi! There is one more problem. After I ran ComboFix, and ComboFix changed the time format, it didn't change it back to the 12 hr clock.
     
  13. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    To reset your clock:
    • Click My Computer
    • Open the Control Panel
    • Select Time Options
    • Classic View: Open Regional and Language Options or Category View: Date, Time, Language and Regional Options.
    • Click Change the format of numbers, dates, and times.
    • Select the Regional Options tab.
    • Next to the box that shows your selected language click "Customize".
    • Click the "Time" tab.
    • In the "Time Format" box enter:
    • Standard Format: "h:mm:ss:tt"
    • Military Format: "HH:mm:ss"


    I would need to know the exact error message to try and help with that.


    Follow these steps to uninstall Combofix and tools used in the removal of malware
    • Click START then RUN
    • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.



    It's a good idea to Flush your System Restore after removing malware:
    Turn off system restore, restart the machine and then turn it back on: http://support.microsoft.com/kb/310405


    Now you should Clean up your PC
     
  14. ATN

    ATN Thread Starter

    Joined:
    Jul 8, 2008
    Messages:
    14
    Hi! Sorry for the late reply, but the disk fragmentation took long. I did everything you told me to. Do I have to do anything more? :) :D
     
  15. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
Short URL to this thread: https://techguy.org/731063