
YUR###.exe virus infection

Discussion in 'Windows - Virus and spyware problems' started by austex08, Oct 9, 2008.

  1. austex08

    austex08 Member

    Joined:
    Oct 8, 2008
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    11
    My laptop is/was infected with the same YUR* virus. I used Malwarebytes and Kaspersky. The trojan is BAD. It keeps on putting explicit icons on the desktop. After using the above mentioned utilities I ran HijackThis v2.0.2 and the following is the log.
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:21:56 PM, on 10/8/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Drivers\trcboot.exe
    C:\Program Files\IBM\Personal Communications\PCS_AGNT.EXE
    C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
    C:\Program Files\IBM\tivoli\dcd\client\ISSI\cds\CDSWinSrv.exe
    C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\WINDOWS\system32\cmd.exe
    C:\Program Files\c4ebreg\c4ebreg.exe
    c:\sdwork\issimsvc.exe
    C:\notes\ntmulti.exe
    C:\Program Files\AT&T Network Client\NetCfgSv.EXE
    C:\Program Files\IBM\tivoli\dcd\client\ISSI\_jvm\jre\bin\java.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    c:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
    C:\WINDOWS\System32\TPHDEXLG.exe
    C:\WINDOWS\system32\TpKmpSVC.exe
    C:\WINDOWS\system32\Drivers\ldlcserv.exe
    C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
    C:\Program Files\IBM\Personal Communications\tpam.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~2\SYMANT~2\VPTray.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
    C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
    C:\WINDOWS\system32\TpShocks.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
    C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
    C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
    C:\Program Files\Lenovo\Zoom\TpScrex.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\c4ebreg\isamtray.exe
    C:\Program Files\IBM\My Help\plugins\com.ibm.myhelp.common_1.3.14\pmonmh.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
    C:\Program Files\IBM\Infoprint Select\ipnotify.exe
    C:\PROGRA~1\ThinkPad\BLUETO~1\BTSTAC~1.EXE
    C:\Program Files\IBM\NotesBuddy\NotesBuddy.exe
    C:\notes\NLNOTES.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\notes\ntaskldr.EXE
    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    C:\Program Files\IBM\My Help\MyHelp.exe
    C:\Program Files\IBM\My Help\jre\bin\myhelpw.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w3.ibm.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://w3.ibm.com/
    R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    R3 - URLSearchHook: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.509.6972\swg.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [stgclean] c:\sdwork\w32main2.exe /cleanup
    O4 - HKLM\..\Run: [Tpam.exe] "C:\Program Files\IBM\Personal Communications\tpam.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\SYMANT~2\VPTray.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
    O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
    O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
    O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
    O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
    O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
    O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
    O4 - HKLM\..\Run: [ISSI EZUpdate Service] "c:\sdwork\issimsvc.exe"
    O4 - HKLM\..\Run: [defergui] c:/sdwork/defergui.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [C4EBReg] "C:\Program Files\c4ebreg\c4ebreg.exe" /q
    O4 - HKLM\..\Run: [ISAMTray] "C:\Program Files\c4ebreg\isamtray.exe"
    O4 - HKLM\..\Run: [MyHelpService] "C:\Program Files\IBM\My Help\workspace\service\delayStart.exe"
    O4 - HKLM\..\Run: [pmonmh] C:\Program Files\IBM\My Help\workspace\..\plugins\com.ibm.myhelp.common_1.3.14/pmonmh.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKCU\..\Run: [NetSP - restore settings on power failure] "C:\Program Files\AT&T Network Client\NetSP.exe" -show
    O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
    O4 - Global Startup: Bluetooth.lnk = ?
    O4 - Global Startup: Infoprint Select Notification.lnk = C:\Program Files\IBM\Infoprint Select\ipnotify.exe
    O4 - Global Startup: Lotus QuickStart.lnk = ?
    O8 - Extra context menu item: Add Person to NotesBuddy... - C:\Program Files\IBM\NotesBuddy\AddPersonN.html
    O8 - Extra context menu item: Add Picture to NotesBuddy... - C:\Program Files\IBM\NotesBuddy\AddImageN.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
    O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
    O11 - Options group: [JAVA_IBM] Java (IBM)
    O14 - IERESET.INF: START_PAGE_URL=http://w3.ibm.com
    O16 - DPF: {1ACECAFE-0015-0000-0000-ABCDEFFEDCBA} (Java2 Runtime Environment 1.5.0) - http://
    O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
    O16 - DPF: {4C833081-D026-4FF8-968F-7EAB660D2FBA} (TVAnts ActiveX Control) - http://download.tvants.com/pub/tvants/tv.../cab/tvants.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsu...b?1189037145890
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsof...b?1194968075000
    O16 - DPF: {9519B2A2-6592-4E41-8290-D0298459270C} (LNWebAssist Class) - http://w3.ibm.com/bluepages/scripts/lnwebassist.cab
    O16 - DPF: {A903E5AB-C67E-40FB-94F1-E1305982F6E0} (KooPlayer Control) - http://www.ooxtv.com/stream.ocx
    O16 - DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} (Java2 Runtime Environment 1.5.0) - http://
    O17 - HKLM\System\CCS\Services\Tcpip\..\{25BC6530-CB5C-4CBA-B38C-399F4DE98D50}: Domain = ibm.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{25BC6530-CB5C-4CBA-B38C-399F4DE98D50}: NameServer = 9.0.8.1,9.0.9.1
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ibm.com
    O17 - HKLM\System\CS1\Services\Tcpip\..\{25BC6530-CB5C-4CBA-B38C-399F4DE98D50}: Domain = ibm.com
    O17 - HKLM\System\CS1\Services\Tcpip\..\{25BC6530-CB5C-4CBA-B38C-399F4DE98D50}: NameServer = 9.0.8.1,9.0.9.1
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = ibm.com
    O17 - HKLM\System\CS2\Services\Tcpip\..\{25BC6530-CB5C-4CBA-B38C-399F4DE98D50}: Domain = ibm.com
    O17 - HKLM\System\CS2\Services\Tcpip\..\{25BC6530-CB5C-4CBA-B38C-399F4DE98D50}: NameServer = 9.0.8.1,9.0.9.1
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ibm.com
    O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
    O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
    O23 - Service: AppnNode - IBM Corporation - C:\WINDOWS\system32\Drivers\appnnode.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: IBM DCD Standard Client (DCDClient-ISSI) (DCDClient-ISSI) - Unknown owner - C:\Program Files\IBM\tivoli\dcd\client\ISSI\cds\CDSWinSrv.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: ISAM SMT Service (ISAMsmt) - Unknown owner - C:\Program Files\C4ebreg\isamsmt.exe (file missing)
    O23 - Service: IBM Standard Asset Manager Service (ISAMSvc) - IBM Corp. - C:\Program Files\c4ebreg\c4ebreg.exe
    O23 - Service: ISSI EZUpdate (ISSIMon) - IBM Corp. - c:\sdwork\issimsvc.exe
    O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
    O23 - Service: IBM Enterprise Extender (ldlcserv) - IBM Corporation - C:\WINDOWS\system32\Drivers\ldlcserv.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\notes\ntmulti.exe
    O23 - Service: My Help (MyHelp) - Unknown owner - C:\Program Files\IBM\My Help\ workspace\service\MyHelpService.exe (file missing)
    O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\Program Files\AT&T Network Client\NetCfgSv.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - c:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
    O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
    O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
    O23 - Service: IBM Trace Facility (TrcBoot) - IBM Corporation - C:\WINDOWS\system32\Drivers\trcboot.exe

    --
    End of file - 15534 bytes

    Is my computer still infected? How do I read this log to understand whether it's infected or not? I think my registry is still affected. One of the update programs complained about it.

    Thanks in advance.
    Aus
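As an added example (not part of the thread, and not a Trend Micro tool), here is a small triage script for the question above: it parses the numbered Rxx/Oxx entries of a HijackThis v2.0.2 log, flags the ones that deserve a second look, and diffs two logs so the reader can see what changed between scans. The sample lines are copied from the logs posted in this thread; the flag reasons are heuristics for review, not verdicts of infection (the cdloader entry, for instance, is simply a program starting from a user-profile directory, which is where the reader should confirm it is something they installed).

```python
"""HijackThis log triage: parse the Rxx/Oxx entries, flag the ones worth a
second look, and diff two logs.  Added example, not from the thread."""
import re

# Constructed sample input: lines copied from the logs posted in this thread.
HEADER = "Logfile of Trend Micro HijackThis v2.0.2\nRunning processes:\nC:\\WINDOWS\\system32\\svchost.exe\n"
R3_LINE = "R3 - URLSearchHook: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)"
CDLOADER_LINE = (r'O4 - HKCU\..\Run: [cdloader] '
                 r'"C:\Documents and Settings\Administrator\Application Data\mjusbsp\cdloader2.exe" MAGICJACK')
COMMON = "\n".join([
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll",
    r"O4 - HKLM\..\Run: [TpShocks] TpShocks.exe",
    r"O4 - Global Startup: Bluetooth.lnk = ?",
    r"O16 - DPF: {1ACECAFE-0015-0000-0000-ABCDEFFEDCBA} (Java2 Runtime Environment 1.5.0) - http://",
    r"O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)",
    r"O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe",
])
LOG_BEFORE = HEADER + R3_LINE + "\n" + COMMON + "\n"      # first log: orphaned URLSearchHook present
LOG_AFTER = HEADER + COMMON + "\n" + CDLOADER_LINE + "\n"  # second log: hook gone, new HKCU Run entry

ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)")
USER_PROFILE_RE = re.compile(r"\\(application data|local settings|temp)\\", re.I)


def parse_entries(log_text):
    """Return the Rxx/Oxx entries as (section, body) tuples; the process list is skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def first_token(cmd):
    """Executable path of a Run command: the quoted string, or the first whitespace-delimited token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(log_text):
    """Return the entries worth reviewing, each with the list of reasons it was flagged."""
    flagged = []
    for section, body in parse_entries(log_text):
        reasons = []
        low = body.lower()
        if "(no file)" in low or "(file missing)" in low:
            reasons.append("orphaned entry: the referenced file no longer exists")
        if section == "O4":
            m = O4_RE.search(body)
            if m:
                exe = first_token(m.group("cmd"))
                if "\\" not in exe and "/" not in exe:
                    reasons.append("bare filename: resolved through PATH at logon, verify which file actually runs")
                elif USER_PROFILE_RE.search(exe):
                    reasons.append("starts from a user-profile directory: confirm it is a program you installed")
        if section == "O16":
            url = body.rsplit(" - ", 1)[-1].strip()
            if url in ("", "http://", "https://"):
                reasons.append("ActiveX download entry with a blank source URL")
        if section == "O20":
            reasons.append("Winlogon Notify DLL loads at every logon: verify the vendor")
        if reasons:
            flagged.append({"section": section, "body": body, "reasons": reasons})
    return flagged


def diff_logs(old_text, new_text):
    """Entries added and removed between two logs, as sorted lists of full entry lines."""
    old = {f"{s} - {b}" for s, b in parse_entries(old_text)}
    new = {f"{s} - {b}" for s, b in parse_entries(new_text)}
    return sorted(new - old), sorted(old - new)


if __name__ == "__main__":
    for entry in triage(LOG_AFTER):
        print(entry["section"], entry["body"])
        for reason in entry["reasons"]:
            print("   ->", reason)
    added, removed = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("added since last scan:", added)
    print("removed since last scan:", removed)
```

Running it on the two sample logs reports the R3 URLSearchHook as removed and the HKCU cdloader entry as added, which is exactly the comparison a helper makes between a "before" and "after" log; the orphaned "(no file)" and "(file missing)" entries are leftovers that HijackThis can fix, not signs of an active infection by themselves.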
     
  2. cdavfrew

    cdavfrew Regular member

    Joined:
    May 19, 2008
    Messages:
    1,183
    Likes Received:
    0
    Trophy Points:
    46
    Hey austex08

    Please download Superantispyware Free and install it. Follow the prompts and reboot if required.

    Launch Superantispyware Free either by running C:\Program Files\SUPERANTISPYWARE.exe or right-click on the SuperAntispyware icon in your task bar (it looks like a bug) and click on Scan for Spyware, Adware, Malware...

    Configuring SuperAntispyware

    • Click on Preferences.
    • In the tab General and Startup, make sure the box Start SuperAntispyware when Windows starts is unchecked. This will prevent SuperAntispyware from starting every time, because it may interfere with other fixes that may be run.
    • Navigate to the tab Scanning Control.
    • Make sure only these boxes are checked:
    Code:
    Close browsers before scanning
    Scan for tracking cookies
    Terminate memory threats before quarantining
    Scan Alternate Data Streams
    Use Kernel Direct File Access (recommended)
    Use Kernel Direct Registry Access (recommended)
    Use Direct Disk Access (recommended)
    • Click on Close.

    Updating SuperAntispyware

    • At the main window, click on Check for Updates....
    • Wait for SuperAntispyware to be fully updated.

    Scanning Time

    • Boot into safe mode by repeatedly pressing the F8 key after you press the power button. If safe mode does not work, tell me and do the scan in normal mode.
    • Launch SuperAntispyware.
    • At the main window, click on Scan your Computer....
    • Make sure all drives (excluding CD drives) are checked, select Perform Complete Scan, and then click on Next.
    • Wait for the scan to complete, and then click on Next>. This will quarantine and remove all detected items.
    • Reboot your computer.

    Post A Log

    • Launch SuperAntispyware
    • Click on Preferences
    • Navigate to the tab Statistics/Logs.
    • Choose the latest scan log, and then click on View Log....
    • Copy and paste the contents of the log here in your next post.

    Best Regards :D
     
  3. austex08

    austex08 Member

    Joined:
    Oct 8, 2008
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    11
    Thanks for the feedback, cdavfrew. Attached is the log after following your instructions.

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 10/09/2008 at 11:55 AM

    Application Version : 4.21.1004

    Core Rules Database Version : 3593
    Trace Rules Database Version: 1580

    Scan type : Complete Scan
    Total Scan Time : 00:54:35

    Memory items scanned : 195
    Memory threats detected : 0
    Registry items scanned : 6007
    Registry threats detected : 1
    File items scanned : 114682
    File threats detected : 10

    411Ferret Toolbar
    HKU\S-1-5-21-1685433429-2724634649-3027080834-500\Software\Microsoft\Internet Explorer\URLSearchHooks#{12F02779-6D88-4958-8AD3-83C12D86ADC7}

    Adware.Tracking Cookie
    C:\Documents and Settings\Administrator\Cookies\bakar@doubleclick[1].txt

    Trojan.Unknown Origin
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\1.ICO.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\2.ICO.VIR
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{01E266C2-86F5-40B2-9145-B4252FFF29C3}\RP44\A0016315.ICO
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{01E266C2-86F5-40B2-9145-B4252FFF29C3}\RP45\A0016320.ICO
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{01E266C2-86F5-40B2-9145-B4252FFF29C3}\RP45\A0016330.ICO
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{01E266C2-86F5-40B2-9145-B4252FFF29C3}\RP45\A0016389.ICO
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{01E266C2-86F5-40B2-9145-B4252FFF29C3}\RP45\A0016391.ICO
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{01E266C2-86F5-40B2-9145-B4252FFF29C3}\RP46\A0016477.ICO
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{01E266C2-86F5-40B2-9145-B4252FFF29C3}\RP46\A0016478.ICO

    Thanks
    Aus
     
    Last edited: Oct 9, 2008
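An added example (not from the thread, and not SUPERAntiSpyware's code) that sorts the detections in the scan log above by where each one lives. The point a practitioner checks first is whether any detection is a live file: here the registry hit is the URLSearchHook GUID {12F02779-6D88-4958-8AD3-83C12D86ADC7} that the first HijackThis log listed as "(no file)", two hits sit under C:\Qoobox\Quarantine (the quarantine folder ComboFix uses, so they are already isolated copies), and the rest are copies inside System Restore snapshots, which only come back if that restore point is applied. The log text is the detection section of the post above, embedded as sample input.

```python
"""Sort SUPERAntiSpyware detections by location: live file, quarantined copy,
System Restore snapshot, cookie or registry entry.  Added example, not from the thread."""
import re
from collections import Counter

# Constructed sample input: the detection section of the log posted above.
SAS_LOG = r"""
Memory threats detected : 0
Registry threats detected : 1
File items scanned : 114682
File threats detected : 10

411Ferret Toolbar
HKU\S-1-5-21-1685433429-2724634649-3027080834-500\Software\Microsoft\Internet Explorer\URLSearchHooks#{12F02779-6D88-4958-8AD3-83C12D86ADC7}

Adware.Tracking Cookie
C:\Documents and Settings\Administrator\Cookies\bakar@doubleclick[1].txt

Trojan.Unknown Origin
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\1.ICO.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\2.ICO.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{01E266C2-86F5-40B2-9145-B4252FFF29C3}\RP44\A0016315.ICO
C:\SYSTEM VOLUME INFORMATION\_RESTORE{01E266C2-86F5-40B2-9145-B4252FFF29C3}\RP45\A0016320.ICO
C:\SYSTEM VOLUME INFORMATION\_RESTORE{01E266C2-86F5-40B2-9145-B4252FFF29C3}\RP45\A0016330.ICO
C:\SYSTEM VOLUME INFORMATION\_RESTORE{01E266C2-86F5-40B2-9145-B4252FFF29C3}\RP45\A0016389.ICO
C:\SYSTEM VOLUME INFORMATION\_RESTORE{01E266C2-86F5-40B2-9145-B4252FFF29C3}\RP45\A0016391.ICO
C:\SYSTEM VOLUME INFORMATION\_RESTORE{01E266C2-86F5-40B2-9145-B4252FFF29C3}\RP46\A0016477.ICO
C:\SYSTEM VOLUME INFORMATION\_RESTORE{01E266C2-86F5-40B2-9145-B4252FFF29C3}\RP46\A0016478.ICO
"""

# A detection line is a drive path (C:\...) or a registry path (HKU\..., HKLM\...).
PATH_RE = re.compile(r"^([A-Z]:\\|HK)", re.I)


def parse_detections(text):
    """Return {threat name: [paths]} from the block that follows the 'File threats detected' line."""
    detections, current, started = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not started:
            started = line.startswith("File threats detected")
            continue
        if not line:
            continue
        if PATH_RE.match(line):
            detections.setdefault(current, []).append(line)
        else:
            current = line                     # a non-path line names the next threat
            detections.setdefault(current, [])
    return detections


def classify_path(path):
    """Where the detected item lives; only 'live file' is something that can still run."""
    p = path.upper()
    if "\\QOOBOX\\QUARANTINE\\" in p or p.endswith(".VIR"):
        return "quarantined copy"
    if "\\SYSTEM VOLUME INFORMATION\\_RESTORE" in p:
        return "system restore snapshot"
    if "\\COOKIES\\" in p:
        return "tracking cookie"
    if p.startswith("HK"):
        return "registry entry"
    return "live file"


def summarize(text):
    """Count of detections per location category."""
    counts = Counter(classify_path(p) for paths in parse_detections(text).values() for p in paths)
    return dict(counts)


def live_detections(text):
    """Detections that are neither quarantined, in a restore point, a cookie nor a registry value."""
    return [p for paths in parse_detections(text).values() for p in paths if classify_path(p) == "live file"]


if __name__ == "__main__":
    for name, paths in parse_detections(SAS_LOG).items():
        print(name)
        for p in paths:
            print(f"   [{classify_path(p)}] {p}")
    print("summary:", summarize(SAS_LOG))
    print("live files still on disk:", live_detections(SAS_LOG))
```

For this log the summary is one registry entry, one tracking cookie, two quarantined copies and seven restore-point copies, with no live file; the restore-point copies disappear once System Restore is cleared and a fresh restore point is created after the cleanup.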
  5. cdavfrew

    cdavfrew Regular member

    Joined:
    May 19, 2008
    Messages:
    1,183
    Likes Received:
    0
    Trophy Points:
    46
    Hey austex08

    Please post a new HijackThis log and tell me exactly what problems/symptoms you have.

    Best Regards :D
     
  6. austex08

    austex08 Member

    Joined:
    Oct 8, 2008
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    11
    As mentioned in the first entry, I got hit with the YUR###.exe virus, which had some yur***.exe file in my windows/system32 and kept on placing explicit icons on the desktop.

    Here is the new HijackThis log. How do I read it to make sure my computer is no longer infected? Again, thanks for all your help.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:06:50 PM, on 10/9/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Drivers\trcboot.exe
    C:\Program Files\IBM\Personal Communications\PCS_AGNT.EXE
    C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
    C:\Program Files\IBM\tivoli\dcd\client\ISSI\cds\CDSWinSrv.exe
    C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\WINDOWS\system32\cmd.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\c4ebreg\c4ebreg.exe
    c:\sdwork\issimsvc.exe
    C:\notes\ntmulti.exe
    C:\Program Files\AT&T Network Client\NetCfgSv.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    c:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\IBM\tivoli\dcd\client\ISSI\_jvm\jre\bin\java.exe
    C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
    C:\WINDOWS\System32\TPHDEXLG.exe
    C:\WINDOWS\system32\TpKmpSVC.exe
    C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
    C:\WINDOWS\system32\Drivers\ldlcserv.exe
    C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\IBM\Personal Communications\tpam.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~2\SYMANT~2\VPTray.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
    C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
    C:\WINDOWS\system32\TpShocks.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
    C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
    C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
    C:\Program Files\Lenovo\Zoom\TpScrex.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\c4ebreg\isamtray.exe
    C:\Program Files\IBM\My Help\plugins\com.ibm.myhelp.common_1.3.14\pmonmh.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
    C:\Program Files\IBM\Infoprint Select\ipnotify.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\IBM\My Help\MyHelp.exe
    C:\Program Files\IBM\My Help\jre\bin\myhelpw.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\notes\NLNOTES.EXE
    C:\notes\ntaskldr.EXE
    C:\Program Files\AT&T Network Client\NetClient.exe
    C:\Program Files\IBM\NotesBuddy\NotesBuddy.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w3.ibm.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://w3.ibm.com/
    R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.509.6972\swg.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [stgclean] c:\sdwork\w32main2.exe /cleanup
    O4 - HKLM\..\Run: [Tpam.exe] "C:\Program Files\IBM\Personal Communications\tpam.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\SYMANT~2\VPTray.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
    O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
    O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
    O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
    O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
    O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
    O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
    O4 - HKLM\..\Run: [ISSI EZUpdate Service] "c:\sdwork\issimsvc.exe"
    O4 - HKLM\..\Run: [defergui] c:/sdwork/defergui.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [C4EBReg] "C:\Program Files\c4ebreg\c4ebreg.exe" /q
    O4 - HKLM\..\Run: [ISAMTray] "C:\Program Files\c4ebreg\isamtray.exe"
    O4 - HKLM\..\Run: [MyHelpService] "C:\Program Files\IBM\My Help\workspace\service\delayStart.exe"
    O4 - HKLM\..\Run: [pmonmh] C:\Program Files\IBM\My Help\workspace\..\plugins\com.ibm.myhelp.common_1.3.14/pmonmh.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKCU\..\Run: [NetSP - restore settings on power failure] "C:\Program Files\AT&T Network Client\NetSP.exe" -show
    O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Administrator\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
    O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
    O4 - Global Startup: Bluetooth.lnk = ?
    O4 - Global Startup: Infoprint Select Notification.lnk = C:\Program Files\IBM\Infoprint Select\ipnotify.exe
    O4 - Global Startup: Lotus QuickStart.lnk = ?
    O8 - Extra context menu item: Add Person to NotesBuddy... - C:\Program Files\IBM\NotesBuddy\AddPersonN.html
    O8 - Extra context menu item: Add Picture to NotesBuddy... - C:\Program Files\IBM\NotesBuddy\AddImageN.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
    O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
    O11 - Options group: [JAVA_IBM] Java (IBM)
    O14 - IERESET.INF: START_PAGE_URL=http://w3.ibm.com
    O16 - DPF: {1ACECAFE-0015-0000-0000-ABCDEFFEDCBA} (Java2 Runtime Environment 1.5.0) - http://
    O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
    O16 - DPF: {4C833081-D026-4FF8-968F-7EAB660D2FBA} (TVAnts ActiveX Control) - http://download.tvants.com/pub/tvants/tvants1/win32/cab/tvants.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1189037145890
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1194968075000
    O16 - DPF: {9519B2A2-6592-4E41-8290-D0298459270C} (LNWebAssist Class) - http://w3.ibm.com/bluepages/scripts/lnwebassist.cab
    O16 - DPF: {A903E5AB-C67E-40FB-94F1-E1305982F6E0} (KooPlayer Control) - http://www.ooxtv.com/stream.ocx
    O16 - DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} (Java2 Runtime Environment 1.5.0) - http://
    O17 - HKLM\System\CCS\Services\Tcpip\..\{25BC6530-CB5C-4CBA-B38C-399F4DE98D50}: Domain = ibm.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{25BC6530-CB5C-4CBA-B38C-399F4DE98D50}: NameServer = 9.0.8.1,9.0.9.1
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ibm.com
    O17 - HKLM\System\CS1\Services\Tcpip\..\{25BC6530-CB5C-4CBA-B38C-399F4DE98D50}: Domain = ibm.com
    O17 - HKLM\System\CS1\Services\Tcpip\..\{25BC6530-CB5C-4CBA-B38C-399F4DE98D50}: NameServer = 9.0.8.1,9.0.9.1
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = ibm.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ibm.com
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
    O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
    O23 - Service: AppnNode - IBM Corporation - C:\WINDOWS\system32\Drivers\appnnode.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: IBM DCD Standard Client (DCDClient-ISSI) (DCDClient-ISSI) - Unknown owner - C:\Program Files\IBM\tivoli\dcd\client\ISSI\cds\CDSWinSrv.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: ISAM SMT Service (ISAMsmt) - Unknown owner - C:\Program Files\C4ebreg\isamsmt.exe (file missing)
    O23 - Service: IBM Standard Asset Manager Service (ISAMSvc) - IBM Corp. - C:\Program Files\c4ebreg\c4ebreg.exe
    O23 - Service: ISSI EZUpdate (ISSIMon) - IBM Corp. - c:\sdwork\issimsvc.exe
    O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
    O23 - Service: IBM Enterprise Extender (ldlcserv) - IBM Corporation - C:\WINDOWS\system32\Drivers\ldlcserv.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\notes\ntmulti.exe
    O23 - Service: My Help (MyHelp) - Unknown owner - C:\Program Files\IBM\My Help\ workspace\service\MyHelpService.exe (file missing)
    O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\Program Files\AT&T Network Client\NetCfgSv.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - c:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
    O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
    O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
    O23 - Service: IBM Trace Facility (TrcBoot) - IBM Corporation - C:\WINDOWS\system32\Drivers\trcboot.exe

    --
    End of file - 15518 bytes
     
  7. cdavfrew

    cdavfrew Regular member

    Joined:
    May 19, 2008
    Messages:
    1,183
    Likes Received:
    0
    Trophy Points:
    46
    Hey austex08

    I meant what problems you have left. The YUR files are obviously gone, and you can delete the icons on your desktop.

    Best Regards :D
     
  8. austex08

    austex08 Member

    Joined:
    Oct 8, 2008
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    11
    Oh :)
    I had deleted the YU files from the system32 lib already. Kaspersky tool helped a lot. SuperAntiSpyware removed those 11 more.

    I don't see any more problems as such. But if you can look at the logs and tell me if you see something or not :)

    Thanks
    Aus
     
  9. cdavfrew

    cdavfrew Regular member

    Joined:
    May 19, 2008
    Messages:
    1,183
    Likes Received:
    0
    Trophy Points:
    46
    Hey austex08

    Now, please download ComboFix.
    With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

    Please disable all security programs, such as antiviruses, antispywares, and firewalls.
    Also disable your internet connection.


    • Run Combo-Fix.exe and follow the prompts.
    **Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.
    • Wait for the scan to be completed.
    • If it requires a reboot, please do it.
    • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

    Do not click on the ComboFix window, as it may cause it to stall.

    Best Regards :D
     
  10. austex08

    austex08 Member

    Joined:
    Oct 8, 2008
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    11
    Sorry for the delay. Was travelling. Will be travelling tomorrow onwards again. Appreciate your help with this.

    here is the combofix log
    ComboFix 08-10-12.01 - bakkar 2008-10-13 12:25:35.3 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1230 [GMT -5:00]
    Running from: C:\Documents and Settings\Administrator\Desktop\Tools\Combo-Fix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((( Files Created from 2008-09-13 to 2008-10-13 )))))))))))))))))))))))))))))))
    .

    2008-10-09 16:23 . 2008-10-09 19:41 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\mjusbsp
    2008-10-09 16:02 . 2004-08-03 23:07 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
    2008-10-09 16:02 . 2004-08-03 23:07 59,264 --a--c--- C:\WINDOWS\system32\dllcache\usbaudio.sys
    2008-10-09 16:02 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
    2008-10-09 16:02 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
    2008-10-09 10:49 . 2008-10-09 10:49 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2008-10-09 10:49 . 2008-10-09 10:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-10-09 10:49 . 2008-10-09 10:49 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
    2008-10-08 23:53 . 2008-07-08 14:54 148,496 --a------ C:\WINDOWS\system32\drivers\17394314.sys
    2008-10-08 20:10 . 2008-10-08 20:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
    2008-10-08 18:26 . 2008-10-08 18:26 21,361 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
    2008-10-08 18:26 . 2008-10-08 18:26 21,361 --a------ C:\WINDOWS\AegisP.sys
    2008-10-08 18:26 . 2008-10-08 18:26 13,984 --a------ C:\WINDOWS\AegisP.inf
    2008-10-08 18:26 . 2008-10-08 18:26 10,640 --a------ C:\WINDOWS\AegisP.cat
    2008-10-08 18:25 . 2008-10-08 18:25 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Intel
    2008-10-08 18:25 . 2008-10-08 18:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Intel
    2008-10-08 18:25 . 2008-10-08 18:25 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
    2008-10-08 18:23 . 2008-10-08 18:23 76,034,501 --a------ C:\temp\wlan_wpav622_08_04_08.exe
    2008-10-08 11:30 . 2008-10-08 11:31 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-10-08 11:30 . 2008-10-08 11:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-10-08 11:30 . 2008-10-08 11:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
    2008-10-08 11:30 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-10-08 11:30 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-10-08 06:43 . 2008-07-08 14:54 148,496 --a------ C:\WINDOWS\system32\drivers\85477348.sys
    2008-10-07 23:53 . 2008-10-07 23:53 <DIR> d-------- C:\Program Files\Trend Micro
    2008-10-07 23:29 . 2008-10-13 12:28 32,606,240 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
    2008-10-07 23:29 . 2008-10-13 12:28 382,004 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
    2008-10-07 19:21 . 2008-10-07 19:21 <DIR> d-------- C:\Program Files\CCleaner
    2008-10-07 18:06 . 2008-10-08 06:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-10-07 17:51 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2008-10-07 17:51 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2008-10-07 17:51 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
    2008-10-07 17:36 . 2008-10-07 17:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-10-07 17:35 . 2008-10-09 10:49 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-10-05 18:59 . 2008-10-05 18:59 <DIR> d-------- C:\Program Files\Common Files\xing shared
    2008-10-03 11:38 . 2008-10-03 11:42 <DIR> d-------- C:\Program Files\Picasa2
    2008-09-29 18:00 . 2008-09-29 18:00 <DIR> d-------- C:\WINDOWS\system32\QuickTime
    2008-09-29 18:00 . 2008-09-29 18:01 <DIR> d-------- C:\Program Files\Macromedia
    2008-09-29 18:00 . 2008-09-29 18:01 <DIR> d-------- C:\Program Files\Common Files\Macromedia
    2008-09-18 11:39 . 2008-09-18 11:39 <DIR> d-------- C:\WINDOWS\Sun
    2008-09-17 13:55 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
    2008-09-17 13:55 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
    2008-09-16 12:35 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
    2008-09-16 12:34 . 2008-09-16 12:34 <DIR> d-------- C:\Program Files\Common Files\Java

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-10-13 17:30 --------- d-----w C:\Program Files\C4ebreg
    2008-10-13 17:23 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-10-12 16:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
    2008-10-10 18:08 --------- d-----w C:\Program Files\WST
    2008-10-10 03:06 --------- d-----w C:\Program Files\AT&T Network Client
    2008-10-08 23:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-10-07 22:36 --------- d-----w C:\Program Files\Lavasoft
    2008-10-05 23:59 --------- d-----w C:\Program Files\Common Files\Real
    2008-09-16 17:35 --------- d-----w C:\Program Files\Java
    2008-09-03 17:30 --------- d-----w C:\Program Files\IBM
    2008-09-03 17:28 --------- d-----w C:\Documents and Settings\Administrator\Application Data\InstallShield
    2008-08-13 21:40 --------- d-----w C:\Program Files\IBM Ayudame
    2008-07-24 23:58 59,904 ----a-w C:\ospreg.exe
    .

    ((((((((((((((((((((((((((((( snapshot@2008-10-07_22.30.05.26 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-10-09 15:49:50 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
    + 2008-10-09 15:49:50 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
    - 2007-04-16 11:24:48 614,400 ----a-w C:\WINDOWS\Installer\iProData\iconvrtr.exe
    + 2007-11-19 20:44:16 802,816 ----a-w C:\WINDOWS\Installer\iProData\iconvrtr.exe
    - 2007-05-01 16:15:06 600,592 ----a-w C:\WINDOWS\Installer\iProInst.exe
    + 2007-11-19 17:30:58 600,328 ----a-w C:\WINDOWS\Installer\iProInst.exe
    - 2005-11-08 09:27:20 11,520 ----a-w C:\WINDOWS\system32\drivers\ANC.sys
    + 2005-11-08 14:27:20 11,520 ----a-w C:\WINDOWS\system32\drivers\ANC.sys
    - 2007-04-02 11:24:08 4,224 ----a-w C:\WINDOWS\system32\drivers\IBMBLDID.sys
    + 2007-04-02 16:24:08 4,224 ----a-w C:\WINDOWS\system32\drivers\IBMBLDID.sys
    - 2007-11-02 00:00:00 21,808 ----a-w C:\WINDOWS\system32\drivers\ibmpmdrv.sys
    + 2007-11-02 20:50:30 21,808 ----a-w C:\WINDOWS\system32\drivers\ibmpmdrv.sys
    - 2007-04-30 06:37:20 2,206,976 ----a-w C:\WINDOWS\system32\drivers\NETw4x32.sys
    + 2007-11-27 04:37:00 2,236,544 ----a-w C:\WINDOWS\system32\drivers\NETw4x32.sys
    - 2007-03-29 15:19:36 12,416 ----a-w C:\WINDOWS\system32\drivers\s24trans.sys
    + 2007-11-20 21:39:56 12,288 ----a-w C:\WINDOWS\system32\drivers\s24trans.sys
    - 2007-11-15 10:18:06 17,845 ----a-w C:\WINDOWS\system32\drivers\TPHKDRV.sys
    + 2008-05-13 03:14:16 17,844 ----a-w C:\WINDOWS\system32\drivers\TPHKDRV.sys
    - 2007-11-02 00:00:00 36,136 ----a-w C:\WINDOWS\system32\ibmpmsvc.exe
    + 2007-11-02 20:51:02 36,136 ----a-w C:\WINDOWS\system32\ibmpmsvc.exe
    - 2006-10-16 23:44:44 1,028,096 ----a-w C:\WINDOWS\system32\libeay32.dll
    + 2006-08-29 18:40:36 1,089,536 ----a-w C:\WINDOWS\system32\libeay32.dll
    + 2007-11-19 19:45:38 208,896 ----a-w C:\WINDOWS\system32\NetProvCredMan.dll
    - 2007-04-16 11:21:10 684,032 ----a-w C:\WINDOWS\system32\NETw4c32.dll
    + 2007-11-20 21:41:12 749,568 ----a-w C:\WINDOWS\system32\NETw4c32.dll
    - 2007-04-16 11:21:46 2,772,992 ----a-w C:\WINDOWS\system32\NETw4r32.dll
    + 2007-11-20 21:42:08 2,777,088 ----a-w C:\WINDOWS\system32\NETw4r32.dll
    - 2008-10-08 01:09:49 69,478 ----a-w C:\WINDOWS\system32\perfc009.dat
    + 2008-10-12 16:32:13 69,478 ----a-w C:\WINDOWS\system32\perfc009.dat
    - 2008-10-08 01:09:49 435,906 ----a-w C:\WINDOWS\system32\perfh009.dat
    + 2008-10-12 16:32:13 435,906 ----a-w C:\WINDOWS\system32\perfh009.dat
    - 2007-03-23 09:50:44 14,848 ----a-w C:\WINDOWS\system32\s24NCfg.dll
    + 2007-08-27 15:09:54 14,848 ----a-w C:\WINDOWS\system32\s24NCfg.dll
    - 2007-01-30 09:03:56 53,248 ----a-w C:\WINDOWS\system32\SMSUnins.dll
    + 2006-08-29 17:59:32 53,248 ----a-w C:\WINDOWS\system32\SMSUnins.dll
    - 2007-11-02 00:00:00 35,112 ----a-w C:\WINDOWS\system32\tpinspm.dll
    + 2007-11-02 20:51:08 35,112 ----a-w C:\WINDOWS\system32\tpinspm.dll
    - 2007-02-05 17:45:24 583,232 ----a-w C:\WINDOWS\system32\tvt_gina.dll
    + 2007-02-05 22:45:24 583,232 ----a-w C:\WINDOWS\system32\tvt_gina.dll
    - 2007-02-05 17:45:24 292,416 ----a-w C:\WINDOWS\system32\tvt_gina_api.dll
    + 2007-02-05 22:45:24 292,416 ----a-w C:\WINDOWS\system32\tvt_gina_api.dll
    + 2008-04-15 17:54:19 1,724,416 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.3352_x-ww_81af8e88\GdiPlus.dll
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NetSP - restore settings on power failure"="C:\Program Files\AT&T Network Client\NetSP.exe" [2007-01-13 24576]
    "cdloader"="C:\Documents and Settings\Administrator\Application Data\mjusbsp\cdloader2.exe" [2008-08-22 50520]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "stgclean"="c:\sdwork\w32main2.exe" [2008-10-10 272384]
    "Tpam.exe"="C:\Program Files\IBM\Personal Communications\tpam.exe" [2005-09-06 28672]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
    "vptray"="C:\PROGRA~1\SYMANT~2\SYMANT~2\VPTray.exe" [2006-09-27 125168]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-05-17 8433664]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-05-17 81920]
    "SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2007-04-08 1015808]
    "ACTray"="C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe" [2007-07-05 413696]
    "ACWLIcon"="C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-07-05 126976]
    "PWRMGRTR"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2008-01-10 294912]
    "BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2008-01-10 208896]
    "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2007-08-10 110592]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-08-10 512000]
    "TPFNF7"="C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2007-12-19 60704]
    "TPHOTKEY"="C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe" [2008-03-24 68464]
    "TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2007-01-09 868352]
    "ISSI EZUpdate Service"="c:\sdwork\issimsvc.exe" [2008-10-10 210944]
    "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-11-15 127035]
    "C4EBReg"="C:\Program Files\c4ebreg\c4ebreg.exe" [2008-05-02 372736]
    "ISAMTray"="C:\Program Files\c4ebreg\isamtray.exe" [2008-05-02 253952]
    "MyHelpService"="C:\Program Files\IBM\My Help\workspace\service\delayStart.exe" [2008-04-07 94208]
    "pmonmh"="C:\Program Files\IBM\My Help\workspace\..\plugins\com.ibm.myhelp.common_1.3.14/pmonmh.exe" [2008-04-07 184371]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "nwiz"="nwiz.exe" [2007-05-17 C:\WINDOWS\system32\nwiz.exe]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 C:\WINDOWS\system32\bthprops.cpl]
    "TpShocks"="TpShocks.exe" [2007-11-22 C:\WINDOWS\system32\TpShocks.exe]
    "defergui"="c:/sdwork/defergui.exe" [2008-03-03 c:\sdwork\defergui.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2008-02-25 443968]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Bluetooth.lnk - C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe [2007-11-26 576104]
    Infoprint Select Notification.lnk - C:\Program Files\IBM\Infoprint Select\ipnotify.exe [2005-04-05 143360]
    Lotus QuickStart.lnk - C:\lotus\wordpro\ltsstart.exe [2003-04-07 32768]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoDevMgrUpdate"= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
    2006-09-06 11:37 34344 C:\Program Files\Lenovo\HOTKEY\notifyf2.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
    2008-03-17 16:02 34080 C:\Program Files\Lenovo\HOTKEY\tphklock.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
    2007-07-05 14:52 32768 C:\Program Files\ThinkPad\ConnectUtilities\ACNotify.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\atmgrtok]
    2005-09-06 04:07 53248 C:\Program Files\IBM\Personal Communications\atmgrtok.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pcsinst]
    2005-09-06 13:43 49152 C:\WINDOWS\system32\pcsinst.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages REG_MULTI_SZ scecli ACGina

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001
    "IBMconfig"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\IBM\\Infoprint Select\\ipnotify.exe"=
    "C:\\Program Files\\IBM\\My Help\\jre\\bin\\myhelpw.exe"=
    "C:\\sdwork\\w32maing.exe"=
    "C:\\Documents and Settings\\Administrator\\Application Data\\mjusbsp\\magicJack.exe"=

    R0 Shockprf;Shockprf;C:\WINDOWS\system32\DRIVERS\Apsx86.sys [2007-10-16 103472]
    R0 TPDIGIMN;TPDIGIMN;C:\WINDOWS\system32\DRIVERS\ApsHM86.sys [2007-10-16 19504]
    R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2005-11-08 11520]
    R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\Drivers\IBMBLDID.sys [2007-04-02 4224]
    R1 is-MHNS2drv;is-MHNS2drv;C:\WINDOWS\system32\DRIVERS\85477348.sys [2008-07-08 148496]
    R1 is-R678Ldrv;is-R678Ldrv;C:\WINDOWS\system32\DRIVERS\17394314.sys [2008-07-08 148496]
    R1 TPPWRIF;TPPWRIF;C:\WINDOWS\system32\drivers\Tppwrif.sys [2008-01-10 4442]
    R2 agnwifi;AT&T Wi-Fi Support Driver;C:\WINDOWS\system32\DRIVERS\agnwifi.sys [2004-04-29 19328]
    R2 AppnApi;AppnApi;C:\WINDOWS\system32\drivers\appnapi.sys [2005-09-06 120192]
    R2 DCDClient-ISSI;IBM DCD Standard Client (DCDClient-ISSI);C:\Program Files\IBM\tivoli\dcd\client\ISSI\cds\CDSWinSrv.exe [2008-07-08 53248]
    R2 IBM_LLC2;IBM Personal Communications LLC2 Driver;C:\WINDOWS\system32\DRIVERS\llc2.sys [2005-09-06 101408]
    R2 ISAMSvc;IBM Standard Asset Manager Service;C:\Program Files\c4ebreg\c4ebreg.exe [2008-05-02 372736]
    R2 NsTrcNT;NsTrcNT;C:\WINDOWS\system32\drivers\nstrcnt.sys [2005-09-06 12028]
    R2 pdlnctdl;Twinax CUT Adapter;C:\WINDOWS\system32\drivers\pdlnctdl.sys [2005-09-06 12288]
    R2 pdlndldl;IBM Enterprise Extender (HPR/IP);C:\WINDOWS\system32\drivers\pdlndldl.sys [2005-09-06 59392]
    R3 agnfilt;AGN Filter Interface;C:\WINDOWS\system32\DRIVERS\agnfilt.sys [2006-05-19 180864]
    R3 Anydlc;Anydlc;C:\WINDOWS\system32\drivers\anydlc.sys [2005-09-06 38236]
    R3 Appn;Appn;C:\WINDOWS\system32\drivers\appn.sys [2005-09-06 1286560]
    R3 AppnBase;AppnBase;C:\WINDOWS\system32\drivers\AppnBase.sys [2005-09-06 195872]
    R3 KLOGNT;KLOGNT;C:\WINDOWS\system32\drivers\klognt.sys [2005-09-06 24588]
    R3 LenovoRd;LenovoRd;C:\WINDOWS\system32\Drivers\LenovoRd.sys [2007-02-25 81920]
    R3 pdlnacom;PDLC Adapter -- COM;C:\WINDOWS\system32\drivers\pdlnacom.sys [2005-09-06 75200]
    R3 pdlnafac;PDLC Adapter Factory;C:\WINDOWS\system32\drivers\pdlnafac.sys [2005-09-06 36048]
    R3 pdlnatcm;Twinax Adapter Common;C:\WINDOWS\system32\drivers\pdlnatcm.sys [2005-09-06 20480]
    R3 pdlnatdl;Twinax Adapter;C:\WINDOWS\system32\drivers\pdlnatdl.sys [2005-09-06 18432]
    R3 pdlncbas;PDLC CxM Classes;C:\WINDOWS\system32\drivers\pdlncbas.sys [2005-09-06 6784]
    R3 pdlncfwk;PDLC Connection Manager;C:\WINDOWS\system32\drivers\pdlncfwk.sys [2005-09-06 160288]
    R3 pdlndint;PDLC DLC Classes;C:\WINDOWS\system32\drivers\pdlndint.sys [2005-09-06 12800]
    R3 pdlndlpb;PDLC LAPB;C:\WINDOWS\system32\drivers\pdlndlpb.sys [2005-09-06 70144]
    R3 pdlndoem;PDLC OEM Interface;C:\WINDOWS\system32\drivers\pdlndoem.sys [2005-09-06 18944]
    R3 pdlndqll;PDLC QLLC;C:\WINDOWS\system32\drivers\pdlndqll.sys [2005-09-06 53248]
    R3 pdlndsdl;PDLC SDLC;C:\WINDOWS\system32\drivers\pdlndsdl.sys [2005-09-06 67072]
    R3 pdlndtdl;Twinax DLC;C:\WINDOWS\system32\drivers\pdlndtdl.sys [2005-09-06 51712]
    R3 pdlnebas;PDLC Environment;C:\WINDOWS\system32\drivers\pdlnebas.sys [2005-09-06 8608]
    R3 pdlnecfg;PDLC Configuration;C:\WINDOWS\system32\drivers\pdlnecfg.sys [2005-09-06 50336]
    R3 pdlnemap;PDLC Mapper;C:\WINDOWS\system32\drivers\pdlnemap.sys [2005-09-06 67184]
    R3 pdlnemsg;PDLC Message Driver;C:\WINDOWS\system32\drivers\pdlnemsg.sys [2005-09-06 12768]
    R3 pdlnepkt;PDLC Buffer Manager;C:\WINDOWS\system32\drivers\pdlnepkt.sys [2005-09-06 19984]
    R3 pdlnshay;PDLC Hayes At signalling;C:\WINDOWS\system32\drivers\pdlnshay.sys [2005-09-06 59504]
    R3 pdlnslea;PDLC SDLC Leased;C:\WINDOWS\system32\drivers\pdlnslea.sys [2005-09-06 22384]
    R3 pdlnsv25;PDLC V25bis signalling;C:\WINDOWS\system32\drivers\pdlnsv25.sys [2005-09-06 54416]
    R3 pdlnsx25;PDLC X.25;C:\WINDOWS\system32\drivers\pdlnsx25.sys [2005-09-06 58432]
    S2 MyHelp;My Help;C:\Program Files\IBM\My Help\ workspace\service\MyHelpService.exe [ ]
    S3 avpnnic;AGN Virtual Network Adapter;C:\WINDOWS\system32\DRIVERS\avpnnic.sys [2003-04-04 13952]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    \Shell\AutoRun\command - E:\autorun.exe
    \Shell\phone\command - E:\autorun.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{970be292-9645-11dd-b531-001f3bd7d68f}]
    \Shell\AutoRun\command - E:\autorun.exe
    \Shell\phone\command - E:\autorun.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2008-10-13 C:\WINDOWS\Tasks\PMTask.job
    - C:\PROGRA~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2008-01-10 19:00]
    .
    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\vyekxfxl.default\
    FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://w3.austin.ibm.com
    FF -: plugin - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\vyekxfxl.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
    FF -: plugin - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\vyekxfxl.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
    FF -: plugin - C:\Program Files\Google\Google Updater\2.3.1314.1135\npCIDetect12.dll
    FF -: plugin - c:\Program Files\Microsoft Silverlight\2.0.30523.8\npctrl.dll
    FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npcpsweb.dll
    FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\nphclx.dll
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-10-13 12:31:08
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\explorer.exe
    -> C:\WINDOWS\system32\nview.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\scardsvr.exe
    C:\WINDOWS\system32\drivers\trcboot.exe
    C:\Program Files\IBM\Personal Communications\PCS_AGNT.EXE
    C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
    C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\notes\ntmulti.exe
    C:\Program Files\AT&T Network Client\NetCfgSv.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\IBM\tivoli\dcd\client\ISSI\_jvm\jre\bin\java.exe
    C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
    C:\WINDOWS\system32\TPHDEXLG.exe
    C:\WINDOWS\system32\TpKmpSvc.exe
    C:\WINDOWS\system32\drivers\ldlcserv.exe
    C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
    C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
    C:\Program Files\Lenovo\ZOOM\TpScrex.exe
    C:\Program Files\IBM\My Help\plugins\com.ibm.myhelp.common_1.3.14\pmonmh.exe
    .
    **************************************************************************
    .
    Completion time: 2008-10-13 12:34:05 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-10-13 17:34:00
    ComboFix2.txt 2008-10-08 04:16:32
    ComboFix3.txt 2008-10-08 03:30:55

    Pre-Run: 58,136,334,336 bytes free
    Post-Run: 58,144,051,200 bytes free

    329
     
  11. cdavfrew

    cdavfrew Regular member

    Joined:
    May 19, 2008
    Messages:
    1,183
    Likes Received:
    0
    Trophy Points:
    46
    Hey austex08

    • Click Start.
    • Open My Computer.
    • Select the Tools menu and click Folder Options.
    • Select the View Tab.
    • Under the Hidden files and folders heading select Show hidden files and folders.
    • Uncheck the Hide protected operating system files (recommended) option.
    • Click Yes to confirm.
    • Click OK.

    Find these files,

    C:\WINDOWS\system32\drivers\85477348.sys
    C:\ospreg.exe

    And upload them to www.virustotal.com. Post the results here.

    Best Regards :D
     
  12. austex08

    austex08 Member

    Joined:
    Oct 8, 2008
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    11
    C:\WINDOWS\system32\drivers\85477348.sys

    File 68040710.sys received on 10.13.2008 11:00:32 (CET)
    Current status: finished
    Result: 0/36 (0.00%)
    Antivirus Version Last Update Result
    AhnLab-V3 2008.10.13.0 2008.10.13 -
    AntiVir 7.8.1.34 2008.10.13 -
    Authentium 5.1.0.4 2008.10.12 -
    Avast 4.8.1248.0 2008.10.12 -
    AVG 8.0.0.161 2008.10.12 -
    BitDefender 7.2 2008.10.13 -
    CAT-QuickHeal 9.50 2008.10.13 -
    ClamAV 0.93.1 2008.10.13 -
    DrWeb 4.44.0.09170 2008.10.13 -
    eSafe 7.0.17.0 2008.10.12 -
    eTrust-Vet 31.6.6141 2008.10.10 -
    Ewido 4.0 2008.10.12 -
    F-Prot 4.4.4.56 2008.10.12 -
    F-Secure 8.0.14332.0 2008.10.13 -
    Fortinet 3.113.0.0 2008.10.13 -
    GData 19 2008.10.13 -
    Ikarus T3.1.1.34.0 2008.10.13 -
    K7AntiVirus 7.10.491 2008.10.11 -
    Kaspersky 7.0.0.125 2008.10.13 -
    McAfee 5403 2008.10.11 -
    Microsoft 1.4005 2008.10.13 -
    NOD32 3516 2008.10.13 -
    Norman 5.80.02 2008.10.10 -
    Panda 9.0.0.4 2008.10.13 -
    PCTools 4.4.2.0 2008.10.12 -
    Prevx1 V2 2008.10.13 -
    Rising 20.66.01.00 2008.10.13 -
    SecureWeb-Gateway 6.7.6 2008.10.13 -
    Sophos 4.34.0 2008.10.13 -
    Sunbelt 3.1.1719.1 2008.10.13 -
    Symantec 10 2008.10.13 -
    TheHacker 6.3.1.0.108 2008.10.11 -
    TrendMicro 8.700.0.1004 2008.10.13 -
    VBA32 3.12.8.6 2008.10.12 -
    ViRobot 2008.10.13.1417 2008.10.13 -
    VirusBuster 4.5.11.0 2008.10.12 -
    Additional information
    File size: 148496 bytes
    MD5...: 0aa3ad071827118fcc8f37f7a6ab7aa1
    SHA1..: 59784c49ffe530931010070c8843366f9d7fa6f0
    SHA256: 3e893bcf9e3ec8fa44c8ef0cf7c2d269212651d65c16b30bd953cc3a54f3b2aa
    SHA512: b56442c4271033f9547727ac097fc903f0bd51c062f415726aeee3e6abde24e1
    ec127cb548086d5429ff4dc4e78c322b2594bb4f29f817338299f6c9c23bbc25
    PEiD..: -
    TrID..: File type identification
    Win32 Executable Generic (68.0%)
    Generic Win/DOS Executable (15.9%)
    DOS Executable Generic (15.9%)
    Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x33010
    timedatestamp.....: 0x4873470a (Tue Jul 08 10:52:58 2008)
    machinetype.......: 0x14c (I386)

    ( 8 sections )
    name viradd virsiz rawdsiz ntrpy md5
    .text 0x1000 0x1a848 0x1aa00 6.38 ca8bbffb8c1aac75560de3ffede16f38
    NONPAGED 0x1c000 0x25 0x200 0.30 76fbfaa1c4997eccce3ca016c3b1345b
    .rdata 0x1d000 0x850 0xa00 4.25 6ffc26ac817e2ae1a1cf5ce42adc9f0b
    .data 0x1e000 0x1b00 0x600 6.42 2680643c152bf562cae4ab5d1ed2070c
    PAGE 0x20000 0x2cdc 0x2e00 6.28 7516763c152ec5b6c5df87c555fadbb5
    INIT 0x23000 0x1b88 0x1c00 5.96 4459dca4b85a564cb98f26cfbff36fbe
    .rsrc 0x25000 0x400 0x400 3.36 09f200edb8e02e6fa4ab2f6bc27ad921
    .reloc 0x26000 0x1b6e 0x1c00 6.47 5d73a4e2a3be56c2448dbd9511deefa3

    ( 3 imports )
    > ntoskrnl.exe: IoAllocateWorkItem, RtlDeleteElementGenericTableAvl, RtlGetElementGenericTableAvl, FsRtlIsNameInExpression, RtlInsertElementGenericTableAvl, InitSafeBootMode, InterlockedPopEntrySList, InterlockedPushEntrySList, ExInitializeNPagedLookasideList, ExDeleteNPagedLookasideList, SeTokenType, SeCreateClientSecurity, SeImpersonateClientEx, IoVerifyVolume, IoDeviceObjectType, IoBuildSynchronousFsdRequest, IoDeleteDevice, IoDeleteSymbolicLink, IoUnregisterShutdownNotification, MmIsAddressValid, IoFreeMdl, MmUnlockPages, MmProbeAndLockPages, IoAllocateMdl, IoRegisterShutdownNotification, IoCreateSymbolicLink, IoCreateDevice, RtlAppendUnicodeToString, KeDelayExecutionThread, KeQuerySystemTime, strncmp, IoGetCurrentProcess, ExGetPreviousMode, SeReleaseSubjectContext, IoQueueWorkItem, SeCaptureSubjectContext, PsDereferenceImpersonationToken, RtlCopySid, RtlLengthSid, SeQueryInformationToken, PsReferencePrimaryToken, PsReferenceImpersonationToken, PsIsThreadTerminating, IoThreadToProcess, RtlInitializeGenericTableAvl, READ_REGISTER_UCHAR, ProbeForRead, RtlLookupElementGenericTableAvl, ObQueryNameString, CmUnRegisterCallback, MmUserProbeAddress, CmRegisterCallback, ZwEnumerateValueKey, ZwDeleteValueKey, ZwQueryKey, wcsrchr, NtBuildNumber, KeClearEvent, ExInitializePagedLookasideList, ExDeletePagedLookasideList, PsLookupProcessByProcessId, RtlCopyUnicodeString, RtlNumberGenericTableElementsAvl, RtlEnumerateGenericTableAvl, PsSetLoadImageNotifyRoutine, PsSetCreateThreadNotifyRoutine, PsSetCreateProcessNotifyRoutine, PsRemoveCreateThreadNotifyRoutine, PsRemoveLoadImageNotifyRoutine, IoFreeWorkItem, IofCompleteRequest, IoWMIRegistrationControl, MmGetSystemRoutineAddress, RtlCompareMemory, IoWMIWriteEvent, ZwQueryInformationProcess, KeStackAttachProcess, _wcsicmp, KeUnstackDetachProcess, ZwOpenKey, ZwEnumerateKey, RtlUnicodeStringToInteger, ZwQueryValueKey, ZwCreateKey, RtlIntegerToUnicodeString, ZwSetValueKey, RtlAppendUnicodeStringToString, ZwDeleteKey, DbgBreakPoint, ZwCreateFile, IoGetRelatedDeviceObject, _vsnwprintf, KeQueryInterruptTime, strncpy, RtlInitUnicodeString, RtlCompareUnicodeString, IoFileObjectType, ObReferenceObjectByPointer, _allmul, KeWaitForMultipleObjects, KeSetEvent, ExDeleteResourceLite, ExInitializeResourceLite, memcpy, _except_handler3, ZwOpenProcess, ZwTerminateProcess, PsCreateSystemThread, ObReferenceObjectByHandle, ZwClose, PsTerminateSystemThread, ObfDereferenceObject, KeGetCurrentThread, PsGetCurrentProcessId, PsGetCurrentThreadId, RtlUpcaseUnicodeChar, RtlUpperChar, memset, ExAllocatePoolWithTag, KeInitializeEvent, IoBuildDeviceIoControlRequest, IofCallDriver, KeWaitForSingleObject, SeQueryAuthenticationIdToken, ExFreePoolWithTag
    > HAL.dll: KfReleaseSpinLock, KeGetCurrentIrql, ExAcquireFastMutex, ExReleaseFastMutex, KfAcquireSpinLock
    > FLTMGR.SYS: FltQueryInformationFile, FltGetRoutineAddress, FltIsDirectory, FltGetFileNameInformation, FltParseFileNameInformation, FltAllocateCallbackData, FltPerformSynchronousIo, FltFreeCallbackData, FltReferenceFileNameInformation, FltReleaseFileNameInformation, FltGetStreamHandleContext, FltGetStreamContext, FltEnumerateVolumeInformation, FltRegisterFilter, FltStartFiltering, FltSetCallbackDataDirty, FltGetDestinationFileNameInformation, FltSetStreamHandleContext, FltCancelFileOpen, FltSetStreamContext, FltReleaseContext, FltGetVolumeProperties, FltAllocateContext, FltQueryVolumeInformation, FltGetVolumeName, FltSetInstanceContext, FltSetVolumeContext, FltUnregisterFilter, FltFsControlFile, FltGetVolumeFromFileObject, FltGetVolumeContext, FltGetInstanceContext, FltCreateFile, FltClose, FltFlushBuffers, FltSetInformationFile, FltWriteFile, FltBuildDefaultSecurityDescriptor, FltCreateCommunicationPort, FltFreeSecurityDescriptor, FltObjectReference, FltAllocatePoolAlignedWithTag, FltReadFile, FltFreePoolAlignedWithTag, FltObjectDereference, FltSendMessage, FltCloseClientPort, FltCloseCommunicationPort, FltReleaseResource, FltAcquireResourceShared, FltAcquireResourceExclusive, FltGetFileNameInformationUnsafe

    ( 0 exports )

    For C:\ospreg.exe

    File size: 59904 bytes
    MD5...: 63c0551f8dce71b5afab0f41df08ba4d
    SHA1..: 0fc74e3b64dd87e74d4c73124b2b5c1fc45e4176
    SHA256: 5e3c32ef22cc133bc84be0b208fc3efd0314dbf16b302312b2eddb9e4a01f75c
    SHA512: bea2b62493760835e491ea1430f333e28018c6ffad5e7b4c67d09168526b76e0
    a1d55cac0ebb1df6ddf6951ccc3b82be43c9b624c17ccda0fbb8837a7c5a6b40
    PEiD..: -
    TrID..: File type identification
    Win32 Executable Generic (42.3%)
    Win32 Dynamic Link Library (generic) (37.6%)
    Generic Win/DOS Executable (9.9%)
    DOS Executable Generic (9.9%)
    VXD Driver (0.1%)
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x4038e2
    timedatestamp.....: 0x42bc5b80 (Fri Jun 24 19:14:08 2005)
    machinetype.......: 0x14c (I386)

    ( 7 sections )
    name viradd virsiz rawdsiz ntrpy md5
    AUTO 0x1000 0x0 0xa200 6.42 e78ea6cbc72662e98abae57acc7cd7b8
    .idata 0xc000 0x0 0xa00 4.39 d54db3b41812e565ca259b0b1b875277
    DGROUP 0xd000 0x0 0x1800 4.42 ac392e17e32e0da52d741813cb9f11f9
    .bss 0xf000 0x0 0x1c00 5.63 aca3948b3cd10da58c6930e5b0223766
    .reloc 0x11000 0x0 0xc00 6.70 cf5f62f37453c231950f60828692beb8
    .desc 0x12000 0x0 0x200 1.10 bf5079996c4408556481512c65f33d3c
    .rsrc 0x13000 0x0 0x1400 3.52 efd68032c63fbc0a36379affc8b9b556

    ( 3 imports )
    > ADVAPI32.dll: RegCloseKey, RegDeleteValueA, RegFlushKey, RegOpenKeyExA, RegQueryValueExA, RegSetValueExA
    > USER32.dll: CharUpperBuffA
    > KERNEL32.dll: CloseHandle, CreateEventA, CreateFileA, CreatePipe, CreateProcessA, CreateThread, DeleteCriticalSection, DeleteFileA, EnterCriticalSection, ExitProcess, ExitThread, FlushFileBuffers, FormatMessageA, FreeEnvironmentStringsA, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetCurrentDirectoryA, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetEnvironmentStrings, GetExitCodeProcess, GetFileAttributesA, GetFileType, GetFullPathNameA, GetLastError, GetLocalTime, GetModuleFileNameA, GetModuleFileNameW, GetModuleHandleA, GetOEMCP, GetProcAddress, GetStdHandle, GetTimeZoneInformation, GetVersion, InitializeCriticalSection, LeaveCriticalSection, LoadLibraryA, LocalFree, MoveFileA, MultiByteToWideChar, ReadConsoleInputA, ReadFile, SetConsoleCtrlHandler, SetConsoleMode, SetEnvironmentVariableA, SetEnvironmentVariableW, SetEvent, SetFilePointer, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, VirtualAlloc, VirtualFree, VirtualQuery, WaitForSingleObject, WideCharToMultiByte, WriteConsoleA, WriteFile, lstrlenA

    ( 0 exports )

    I do see some folders in blue in C:\WINDOWS, e.g. C:\WINDOWS\$NtUninstallKB938464$ ... not sure why the color is different.

    I am travelling without this affected laptop, so the response will be after a few days. Thanks again.

    Regards
    Aus
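As an added example, not something posted in the thread and not VirusTotal's own code, here is a small Python parser for the "( N sections )" tables above that applies the quick checks a responder runs before spending more time on a sample: the 7.0 entropy threshold is an assumed rule of thumb, the input is the ospreg.exe table copied from the report above, and the UPX1 row is a constructed packed-section example with a placeholder MD5.

```python
import re
from collections import namedtuple

# Matches one row of the "( N sections )" table as VirusTotal printed it in 2008:
#   name viradd virsiz rawdsiz ntrpy md5
SECTION_RE = re.compile(
    r"^(?P<name>\S+)\s+0x(?P<viradd>[0-9a-f]+)\s+0x(?P<virsiz>[0-9a-f]+)\s+"
    r"0x(?P<rawdsiz>[0-9a-f]+)\s+(?P<ntrpy>\d+\.\d+)\s+(?P<md5>[0-9a-f]{32})$",
    re.IGNORECASE,
)
PACKED_ENTROPY = 7.0  # assumed threshold: compressed/encrypted bytes approach 8.0 bits per byte
Section = namedtuple("Section", "name virt_addr virt_size raw_size entropy md5")

def parse_sections(listing: str) -> list:
    """Return the rows of a VirusTotal-style section table, skipping the header line."""
    rows = []
    for line in listing.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            rows.append(Section(m["name"], int(m["viradd"], 16), int(m["virsiz"], 16),
                                int(m["rawdsiz"], 16), float(m["ntrpy"]), m["md5"].lower()))
    return rows

def triage(sections: list) -> list:
    """Cheap heuristics on section sizes and entropy; each finding is one human-readable note."""
    notes = []
    for s in sections:
        if s.entropy >= PACKED_ENTROPY:
            notes.append(f"{s.name}: entropy {s.entropy:.2f}, likely packed or encrypted")
        if s.raw_size == 0 and s.virt_size > 0:
            notes.append(f"{s.name}: no bytes on disk, {s.virt_size:#x} bytes in memory (filled at run time)")
        if s.virt_size == 0:
            notes.append(f"{s.name}: VirtualSize 0, loader uses SizeOfRawData (typical of older linkers)")
    return notes

# Sample input copied from the ospreg.exe report in the thread above.
SAMPLE_OSPREG = """\
name viradd virsiz rawdsiz ntrpy md5
AUTO 0x1000 0x0 0xa200 6.42 e78ea6cbc72662e98abae57acc7cd7b8
.idata 0xc000 0x0 0xa00 4.39 d54db3b41812e565ca259b0b1b875277
DGROUP 0xd000 0x0 0x1800 4.42 ac392e17e32e0da52d741813cb9f11f9
.bss 0xf000 0x0 0x1c00 5.63 aca3948b3cd10da58c6930e5b0223766
.reloc 0x11000 0x0 0xc00 6.70 cf5f62f37453c231950f60828692beb8
.desc 0x12000 0x0 0x200 1.10 bf5079996c4408556481512c65f33d3c
.rsrc 0x13000 0x0 0x1400 3.52 efd68032c63fbc0a36379affc8b9b556
"""
# Constructed row (not from the thread; the MD5 is a placeholder) showing what a packed section looks like.
SAMPLE_PACKED = "UPX1 0x10000 0x8000 0x7e00 7.91 00000000000000000000000000000000"
```

Run `triage(parse_sections(SAMPLE_OSPREG))` to see the VirtualSize-0 notes for every ospreg.exe section, and `triage(parse_sections(SAMPLE_PACKED))` for the entropy flag.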
     
  13. cdavfrew

    cdavfrew Regular member

    Joined:
    May 19, 2008
    Messages:
    1,183
    Likes Received:
    0
    Trophy Points:
    46
    Hey austex08

    You pretty much look clean. Tell me if you have any more problems.

    Best Regards :D
     