
Security Toolbar 7.1, Blinking Icon, Numerous Viruses


36 replies to this topic

#1 lin0056 (Authentic Member, 115 posts)

Posted 15 November 2007 - 05:53 AM

Hi guys,
I've looked everywhere for help and this place seems like the best bet.
I have a blinking icon on my taskbar that keeps asking me to download antivirus programs, which I obviously object to. I also receive the occasional pop-up, and without my numerous antivirus programs, I believe I would have a lot more.

I have tried:
SUPERAntiSpyware - It works and gets rid of the virus, but won't let me start my machine up. I'm guessing this is because important files are infected?
SmitFraudFix - I use it during safe mode, and it works temporarily, then after 5 minutes or so, it comes back.
PrevX - It detected the same file that most of my antivirus programs detected: gebcc.dll, which is located in the C:\Windows\system32 folder.

This is my HJT Log.

Logfile of HijackThis v1.99.1
Scan saved at 10:40:15 PM, on 15/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe
C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ThinkVantage\SystemUpdate\PipeServer.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://balwynhs.vic.edu.au/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.balwynhs.vic.edu.au:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.balwynhs.vic.edu.au;172.*;*.education.vic.gov.au;*.sofweb.vic.edu.au;*.vass.vi
.edu.au;*.eduweb.vic.gov.au;*.edudev.vic.gov.au;*.edumail.vic.gov.au;*.otte.vic.
ov.au;*.icon.edu.vic.gov.au;*.ultranet.vic.edu.au;*.vcaa.vic.edu.au;<local>
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\psrdswkp.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [suScheduler] C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe /SCHEDULER
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [PDService.exe] "C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NI.UGA6P_0001_N122M2210] "C:\DOCUME~1\lin0056\LOCALS~1\Temp\qrjatydi.exe"
O4 - HKLM\..\Run: [acfdb785] rundll32.exe "C:\WINDOWS\system32\fbofvtbl.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1185221205500
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = balwynhs.vic.edu.au
O17 - HKLM\Software\..\Telephony: DomainName = balwynhs.vic.edu.au
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c00EFFF5.dat
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe (file missing)
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\eicdpwnq.exe (file missing)
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe (file missing)
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
O23 - Service: TVT Backup Service - Unknown owner - C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Unknown owner - C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe (file missing)


#2 SNOWHITE (Retired GTG Staff, 165 posts)

Posted 16 November 2007 - 03:05 AM

Hello lin0056,

My name is SNOWHITE and I will be helping you with your Malware problem.

Please follow the steps below exactly in the order they are written:
1. Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
2. Download combofix from one of these links:
Link1
Link2
3. Double click combofix.exe & follow the prompts.
4. When finished, it shall produce a log for you. Post that log and a new HijackThis log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
Regards,
SNOWHITE

#3 lin0056 (Authentic Member, 115 posts)

Posted 16 November 2007 - 03:47 AM

ComboFix 07-11-08.1 - LIN0056 2007-11-16 20:17:11.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.70 [GMT 11:00]
Running from: C:\Documents and Settings\lin0056\Desktop\ComboFix.exe
* Created a new restore point
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\lin0056\Desktop\Live Safety Center.lnk
C:\Documents and Settings\lin0056\Desktop\Online Security Guide.lnk
C:\Documents and Settings\lin0056\Favorites\Online Security Guide.lnk
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\blvltmjy.dll
C:\WINDOWS\system32\bqmqbwwe.dll
C:\WINDOWS\system32\ccbeg.bak1
C:\WINDOWS\system32\ccbeg.bak2
C:\WINDOWS\system32\ccbeg.ini
C:\WINDOWS\system32\ccbeg.ini2
C:\WINDOWS\system32\ccbeg.tmp
C:\WINDOWS\system32\ckbvkmvu.dll
C:\WINDOWS\system32\fqpdidqb.dll
C:\WINDOWS\system32\gamytlnv.dll
C:\WINDOWS\system32\gebcc.dll
C:\WINDOWS\system32\gxpftlfs.dll
C:\WINDOWS\system32\hgsijeay.dll
C:\WINDOWS\system32\hvieklcl.dll
C:\WINDOWS\system32\itoxavya.dll
C:\WINDOWS\system32\jlmyblvf.dll
C:\WINDOWS\system32\psrdswkp.dllbox
C:\WINDOWS\system32\ynmbuudi.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-10-16 to 2007-11-16 )))))))))))))))))))))))))))))))
.

2007-11-16 20:12 51,200 --a--c--- C:\WINDOWS\NirCmd.exe
2007-11-16 19:52 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-16 18:46 85,056 --a--c--- C:\WINDOWS\system32\tmrtbsew.dll
2007-11-16 18:43 81,984 --a--c--- C:\WINDOWS\system32\afpljkqi.dll
2007-11-16 18:37 71,232 --a--c--- C:\WINDOWS\system32\emrxtgra.exe
2007-11-16 18:08 71,232 --a--c--- C:\WINDOWS\system32\qsuwkdqf.exe
2007-11-16 17:49 81,984 --a--c--- C:\WINDOWS\system32\yotrjgoj.dll
2007-11-16 17:43 71,232 --a--c--- C:\WINDOWS\system32\vpayuxki.exe
2007-11-16 15:05 79,936 --a--c--- C:\WINDOWS\system32\eoltomnq.dll
2007-11-16 14:56 71,232 --a--c--- C:\WINDOWS\system32\pnvbdxeh.exe
2007-11-16 13:50 <DIR> d----c--- C:\Documents and Settings\lin0056\Application Data\Grisoft
2007-11-15 23:11 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-15 23:11 10,872 --a--c--- C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-15 22:25 <DIR> d----c--- C:\WINDOWS\Sun
2007-11-15 21:50 79,936 --a--c--- C:\WINDOWS\system32\mfntceyh.dll
2007-11-15 21:41 7,076 --a--c--- C:\WINDOWS\system32\sktcrtba.dll
2007-11-15 21:38 71,232 --a--c--- C:\WINDOWS\system32\kiasxola.exe
2007-11-15 20:01 289,144 --a--c--- C:\WINDOWS\system32\VCCLSID.exe
2007-11-15 20:01 288,417 --a--c--- C:\WINDOWS\system32\SrchSTS.exe
2007-11-15 20:01 53,248 --a--c--- C:\WINDOWS\system32\Process.exe
2007-11-15 20:01 51,200 --a--c--- C:\WINDOWS\system32\dumphive.exe
2007-11-15 20:01 25,600 --a--c--- C:\WINDOWS\system32\WS2Fix.exe
2007-11-15 19:33 79,936 --a--c--- C:\WINDOWS\system32\kevdwiwv.dll
2007-11-15 19:26 71,232 --a--c--- C:\WINDOWS\system32\lwgjsbnc.exe
2007-11-15 17:44 79,936 --a--c--- C:\WINDOWS\system32\llbvaiuu.dll
2007-11-15 17:38 85,056 --a--c--- C:\WINDOWS\system32\erthdarm.dll
2007-11-15 17:35 71,232 --a--c--- C:\WINDOWS\system32\ihrudddn.exe
2007-11-15 16:41 79,936 --a--c--- C:\WINDOWS\system32\ubmhmmiy.dll
2007-11-15 14:18 79,424 --a--c--- C:\WINDOWS\system32\olprpygl.dll
2007-11-15 14:14 71,232 --a--c--- C:\WINDOWS\system32\cpjitabn.exe
2007-11-15 11:22 <DIR> d----c--- C:\Program Files\NJStar Chinese WP
2007-11-15 11:22 <DIR> d----c--- C:\Documents and Settings\lin0056\Application Data\NJStar
2007-11-15 11:11 79,424 --a--c--- C:\WINDOWS\system32\olffixyw.dll
2007-11-15 11:08 71,232 --a--c--- C:\WINDOWS\system32\jpewuuny.exe
2007-11-15 10:32 79,424 --a--c--- C:\WINDOWS\system32\xtcqatem.dll
2007-11-14 19:50 20,480 --a--c--- C:\WINDOWS\system32\H@tKeysH@@k.DLL
2007-11-14 16:42 81,472 --a--c--- C:\WINDOWS\system32\nwixdqhj.dll
2007-11-14 16:36 71,232 --a--c--- C:\WINDOWS\system32\mtkjpdrw.exe
2007-11-14 16:20 81,472 --a--c--- C:\WINDOWS\system32\hvnptjtv.dll
2007-11-14 10:32 85,056 --a--c--- C:\WINDOWS\system32\xuvlkqpj.dll
2007-11-14 10:29 71,232 --a--c--- C:\WINDOWS\system32\samtevlo.exe
2007-11-13 21:54 <DIR> d----c--- C:\temp\Tmp___30808
2007-11-13 21:52 <DIR> d----c--- C:\temp\Tmp___30328
2007-11-13 21:48 <DIR> d----c--- C:\temp\Tmp___29584
2007-11-13 21:46 <DIR> d----c--- C:\temp\Tmp___29189
2007-11-13 21:45 <DIR> d----c--- C:\temp\Tmp___28980
2007-11-13 21:44 <DIR> d----c--- C:\temp\Tmp___28879
2007-11-13 21:31 80,448 --a--c--- C:\WINDOWS\system32\wlenjfca.dll
2007-11-13 21:26 71,232 --a--c--- C:\WINDOWS\system32\kmmhkrdi.exe
2007-11-13 21:15 80,448 --a--c--- C:\WINDOWS\system32\beulhmop.dll
2007-11-13 21:12 88,128 --a--c--- C:\WINDOWS\system32\jkajxbqk.dll
2007-11-13 21:04 71,232 --a--c--- C:\WINDOWS\system32\gywllfdb.exe
2007-11-13 20:57 80,448 --a--c--- C:\WINDOWS\system32\peyygprm.dll
2007-11-13 20:52 71,232 --a--c--- C:\WINDOWS\system32\dkobkxgy.exe
2007-11-13 20:49 5,616 --a--c--- C:\WINDOWS\system32\iaydefdl.dll
2007-11-13 20:33 80,448 --a--c--- C:\WINDOWS\system32\wnbabcxn.dll
2007-11-13 20:29 88,128 --a--c--- C:\WINDOWS\system32\rruuucag.dll
2007-11-13 20:24 71,232 --a--c--- C:\WINDOWS\system32\hujevyak.exe
2007-11-13 20:14 71,232 --a--c--- C:\WINDOWS\system32\sqarphbc.exe
2007-11-13 20:08 80,448 --a--c--- C:\WINDOWS\system32\sratotyk.dll
2007-11-13 20:07 0 --a--c--- C:\WINDOWS\system32\dliuwief.dll
2007-11-13 20:06 664 --a--c--- C:\WINDOWS\system32\d3d9caps.dat
2007-11-13 20:05 71,232 --a--c--- C:\WINDOWS\system32\koehucfc.exe
2007-11-13 19:28 71,232 --a--c--- C:\WINDOWS\system32\adahwgxo.exe
2007-11-13 19:21 71,232 --a--c--- C:\WINDOWS\system32\gotuqmuw.exe
2007-11-13 19:11 80,448 --a--c--- C:\WINDOWS\system32\bquyovlc.dll
2007-11-13 19:11 4,156 --a--c--- C:\WINDOWS\system32\vsuomipf.dll
2007-11-13 19:09 71,232 --a--c--- C:\WINDOWS\system32\uhcsojlo.exe
2007-11-13 19:06 5,470 --a--c--- C:\WINDOWS\system32\tmp.reg
2007-11-13 18:47 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Prevx
2007-11-13 18:36 80,448 --a--c--- C:\WINDOWS\system32\rlhpenks.dll
2007-11-13 18:33 88,128 --a--c--- C:\WINDOWS\system32\rdaqkigu.dll
2007-11-13 18:29 71,232 --a--c--- C:\WINDOWS\system32\ufapsahm.exe
2007-11-13 17:12 80,448 --a--c--- C:\WINDOWS\system32\euovygjx.dll
2007-11-13 17:09 71,232 --a--c--- C:\WINDOWS\system32\hiwshbgc.exe
2007-11-13 07:51 <DIR> d----c--- C:\Program Files\SUPERAntiSpyware
2007-11-13 07:51 <DIR> d----c--- C:\Documents and Settings\lin0056\Application Data\SUPERAntiSpyware.com
2007-11-13 07:51 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-13 07:50 <DIR> d----c--- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-12 16:45 144,320 --a--c--- C:\WINDOWS\system32\psrdswkp.dll
2007-11-12 16:45 144,320 --a--c--- C:\WINDOWS\system32\cosetjjg.dll
2007-11-11 20:26 <DIR> d----c--- C:\WINDOWS\system32\xlive
2007-11-11 20:26 3,495,784 --a--c--- C:\WINDOWS\system32\d3dx9_33.dll
2007-11-11 20:26 1,123,696 --a--c--- C:\WINDOWS\system32\D3DCompiler_33.dll
2007-11-11 20:26 81,768 --a--c--- C:\WINDOWS\system32\xinput1_3.dll
2007-11-11 20:05 519,912 --a--c--- C:\WINDOWS\system32\d3dx10d_33.dll
2007-11-11 20:05 519,912 --a--c--- C:\WINDOWS\system32\d3dx10d.dll
2007-11-11 20:05 519,912 --a--c--- C:\WINDOWS\system32\d3dx10_33.dll
2007-11-11 19:57 566,624 --a--c--- C:\WINDOWS\system32\d3d10.dll
2007-11-11 19:57 519,912 --a--c--- C:\WINDOWS\system32\d3dx10.dll
2007-11-11 19:57 494,557 --a--c--- C:\WINDOWS\system32\dxgi.dll
2007-11-11 19:57 25,037 --a--c--- C:\WINDOWS\system32\Nucleus.dll
2007-11-11 18:56 <DIR> d----c--- C:\Program Files\Microsoft Games
2007-11-11 18:49 <DIR> d----c--- C:\Documents and Settings\lin0056\Application Data\Microsoft Game Studios
2007-11-11 14:42 32,768 --a--c--- C:\WINDOWS\system32\mf.dll
2007-11-11 14:24 <DIR> d----c--- C:\Documents and Settings\lin0056\My Games
2007-11-11 14:24 <DIR> d----c--- C:\Documents and Settings\All Users\Microsoft
2007-11-10 13:47 <DIR> d----c--- C:\WINDOWS\Emoticon Live Patch Uninstall
2007-11-09 23:09 98,304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-11-09 22:59 <DIR> d----c--- C:\Program Files\Sierra

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-16 09:37 --------- dc----w C:\Program Files\Symantec AntiVirus
2007-11-10 22:23 5,427 -c--a-w C:\WINDOWS\system32\EGATHDRV.SYS
2007-11-09 11:58 --------- dc-h--w C:\Program Files\InstallShield Installation Information
2007-11-08 01:18 --------- dc----w C:\Program Files\Windows Media Connect
2007-11-08 01:13 --------- dc----w C:\Program Files\Microsoft Works
2007-11-07 05:31 --------- dc----w C:\Program Files\Google
2007-11-07 05:09 --------- dc----w C:\Program Files\Picasa2
2007-10-21 16:39 267,272 -c--a-w C:\WINDOWS\system32\xactengine2_10.dll
2007-10-21 16:37 17,928 -c--a-w C:\WINDOWS\system32\X3DAudio1_2.dll
2007-10-12 12:19 13,653,824 -c--a-w C:\WINDOWS\system32\xlivefnt.dll
2007-10-12 12:19 10,155,840 -c--a-w C:\WINDOWS\system32\xlive.dll
2007-10-12 04:14 3,734,536 -c--a-w C:\WINDOWS\system32\d3dx9_36.dll
2007-10-12 04:14 1,374,232 -c--a-w C:\WINDOWS\system32\D3DCompiler_36.dll
2007-10-01 22:56 444,776 -c--a-w C:\WINDOWS\system32\d3dx10_36.dll
2007-08-21 06:15 683,520 -c--a-w C:\WINDOWS\system32\inetcomm.dll
2007-07-23 21:37:19 32,768 -csha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0aec91cc-56fb-42ff-8bd4-632dfd696cd9}]
2007-11-16 18:43 81984 --a--c--- C:\WINDOWS\system32\afpljkqi.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{140BD8E3-C167-11D4-B4A3-080000180323}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-12 16:45 144320 --a--c--- C:\WINDOWS\system32\psrdswkp.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\psrdswkp.dll [2007-11-12 16:45 144320]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-09-16 07:57]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-09-16 07:57]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2005-10-29 13:04]
"TpShocks"="TpShocks.exe" [2005-11-08 05:14 C:\WINDOWS\system32\TpShocks.exe]
"TP4EX"="tp4ex.exe" [2005-10-17 19:11 C:\WINDOWS\system32\TP4EX.exe]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2005-11-17 20:22]
"TPHOTKEY"="C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" []
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-12-16 08:19]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2005-05-07 08:06]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-13 08:43]
"suScheduler"="C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe" [2005-08-02 11:32]
"LPManager"="C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe" [2006-01-25 19:03]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-08-01 23:10]
"ISUSPM Startup"="c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 10:50]
"ISUSScheduler"="c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-28 10:50]
"cssauth"="C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe" [2005-12-22 12:08]
"PDService.exe"="C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe" [2005-11-16 07:13]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2005-10-29 05:08]
"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2005-11-30 04:55]
"ACTray"="C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe" [2006-04-18 07:09]
"ACWLIcon"="C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2006-04-18 06:59]
"PWRMGRTR"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2005-12-07 19:12]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-12-07 19:12]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-02 09:57]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-04 12:20]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-04-09 09:52]
"vptray"="C:\PROGRA~1\SYMANT~2\VPTray.exe" [2005-04-18 06:30]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 20:25]
"acfdb785"="C:\WINDOWS\system32\tmrtbsew.dll" [2007-11-16 18:46]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 23:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-09 17:36]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 03:24]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2007-07-24 08:18:49]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2007-07-24 08:18:47]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-08-18 18:50:44]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psrdswkp]
psrdswkp.dll 2007-11-12 16:45 144320 C:\WINDOWS\system32\psrdswkp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
notifyf2.dll 2005-07-06 17:45 28672 C:\WINDOWS\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
tphklock.dll 2005-12-01 14:16 24576 C:\WINDOWS\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\gebcc.dll
"Notification Packages"= scecli csspwntfy

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1292428093-1757981266-682003330-35769\Scripts\Logon\0\0]
"Script"=stdlogon.vbs


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e047ed2c-8cee-11dc-ad54-0019d2456ac3}]
\Shell\1\Command - .\readme.txt.exe
\Shell\2\Command - .\readme.txt.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\readme.txt.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e047ed2d-8cee-11dc-ad54-0019d2456ac3}]
\Shell\1\Command - .\readme.txt.exe
\Shell\2\Command - .\readme.txt.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\readme.txt.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-11-10 01:06:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-16 09:37:06 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-11-16 09:40:01 C:\WINDOWS\Tasks\PMTask.job"
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-16 20:37:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-16 20:43:20 - machine was rebooted
.
--- E O F ---
Logfile of HijackThis v1.99.1
Scan saved at 20:47, on 2007-11-16
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe
C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://balwynhs.vic.edu.au/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.balwynhs.vic.edu.au:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.balwynhs.vic.edu.au;172.*;*.education.vic.gov.au;*.sofweb.vic.edu.au;*.vass.vi
.edu.au;*.eduweb.vic.gov.au;*.edudev.vic.gov.au;*.edumail.vic.gov.au;*.otte.vic.
ov.au;*.icon.edu.vic.gov.au;*.ultranet.vic.edu.au;*.vcaa.vic.edu.au;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: {9dc696df-d236-4db8-ff24-bf65cc19cea0} - {0aec91cc-56fb-42ff-8bd4-632dfd696cd9} - C:\WINDOWS\system32\afpljkqi.dll
O2 - BHO: (no name) - {140BD8E3-C167-11D4-B4A3-080000180323} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\psrdswkp.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\psrdswkp.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [suScheduler] C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe /SCHEDULER
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [PDService.exe] "C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [acfdb785] rundll32.exe "C:\WINDOWS\system32\tmrtbsew.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1185221205500
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = balwynhs.vic.edu.au
O17 - HKLM\Software\..\Telephony: DomainName = balwynhs.vic.edu.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = balwynhs.vic.edu.au
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = balwynhs.vic.edu.au
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = balwynhs.vic.edu.au
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: psrdswkp - C:\WINDOWS\SYSTEM32\psrdswkp.dll
O20 - Winlogon Notify: tpfnf2 - C:\WINDOWS\SYSTEM32\notifyf2.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe (file missing)
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe (file missing)
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
O23 - Service: TVT Backup Service - Unknown owner - C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Unknown owner - C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe (file missing)

thanks
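
The log above is what the helper reads by hand: a BHO whose display name is a bare GUID (afpljkqi.dll), an O4 Run value named with a hex string that loads a system32 DLL through rundll32 (tmrtbsew.dll), and one random-looking DLL (psrdswkp.dll) registered both as a toolbar and as a Winlogon Notify handler. The Python below is an added example, not code from the thread, from HijackThis or from ComboFix, that scores such lines the same way. The sample lines are copied from this log; the point values, the two-point threshold and the "random-looking name" rule are assumptions chosen for the illustration.

```python
# Added example (not from the thread, HijackThis or ComboFix): score HijackThis
# O2/O3/O4/O20 lines the way a helper reads them. Point values and the
# "random-looking name" rule are assumptions chosen for this illustration.
import re
from collections import defaultdict

GUID_RE = re.compile(r"^\{[0-9a-f-]{36}\}$", re.I)      # display name that is just a CLSID
PATH_RE = re.compile(r"[a-z]:\\.+?\.(?:dll|exe)", re.I)   # first drive-rooted dll/exe path
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$", re.I)          # Run value named like "acfdb785"
SYSTEM32_RE = re.compile(r"\\system32\\", re.I)

# Sample input: lines copied from the HijackThis log posted above.
SAMPLE_LINES = [
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: {9dc696df-d236-4db8-ff24-bf65cc19cea0} - {0aec91cc-56fb-42ff-8bd4-632dfd696cd9} - C:\WINDOWS\system32\afpljkqi.dll",
    r"O2 - BHO: (no name) - {140BD8E3-C167-11D4-B4A3-080000180323} - (no file)",
    r"O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll",
    r"O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll",
    r"O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\psrdswkp.dll",
    r"O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe",
    r'O4 - HKLM\..\Run: [acfdb785] rundll32.exe "C:\WINDOWS\system32\tmrtbsew.dll",b',
    r"O20 - Winlogon Notify: psrdswkp - C:\WINDOWS\SYSTEM32\psrdswkp.dll",
    r"O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll",
]


def looks_random(stem: str) -> bool:
    """Heuristic: 5-8 lowercase letters containing a run of 4+ consonants.
    Legitimate names can match too (tphklock does), so it is worth 1 point only."""
    if not re.fullmatch(r"[a-z]{5,8}", stem):
        return False
    longest = run = 0
    for ch in stem:
        run = 0 if ch in "aeiou" else run + 1
        longest = max(longest, run)
    return longest >= 4


def analyze_line(line: str):
    """Return (section, lowercased path or None, [(reason, points), ...]) or None."""
    m = re.match(r"^(O\d+) - (.*)$", line.strip())
    if not m:
        return None
    section, rest = m.groups()
    reasons = []
    found = PATH_RE.findall(rest)
    raw_path = found[0] if found else None
    path = raw_path.lower() if raw_path else None
    if "(no file)" in rest:
        reasons.append(("entry points at a missing file", 1))
    if section in ("O2", "O3") and ": " in rest:
        display_name = rest.split(": ", 1)[1].split(" - ")[0].strip()
        if GUID_RE.match(display_name):
            reasons.append(("display name is a bare GUID", 3))
    if section == "O4":
        m4 = re.search(r"\[([^\]]+)\]\s*(.*)$", rest)
        if m4:
            value_name, command = m4.groups()
            if HEX_NAME_RE.match(value_name):
                reasons.append(("Run value named with an 8-digit hex string", 2))
            if "rundll32" in command.lower() and path and SYSTEM32_RE.search(path):
                reasons.append(("rundll32 loading a DLL from system32", 1))
    if raw_path:
        # Keep the original case: the generator behind these names writes all-lowercase.
        stem = raw_path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if looks_random(stem):
            reasons.append(("random-looking file name", 1))
    return section, path, reasons


def triage(lines, threshold: int = 2):
    """Aggregate per file; the same file seen in several load points adds 1 per extra one."""
    per_file = defaultdict(lambda: {"score": 0, "sections": set(), "reasons": []})
    for line in lines:
        parsed = analyze_line(line)
        if parsed is None:
            continue
        section, path, reasons = parsed
        entry = per_file[path or line.strip()]
        entry["sections"].add(section)
        for text, points in reasons:
            entry["score"] += points
            entry["reasons"].append("%s: %s" % (section, text))
    for entry in per_file.values():
        extra = len(entry["sections"]) - 1
        if extra > 0:
            entry["score"] += extra
            entry["reasons"].append("registered in %d load points" % len(entry["sections"]))
    return {k: v for k, v in per_file.items() if v["score"] >= threshold}


if __name__ == "__main__":
    for path, info in sorted(triage(SAMPLE_LINES).items(), key=lambda kv: -kv[1]["score"]):
        print("%d  %s" % (info["score"], path))
        for reason in info["reasons"]:
            print("      - " + reason)
```

On these lines the three DLLs the helper's script removes are the only ones that reach the threshold. tphklock.dll (the tphotkey notify DLL, which the script does not touch) trips the random-name rule but stays at one point: a name that merely looks random is a prompt to check the file's publisher signature and hash, so the scoring deliberately needs a second indicator such as a GUID display name, a hex value name or the same DLL in several load points.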

#4 SNOWHITE

SNOWHITE

    Retired GTG Staff

  • Authentic Member
  • PipPip
  • 165 posts

Posted 17 November 2007 - 01:50 PM

Hello lin0056, :)

Please follow the steps below exactly in the order they are written:

Step #1

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.
Step #2

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\emrxtgra.exe
C:\WINDOWS\system32\qsuwkdqf.exe
C:\WINDOWS\system32\yotrjgoj.dll
C:\WINDOWS\system32\vpayuxki.exe
C:\WINDOWS\system32\pnvbdxeh.exe
C:\WINDOWS\system32\mfntceyh.dll
C:\WINDOWS\system32\kiasxola.exe
C:\WINDOWS\system32\kevdwiwv.dll
C:\WINDOWS\system32\lwgjsbnc.exe
C:\WINDOWS\system32\llbvaiuu.dll
C:\WINDOWS\system32\erthdarm.dll
C:\WINDOWS\system32\ihrudddn.exe
C:\WINDOWS\system32\ubmhmmiy.dll
C:\WINDOWS\system32\olprpygl.dll
C:\WINDOWS\system32\cpjitabn.exe
C:\WINDOWS\system32\olffixyw.dll
C:\WINDOWS\system32\jpewuuny.exe
C:\WINDOWS\system32\nwixdqhj.dll
C:\WINDOWS\system32\mtkjpdrw.exe
C:\WINDOWS\system32\xuvlkqpj.dll
C:\WINDOWS\system32\samtevlo.exe
C:\WINDOWS\system32\wlenjfca.dll
C:\WINDOWS\system32\kmmhkrdi.exe
C:\WINDOWS\system32\beulhmop.dll
C:\WINDOWS\system32\jkajxbqk.dll
C:\WINDOWS\system32\gywllfdb.exe
C:\WINDOWS\system32\peyygprm.dll
C:\WINDOWS\system32\dkobkxgy.exe
C:\WINDOWS\system32\iaydefdl.dll
C:\WINDOWS\system32\wnbabcxn.dll
C:\WINDOWS\system32\rruuucag.dll
C:\WINDOWS\system32\hujevyak.exe
C:\WINDOWS\system32\dliuwief.dll
C:\WINDOWS\system32\koehucfc.exe
C:\WINDOWS\system32\adahwgxo.exe
C:\WINDOWS\system32\gotuqmuw.exe
C:\WINDOWS\system32\bquyovlc.dll
C:\WINDOWS\system32\vsuomipf.dll
C:\WINDOWS\system32\uhcsojlo.exe
C:\WINDOWS\system32\rlhpenks.dll
C:\WINDOWS\system32\ufapsahm.exe
C:\WINDOWS\system32\euovygjx.dll
C:\WINDOWS\system32\hiwshbgc.exe
C:\WINDOWS\system32\cosetjjg.dll

Collect::[29]
C:\WINDOWS\system32\psrdswkp.dll
C:\WINDOWS\system32\tmrtbsew.dll
C:\WINDOWS\system32\afpljkqi.dll
C:\WINDOWS\system32\eoltomnq.dll
C:\WINDOWS\system32\sktcrtba.dll
C:\WINDOWS\system32\xtcqatem.dll
C:\WINDOWS\system32\hvnptjtv.dll
C:\WINDOWS\system32\rdaqkigu.dll
C:\WINDOWS\system32\sqarphbc.exe
C:\WINDOWS\system32\sratotyk.dll
C:\WINDOWS\system32\gebcc.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0aec91cc-56fb-42ff-8bd4-632dfd696cd9}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{140BD8E3-C167-11D4-B4A3-080000180323}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-
[-HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"acfdb785"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psrdswkp]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e047ed2c-8cee-11dc-ad54-0019d2456ac3}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e047ed2d-8cee-11dc-ad54-0019d2456ac3}]

DirLook::
C:\WINDOWS\system32\xlive

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!


Save this as "CFScript"


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

This will start ComboFix again. Additionally, ComboFix will generate the following files on your desktop
  • A zipped file on your desktop called Submit [Date Time].zip
  • And another file named - CF-Submit.htm
ComboFix may need to reboot to finish its work. Let it.

When CF has finished running, it will generate the ComboFix.log which will appear on your screen.

If CF-Submit.htm is detected, ComboFix will generate this message box:

Posted Image

Clicking OK will cause the machine's browser to load CF-Submit.htm

Posted Image

Click the "Browse" button and locate the Submit [Date Time].zip file on your desktop.
  • Click on the file to Select it.
  • Submit the file by clicking "OK"
Once the file has been submitted, please DELETE both files on your desktop.

Post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log (run after ComboFix has finished its work.)
Also let me know whether you use trainers in games.
Regards,

Edited by SNOWHITE, 17 November 2007 - 01:54 PM.

SNOWHITE
Posted Image
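
One line of the CFScript above is different in kind from the file deletions: under `[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]` it rewrites `"Authentication Packages"` as `hex(7):6d,73,76,31,5f,30,00,00`, which is the REG_MULTI_SZ list `msv1_0` followed by its terminating NUL, the Windows XP default. Any DLL appended to that list is loaded by lsass.exe at startup, which is why a helper restores it rather than just deleting the DLL. The following Python is an added example, not part of the thread or of ComboFix: it decodes a `hex(7)` value as written in a CFScript or a .reg file, encodes one back, and reports any package beyond the default. The value named `badpkg` is constructed for the illustration and does not come from the page.

```python
# Added example (not from the thread or ComboFix): decode a REG_MULTI_SZ written as
# hex(7), as the CFScript's Registry:: section does, and check the LSA
# "Authentication Packages" list against its Windows XP default.
from typing import List, Tuple

DEFAULT_AUTH_PACKAGES = ["msv1_0"]   # XP default; extra entries get loaded by lsass.exe

# Value copied from the CFScript above.
PAGE_VALUE = "hex(7):6d,73,76,31,5f,30,00,00"


def parse_hex_multi_sz(value: str) -> List[str]:
    """Decode 'hex(7):aa,bb,...' into its list of strings.

    CFScript writes one byte per character, as on the page; a regedit .reg
    export writes the same value as UTF-16LE (6d,00,73,00,...). If every odd
    byte is zero the bytes are treated as UTF-16LE, otherwise as single-byte.
    """
    prefix = "hex(7):"
    if not value.lower().startswith(prefix):
        raise ValueError("not a hex(7) value: %r" % value)
    raw = bytes(int(tok, 16) for tok in value[len(prefix):].split(",") if tok.strip())
    if raw and len(raw) % 2 == 0 and not any(raw[1::2]) and any(raw[0::2]):
        text = raw.decode("utf-16-le")
    else:
        text = raw.decode("latin-1")
    # REG_MULTI_SZ: NUL-separated strings, terminated by one more NUL.
    return [s for s in text.split("\x00") if s]


def encode_hex_multi_sz(strings: List[str]) -> str:
    """Inverse of parse_hex_multi_sz, in the single-byte form the CFScript uses."""
    raw = b"".join(s.encode("latin-1") + b"\x00" for s in strings) + b"\x00"
    return "hex(7):" + ",".join("%02x" % b for b in raw)


def check_auth_packages(value: str) -> Tuple[bool, List[str]]:
    """Return (is_default, extra_packages) for an Authentication Packages value."""
    packages = parse_hex_multi_sz(value)
    defaults = {p.lower() for p in DEFAULT_AUTH_PACKAGES}
    extras = [p for p in packages if p.lower() not in defaults]
    return (not extras, extras)


# Constructed (not from the page): the value with a hypothetical extra package appended.
CONSTRUCTED_INFECTED = encode_hex_multi_sz(["msv1_0", "badpkg"])

if __name__ == "__main__":
    for label, value in (("page value", PAGE_VALUE), ("constructed", CONSTRUCTED_INFECTED)):
        ok, extras = check_auth_packages(value)
        print(label, parse_hex_multi_sz(value), "default" if ok else "extra: %s" % extras)
```

Running the check against a live machine means reading the value with `reg query` or a registry API and feeding the decoded list to `check_auth_packages`; the decoder is kept separate so that the same comparison works on an exported .reg file taken from an offline disk.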

#5 lin0056

lin0056

    Authentic Member

  • Authentic Member
  • PipPip
  • 115 posts

Posted 17 November 2007 - 04:04 PM

Hi SNOWHITE, thanks for your help. So far my system hasn't been getting these popups or anything since I rebooted through ComboFix. Here are the logs you requested.

ComboFix 07-11-08.1 - LIN0056 2007-11-18 8:43:32.3 - NTFSx86
Running from: C:\Documents and Settings\lin0056\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\lin0056\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\adahwgxo.exe
C:\WINDOWS\system32\beulhmop.dll
C:\WINDOWS\system32\bquyovlc.dll
C:\WINDOWS\system32\cosetjjg.dll
C:\WINDOWS\system32\cpjitabn.exe
C:\WINDOWS\system32\dkobkxgy.exe
C:\WINDOWS\system32\dliuwief.dll
C:\WINDOWS\system32\emrxtgra.exe
C:\WINDOWS\system32\erthdarm.dll
C:\WINDOWS\system32\euovygjx.dll
C:\WINDOWS\system32\gotuqmuw.exe
C:\WINDOWS\system32\gywllfdb.exe
C:\WINDOWS\system32\hiwshbgc.exe
C:\WINDOWS\system32\hujevyak.exe
C:\WINDOWS\system32\iaydefdl.dll
C:\WINDOWS\system32\ihrudddn.exe
C:\WINDOWS\system32\jkajxbqk.dll
C:\WINDOWS\system32\jpewuuny.exe
C:\WINDOWS\system32\kevdwiwv.dll
C:\WINDOWS\system32\kiasxola.exe
C:\WINDOWS\system32\kmmhkrdi.exe
C:\WINDOWS\system32\koehucfc.exe
C:\WINDOWS\system32\llbvaiuu.dll
C:\WINDOWS\system32\lwgjsbnc.exe
C:\WINDOWS\system32\mfntceyh.dll
C:\WINDOWS\system32\mtkjpdrw.exe
C:\WINDOWS\system32\nwixdqhj.dll
C:\WINDOWS\system32\olffixyw.dll
C:\WINDOWS\system32\olprpygl.dll
C:\WINDOWS\system32\peyygprm.dll
C:\WINDOWS\system32\pnvbdxeh.exe
C:\WINDOWS\system32\qsuwkdqf.exe
C:\WINDOWS\system32\rlhpenks.dll
C:\WINDOWS\system32\rruuucag.dll
C:\WINDOWS\system32\samtevlo.exe
C:\WINDOWS\system32\ubmhmmiy.dll
C:\WINDOWS\system32\ufapsahm.exe
C:\WINDOWS\system32\uhcsojlo.exe
C:\WINDOWS\system32\vpayuxki.exe
C:\WINDOWS\system32\vsuomipf.dll
C:\WINDOWS\system32\wlenjfca.dll
C:\WINDOWS\system32\wnbabcxn.dll
C:\WINDOWS\system32\xuvlkqpj.dll
C:\WINDOWS\system32\yotrjgoj.dll
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\lin0056\Desktop\Live Safety Center.lnk
C:\Documents and Settings\lin0056\Desktop\Online Security Guide.lnk
C:\Documents and Settings\lin0056\Favorites\Online Security Guide.lnk
C:\WINDOWS\system32\adahwgxo.exe
C:\WINDOWS\system32\afpljkqi.dll
C:\WINDOWS\system32\beulhmop.dll
C:\WINDOWS\system32\bquyovlc.dll
C:\WINDOWS\system32\cosetjjg.dll
C:\WINDOWS\system32\cpjitabn.exe
C:\WINDOWS\system32\dkobkxgy.exe
C:\WINDOWS\system32\dliuwief.dll
C:\WINDOWS\system32\emrxtgra.exe
C:\WINDOWS\system32\eoltomnq.dll
C:\WINDOWS\system32\erthdarm.dll
C:\WINDOWS\system32\euovygjx.dll
C:\WINDOWS\system32\gotuqmuw.exe
C:\WINDOWS\system32\gywllfdb.exe
C:\WINDOWS\system32\hiwshbgc.exe
C:\WINDOWS\system32\hujevyak.exe
C:\WINDOWS\system32\hvnptjtv.dll
C:\WINDOWS\system32\iaydefdl.dll
C:\WINDOWS\system32\ihrudddn.exe
C:\WINDOWS\system32\jkajxbqk.dll
C:\WINDOWS\system32\jpewuuny.exe
C:\WINDOWS\system32\kevdwiwv.dll
C:\WINDOWS\system32\kiasxola.exe
C:\WINDOWS\system32\kmmhkrdi.exe
C:\WINDOWS\system32\koehucfc.exe
C:\WINDOWS\system32\llbvaiuu.dll
C:\WINDOWS\system32\lwgjsbnc.exe
C:\WINDOWS\system32\mfntceyh.dll
C:\WINDOWS\system32\mtkjpdrw.exe
C:\WINDOWS\system32\nwixdqhj.dll
C:\WINDOWS\system32\olffixyw.dll
C:\WINDOWS\system32\olprpygl.dll
C:\WINDOWS\system32\peyygprm.dll
C:\WINDOWS\system32\pnvbdxeh.exe
C:\WINDOWS\system32\psrdswkp.dll
C:\WINDOWS\system32\psrdswkp.dllbox
C:\WINDOWS\system32\qsuwkdqf.exe
C:\WINDOWS\system32\rdaqkigu.dll
C:\WINDOWS\system32\rlhpenks.dll
C:\WINDOWS\system32\rruuucag.dll
C:\WINDOWS\system32\samtevlo.exe
C:\WINDOWS\system32\sktcrtba.dll
C:\WINDOWS\system32\sqarphbc.exe
C:\WINDOWS\system32\sratotyk.dll
C:\WINDOWS\system32\tmrtbsew.dll
C:\WINDOWS\system32\ubmhmmiy.dll
C:\WINDOWS\system32\ufapsahm.exe
C:\WINDOWS\system32\uhcsojlo.exe
C:\WINDOWS\system32\vpayuxki.exe
C:\WINDOWS\system32\vsuomipf.dll
C:\WINDOWS\system32\wlenjfca.dll
C:\WINDOWS\system32\wnbabcxn.dll
C:\WINDOWS\system32\xtcqatem.dll
C:\WINDOWS\system32\xuvlkqpj.dll
C:\WINDOWS\system32\yotrjgoj.dll

.
((((((((((((((((((((((((( Files Created from 2007-10-17 to 2007-11-17 )))))))))))))))))))))))))))))))
.

2007-11-16 20:12 51,200 --a--c--- C:\WINDOWS\NirCmd.exe
2007-11-16 19:52 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-16 13:50 <DIR> d----c--- C:\Documents and Settings\lin0056\Application Data\Grisoft
2007-11-15 23:11 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-15 23:11 10,872 --a--c--- C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-15 22:25 <DIR> d----c--- C:\WINDOWS\Sun
2007-11-15 20:01 289,144 --a--c--- C:\WINDOWS\system32\VCCLSID.exe
2007-11-15 20:01 288,417 --a--c--- C:\WINDOWS\system32\SrchSTS.exe
2007-11-15 20:01 53,248 --a--c--- C:\WINDOWS\system32\Process.exe
2007-11-15 20:01 51,200 --a--c--- C:\WINDOWS\system32\dumphive.exe
2007-11-15 20:01 25,600 --a--c--- C:\WINDOWS\system32\WS2Fix.exe
2007-11-15 11:22 <DIR> d----c--- C:\Program Files\NJStar Chinese WP
2007-11-15 11:22 <DIR> d----c--- C:\Documents and Settings\lin0056\Application Data\NJStar
2007-11-14 19:50 20,480 --a--c--- C:\WINDOWS\system32\H@tKeysH@@k.DLL
2007-11-13 21:54 <DIR> d----c--- C:\temp\Tmp___30808
2007-11-13 21:52 <DIR> d----c--- C:\temp\Tmp___30328
2007-11-13 21:48 <DIR> d----c--- C:\temp\Tmp___29584
2007-11-13 21:46 <DIR> d----c--- C:\temp\Tmp___29189
2007-11-13 21:45 <DIR> d----c--- C:\temp\Tmp___28980
2007-11-13 21:44 <DIR> d----c--- C:\temp\Tmp___28879
2007-11-13 20:06 664 --a--c--- C:\WINDOWS\system32\d3d9caps.dat
2007-11-13 19:06 5,470 --a--c--- C:\WINDOWS\system32\tmp.reg
2007-11-13 18:47 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Prevx
2007-11-13 07:51 <DIR> d----c--- C:\Program Files\SUPERAntiSpyware
2007-11-13 07:51 <DIR> d----c--- C:\Documents and Settings\lin0056\Application Data\SUPERAntiSpyware.com
2007-11-13 07:51 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-13 07:50 <DIR> d----c--- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-11 20:26 <DIR> d----c--- C:\WINDOWS\system32\xlive
2007-11-11 20:26 3,495,784 --a--c--- C:\WINDOWS\system32\d3dx9_33.dll
2007-11-11 20:26 1,123,696 --a--c--- C:\WINDOWS\system32\D3DCompiler_33.dll
2007-11-11 20:26 81,768 --a--c--- C:\WINDOWS\system32\xinput1_3.dll
2007-11-11 20:05 519,912 --a--c--- C:\WINDOWS\system32\d3dx10d_33.dll
2007-11-11 20:05 519,912 --a--c--- C:\WINDOWS\system32\d3dx10d.dll
2007-11-11 20:05 519,912 --a--c--- C:\WINDOWS\system32\d3dx10_33.dll
2007-11-11 19:57 566,624 --a--c--- C:\WINDOWS\system32\d3d10.dll
2007-11-11 19:57 519,912 --a--c--- C:\WINDOWS\system32\d3dx10.dll
2007-11-11 19:57 494,557 --a--c--- C:\WINDOWS\system32\dxgi.dll
2007-11-11 19:57 25,037 --a--c--- C:\WINDOWS\system32\Nucleus.dll
2007-11-11 18:56 <DIR> d----c--- C:\Program Files\Microsoft Games
2007-11-11 18:49 <DIR> d----c--- C:\Documents and Settings\lin0056\Application Data\Microsoft Game Studios
2007-11-11 14:42 32,768 --a--c--- C:\WINDOWS\system32\mf.dll
2007-11-11 14:24 <DIR> d----c--- C:\Documents and Settings\lin0056\My Games
2007-11-11 14:24 <DIR> d----c--- C:\Documents and Settings\All Users\Microsoft
2007-11-10 13:47 <DIR> d----c--- C:\WINDOWS\Emoticon Live Patch Uninstall
2007-11-09 23:09 98,304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-11-09 22:59 <DIR> d----c--- C:\Program Files\Sierra
2007-11-09 18:13 0 --a--c--- C:\WINDOWS\nsreg.dat
2007-11-09 09:21 <DIR> d----c--- C:\Program Files\MSXML 6.0
2007-11-08 19:18 313 --a--c--- C:\WINDOWS\NAME_HERE.bat
2007-11-08 12:27 <DIR> d----c--- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-11-08 12:22 <DIR> d----c--- C:\Program Files\Windows Media Connect 2
2007-11-08 12:19 <DIR> d----c--- C:\WINDOWS\system32\LogFiles
2007-11-08 12:19 <DIR> d----c--- C:\WINDOWS\system32\drivers\UMDF
2007-11-08 10:01 1,033,216 --------- C:\WINDOWS\system32\dllcache\explorer.exe
2007-11-08 10:01 582,656 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-11-08 10:01 549,376 -----c--- C:\WINDOWS\system32\dllcache\oleaut32.dll
2007-11-08 10:00 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-11-07 23:30 <DIR> d----c--- C:\Program Files\MSN Messenger
2007-11-07 22:04 <DIR> d----c--- C:\Program Files\Rapidown
2007-11-07 20:50 <DIR> d----c--- C:\Documents and Settings\lin0056\Application Data\Apple Computer
2007-11-07 20:02 <DIR> d----c--- C:\Program Files\sXe Injected
2007-11-07 19:59 <DIR> d----c--- C:\Program Files\Counter-Strike 1.6
2007-11-07 18:31 221,184 --a--c--- C:\WINDOWS\system32\wmpns.dll
2007-11-07 18:22 <DIR> d----c--- C:\Documents and Settings\NetworkService\Application Data\Xfire
2007-11-07 18:13 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2007-11-07 18:09 <DIR> d----c--- C:\Program Files\Paint.NET
2007-11-07 17:48 <DIR> d----c--- C:\Program Files\MSBuild
2007-11-07 17:45 <DIR> d----c--- C:\WINDOWS\system32\XPSViewer
2007-11-07 17:44 <DIR> d----c--- C:\Program Files\Reference Assemblies
2007-11-07 17:43 14,048 --a--c--- C:\WINDOWS\system32\spmsg2.dll
2007-11-07 17:38 <DIR> d---sc--- C:\Program Files\Xfire
2007-11-07 17:38 <DIR> d----c--- C:\Documents and Settings\lin0056\Application Data\Xfire
2007-11-07 17:34 <DIR> d----c--- C:\Program Files\uTorrent
2007-11-07 17:34 <DIR> d----c--- C:\Documents and Settings\lin0056\Application Data\uTorrent
2007-11-07 17:32 <DIR> d----c--- C:\Program Files\Steam
2007-11-07 17:29 <DIR> d----c--- C:\Program Files\PowerISO
2007-11-07 17:24 <DIR> d----c--- C:\Program Files\GIMP-2.0
2007-11-07 17:22 <DIR> d----c--- C:\Documents and Settings\lin0056\Shared
2007-11-07 17:22 <DIR> d----c--- C:\Documents and Settings\lin0056\Incomplete
2007-11-07 17:22 <DIR> d----c--- C:\Documents and Settings\lin0056\Application Data\FrostWire
2007-11-07 17:21 <DIR> d----c--- C:\Program Files\Java
2007-11-07 17:21 <DIR> d----c--- C:\Program Files\Common Files\Java
2007-11-07 17:19 <DIR> d----c--- C:\Program Files\Common Files\GTK
2007-11-07 17:18 <DIR> d----c--- C:\Program Files\FrostWire
2007-11-07 17:09 <DIR> d----c--- C:\Program Files\Messenger Plus! Live
2007-11-07 16:53 <DIR> d----c--- C:\Documents and Settings\lin0056\Contacts
2007-11-07 16:51 <DIR> d----c--- C:\Program Files\DoubleDesktop
2007-11-07 16:41 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2007-11-07 16:40 <DIR> d----c--- C:\Program Files\Windows Live
2007-11-07 16:40 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-11-07 16:22 <DIR> d----c--- C:\Downloads
2007-11-07 16:04 12,160 --a--c--- C:\WINDOWS\system32\drivers\mouhid.sys
2007-11-07 16:04 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2007-11-07 16:03 9,600 --a--c--- C:\WINDOWS\system32\drivers\hidusb.sys
2007-11-07 16:03 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2007-11-07 14:04 <DIR> d--hsc--- C:\Documents and Settings\lin0056\UserData
2007-11-07 14:04 <DIR> d----c--- C:\Documents and Settings\lin0056\Application Data\ThinkVantage
2007-11-07 14:04 <DIR> d----c--- C:\Documents and Settings\lin0056\Application Data\Symantec
2007-11-07 14:04 <DIR> d----c--- C:\Documents and Settings\lin0056\Application Data\Inspiration Software
2007-11-07 14:04 <DIR> d----c--- C:\Documents and Settings\lin0056\Application Data\IBM

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-17 21:53 --------- dc----w C:\Program Files\Symantec AntiVirus
2007-11-09 11:58 --------- dc-h--w C:\Program Files\InstallShield Installation Information
2007-11-08 01:18 --------- dc----w C:\Program Files\Windows Media Connect
2007-11-08 01:13 --------- dc----w C:\Program Files\Microsoft Works
2007-11-07 05:31 --------- dc----w C:\Program Files\Google
2007-11-07 05:09 --------- dc----w C:\Program Files\Picasa2
2007-07-23 21:37:19 32,768 -csha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\WINDOWS\system32\xlive ----

2007-09-18 16:01 134144 --a--c--- C:\WINDOWS\system32\xlive\sqmapi.dll


((((((((((((((((((((((((((((( snapshot@2007-11-16_20.38.52.82 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-10 22:23:46 5,427 -c--a-w C:\WINDOWS\system32\EGATHDRV.SYS
+ 2007-11-17 13:00:02 5,427 -c--a-w C:\WINDOWS\system32\EGATHDRV.SYS
+ 2007-11-17 21:52:41 16,384 -c--atw C:\WINDOWS\Temp\Perflib_Perfdata_78c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-09-16 07:57]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-09-16 07:57]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2005-10-29 13:04]
"TpShocks"="TpShocks.exe" [2005-11-08 05:14 C:\WINDOWS\system32\TpShocks.exe]
"TP4EX"="tp4ex.exe" [2005-10-17 19:11 C:\WINDOWS\system32\TP4EX.exe]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2005-11-17 20:22]
"TPHOTKEY"="C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" []
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-12-16 08:19]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2005-05-07 08:06]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-13 08:43]
"suScheduler"="C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe" [2005-08-02 11:32]
"LPManager"="C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe" [2006-01-25 19:03]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-08-01 23:10]
"ISUSPM Startup"="c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 10:50]
"ISUSScheduler"="c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-28 10:50]
"cssauth"="C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe" [2005-12-22 12:08]
"PDService.exe"="C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe" [2005-11-16 07:13]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2005-10-29 05:08]
"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2005-11-30 04:55]
"ACTray"="C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe" [2006-04-18 07:09]
"ACWLIcon"="C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2006-04-18 06:59]
"PWRMGRTR"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2005-12-07 19:12]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-12-07 19:12]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-02 09:57]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-04 12:20]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-04-09 09:52]
"vptray"="C:\PROGRA~1\SYMANT~2\VPTray.exe" [2005-04-18 06:30]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 20:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 23:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-09 17:36]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 03:24]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2007-07-24 08:18:49]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2007-07-24 08:18:47]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-08-18 18:50:44]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
notifyf2.dll 2005-07-06 17:45 28672 C:\WINDOWS\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
tphklock.dll 2005-12-01 14:16 24576 C:\WINDOWS\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli csspwntfy

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1292428093-1757981266-682003330-35769\Scripts\Logon\0\0]
"Script"=stdlogon.vbs

R0 Shockprf;Shockprf;C:\WINDOWS\system32\drivers\Shockprf.sys
R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS
R1 IBMTPCHK;IBMTPCHK;\??\C:\WINDOWS\system32\Drivers\IBMBLDID.sys
R1 ShockMgr;ShockMgr;C:\WINDOWS\system32\drivers\ShockMgr.sys
R1 TPPWRIF;TPPWRIF;C:\WINDOWS\system32\drivers\Tppwrif.sys
R2 ibmfilter;ibmfilter;\??\C:\WINDOWS\system32\drivers\ibmfilter.sys
R2 PrivateDisk;PrivateDisk;\??\C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\PrivateDiskM.sys
R2 smi2;smi2;\??\C:\Program Files\SMI2\smi2.sys
R3 AEAudioService;AEAudio Service;C:\WINDOWS\system32\drivers\AEAudio.sys
R3 atmeltpm;atmeltpm;C:\WINDOWS\system32\DRIVERS\atmeltpm.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-17 01:06:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-17 21:54:29 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
"2007-11-17 21:55:16 C:\WINDOWS\Tasks\PMTask.job"
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-18 08:54:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-11-18 8:58:42 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-16 21:55
C:\ComboFix3.txt ... 2007-11-16 20:43
.
--- E O F ---



gram Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [suScheduler] C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe /SCHEDULER
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [PDService.exe] "C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1185221205500
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = balwynhs.vic.edu.au
O17 - HKLM\Software\..\Telephony: DomainName = balwynhs.vic.edu.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{581BEF0D-C033-4CA8-92CB-85EEFEC95FE1}: NameServer = 61.9.133.193,61.9.134.49
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: tpfnf2 - C:\WINDOWS\SYSTEM32\notifyf2.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe (file missing)
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe (file missing)
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
O23 - Service: TVT Backup Service - Unknown owner - C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Unknown owner - C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe (file missing)

thanks

#6 SNOWHITE

    Retired GTG Staff

  • Authentic Member
  • 165 posts

Posted 17 November 2007 - 04:47 PM

Please follow the steps below exactly in the order they are written:

Step #1

Open Norton AntiVirus by double clicking the 'Shield' icon located in the right hand bottom corner of your computer screen.
Double click the 'View' folder. It is located on the left side of the Norton AntiVirus window. This will expand the folder and display the contents. Click on the 'Quarantine' icon. The right side of the Norton AntiVirus window will now list the contents of your quarantine folder.
Select the item you wish to remove and click on the RED 'X' icon to delete it. This will open the 'Take Action' window. Click the 'Start Delete' button to remove the infected file from your computer.
Repeat for any other quarantined files you want to remove.
When you are done removing files, click the 'Exit' button in the bottom left hand corner of the Norton AntiVirus window.

Step #2

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Step #3

Please do an online scan with Kaspersky WebScanner

NOTE: This Scanner will work with Internet Explorer Only!


Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available, otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK.
  • Now under "Select a target to scan", select My Computer.
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete it will display whether your system has been infected.
    • Now click on the Save Report As... button.
  • Under "Save as type" select Text file, write a name for the file and save it to your Desktop.
  • Locate the file on the Desktop, open it, then copy and paste that information in your next post, together with a new HijackThis log.
Regards,
SNOWHITE
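Step #3 asks for the scanner's report to be pasted back for review, and a report of this kind mixes live detections with entries that are already contained. As an added example that is not part of this thread and is not Kaspersky's own tooling, the Python script below parses result lines of the shape the Kaspersky Online Scanner produces (path, verdict, action) and sorts them into what still needs action versus what does not: objects the scanner could not open, hits inside ComboFix's or Symantec's quarantine, copies held in System Restore points, riskware the scanner labels not-a-virus, and malware still on the live file system. The quarantine and restore-point path markers are assumptions drawn from the tools used in this thread, and the sample report lines are constructed for the example rather than taken from the poster's report.

```python
import re
from collections import Counter, defaultdict

# Result-line grammar of the Kaspersky Online Scanner 5.x report (the form
# shown on this page).  Three shapes occur:
#   <path> Infected: <detection name> <action>
#   <path> Object is locked <action>
#   <path> <ZIP|RAR|RarSFX|NSIS|...>: infected - <n> <action>
# Members of an archive are written as <archive path>/<member>, forward slashes
# marking the boundary, while the Windows path itself uses backslashes.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?:Infected:\s+(?P<name>\S+)"
    r"|(?P<locked>Object is locked)"
    r"|(?P<container>[A-Za-z]+): infected - \d+)"
    r"\s+(?P<action>\S+)$"
)

# Assumed locations where a hit is already contained rather than live:
# ComboFix's quarantine (C:\qoobox\Quarantine), Symantec's .VBN quarantine
# folder, and System Restore's copies under System Volume Information.
QUARANTINE_MARKER = "\\quarantine"
RESTORE_MARKER = "\\system volume information\\_restore"


def classify(line):
    """Map one report line to (category, path, detection name).

    Returns None for lines that are not results (headers, statistics, blanks).
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    outer = path.split("/", 1)[0].lower()   # the on-disk file, even for archive members
    if m.group("locked"):
        return ("locked", path, None)        # scanner could not open it; not a detection
    if m.group("container"):
        return ("archive_summary", path, None)  # roll-up of members already listed
    name = m.group("name")
    if RESTORE_MARKER in outer:
        return ("restore_point", path, name)  # cleared only by purging System Restore
    if QUARANTINE_MARKER in outer:
        return ("quarantined", path, name)    # already contained by another tool
    if name.startswith("not-a-virus:"):
        return ("riskware", path, name)       # legitimate tools the scanner flags
    return ("active", path, name)             # malware still on the live file system


def triage(report_text):
    """Summarise a whole report: counts per category, the hits that still need
    action (active malware and riskware), and a tally of detection names."""
    counts = Counter()
    hits = defaultdict(list)
    for line in report_text.splitlines():
        result = classify(line)
        if result is None:
            continue
        category, path, name = result
        counts[category] += 1
        if name is not None:
            hits[category].append((path, name))
    return {
        "counts": dict(counts),
        "active": hits["active"],
        "riskware": hits["riskware"],
        "families": Counter(name for items in hits.values() for _, name in items),
    }


# Constructed sample in the report's format; paths and name pairings are made
# up for the example and are not taken from the poster's real report.
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\user\NTUSER.DAT Object is locked skipped
C:\Downloads\tools\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Downloads\tools\SmitfraudFix.zip ZIP: infected - 1 skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\adahwgxo.exe.vir Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP1\A0000001.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\WINDOWS\system32\example_bho.dll Infected: Trojan.Win32.BHO.xe skipped
"""

if __name__ == "__main__":
    summary = triage(SAMPLE_REPORT)
    print(summary["counts"])
    for path, name in summary["active"]:
        print("ACTIVE:", name, path)
```

Two caveats a practitioner should keep in mind when reading the output: in the report format shown here every action reads "skipped", so the online scanner reports but does not remove anything, and copies under System Volume Information are only cleared by purging System Restore (on XP, turning it off and back on once the machine is clean), while entries already in a quarantine folder are contained and need no further removal step.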

#7 lin0056

    Authentic Member

  • 115 posts

Posted 17 November 2007 - 08:01 PM

Here are my logs as you requested. Kaspersky detected quite a lot of viruses.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, November 18, 2007 12:18:38 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 18/11/2007
Kaspersky Anti-Virus database records: 461025
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 77555
Number of viruses found: 11
Number of infected objects: 93
Number of suspicious objects: 0
Duration of the scan process: 01:08:43

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-07232007-142208.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine3E40000.VBN Infected: Trojan-Downloader.Win32.ConHook.hl skipped
C:\Documents and Settings\lin0056\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\lin0056\Local Settings\Application Data\ApplicationHistory\cli.exe.c88dbd71.ini.inuse Object is locked skipped
C:\Documents and Settings\lin0056\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped
C:\Documents and Settings\lin0056\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\lin0056\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\lin0056\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{6A1A313E-F619-4BAF-8A77-3B0D6505A783} Object is locked skipped
C:\Documents and Settings\lin0056\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\lin0056\Local Settings\Temp\Perflib_Perfdata_1f8.dat Object is locked skipped
C:\Documents and Settings\lin0056\Local Settings\Temp\Perflib_Perfdata_dec.dat Object is locked skipped
C:\Documents and Settings\lin0056\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\lin0056\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\lin0056\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Downloads\AntiVirus Stuff\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Downloads\AntiVirus Stuff\SmitfraudFix\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Downloads\AntiVirus Stuff\SmitfraudFix\SmitfraudFix.zip ZIP: infected - 1 skipped
C:\Downloads\AntiVirus Stuff\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Downloads\AntiVirus Stuff\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Downloads\AntiVirus Stuff\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Downloads\MSN Fun\NYU_msn_hack_with_rapidshare_premium_downloader\msn.hack\MSN Hack v2.1 All.exe Infected: HackTool.Win32.Blackmess.a skipped
C:\Downloads\MSN Fun\NYU_msn_hack_with_rapidshare_premium_downloader.rar/msn.hack/MSN Hack v2.1 All.exe Infected: HackTool.Win32.Blackmess.a skipped
C:\Downloads\MSN Fun\NYU_msn_hack_with_rapidshare_premium_downloader.rar RAR: infected - 1 skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped
C:\Program Files\Microsoft Games\halo2xp_v0.3\INSTALL\cmdow.exe Infected: not-a-virus:RiskTool.Win32.HideWindows skipped
C:\Program Files\Rapidown\Download\halo2xp_v0.3.zip/halo2xp_v0.3/INSTALL/cmdow.exe Infected: not-a-virus:RiskTool.Win32.HideWindows skipped
C:\Program Files\Rapidown\Download\halo2xp_v0.3.zip ZIP: infected - 1 skipped
C:\Program Files\Symantec AntiVirus\SAVRT893NAV~.TMP Object is locked skipped
C:\Program Files\Symantec AntiVirus\SAVRT969NAV~.TMP Object is locked skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\adahwgxo.exe.vir Infected: Trojan.Win32.Obfuscated.kp skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\cosetjjg.dll.vir Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\cpjitabn.exe.vir Infected: Trojan.Win32.Obfuscated.kp skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\dkobkxgy.exe.vir Infected: Trojan.Win32.Obfuscated.kp skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\emrxtgra.exe.vir Infected: Trojan.Win32.Obfuscated.kp skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\erthdarm.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\gotuqmuw.exe.vir Infected: Trojan.Win32.Obfuscated.kp skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\gywllfdb.exe.vir Infected: Trojan.Win32.Obfuscated.kp skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\hiwshbgc.exe.vir Infected: Trojan.Win32.Obfuscated.kp skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\hujevyak.exe.vir Infected: Trojan.Win32.Obfuscated.kp skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\hvnptjtv.dll.vir Infected: Trojan.Win32.BHO.xe skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\ihrudddn.exe.vir Infected: Trojan.Win32.Obfuscated.kp skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\jpewuuny.exe.vir Infected: Trojan.Win32.Obfuscated.kp skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\kiasxola.exe.vir Infected: Trojan.Win32.Obfuscated.kp skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\kmmhkrdi.exe.vir Infected: Trojan.Win32.Obfuscated.kp skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\koehucfc.exe.vir Infected: Trojan.Win32.Obfuscated.kp skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\lwgjsbnc.exe.vir Infected: Trojan.Win32.Obfuscated.kp skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\mtkjpdrw.exe.vir Infected: Trojan.Win32.Obfuscated.kp skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\nwixdqhj.dll.vir Infected: Trojan.Win32.BHO.xe skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\pnvbdxeh.exe.vir Infected: Trojan.Win32.Obfuscated.kp skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\psrdswkp.dll.vir Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\qsuwkdqf.exe.vir Infected: Trojan.Win32.Obfuscated.kp skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\samtevlo.exe.vir Infected: Trojan.Win32.Obfuscated.kp skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\sqarphbc.exe.vir Infected: Trojan.Win32.Obfuscated.kp skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\tmrtbsew.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\ufapsahm.exe.vir Infected: Trojan.Win32.Obfuscated.kp skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\uhcsojlo.exe.vir Infected: Trojan.Win32.Obfuscated.kp skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\vpayuxki.exe.vir Infected: Trojan.Win32.Obfuscated.kp skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\xuvlkqpj.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\qoobox\Quarantine\catchme2007-11-18_ 85420.70.zip/psrdswkp.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\qoobox\Quarantine\catchme2007-11-18_ 85420.70.zip ZIP: infected - 1 skipped
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP26\A0008684.exe Infected: Trojan-Downloader.Win32.Tuvir.r skipped
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP26\A0008686.exe Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP29\A0012892.exe/stream/data0004 Infected: Trojan-Downloader.Win32.Zlob.ego skipped
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP29\A0012892.exe/stream Infected: Trojan-Downloader.Win32.Zlob.ego skipped
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP29\A0012892.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP30\A0012945.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP30\A0019076.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP30\A0019076.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP30\A0019076.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP30\A0022196.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP31\A0022356.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP31\A0023356.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP31\A0023470.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP32\A0027633.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP32\A0028634.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP33\A0028668.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP33\A0028669.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP33\A0028698.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP34\A0028754.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP37\A0029015.dll Infected: Trojan.Win32.BHO.xe skipped
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP37\A0029018.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP37\A0029020.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP37\A0029022.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP37\A0029025.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP37\A0029026.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP37\A0029027.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP37\A0029029.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP37\A0029030.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP37\A0029032.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP37\A0029033.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP37\A0029034.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP37\A0029035.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP37\A0029037.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP37\A0029039.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP37\A0029041.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP37\A0029042.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP37\A0029043.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP37\A0029045.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP37\A0029047.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP37\A0029048.dll Infected: Trojan.Win32.BHO.xe skipped
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP37\A0029052.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP37\A0029053.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP37\A0029056.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP37\A0029058.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP37\A0029059.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP37\A0029060.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP37\A0029064.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP37\A0029069.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP37\A0029075.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP37\change.log Object is locked skipped
C:\WINDOWS\CSC000001 Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{A136A2AF-B217-4140-A86E-82CD574438D8}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_78c.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.




Logfile of HijackThis v1.99.1
Scan saved at 12:56, on 2007-11-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe
C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.balwynhs....u/home/home.bhs
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.balwynhs.vic.edu.au:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.balwynhs.vic.edu.au;172.*;*.education.vic.gov.au;*.sofweb.vic.edu.au;*.vass.vic.edu.au;*.eduweb.vic.gov.au;*.edudev.vic.gov.au;*.edumail.vic.gov.au;*.otte.vic.gov.au;*.icon.edu.vic.gov.au;*.ultranet.vic.edu.au;*.vcaa.vic.edu.au;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [suScheduler] C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe /SCHEDULER
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [PDService.exe] "C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1185221205500
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = balwynhs.vic.edu.au
O17 - HKLM\Software\..\Telephony: DomainName = balwynhs.vic.edu.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{581BEF0D-C033-4CA8-92CB-85EEFEC95FE1}: NameServer = 61.9.133.193,61.9.134.49
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: tpfnf2 - C:\WINDOWS\SYSTEM32\notifyf2.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe (file missing)
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe (file missing)
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
O23 - Service: TVT Backup Service - Unknown owner - C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Unknown owner - C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe (file missing)

#8 SNOWHITE

    Retired GTG Staff

  • Authentic Member
  • 165 posts

Posted 18 November 2007 - 07:12 AM

Hi lin0056 :D

Please follow the steps below exactly in the order they are written:

Step #1
The next two entries are leftovers from legit programs, and you can fix them. Re-open HiJackThis and click on "Do a system scan only". Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.


Step #2

Please download the OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Downloads\MSN Fun\NYU_msn_hack_with_rapidshare_premium_downloader
    C:\Downloads\MSN Fun\NYU_msn_hack_with_rapidshare_premium_downloader.rar


  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Close OTMoveIt.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Step #3

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, DSS will open two Notepad windows, main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.
Post back with OTMoveIt report, and dss scan reports main.txt and extra.txt.


Regards,
SNOWHITE

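The Step #1 entries above are the classic "(no file)" / "(file missing)" leftovers: a BHO or Winlogon Notify registry hook whose DLL is gone. As an added example (not code from this thread, and not part of HijackThis, OTMoveIt or DSS), here is a small parser for the HijackThis 1.99.1 log format that flags such orphaned hooks and diffs two scans to confirm a fix took effect; the sample logs are a constructed subset of the 18 and 19 November logs posted in this thread, and the script name hjt_check.py is assumed.

```python
import re
import sys
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A HijackThis 1.99.1 item line looks like "<section> - <body>", e.g.
#   O2 - BHO: <name> - {<CLSID>} - <path>
#   O20 - Winlogon Notify: <key> - <dll>
# Headers, the process list and blank lines do not match and are skipped.
ITEM_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Text HijackThis appends when the registry still references a file that
# is no longer on disk (the "leftover" entries the helper asked to fix).
ORPHAN_MARKERS = ("(no file)", "(file missing)")
# Sections that load code into Explorer/IE/winlogon and that HJT can fix;
# O23 services also report "(file missing)" but are handled separately.
HOOK_SECTIONS = ("O2", "O3", "O20", "O21")


@dataclass(frozen=True)
class Entry:
    section: str
    body: str
    clsid: Optional[str]
    orphaned: bool


def parse_hjt(text: str) -> List[Entry]:
    """Turn HJT log text into Entry records, ignoring non-item lines."""
    entries = []
    for raw in text.splitlines():
        m = ITEM_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        c = CLSID_RE.search(body)
        entries.append(Entry(
            section=m.group("section"),
            body=body,
            clsid=c.group(0).upper() if c else None,
            orphaned=any(mark in body for mark in ORPHAN_MARKERS),
        ))
    return entries


def orphaned_hooks(entries: List[Entry]) -> List[Entry]:
    """Hook entries whose target file is gone.

    "(no name)" alone is not a signal: the Spybot SDHelper BHO in the
    second sample log also has no display name but points at a real DLL.
    """
    return [e for e in entries if e.section in HOOK_SECTIONS and e.orphaned]


def diff_logs(before: List[Entry], after: List[Entry]) -> Tuple[List[str], List[str]]:
    """(removed, added) item bodies between two scans of the same machine,
    used to confirm that 'Fix checked' actually cleared the entries."""
    b = {e.body for e in before}
    a = {e.body for e in after}
    return sorted(b - a), sorted(a - b)


# Constructed sample: a subset of the 18 Nov log posted in this thread.
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
"""

# Constructed sample: the same hooks from the 19 Nov log, after the fix.
LOG_AFTER = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
"""


def main(argv):
    """Usage: hjt_check.py before.log [after.log]; with no files, use the samples."""
    if len(argv) > 1:
        before = parse_hjt(open(argv[1], errors="replace").read())
        after = parse_hjt(open(argv[2], errors="replace").read()) if len(argv) > 2 else None
    else:
        before, after = parse_hjt(LOG_BEFORE), parse_hjt(LOG_AFTER)
    for e in orphaned_hooks(before):
        print(f"orphaned {e.section}: {e.body}")
    if after is not None:
        removed, added = diff_logs(before, after)
        print("removed:", *removed, sep="\n  ")
        print("added:", *added, sep="\n  ")


if __name__ == "__main__":
    main(sys.argv)
```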
#9 lin0056

    Authentic Member

  • Authentic Member
  • 115 posts

Posted 19 November 2007 - 12:25 AM

Here is the OTMoveIt. I think this is a virus some guy sent me; I never saw it.

C:\Downloads\MSN Fun\NYU_msn_hack_with_rapidshare_premium_downloader moved successfully.
C:\Downloads\MSN Fun\NYU_msn_hack_with_rapidshare_premium_downloader.rar moved successfully.

Created on 11-19-2007 17:12:46

This is my main.txt

Deckard's System Scanner v20071014.68
Run by LIN0056 on 2007-11-19 17:19:58
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis (run as LIN0056.exe) ---------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 17:20, on 2007-11-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe
C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\lin0056\Desktop\dss.exe
C:\PROGRA~1\Hijackthis\LIN0056.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.balwynhs....u/home/home.bhs
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.balwynhs.vic.edu.au:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.balwynhs.vic.edu.au;172.*;*.education.vic.gov.au;*.sofweb.vic.edu.au;*.vass.vic.edu.au;*.eduweb.vic.gov.au;*.edudev.vic.gov.au;*.edumail.vic.gov.au;*.otte.vic.gov.au;*.icon.edu.vic.gov.au;*.ultranet.vic.edu.au;*.vcaa.vic.edu.au;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [suScheduler] C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe /SCHEDULER
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [PDService.exe] "C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1185221205500
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = balwynhs.vic.edu.au
O17 - HKLM\Software\..\Telephony: DomainName = balwynhs.vic.edu.au
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: tpfnf2 - C:\WINDOWS\SYSTEM32\notifyf2.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe (file missing)
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe (file missing)
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
O23 - Service: TVT Backup Service - Unknown owner - C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Unknown owner - C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe (file missing)


-- Files created between 2007-10-19 and 2007-11-19 -----------------------------

2007-11-19 13:47:49 0 d------c- C:\Documents and Settings\LocalService\Desktop
2007-11-18 10:28:39 0 d------c- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-18 10:28:36 0 d------c- C:\WINDOWS\system32\Kaspersky Lab
2007-11-16 19:52:25 0 d------c- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-16 13:50:11 0 d------c- C:\Documents and Settings\lin0056\Application Data\Grisoft
2007-11-15 23:11:19 0 d------c- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-15 22:25:04 0 d------c- C:\WINDOWS\Sun
2007-11-15 20:01:31 25600 --a----c- C:\WINDOWS\system32\WS2Fix.exe
2007-11-15 20:01:31 289144 --a----c- C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2007-11-15 20:01:31 288417 --a----c- C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2007-11-15 20:01:31 53248 --a----c- C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2007-11-15 20:01:31 51200 --a----c- C:\WINDOWS\system32\dumphive.exe
2007-11-15 11:22:22 0 d------c- C:\Documents and Settings\lin0056\Application Data\NJStar
2007-11-15 11:22:03 0 d------c- C:\Program Files\NJStar Chinese WP
2007-11-13 20:06:49 664 --a----c- C:\WINDOWS\system32\d3d9caps.dat
2007-11-13 19:06:43 5470 --a----c- C:\WINDOWS\system32\tmp.reg
2007-11-13 18:47:39 0 d------c- C:\Documents and Settings\All Users\Application Data\Prevx
2007-11-13 07:51:31 0 d------c- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-13 07:51:07 0 d------c- C:\Program Files\SUPERAntiSpyware
2007-11-13 07:51:07 0 d------c- C:\Documents and Settings\lin0056\Application Data\SUPERAntiSpyware.com
2007-11-13 07:50:28 0 d------c- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-11 20:26:16 0 d------c- C:\WINDOWS\system32\xlive
2007-11-11 20:05:29 519912 --a----c- C:\WINDOWS\system32\d3dx10d_33.dll
2007-11-11 20:05:29 519912 --a----c- C:\WINDOWS\system32\d3dx10d.dll
2007-11-11 20:05:28 519912 --a----c- C:\WINDOWS\system32\d3dx10_33.dll
2007-11-11 19:57:40 25037 --a----c- C:\WINDOWS\system32\Nucleus.dll
2007-11-11 19:57:40 494557 --a----c- C:\WINDOWS\system32\dxgi.dll
2007-11-11 19:57:40 519912 --a----c- C:\WINDOWS\system32\d3dx10.dll
2007-11-11 19:57:40 566624 --a----c- C:\WINDOWS\system32\d3d10.dll
2007-11-11 18:56:58 0 d------c- C:\Program Files\Microsoft Games
2007-11-11 18:49:41 0 d------c- C:\Documents and Settings\lin0056\Application Data\Microsoft Game Studios
2007-11-11 14:42:28 32768 --a----c- C:\WINDOWS\system32\mf.dll
2007-11-11 14:24:54 0 d------c- C:\Documents and Settings\lin0056\My Games
2007-11-11 14:24:51 0 d------c- C:\Documents and Settings\All Users\Microsoft
2007-11-10 13:47:03 0 d------c- C:\WINDOWS\Emoticon Live Patch Uninstall
2007-11-09 23:09:15 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll <Not Verified; Sony DADC Austria AG.; >
2007-11-09 22:59:05 0 d------c- C:\Program Files\Sierra
2007-11-09 18:13:30 0 --a----c- C:\WINDOWS\nsreg.dat
2007-11-09 18:13:26 0 d------c- C:\Documents and Settings\lin0056\Application Data\Mozilla
2007-11-09 09:21:04 0 d------c- C:\Program Files\MSXML 6.0
2007-11-08 19:18:50 313 --a----c- C:\WINDOWS\NAME_HERE.bat
2007-11-08 12:27:05 0 d------c- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-11-08 12:22:17 0 d------c- C:\Program Files\Windows Media Connect 2
2007-11-08 12:19:40 0 d------c- C:\WINDOWS\system32\LogFiles
2007-11-08 12:19:40 0 d------c- C:\WINDOWS\system32\drivers\UMDF
2007-11-07 23:30:14 0 d------c- C:\Program Files\MSN Messenger
2007-11-07 22:04:34 0 d------c- C:\Program Files\Rapidown
2007-11-07 20:50:52 0 d------c- C:\Documents and Settings\lin0056\Application Data\Apple Computer
2007-11-07 20:50:40 1751 --a----c- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
2007-11-07 20:02:59 0 d------c- C:\Program Files\sXe Injected
2007-11-07 19:59:25 0 d------c- C:\Program Files\Counter-Strike 1.6
2007-11-07 18:22:17 0 d------c- C:\Documents and Settings\NetworkService\Application Data\Xfire
2007-11-07 18:13:18 0 d------c- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2007-11-07 18:09:14 0 d------c- C:\Program Files\Paint.NET
2007-11-07 17:48:35 0 d------c- C:\Program Files\MSBuild
2007-11-07 17:45:11 0 d------c- C:\WINDOWS\system32\XPSViewer
2007-11-07 17:44:20 0 d------c- C:\Program Files\Reference Assemblies
2007-11-07 17:38:42 0 d------c- C:\Documents and Settings\lin0056\Application Data\Xfire
2007-11-07 17:38:39 0 d---s--c- C:\Program Files\Xfire
2007-11-07 17:37:28 0 d------c- C:\Documents and Settings\lin0056\Application Data\WinRAR
2007-11-07 17:34:12 0 d------c- C:\Program Files\uTorrent
2007-11-07 17:34:06 0 d------c- C:\Documents and Settings\lin0056\Application Data\uTorrent
2007-11-07 17:32:09 0 d------c- C:\Program Files\Steam
2007-11-07 17:29:59 0 d------c- C:\Program Files\PowerISO
2007-11-07 17:24:18 0 d------c- C:\Program Files\GIMP-2.0
2007-11-07 17:22:35 0 d------c- C:\Documents and Settings\lin0056\Shared
2007-11-07 17:22:33 0 d------c- C:\Documents and Settings\lin0056\Incomplete
2007-11-07 17:22:25 0 d------c- C:\Documents and Settings\lin0056\Application Data\FrostWire
2007-11-07 17:21:25 0 d------c- C:\Program Files\Java
2007-11-07 17:21:24 0 d------c- C:\Program Files\Common Files\Java
2007-11-07 17:20:41 0 d------c- C:\Documents and Settings\lin0056\Application Data\Sun
2007-11-07 17:19:29 0 d------c- C:\Program Files\Common Files\GTK
2007-11-07 17:18:37 0 d------c- C:\Program Files\FrostWire
2007-11-07 17:09:37 0 d------c- C:\Program Files\Messenger Plus! Live
2007-11-07 16:53:37 0 d------c- C:\Documents and Settings\lin0056\Contacts
2007-11-07 16:51:54 0 d------c- C:\Program Files\DoubleDesktop
2007-11-07 16:41:09 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2007-11-07 16:40:49 0 d------c- C:\Program Files\Windows Live
2007-11-07 16:40:37 0 d------c- C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-11-07 16:31:48 0 d------c- C:\Documents and Settings\All Users\Application Data\Google
2007-11-07 16:22:50 0 d------c- C:\Downloads
2007-11-07 14:04:30 0 d------c- C:\Documents and Settings\lin0056\Application Data\Inspiration Software
2007-11-07 14:04:30 0 d------c- C:\Documents and Settings\lin0056\Application Data\Identities
2007-11-07 14:04:30 0 d------c- C:\Documents and Settings\lin0056\Application Data\IBM
2007-11-07 14:04:30 0 d------c- C:\Documents and Settings\lin0056\Application Data\Google
2007-11-07 14:04:30 0 d------c- C:\Documents and Settings\lin0056\Application Data\ATI
2007-11-07 14:04:30 0 d------c- C:\Documents and Settings\lin0056\Application Data\Adobe
2007-11-07 14:04:29 0 d--hs--c- C:\Documents and Settings\lin0056\UserData
2007-11-07 14:04:29 0 d--h---c- C:\Documents and Settings\lin0056\Templates
2007-11-07 14:04:29 0 dr-----c- C:\Documents and Settings\lin0056\Start Menu
2007-11-07 14:04:29 0 dr-h---c- C:\Documents and Settings\lin0056\SendTo
2007-11-07 14:04:29 0 dr-h---c- C:\Documents and Settings\lin0056\Recent
2007-11-07 14:04:29 0 d--h---c- C:\Documents and Settings\lin0056\PrintHood
2007-11-07 14:04:29 0 d--h---c- C:\Documents and Settings\lin0056\NetHood
2007-11-07 14:04:29 0 dr-----c- C:\Documents and Settings\lin0056\My Documents
2007-11-07 14:04:29 0 d--h---c- C:\Documents and Settings\lin0056\Local Settings
2007-11-07 14:04:29 0 dr-----c- C:\Documents and Settings\lin0056\Favorites
2007-11-07 14:04:29 0 d------c- C:\Documents and Settings\lin0056\Desktop
2007-11-07 14:04:29 0 d--hs--c- C:\Documents and Settings\lin0056\Cookies
2007-11-07 14:04:29 0 dr-h---c- C:\Documents and Settings\lin0056\Application Data
2007-11-07 14:04:29 0 d------c- C:\Documents and Settings\lin0056\Application Data\ThinkVantage
2007-11-07 14:04:29 0 d------c- C:\Documents and Settings\lin0056\Application Data\Symantec
2007-11-07 14:04:29 0 d------c- C:\Documents and Settings\lin0056\Application Data\Macromedia
2007-11-07 14:04:28 4980736 --ah----- C:\Documents and Settings\lin0056\NTUSER.DAT
2007-11-07 13:31:14 0 d--hs---- C:\WINDOWS\CSC
2007-11-07 12:32:10 0 d------c- C:\WINDOWS\SchCache


-- Find3M Report ---------------------------------------------------------------

2007-11-19 16:57:36 0 d------c- C:\Program Files\Symantec AntiVirus
2007-11-18 00:00:02 5427 --a----c- C:\WINDOWS\system32\EGATHDRV.SYS <Not Verified; IBM Corporation; IBM eGatherer>
2007-11-13 07:50:28 0 d------c- C:\Program Files\Common Files
2007-11-09 22:58:55 0 d--h---c- C:\Program Files\InstallShield Installation Information
2007-11-08 12:18:55 0 d------c- C:\Program Files\Windows Media Connect
2007-11-08 12:13:53 0 d------c- C:\Program Files\Microsoft Works
2007-11-07 16:31:45 0 d------c- C:\Program Files\Google
2007-11-07 16:09:31 0 d------c- C:\Program Files\Picasa2


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-09-16 07:57]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-09-16 07:57]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2005-10-29 13:04]
"TpShocks"="TpShocks.exe" [2005-11-08 05:14 C:\WINDOWS\system32\TpShocks.exe]
"TP4EX"="tp4ex.exe" [2005-10-17 19:11 C:\WINDOWS\system32\TP4EX.exe]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2005-11-17 20:22]
"TPHOTKEY"="C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" []
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-12-16 08:19]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2005-05-07 08:06]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-13 08:43]
"suScheduler"="C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe" [2005-08-02 11:32]
"LPManager"="C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe" [2006-01-25 19:03]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-08-01 23:10]
"ISUSPM Startup"="c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 10:50]
"ISUSScheduler"="c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-28 10:50]
"cssauth"="C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe" [2005-12-22 12:08]
"PDService.exe"="C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe" [2005-11-16 07:13]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2005-10-29 05:08]
"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2005-11-30 04:55]
"ACTray"="C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe" [2006-04-18 07:09]
"ACWLIcon"="C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2006-04-18 06:59]
"PWRMGRTR"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2005-12-07 19:12]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-12-07 19:12]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-02 09:57]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-04 12:20]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-04-09 09:52]
"vptray"="C:\PROGRA~1\SYMANT~2\VPTray.exe" [2005-04-18 06:30]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 20:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 23:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-09 17:36]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 03:24]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2007-07-24 08:18:49]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2007-07-24 08:18:47]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-08-18 18:50:44]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
notifyf2.dll 2005-07-06 17:45 28672 C:\WINDOWS\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
tphklock.dll 2005-12-01 14:16 24576 C:\WINDOWS\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli csspwntfy

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1292428093-1757981266-682003330-35769\Scripts\Logon\]
"Script"=stdlogon.vbs


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e047ed2c-8cee-11dc-ad54-0019d2456ac3}]
1\Command- .\readme.txt.exe
2\Command- .\readme.txt.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\readme.txt.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e047ed2d-8cee-11dc-ad54-0019d2456ac3}]
1\Command- .\readme.txt.exe
2\Command- .\readme.txt.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\readme.txt.exe




-- End of Deckard's System Scanner: finished at 2007-11-19 17:20:27 ------------

I accidentally closed extra.txt, but I found it in C:/Deckard/System Scanner/2007111917156.

Here it is:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Core™ Duo CPU T2400 @ 1.83GHz
CPU 1: Intel® Core™ Duo CPU T2400 @ 1.83GHz
Percentage of Memory in Use: 60%
Physical Memory (total/avail): 510.36 MiB / 203.24 MiB
Pagefile Memory (total/avail): 1245 MiB / 621.16 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1908.72 MiB

C: is Fixed (NTFS) - 69.64 GiB total, 39.87 GiB free.
D: is CDROM (No Media)
E: is Fixed (NTFS) - 48.83 GiB total, 28.73 GiB free.
F: is Fixed (NTFS) - 62.95 GiB total, 31 GiB free.

\\.\PHYSICALDRIVE0 - TOSHIBA MK8034GSX - 74.53 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 69.64 GiB - C:
\PARTITION1 - Unknown - 4.89 GiB

\\.\PHYSICALDRIVE1 - SAMSUNG HM120II USB Device - 111.79 GiB - 2 partitions
\PARTITION0 - Extended w/Extended Int 13 - 111.78 GiB - E: - F:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: Symantec AntiVirus Corporate Edition v10.0.0.359 (Symantec Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\\Program Files\\ThinkVantage\\SystemUpdate\\jre\\bin\\javaw.exe"="C:\\Program Files\\ThinkVantage\\SystemUpdate\\jre\\bin\\javaw.exe:*:Enabled:ThinkVantage System Update"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Microsoft Games\\Halo\\Halo.eXe"="C:\\Program Files\\Microsoft Games\\Halo\\Halo.eXe:*:Enabled:Halo"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\ThinkVantage\\SystemUpdate\\jre\\bin\\javaw.exe"="C:\\Program Files\\ThinkVantage\\SystemUpdate\\jre\\bin\\javaw.exe:*:Enabled:ThinkVantage System Update"
"\\\\172.18.0.50\\Gaia$\\gpclient.exe"="\\\\172.18.0.50\\Gaia$\\gpclient.exe:*:Enabled:gpclient.exe"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\lin0056\Application Data
CLASSPATH=.;C:\Program Files\IBM\Java142\jre\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=BHS-LP-LIN0056
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\lin0056
HOMESHARE=\\bhs-srv-file\Student07
IBMSHARE=C:\IBMSHARE
LOGONSERVER=\\BHS-SRV-ACC-DC
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\ThinkPad\Utilities;C:\Program Files\Intel\Wireless\Bin\;C:\Program Files\ATI Technologies\ATI.ACE\;C:\Program Files\IBM ThinkVantage\Client Security Solution;C:\Program Files\Diskeeper Corporation\Diskeeper\;C:\Program Files\ThinkPad\ConnectUtilities;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Common Files\GTK\2.0\bin
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 14 Stepping 12, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0e0c
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\IBM\Java142\jre\lib\ext\QTJava.zip
RR=C:\Program Files\IBM ThinkVantage\Rescue and Recovery
SESSIONNAME=Console
SMA=C:\Program Files\IBM ThinkVantage\SMA\
SonicCentral=c:\Program Files\Common Files\Sonic Shared\Sonic Central\
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\lin0056\LOCALS~1\Temp
TMP=C:\DOCUME~1\lin0056\LOCALS~1\Temp
TVT=C:\Program Files\IBM ThinkVantage
TVTPYDIR=C:\Program Files\IBM ThinkVantage\Common\Python24
USERDNSDOMAIN=BALWYNHS.VIC.EDU.AU
USERDOMAIN=BALWYNHS
USERNAME=LIN0056
USERPROFILE=C:\Documents and Settings\lin0056
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

lin0056 (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> c:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
--> c:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> c:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
--> c:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\SETUP.EXE" -l0x9 ControlPanelAnyText
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\SETUP.EXE" -l0x9 ControlPanel
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Access Help --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C6FA39A7-26B1-480A-BC74-6D17531AC222}\SETUP.EXE" -l0x9 UNINSTALL
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A80000000002}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Apple Software Update --> MsiExec.exe /I{55FA89BD-21D3-42F7-9249-C94C0094A83C}
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Catalyst Control Center --> MsiExec.exe /I{4C32C2A5-4BD6-4796-B263-3C6450E7023F}
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
ATI HYDRAVISION --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3EA9D975-BFDC-4E8E-B88B-0446FBC8CA66}\setup.exe"
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
Counter-Strike 1.6 --> C:\Program Files\Counter-Strike 1.6\Uninstal.exe
Diskeeper Lite --> MsiExec.exe /X{F6A04D96-C6D7-498C-9099-BCAD0D99778D}
DoubleDesktop --> C:\PROGRA~1\DoubleDesktop\UNWISE.EXE C:\PROGRA~1\DoubleDesktop\INSTALL.LOG
FEARCombat --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{75E607CF-7BAE-4B88-84B3-97F3DF44BA28}\setup.exe" -l0x9 /zU -removeonly
FrostWire 4.13.3 --> C:\Program Files\FrostWire\Uninstall.exe
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
Graphmatica --> C:\Program Files\Graphmatica\uninstall.exe
GTK+ 2.10.13 runtime environment --> "C:\Program Files\Common Files\GTK\2.0\setup\unins000.exe"
Half-Life --> "C:\PacSteam\steam.exe" steam://uninstall/70
Half-Life 2: Deathmatch --> "C:\PacSteam\steam.exe" steam://uninstall/320
Half-Life 2: Lost Coast --> "C:\PacSteam\steam.exe" steam://uninstall/340
Help Center --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{986F64DC-FF15-449D-998F-EE3BCEC6666A}\SETUP.EXE" -l0x9 -AddRemove
High Definition Audio Driver Package - KB888111 -->
Hijackthis 1.99.1 --> "C:\Program Files\Hijackthis\unins000.exe"
HijackThis 1.99.1 --> C:\Program Files\Hijackthis\HijackThis.exe /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
IBM 32-bit Runtime Environment for Java 2, v1.4.2 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{E922961C-6DB6-41DE-9FEA-426DF3E9F81C} /l1033
Intel® PRO Network Connections Drivers --> Prounstl.exe
Intel® PROSet/Wireless Software --> C:\WINDOWS\Installer\iProInst.exe
InterVideo WinDVD --> "C:\Program Files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe" REMOVEALL
InterVideo WinDVD Creator --> "C:\Program Files\InstallShield Installation Information\{3694899E-5C7F-4EAA-A26B-ED163D5DCADB}\setup.exe" REMOVEALL
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
LiveReg (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE
LiveUpdate 2.6 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Maths300: Complete --> C:\WINDOWS\st6unst.exe -n "C:\Program Files\Maths300\Complete\ST6UNST.LOG"
mCore --> MsiExec.exe /I{E81667C6-2856-46D6-ABEA-6A2F42166779}
mDriver --> MsiExec.exe /I{A0F925BF-5C55-44C2-A4E7-5A4C59791C29}
Message Center --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E7E836B8-4BDD-454F-82E6-5FEA17C83AD4}\SETUP.EXE" -l0x9 -AddRemove
Messenger Plus! Live --> "C:\Program Files\Messenger Plus! Live\Uninstall.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Games for Windows - LIVE Redistributable --> MsiExec.exe /X{D1B01DC9-CBAF-45F9-A387-7D00C11B630E}
Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{90120409-6000-11D3-8CFE-0150048383C9}
Microsoft Producer for Microsoft Office PowerPoint 2003 --> MsiExec.exe /I{155FBB0D-0EE9-42D1-9E41-15E08F691033}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
mMHouse --> MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
Mozilla Firefox (2.0.0.9) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
mPfMgr --> MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
mProSafe --> MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
mWlsSafe --> MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}
mXML --> MsiExec.exe /I{9CC89556-3578-48DD-8408-04E66EBEF401}
NJStar Chinese WP --> C:\Program Files\NJStar Chinese WP\uninst.exe
Paint.NET v3.10 --> MsiExec.exe /X{5E749AEB-5A19-43BA-BB20-3CBB37539FE4}
PC-Doctor 5 for Windows --> C:\Program Files\PCDR5\uninst.exe
Photo Story 3 for Windows --> MsiExec.exe /I{4F41AD68-89F2-4262-A32C-2F70B01FCE9E}
Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"
PowerISO --> "C:\Program Files\PowerISO\uninstall.exe"
Productivity Center Supplement for ThinkPad --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D728E945-256D-4477-B377-6BBA693714AC}\SETUP.EXE" -l0x9 -AddRemove
QuickTime --> MsiExec.exe /I{F07B861C-72B9-40A4-8B1A-AAED4C06A7E8}
RecordNow Audio --> MsiExec.exe /I{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
RecordNow Copy --> MsiExec.exe /I{B12665F4-4E93-4AB4-B7FC-37053B524629}
RecordNow Data --> MsiExec.exe /I{075473F5-846A-448B-BCB3-104AA1760205}
Remove Multimedia Center --> C:\ibmtools\apps\recnow\sequencer.exe -fc:\ibmtools\apps\recnow\uninst.seq
Rescue and Recovery - Client Security Solution --> MsiExec.exe /I{BF90215F-2D7B-4C84-8A24-A03BC41B95DD}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Step By Step Interactive Training (KB898458) -->
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Software Installer --> _tpiu000.exe /U
Sonic DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic Express Labeler --> MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Sonic Update Manager --> MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\SETUP.exe" -l0x9 -removeonly
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Steam --> MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Symantec AntiVirus --> MsiExec.exe /I{5A633ED0-E5D7-4D65-AB8D-53ED43510284}
System Migration Assistant --> MsiExec.exe /X{E5072660-B723-422B-BB74-EAA300BF716B}
The GIMP 2.2.17 --> "C:\Program Files\GIMP-2.0\unins000.exe"
ThinkPad Configuration --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FC081D4D-DF1B-4CF1-B530-027E4118D846}\SETUP.EXE" -l0x9 -AddRemove
ThinkPad EasyEject Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1297C681-92D7-40EF-93BF-03F66EC5105C}\SETUP.EXE" -l0x9 -AddRemove
ThinkPad FullScreen Magnifier --> RunDll32 setupapi.dll,InstallHinfSection DefaultUninstall.NT 132 C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.inf
ThinkPad Keyboard Customizer Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2111B23F-7FDA-4A41-8309-E5A1663CA296}\SETUP.EXE" -l0x9 anything
ThinkPad Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_10140588\HXFSETUP.EXE -U -ITkp0588p.inf -ISFG
ThinkPad PC Card Power Policy --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUnInstall 132 C:\IBMTOOLS\OSFIXES\PCMCIAPW\pcmciapw.inf
ThinkPad Power Management Driver --> RunDll32.exe tpinspm.dll,Uninstall
ThinkPad Power Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A0E64EBA-8BF0-49FB-90C0-BB3D781A2016}\SETUP.EXE" -l0x9 -AddRemove
ThinkPad Presentation Director --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\ThinkPad\Utilities\UNNPDR.isu" -c"C:\Program Files\ThinkPad\Utilities\Tpinsnpd.dll"
ThinkPad UltraNav Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
ThinkPad UltraNav Wizard --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{82512BC9-BD5D-4C50-BE4D-B98E7DF78687}\SETUP.EXE" -l0x9 UNINSTALL
ThinkVantage Access Connections --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7EB114D8-207F-45AE-BABD-1669715F2630}\SETUP.EXE" -l0x9 anything
ThinkVantage Active Protection System --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{72806716-7088-41B2-8FA6-717A2A164DAB}\SETUP.EXE" -l0x9 anything
ThinkVantage Away Manager --> Rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\AWAYTASK.INF
ThinkVantage Productivity Center --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CF5737AF-8550-4546-A69B-0EA9EF5A9B55}\SETUP.EXE" -l0x9 -AddRemove
ThinkVantage System Update --> MsiExec.exe /X{2A43FF29-0D97-4445-B82D-9324F176AED5}
ThinkVantage Technologies Welcome Message --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1007F41F-7D69-468E-8017-3849A5A973C2}\SETUP.EXE" -l0x9 anything
TrackPoint Accessibility Features --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EA664480-3844-11D5-8C25-444553540000}\SETUP.EXE"
Wallpapers --> MsiExec.exe /I{F386C340-DF4B-4BBA-9503-420FB7EDB395}
Windows Communication Foundation --> MsiExec.exe /X{491DD792-AD81-429C-9EB4-86DD3D22E333}
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Mail --> MsiExec.exe /I{184E7118-0295-43C4-B72C-1D54AA75AAF7}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Media Encoder 9 Series --> msiexec.exe /I {E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Encoder 9 Series --> MsiExec.exe /I{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows Workflow Foundation --> MsiExec.exe /I{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
Xfire (remove only) --> "C:\Program Files\Xfire\uninst.exe"
XML Paper Specification Shared Components Pack 1.0 -->
XP Themes --> MsiExec.exe /I{C54ED2B6-1AF2-416F-BBA8-5E2B8CDCB5C4}


-- Application Event Log -------------------------------------------------------

Event Record #/Type2467 / Success
Event Submitted/Written: 11/19/2007 05:03:56 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type2466 / Error
Event Submitted/Written: 11/19/2007 04:59:54 PM
Event ID/Source: 15 / AutoEnrollment
Event Description:
Automatic certificate enrollment for BALWYNHS\LIN0056 failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted.
Enrollment will not be performed.

Event Record #/Type2465 / Error
Event Submitted/Written: 11/19/2007 04:59:13 PM
Event ID/Source: 1000 / UserInit
Event Description:
Could not execute the following script stdlogon.vbs. The system cannot find the file specified.
.

Event Record #/Type2463 / Error
Event Submitted/Written: 11/19/2007 04:58:13 PM
Event ID/Source: 15 / AutoEnrollment
Event Description:
Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted.
Enrollment will not be performed.

Event Record #/Type2462 / Warning
Event Submitted/Written: 11/19/2007 04:58:01 PM
Event ID/Source: 4354 / EventSystem
Event Description:
The COM+ Event System failed to fire the ConnectionMadeNoQOCInfo method on subscription {A82F0E80-1305-400C-BA56-375AE04264A1}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}. The subscriber returned HRESULT 80004001.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type3776 / Warning
Event Submitted/Written: 11/19/2007 05:17:47 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%BALWYNHS27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %BALWYNHS27 can't undo changes that you allow.

For more information please see the following:
%BALWYNHS275

Scan ID: {993437B0-C993-46E3-95EA-E3E5B64260A0}

User: BALWYNHS\LIN0056

Name: %BALWYNHS271

ID: %BALWYNHS272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %BALWYNHS276

Alert Type: %BALWYNHS278

Detection Type: 1.1.1593.02

Event Record #/Type3775 / Warning
Event Submitted/Written: 11/19/2007 05:17:47 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%BALWYNHS27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %BALWYNHS27 can't undo changes that you allow.

For more information please see the following:
%BALWYNHS275

Scan ID: {EE6B93A6-A56B-441E-B61C-9CAA3263FAA6}

User: BALWYNHS\LIN0056

Name: %BALWYNHS271

ID: %BALWYNHS272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %BALWYNHS276

Alert Type: %BALWYNHS278

Detection Type: 1.1.1593.02

Event Record #/Type3774 / Error
Event Submitted/Written: 11/19/2007 05:14:07 PM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 29 minutes.
NtpClient has no source of accurate time.

Event Record #/Type3773 / Warning
Event Submitted/Written: 11/19/2007 05:14:07 PM
Event ID/Source: 14 / W32Time
Event Description:
The time provider NtpClient was unable to find a domain controller to use as a time
source. NtpClient will try again in 30 minutes.

Event Record #/Type3767 / Error
Event Submitted/Written: 11/19/2007 04:59:04 PM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.



-- End of Deckard's System Scanner: finished at 2007-11-19 17:18:49 ------------

#10 SNOWHITE

SNOWHITE

    Retired GTG Staff

  • Authentic Member
  • 165 posts

Posted 20 November 2007 - 07:51 AM

Hello lin0056,

PLEASE READ THIS POST COMPLETELY. IT MAY MAKE IT EASIER FOR YOU IF YOU COPY AND PASTE THIS POST INTO A NEW TEXT DOCUMENT OR PRINT IT FOR REFERENCE LATER.




You have a flash drive infection, follow these steps:

Step #1

First we'll need to back up the registry:

Start -> Run -> type: regedit -> press the OK button. Then click on My Computer to highlight it, right-click on it and select Export. Give it a name and press Save.
Save the text below as fixme.reg in Notepad. Save it as All Files and save it on your Desktop.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveAutoRun"=dword:03ffffff
"NoDriveTypeAutoRun"=dword:000000ff

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e047ed2c-8cee-11dc-ad54-0019d2456ac3}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e047ed2d-8cee-11dc-ad54-0019d2456ac3}]

The above registry file was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Locate fixme.reg on your Desktop and double-click on it.
You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
Answer "Yes" and wait for a message to appear similar to "Merged Successfully".

(In case you are unsure how to create a reg file, take a look here with screenshots.)

Step #2

Plug in your external drive or USB stick.

Right-click on My Computer (important: don't double-click on it, right-click on it).

From the menu choose Explore, right-click on the external drive and choose Explore again, then find this file:

readme.txt.exe <-- right-click on it and choose Delete.

Empty Recycle Bin.

Step #3

Please run this online scan:

Panda ActiveScan
  • Once you are on the Panda site, click the Scan your PC button
  • A new window will open; click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click Send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component, allow it
  • It will start downloading the files it requires for the scan (Note: it may take a couple of minutes)
  • When the download is complete, click on Local Disks to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report, and save it to a convenient location.


Step #4

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, click Options > Change settings.
  • Choose the "Scan" tab and remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives (make sure that the external drive is plugged in and selected for scanning). A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click the next icon next to the files found.
  • If so, click it, then click the next icon right below and select Move incurable.
    This will move it to the %userprofile%\DoctorWeb quarantine folder if it can't be cured (this is in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • Reboot your computer! It is possible that files in use will be moved/deleted during the reboot.
  • After the reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

Run a new scan with DSS and post back with the contents of main.txt, the Panda ActiveScan report, and the Dr.Web report.


Regards,
SNOWHITE
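
One way to see what a fix like this actually changes before merging it, as an added Python example that is not part of the post above or of any tool it mentions: it parses the REGEDIT4 text of fixme.reg and decodes the two AutoRun bitmasks (drive-type bit names follow the Win32 GetDriveType constants; the HKLM-over-HKCU precedence is Explorer's policy behaviour).

```python
# Added example for this thread (not from the post or any tool it names):
# decode what a REGEDIT4 fix like fixme.reg does to Explorer's AutoRun policy.
import re

# NoDriveTypeAutoRun is a bitmask over the Win32 drive types (GetDriveType()).
DRIVE_TYPE_BITS = {
    0x01: "DRIVE_UNKNOWN", 0x02: "DRIVE_NO_ROOT_DIR",
    0x04: "DRIVE_REMOVABLE",  # USB sticks: the vector in this thread
    0x08: "DRIVE_FIXED", 0x10: "DRIVE_REMOTE", 0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK", 0x80: "RESERVED",
}
XP_DEFAULT_MASK = 0x91  # XP default: only unknown, network and reserved are off

POLICY_KEYS = {  # machine policy first: it overrides the per-user policy
    "HKLM": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer",
    "HKCU": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",
}
_SECTION_RE = re.compile(r"^\[(-?)(.+)\]$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{1,8})$')


def parse_reg(text):
    """Parse the REGEDIT4 subset used by fixme.reg: key sections, [-key]
    deletions and dword values.  Returns ({key: {name: int}}, [deleted keys])."""
    lines = [line.strip() for line in text.splitlines()]
    if not lines or lines[0] != "REGEDIT4":
        raise ValueError("missing REGEDIT4 header")
    values, deleted, current = {}, [], None
    for line in lines[1:]:
        if not line or line.startswith(";"):
            continue
        section = _SECTION_RE.match(line)
        if section:
            minus, key = section.groups()
            if minus:                    # [-HKEY...] removes the whole key
                deleted.append(key)
                current = None
            else:
                current = key
                values.setdefault(key, {})
            continue
        dword = _DWORD_RE.match(line)
        if dword and current is not None:
            values[current][dword.group(1)] = int(dword.group(2), 16)
            continue
        raise ValueError("unsupported line: %r" % line)
    return values, deleted


def disabled_drive_types(mask):
    """Drive types whose AutoRun a NoDriveTypeAutoRun mask switches off."""
    return [name for bit, name in sorted(DRIVE_TYPE_BITS.items()) if mask & bit]


def disabled_drive_letters(mask):
    """Drive letters a NoDriveAutoRun mask switches off (bit 0 = A:, bit 25 = Z:)."""
    return [chr(ord("A") + i) + ":" for i in range(26) if mask & (1 << i)]


def effective_autorun_policy(values):
    """NoDriveTypeAutoRun that Explorer applies: HKLM wins over HKCU, else default."""
    for hive in ("HKLM", "HKCU"):
        mask = values.get(POLICY_KEYS[hive], {}).get("NoDriveTypeAutoRun")
        if mask is not None:
            return hive, mask
    return "default", XP_DEFAULT_MASK


def summarize(text):
    """What merging this .reg file changes about AutoRun on the target machine."""
    values, deleted = parse_reg(text)
    hive, mask = effective_autorun_policy(values)
    # The per-letter mask (NoDriveAutoRun) is only set under HKLM in this fix.
    letters = values.get(POLICY_KEYS["HKLM"], {}).get("NoDriveAutoRun", 0)
    types = disabled_drive_types(mask)
    return {
        "policy_source": hive,
        "disabled_types": types,
        "removable_autorun_off": "DRIVE_REMOVABLE" in types,
        "disabled_letters": disabled_drive_letters(letters),
        # MountPoints2 caches per-volume AutoRun handlers; the post deletes the
        # two volume GUID entries Explorer created for the infected stick.
        "mountpoints_removed": [k for k in deleted if "mountpoints2" in k.lower()],
    }


# The fixme.reg text from the post above, embedded so the example runs offline.
FIXME_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveAutoRun"=dword:03ffffff
"NoDriveTypeAutoRun"=dword:000000ff

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e047ed2c-8cee-11dc-ad54-0019d2456ac3}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e047ed2d-8cee-11dc-ad54-0019d2456ac3}]
"""

if __name__ == "__main__":
    for name, value in summarize(FIXME_REG).items():
        print("%s: %s" % (name, value))
```

With the thread's fixme.reg the HKLM value 0xff wins, so AutoRun is off for every drive type (including removable media) and for all 26 drive letters, while the HKCU value 0x91 on its own would only have disabled unknown, network and reserved drive types.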


#11 lin0056

lin0056

    Authentic Member

  • Authentic Member
  • 115 posts

Posted 22 November 2007 - 04:52 AM

Hi SNOWHITE, I couldn't find readme.txt.exe, it is not hidden. Maybe you thought wrong? I don't know.

main.txt:

Deckard's System Scanner v20071014.68
Run by LIN0056 on 2007-11-22 20:58:11
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 77% (more than 75%).
Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis (run as LIN0056.exe) ---------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2007-11-22 20:58:14
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\TPHDEXLG.exe
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft Games\Halo\Halo.eXe
C:\Documents and Settings\lin0056\Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.balwynhs....u/home/home.bhs
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsof...search.asp?p=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.balwynhs.vic.edu.au:8080
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft...amp;ar=iesearch
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar2.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options Group: [JAVA_IBM] Java (IBM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.micr...heckControl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1185221205500
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.ma...t/ultrashim.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\Software\..\Telephony: DomainName = balwynhs.vic.edu.au
O17 - HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: Domain = balwynhs.vic.edu.au
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: Domain = balwynhs.vic.edu.au
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SavRoam - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\system32\TPHDEXLG.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
O23 - Service: TVT Backup Service - Unknown owner - C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Unknown owner - C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe


--
End of file - 10407 bytes

-- Files created between 2007-10-22 and 2007-11-22 -----------------------------

2007-11-22 17:28:58 0 d------c- C:\Documents and Settings\lin0056\DoctorWeb
2007-11-21 17:03:11 0 d------c- C:\WINDOWS\system32\ActiveScan
2007-11-20 22:24:36 552 --a----c- C:\WINDOWS\system32\d3d8caps.dat
2007-11-20 17:30:21 1622016 --a----c- C:\WINDOWS\system32\rlvknlg.exe <Not Verified; RelevantKnowledge; RelevantKnowledge>
2007-11-20 17:26:20 266240 --a----c- C:\WINDOWS\system32\rkupginstaller.exe <Not Verified; TMRG, INC.; >
2007-11-20 17:25:34 0 d------c- C:\Program Files\CEDP Stealer 6.0 for Messenger
2007-11-20 11:40:31 0 d------c- C:\Documents and Settings\lin0056\Application Data\InterVideo
2007-11-19 21:37:20 86016 --a----c- C:\WINDOWS\system32\CNMCP6d.exe <Not Verified; CANON INC.; Canon BJ Raster Printer Driver Installer>
2007-11-19 21:36:54 0 d--h---c- C:\BJPrinter
2007-11-19 13:47:49 0 d------c- C:\Documents and Settings\LocalService\Desktop
2007-11-18 10:28:39 0 d------c- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-18 10:28:36 0 d------c- C:\WINDOWS\system32\Kaspersky Lab
2007-11-16 19:52:25 0 d------c- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-16 13:50:11 0 d------c- C:\Documents and Settings\lin0056\Application Data\Grisoft
2007-11-15 23:11:19 0 d------c- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-15 22:25:04 0 d------c- C:\WINDOWS\Sun
2007-11-15 20:01:31 25600 --a----c- C:\WINDOWS\system32\WS2Fix.exe
2007-11-15 20:01:31 289144 --a----c- C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2007-11-15 20:01:31 288417 --a----c- C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2007-11-15 20:01:31 53248 --a----c- C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2007-11-15 20:01:31 51200 --a----c- C:\WINDOWS\system32\dumphive.exe
2007-11-15 11:22:22 0 d------c- C:\Documents and Settings\lin0056\Application Data\NJStar
2007-11-15 11:22:03 0 d------c- C:\Program Files\NJStar Chinese WP
2007-11-13 20:06:49 1324 --a----c- C:\WINDOWS\system32\d3d9caps.dat
2007-11-13 19:06:43 5470 --a----c- C:\WINDOWS\system32\tmp.reg
2007-11-13 18:47:39 0 d------c- C:\Documents and Settings\All Users\Application Data\Prevx
2007-11-13 07:51:31 0 d------c- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-13 07:51:07 0 d------c- C:\Program Files\SUPERAntiSpyware
2007-11-13 07:51:07 0 d------c- C:\Documents and Settings\lin0056\Application Data\SUPERAntiSpyware.com
2007-11-13 07:50:28 0 d------c- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-11 20:26:16 0 d------c- C:\WINDOWS\system32\xlive
2007-11-11 20:05:29 519912 --a----c- C:\WINDOWS\system32\d3dx10d_33.dll
2007-11-11 20:05:29 519912 --a----c- C:\WINDOWS\system32\d3dx10d.dll
2007-11-11 20:05:28 519912 --a----c- C:\WINDOWS\system32\d3dx10_33.dll
2007-11-11 19:57:40 25037 --a----c- C:\WINDOWS\system32\Nucleus.dll
2007-11-11 19:57:40 494557 --a----c- C:\WINDOWS\system32\dxgi.dll
2007-11-11 19:57:40 519912 --a----c- C:\WINDOWS\system32\d3dx10.dll
2007-11-11 19:57:40 566624 --a----c- C:\WINDOWS\system32\d3d10.dll
2007-11-11 18:56:58 0 d------c- C:\Program Files\Microsoft Games
2007-11-11 18:49:41 0 d------c- C:\Documents and Settings\lin0056\Application Data\Microsoft Game Studios
2007-11-11 14:42:28 32768 --a----c- C:\WINDOWS\system32\mf.dll
2007-11-11 14:24:54 0 d------c- C:\Documents and Settings\lin0056\My Games
2007-11-11 14:24:51 0 d------c- C:\Documents and Settings\All Users\Microsoft
2007-11-10 13:47:03 0 d------c- C:\WINDOWS\Emoticon Live Patch Uninstall
2007-11-09 23:09:15 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll <Not Verified; Sony DADC Austria AG.; >
2007-11-09 22:59:05 0 d------c- C:\Program Files\Sierra
2007-11-09 18:13:30 0 --a----c- C:\WINDOWS\nsreg.dat
2007-11-09 18:13:26 0 d------c- C:\Documents and Settings\lin0056\Application Data\Mozilla
2007-11-09 09:21:04 0 d------c- C:\Program Files\MSXML 6.0
2007-11-08 19:18:50 313 --a----c- C:\WINDOWS\NAME_HERE.bat
2007-11-08 12:27:05 0 d------c- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-11-08 12:22:17 0 d------c- C:\Program Files\Windows Media Connect 2
2007-11-08 12:19:40 0 d------c- C:\WINDOWS\system32\LogFiles
2007-11-08 12:19:40 0 d------c- C:\WINDOWS\system32\drivers\UMDF
2007-11-07 23:30:14 0 d------c- C:\Program Files\MSN Messenger
2007-11-07 22:04:34 0 d------c- C:\Program Files\Rapidown
2007-11-07 20:50:52 0 d------c- C:\Documents and Settings\lin0056\Application Data\Apple Computer
2007-11-07 20:50:40 1751 --a----c- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
2007-11-07 20:02:59 0 d------c- C:\Program Files\sXe Injected
2007-11-07 19:59:25 0 d------c- C:\Program Files\Counter-Strike 1.6
2007-11-07 18:22:17 0 d------c- C:\Documents and Settings\NetworkService\Application Data\Xfire
2007-11-07 18:13:18 0 d------c- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2007-11-07 18:09:14 0 d------c- C:\Program Files\Paint.NET
2007-11-07 17:48:35 0 d------c- C:\Program Files\MSBuild
2007-11-07 17:45:11 0 d------c- C:\WINDOWS\system32\XPSViewer
2007-11-07 17:44:20 0 d------c- C:\Program Files\Reference Assemblies
2007-11-07 17:38:42 0 d------c- C:\Documents and Settings\lin0056\Application Data\Xfire
2007-11-07 17:38:39 0 d---s--c- C:\Program Files\Xfire
2007-11-07 17:37:28 0 d------c- C:\Documents and Settings\lin0056\Application Data\WinRAR
2007-11-07 17:34:12 0 d------c- C:\Program Files\uTorrent
2007-11-07 17:34:06 0 d------c- C:\Documents and Settings\lin0056\Application Data\uTorrent
2007-11-07 17:32:09 0 d------c- C:\Program Files\Steam
2007-11-07 17:29:59 0 d------c- C:\Program Files\PowerISO
2007-11-07 17:24:18 0 d------c- C:\Program Files\GIMP-2.0
2007-11-07 17:22:35 0 d------c- C:\Documents and Settings\lin0056\Shared
2007-11-07 17:22:33 0 d------c- C:\Documents and Settings\lin0056\Incomplete
2007-11-07 17:22:25 0 d------c- C:\Documents and Settings\lin0056\Application Data\FrostWire
2007-11-07 17:21:25 0 d------c- C:\Program Files\Java
2007-11-07 17:21:24 0 d------c- C:\Program Files\Common Files\Java
2007-11-07 17:20:41 0 d------c- C:\Documents and Settings\lin0056\Application Data\Sun
2007-11-07 17:19:29 0 d------c- C:\Program Files\Common Files\GTK
2007-11-07 17:18:37 0 d------c- C:\Program Files\FrostWire
2007-11-07 17:09:37 0 d------c- C:\Program Files\Messenger Plus! Live
2007-11-07 16:53:37 0 d------c- C:\Documents and Settings\lin0056\Contacts
2007-11-07 16:51:54 0 d------c- C:\Program Files\DoubleDesktop
2007-11-07 16:41:09 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2007-11-07 16:40:49 0 d------c- C:\Program Files\Windows Live
2007-11-07 16:40:37 0 d------c- C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-11-07 16:31:48 0 d------c- C:\Documents and Settings\All Users\Application Data\Google
2007-11-07 16:22:50 0 d------c- C:\Downloads
2007-11-07 14:04:30 0 d------c- C:\Documents and Settings\lin0056\Application Data\Inspiration Software
2007-11-07 14:04:30 0 d------c- C:\Documents and Settings\lin0056\Application Data\Identities
2007-11-07 14:04:30 0 d------c- C:\Documents and Settings\lin0056\Application Data\IBM
2007-11-07 14:04:30 0 d------c- C:\Documents and Settings\lin0056\Application Data\Google
2007-11-07 14:04:30 0 d------c- C:\Documents and Settings\lin0056\Application Data\ATI
2007-11-07 14:04:30 0 d------c- C:\Documents and Settings\lin0056\Application Data\Adobe
2007-11-07 14:04:29 0 d--hs--c- C:\Documents and Settings\lin0056\UserData
2007-11-07 14:04:29 0 d--h---c- C:\Documents and Settings\lin0056\Templates
2007-11-07 14:04:29 0 dr-----c- C:\Documents and Settings\lin0056\Start Menu
2007-11-07 14:04:29 0 dr-h---c- C:\Documents and Settings\lin0056\SendTo
2007-11-07 14:04:29 0 dr-h---c- C:\Documents and Settings\lin0056\Recent
2007-11-07 14:04:29 0 d--h---c- C:\Documents and Settings\lin0056\PrintHood
2007-11-07 14:04:29 0 d--h---c- C:\Documents and Settings\lin0056\NetHood
2007-11-07 14:04:29 0 dr-----c- C:\Documents and Settings\lin0056\My Documents
2007-11-07 14:04:29 0 d--h---c- C:\Documents and Settings\lin0056\Local Settings
2007-11-07 14:04:29 0 dr-----c- C:\Documents and Settings\lin0056\Favorites
2007-11-07 14:04:29 0 d------c- C:\Documents and Settings\lin0056\Desktop
2007-11-07 14:04:29 0 d--hs--c- C:\Documents and Settings\lin0056\Cookies
2007-11-07 14:04:29 0 dr-h---c- C:\Documents and Settings\lin0056\Application Data
2007-11-07 14:04:29 0 d------c- C:\Documents and Settings\lin0056\Application Data\ThinkVantage
2007-11-07 14:04:29 0 d------c- C:\Documents and Settings\lin0056\Application Data\Symantec
2007-11-07 14:04:29 0 d------c- C:\Documents and Settings\lin0056\Application Data\Macromedia
2007-11-07 14:04:28 6029312 --ah----- C:\Documents and Settings\lin0056\NTUSER.DAT
2007-11-07 13:31:14 0 d--hs---- C:\WINDOWS\CSC
2007-11-07 12:32:10 0 d------c- C:\WINDOWS\SchCache


-- Find3M Report ---------------------------------------------------------------

2007-11-22 18:47:50 0 d------c- C:\Program Files\Symantec AntiVirus
2007-11-22 17:14:36 0 d------c- C:\Program Files\Windows Defender
2007-11-22 17:09:07 0 d------c- C:\Program Files\Messenger
2007-11-22 17:04:43 0 d------c- C:\Program Files\Google
2007-11-22 17:04:13 0 d------c- C:\Program Files\Digital Line Detect
2007-11-22 17:00:20 0 d------c- C:\Program Files\Common Files\Symantec Shared
2007-11-18 00:00:02 5427 --a----c- C:\WINDOWS\system32\EGATHDRV.SYS <Not Verified; IBM Corporation; IBM eGatherer>
2007-11-13 07:50:28 0 d------c- C:\Program Files\Common Files
2007-11-09 22:58:55 0 d--h---c- C:\Program Files\InstallShield Installation Information
2007-11-08 12:18:55 0 d------c- C:\Program Files\Windows Media Connect
2007-11-08 12:13:53 0 d------c- C:\Program Files\Microsoft Works
2007-11-07 16:09:31 0 d------c- C:\Program Files\Picasa2


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 23:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-09 17:36]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 03:24]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2007-07-24 08:18:49]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2007-07-24 08:18:47]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-08-18 18:50:44]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"="lsass.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
notifyf2.dll 2005-07-06 17:45 28672 C:\WINDOWS\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
tphklock.dll 2005-12-01 14:16 24576 C:\WINDOWS\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli csspwntfy

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1292428093-1757981266-682003330-35769\Scripts\Logon\0\0]
"Script"=stdlogon.vbs




-- End of Deckard's System Scanner: finished at 2007-11-22 20:58:52 ------------



Panda active scan.


Incident Status Location

Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\lin0056\Application Data\Mozilla\Firefox\Profiles\1rptdl4i.default\cookies.txt[.com.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\lin0056\Application Data\Mozilla\Firefox\Profiles\1rptdl4i.default\cookies.txt[.gamearena.com.au/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\lin0056\Cookies\lin0056@atdmt[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\lin0056\Cookies\lin0056@bs.serving-sys[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\lin0056\Cookies\lin0056@serving-sys[1].txt
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\lin0056\Cookies\lin0056@yadro[1].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\lin0056\Desktop\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\lin0056\Desktop\ComboFix.exe[nircmd.cfexe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Downloads\AntiVirus Stuff\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/SuperFast Not disinfected C:\Downloads\AntiVirus Stuff\SmitfraudFix\restart.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Downloads\AntiVirus Stuff\SmitfraudFix\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Potentially unwanted tool:Application/SuperFast Not disinfected C:\Downloads\AntiVirus Stuff\SmitfraudFix\SmitfraudFix.zip[SmitfraudFix/restart.exe]
Potentially unwanted tool:Application/HideWindow.S Not disinfected C:\Program Files\Microsoft Games\halo2xp_v0.3\INSTALL\cmdow.exe
Potentially unwanted tool:Application/HideWindow.S Not disinfected C:\Program Files\Rapidown\Download\halo2xp_v0.3.zip[halo2xp_v0.3/INSTALL/cmdow.exe]
Spyware:Spyware/Virtumonde Not disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\psrdswkp.dll.vir
Spyware:Spyware/Virtumonde Not disinfected C:\qoobox\Quarantine\catchme2007-11-18_ 85420.70.zip[psrdswkp.dll]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
Spyware:Spyware/MarketScore Not disinfected C:\WINDOWS\system32\rlvknlg.exe

Dr Web Report:

WPE PRO 0.9a.exe;E:\Other\Game Hacking Bundle Pack V1.2\Hack Pack V1.2\Hacking programs\Memory Scanners\Best Hacking Programs\Wpe Pro 0.9a;Program.Wpe;;
Process.exe;E:\Programs\AntiVirus Stuff\SmitfraudFix;Tool.Prockill;;
restart.exe;E:\Programs\AntiVirus Stuff\SmitfraudFix;Tool.ShutDown.11;;
A0029244.exe;E:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP37;Tool.GameCrack;;
A0002277.exe;F:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP3;Tool.Netcat;;
A0029146.exe;F:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP37;Tool.GameCrack;;
A0029384.exe;F:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP37;Program.Wpe;;
Process.exe;C:\Downloads\AntiVirus Stuff\SmitfraudFix;Tool.Prockill;;
restart.exe;C:\Downloads\AntiVirus Stuff\SmitfraudFix;Tool.ShutDown.11;;
A0019082.exe;C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP30;Tool.Prockill;;
A0022195.exe;C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP30;Tool.Prockill;;
A0022197.exe;C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP30;Tool.ShutDown.11;;
A0022206.exe;C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP30;Tool.Prockill;;
A0029120.DLL;C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP37;Tool.Hatkeys;;
A0029828.exe;C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP41;Adware.Relevant;;
Process.exe;C:\WINDOWS\system32;Tool.Prockill;;

#12 __RiP_ChAiN_ (GeekU Teacher, Authentic Member, 142 posts)

Posted 29 November 2007 - 06:30 AM

Hello lin0056 :)

SNOWHITE is very busy right now, and has asked me to help out with your log for the time being.
Let's start off with some minor stuff and get some new updated logs to view :)

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\rlvknlg.exe
C:\WINDOWS\system32\rkupginstaller.exe

Folder::
C:\WINDOWS\system32\xlive

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e047ed2c-8cee-11dc-ad54-0019d2456ac3}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e047ed2d-8cee-11dc-ad54-0019d2456ac3}]



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[Posted Image: animation of dragging CFScript.txt onto ComboFix.exe]


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.


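As an added illustration of the CFScript step above (example code, not the helper's or ComboFix's own): a small Python cross-check that splits a CFScript into its File::, Folder:: and Registry:: sections, validates each entry, and then confirms every requested file or folder deletion against the FILE and "Other Deletions" blocks of the ComboFix log the user posts in reply. The sample script and log excerpt are constructed from this thread; the rules for splitting the sections and log blocks are this example's own assumptions about the format as it appears here.

```python
"""Cross-check a ComboFix CFScript against the log it produced (added example,
not thread or ComboFix code; section-splitting rules are this example's assumption)."""
import re

# Constructed copy of the CFScript posted by the helper.
SAMPLE_CFSCRIPT = r"""File::
C:\WINDOWS\system32\rlvknlg.exe
C:\WINDOWS\system32\rkupginstaller.exe

Folder::
C:\WINDOWS\system32\xlive

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e047ed2c-8cee-11dc-ad54-0019d2456ac3}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e047ed2d-8cee-11dc-ad54-0019d2456ac3}]
"""

# Constructed excerpt of the ComboFix log the user posted in reply.
SAMPLE_LOG = r"""ComboFix 07-12-02.7 - LIN0056 2007-12-04 22:25:02.4 - NTFSx86

FILE
C:\WINDOWS\system32\rkupginstaller.exe
C:\WINDOWS\system32\rlvknlg.exe
.

(((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\WINDOWS\system32\rkupginstaller.exe
C:\WINDOWS\system32\scvhost.exe
C:\WINDOWS\system32\xlive
C:\WINDOWS\system32\xlive\sqmapi.dll
.
((((((((((((((((((((((((( Files Created from 2007-11-04 to 2007-12-04 )))))))))))))))))))))))))))))))
.
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")
REG_DELETE_RE = re.compile(r"^\[-HKEY_[A-Z_]+\\.+\]$")


def parse_cfscript(text: str) -> dict[str, list[str]]:
    """Split a CFScript into its 'Name::' sections; File::/Folder:: entries must be
    absolute drive paths and Registry:: entries must use the '[-KEY]' delete form."""
    sections: dict[str, list[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        if current in ("File", "Folder") and not DRIVE_PATH_RE.match(line):
            raise ValueError(f"{current}:: entry is not an absolute path: {line!r}")
        if current == "Registry" and not REG_DELETE_RE.match(line):
            raise ValueError(f"Registry:: entry is not a [-KEY] delete: {line!r}")
        sections[current].append(line)
    return sections


def parse_deleted_paths(log: str) -> set[str]:
    """Collect the paths the log reports as removed: the 'FILE' block (echo of
    the script's File:: entries) and the 'Other Deletions' block. Paths are
    lower-cased because NTFS compares them case-insensitively."""
    deleted: set[str] = set()
    block = None
    for raw in log.splitlines():
        line = raw.strip()
        if line == "FILE":
            block = "file"
        elif line.startswith("((("):           # every banner starts a new block
            block = "other" if "Other Deletions" in line else None
        elif block and line not in ("", "."):  # '.' lines are separators
            deleted.add(line.lower())
    return deleted


def check_script_against_log(script: str, log: str) -> dict[str, list[str]]:
    """Report which File::/Folder:: entries the log confirms as deleted, which
    it never mentions, and the Registry:: entries this part of the log does not
    echo at all (left 'unverified': confirm those with a registry export)."""
    sections = parse_cfscript(script)
    deleted = parse_deleted_paths(log)
    result: dict[str, list[str]] = {"confirmed": [], "missing": [], "unverified": []}
    for name in ("File", "Folder"):
        for path in sections.get(name, []):
            key = "confirmed" if path.lower() in deleted else "missing"
            result[key].append(path)
    result["unverified"] = list(sections.get("Registry", []))
    return result
```

Anything that lands in "missing" is a deletion the script asked for but the log does not account for, which is the first thing to re-check before declaring the machine clean.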
#13 lin0056 (Authentic Member, 115 posts)

Posted 04 December 2007 - 05:56 AM

ComboFix 07-12-02.7 - LIN0056 2007-12-04 22:25:02.4 - NTFSx86
Running from: C:\Documents and Settings\lin0056\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\lin0056\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\rkupginstaller.exe
C:\WINDOWS\system32\rlvknlg.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\WINDOWS\system32\rkupginstaller.exe
C:\WINDOWS\system32\scvhost.exe
C:\WINDOWS\system32\xlive
C:\WINDOWS\system32\xlive\sqmapi.dll

.
((((((((((((((((((((((((( Files Created from 2007-11-04 to 2007-12-04 )))))))))))))))))))))))))))))))
.

2007-12-04 19:54 . 2007-12-04 19:54 17,542 ---h-c--- C:\DriveIcon.ico
2007-12-04 19:50 . 2007-12-04 19:56 <DIR> d----c--- C:\Program Files\Bee Icons
2007-12-04 16:54 . 2007-12-04 16:55 <DIR> d----c--- C:\Program Files\AnyReader
2007-12-04 09:20 . 2007-12-04 09:20 <DIR> d----c--- C:\Program Files\VideoLAN
2007-12-04 09:15 . 2007-12-04 09:15 <DIR> d----c--- C:\Program Files\XviD
2007-12-04 09:08 . 2007-12-04 09:08 <DIR> d----c--- C:\Program Files\DScaler5
2007-12-04 08:58 . 2007-12-04 08:58 <DIR> d----c--- C:\Program Files\3ivx
2007-12-04 08:50 . 2007-12-04 15:38 <DIR> d----c--- C:\Documents and Settings\lin0056\Application Data\DivX
2007-12-04 08:48 . 2007-09-29 03:07 129,784 -----c--- C:\WINDOWS\system32\pxafs.dll
2007-12-04 08:48 . 2007-09-29 03:07 9,464 -----c--- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-12-04 08:48 . 2007-09-29 03:07 9,336 -----c--- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-12-04 08:34 . 2007-12-04 08:48 <DIR> d----c--- C:\Program Files\DivX
2007-12-04 08:31 . 2007-12-04 08:31 <DIR> d----c--- C:\Documents and Settings\lin0056\Application Data\Nokia Multimedia Player
2007-12-04 08:30 . 2007-12-04 08:31 54,156 --ah-c--- C:\WINDOWS\QTFont.qfn
2007-12-04 08:30 . 2007-12-04 08:31 1,409 --a--c--- C:\WINDOWS\QTFont.for
2007-12-04 00:36 . 2007-12-04 00:36 <DIR> d----c--- C:\Program Files\ElcomSoft
2007-12-04 00:17 . 2007-12-04 00:17 <DIR> d----c--- C:\Documents and Settings\lin0056\Application Data\Leadertech
2007-12-03 23:25 . 2007-12-03 23:25 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Nokia
2007-12-03 23:23 . 2007-02-22 11:15 137,216 --a--c--- C:\WINDOWS\system32\drivers\nmwcd.sys
2007-12-03 23:23 . 2007-02-22 11:15 65,536 --a--c--- C:\WINDOWS\system32\nmwcdcocls.dll
2007-12-03 23:19 . 2007-12-03 23:21 <DIR> d----c--- C:\Documents and Settings\lin0056\Phone Browser
2007-12-03 22:36 . 2007-12-03 22:38 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\PC Suite
2007-12-03 22:35 . 2007-12-03 22:38 <DIR> d----c--- C:\Documents and Settings\lin0056\Application Data\Nokia
2007-12-03 22:34 . 2007-12-03 22:35 <DIR> d----c--- C:\Program Files\DIFX
2007-12-03 22:34 . 2007-12-03 22:34 <DIR> d----c--- C:\Program Files\Common Files\PCSuite
2007-12-03 22:34 . 2007-12-03 23:42 <DIR> d----c--- C:\Program Files\Common Files\Nokia
2007-12-03 22:34 . 2007-12-03 23:19 <DIR> d----c--- C:\Documents and Settings\lin0056\Application Data\PC Suite
2007-12-03 22:33 . 2007-12-03 22:33 <DIR> d----c--- C:\Program Files\PC Connectivity Solution
2007-12-03 22:33 . 2007-12-03 23:42 <DIR> d----c--- C:\Program Files\Nokia
2007-12-03 22:33 . 2007-02-22 11:15 90,624 --a--c--- C:\WINDOWS\system32\nmwcdcls.dll
2007-12-03 22:24 . 2007-12-03 22:24 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Installations
2007-12-03 22:21 . 2007-12-03 22:21 <DIR> d--hsc--- C:\WINDOWS\ftpcache
2007-12-03 22:02 . 2007-12-03 22:02 <DIR> d----c--- C:\Documents and Settings\lin0056\Application Data\AdobeUM
2007-12-03 22:02 . 2007-12-03 22:02 <DIR> d----c--- C:\Documents and Settings\lin0056\Application Data\AdobeAUM
2007-12-03 18:27 . 2007-12-03 18:56 <DIR> d----c--- C:\Program Files\Download Direct
2007-12-03 17:37 . 2007-12-03 17:37 <DIR> d--h-c--- C:\WINDOWS\system32\GroupPolicy
2007-12-03 17:23 . 2007-12-02 02:05 307,200 --a--c--- C:\WINDOWS\kopmet.dll
2007-12-03 17:23 . 2007-12-02 02:05 192,512 --a--c--- C:\WINDOWS\jetctrl.dll
2007-12-03 17:23 . 2007-12-02 02:05 147,456 --a--c--- C:\WINDOWS\nretcip.exe
2007-12-03 17:03 . 2007-12-03 17:04 <DIR> d----c--- C:\Program Files\RichVideoCodec
2007-12-03 11:21 . 2007-12-03 11:21 244 --ah-c--- C:\sqmnoopt00.sqm
2007-12-03 11:21 . 2007-12-03 11:21 232 --ah-c--- C:\sqmdata00.sqm
2007-12-03 06:25 . 2007-05-27 17:09 419,969 -r-h-c--- C:\WINDOWS\NetMSConfig.exe
2007-12-03 06:04 . 2007-12-03 06:05 <DIR> d----c--- C:\Program Files\Date Cracker 2000
2007-12-03 06:04 . 2007-12-03 06:04 73,216 --a--c--- C:\WINDOWS\temp.000
2007-12-02 22:53 . 2007-12-02 22:53 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-12-02 13:54 . 2007-12-02 14:15 <DIR> d----c--- C:\Program Files\TVAnts
2007-12-02 13:53 . 2007-12-02 13:53 <DIR> d----c--- C:\WINDOWS\uninstall\Satellite TV for PC Elite
2007-12-02 13:53 . 2007-12-02 13:53 <DIR> d----c--- C:\WINDOWS\uninstall
2007-12-02 13:53 . 2007-12-02 13:53 <DIR> d----c--- C:\Program Files\SatelliteTVforPC
2007-12-02 13:11 . 2007-12-02 13:11 <DIR> d----c--- C:\Documents and Settings\lin0056\Application Data\TVU Networks
2007-12-02 10:56 . 2007-12-02 10:56 <DIR> d----c--- C:\Program Files\smr-usenet
2007-12-02 10:56 . 2001-03-29 01:38 69,632 --a--c--- C:\WINDOWS\system32\GkSui18.EXE
2007-12-02 09:45 . 2007-12-02 09:45 <DIR> d----c--- C:\Documents and Settings\lin0056\Application Data\ZipZag
2007-12-02 09:44 . 2007-12-02 09:46 <DIR> d----c--- C:\Program Files\ZipZag
2007-12-01 20:20 . 2007-12-04 09:23 <DIR> d----c--- C:\Documents and Settings\lin0056\Application Data\vlc
2007-12-01 20:17 . 2007-12-02 13:12 <DIR> d----c--- C:\Program Files\TVU Player
2007-12-01 16:35 . 2007-12-01 16:43 <DIR> d----c--- C:\WINDOWS\system32\dt
2007-12-01 16:29 . 2007-12-01 16:29 0 --a--c--- C:\WINDOWS\WB.ini
2007-12-01 15:48 . 2007-12-01 15:48 <DIR> d----c--- C:\WINDOWS\{hopper}
2007-12-01 15:48 . 2007-12-03 10:01 <DIR> d----c--- C:\Program Files\WiFi Hopper
2007-12-01 15:48 . 2006-05-31 02:36 21,376 --a--c--- C:\WINDOWS\system32\drivers\hopperp.sys
2007-12-01 15:14 . 2007-12-01 15:14 103 --a--c--- C:\WINDOWS\system32\msrcom.dat
2007-12-01 12:31 . 2001-06-11 22:15 115,016 --a--c--- C:\WINDOWS\system32\Msinet.ocx
2007-12-01 09:44 . 2007-12-01 09:44 <DIR> d----c--- C:\Program Files\Download Manager
2007-12-01 09:43 . 2007-12-01 11:23 <DIR> d----c--- C:\Documents and Settings\lin0056\Application Data\IGN_DLM
2007-12-01 00:43 . 2007-12-01 00:43 479,298 --a--c--- C:\WINDOWS\system32\wbocx.ocx
2007-12-01 00:43 . 2007-12-01 00:43 172,032 --a--c--- C:\WINDOWS\system32\AniGIF.ocx
2007-12-01 00:43 . 2007-12-01 00:43 50,688 --a--c--- C:\WINDOWS\system32\wbhelp2.dll
2007-11-30 21:37 . 2007-11-30 21:37 <DIR> d----c--- C:\Program Files\GameSpot
2007-11-30 20:17 . 2007-11-30 20:17 <DIR> d----c--- C:\Program Files\Uconomix
2007-11-30 17:00 . 2007-11-30 17:18 <DIR> d----c--- C:\Program Files\Spyware Doctor
2007-11-30 17:00 . 2007-11-30 17:00 <DIR> d----c--- C:\Documents and Settings\lin0056\Application Data\PC Tools
2007-11-30 17:00 . 2007-10-18 00:16 79,688 --a--c--- C:\WINDOWS\system32\drivers\iksyssec.sys
2007-11-30 17:00 . 2007-10-18 00:15 62,280 --a--c--- C:\WINDOWS\system32\drivers\iksysflt.sys
2007-11-30 17:00 . 2007-10-18 00:14 41,288 --a--c--- C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-11-30 17:00 . 2007-10-18 00:16 29,000 --a--c--- C:\WINDOWS\system32\drivers\kcom.sys
2007-11-30 16:59 . 2005-09-23 08:29 626,688 --a--c--- C:\WINDOWS\system32\msvcr80.dll
2007-11-30 13:40 . 2007-12-01 15:15 160,564,119 --a--c--- C:\WINDOWS\system32\mfccache.dll
2007-11-29 20:41 . 2007-11-29 20:58 <DIR> d----c--- C:\Program Files\Hide The IP
2007-11-29 20:28 . 2007-12-01 22:40 <DIR> d----c--- C:\Documents and Settings\lin0056\Application Data\LimeWire
2007-11-29 20:27 . 2007-11-29 20:27 <DIR> d----c--- C:\Program Files\LimeWire
2007-11-29 18:52 . 2007-11-29 18:55 <DIR> d----c--- C:\Documents and Settings\lin0056\Application Data\XP Visual Tools
2007-11-29 18:50 . 2007-12-03 16:56 <DIR> d-a--c--- C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-29 12:49 . 2007-11-29 18:58 <DIR> d----c--- C:\Program Files\Common Files\Stardock
2007-11-29 11:52 . 2007-11-29 18:57 <DIR> d----c--- C:\Program Files\Stardock
2007-11-29 11:52 . 2007-07-11 15:06 42,672 --a--c--- C:\WINDOWS\system32\wbsys.dll
2007-11-29 11:52 . 2005-01-22 18:05 20,480 --a--c--- C:\WINDOWS\system32\wbload.dll
2007-11-29 08:57 . 2007-11-29 09:15 <DIR> d----c--- C:\Program Files\GameSpy Arcade
2007-11-28 15:16 . 2007-11-28 15:16 <DIR> d----c--- C:\WINDOWS\.jagex_cache_32
2007-11-24 19:16 . 2007-11-25 11:39 <DIR> d----c--- C:\Program Files\Halo Server
2007-11-24 16:41 . 2007-11-24 16:41 <DIR> d----c--- C:\Documents and Settings\LocalService\Application Data\Xfire
2007-11-24 09:34 . 2007-11-24 09:34 54 --a--c--- C:\WINDOWS\Composer.INI
2007-11-24 09:33 . 2007-11-28 20:54 <DIR> d----c--- C:\Program Files\Notation
2007-11-24 08:21 . 2007-11-24 08:21 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Musicnotes
2007-11-22 17:28 . 2007-11-22 17:44 <DIR> d----c--- C:\Documents and Settings\lin0056\DoctorWeb
2007-11-21 17:03 . 2007-11-22 17:22 <DIR> d----c--- C:\WINDOWS\system32\ActiveScan
2007-11-21 17:03 . 2007-11-22 16:22 30,590 --a--c--- C:\WINDOWS\system32\pavas.ico
2007-11-21 17:03 . 2007-11-22 16:22 2,550 --a--c--- C:\WINDOWS\system32\Uninstall.ico
2007-11-21 17:03 . 2007-11-22 16:22 1,406 --a--c--- C:\WINDOWS\system32\Help.ico

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-04 11:29 --------- dc----w C:\Program Files\Symantec AntiVirus
2007-12-04 08:54 106 -c-h--w C:\Program Files\desktop.ini
2007-12-03 14:28 --------- dc----w C:\Program Files\Common Files\Adobe
2007-12-02 19:04 249,856 -c----w C:\WINDOWS\Setup1.exe
2007-11-30 10:37 5,588 -c--a-w C:\Program Files\install.log
2007-11-22 06:14 --------- dc----w C:\Program Files\Windows Defender
2007-11-22 06:04 --------- dc----w C:\Program Files\Google
2007-11-22 06:04 --------- dc----w C:\Program Files\Digital Line Detect
2007-11-22 06:00 --------- dc----w C:\Program Files\Common Files\Symantec Shared
2007-11-09 11:58 --------- dc-h--w C:\Program Files\InstallShield Installation Information
2007-11-08 01:18 --------- dc----w C:\Program Files\Windows Media Connect
2007-11-08 01:13 --------- dc----w C:\Program Files\Microsoft Works
2007-11-07 05:09 --------- dc----w C:\Program Files\Picasa2
2007-07-23 21:37 32,768 -csha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
.

((((((((((((((((((((((((((((( snapshot@2007-11-16_20.38.52.82 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-05-30 02:44:18 11,776 -c--a-w C:\WINDOWS\{hopper}\snetcfg.exe
- 2007-10-29 07:56:19 136,192 -c--a-w C:\WINDOWS\catchme.exe
+ 2007-11-26 16:58:11 140,288 -c--a-w C:\WINDOWS\catchme.exe
+ 2006-08-23 21:28:54 141,424 -c--a-w C:\WINDOWS\Downloaded Program Files\asinst.dll
+ 2007-03-05 02:57:46 325,240 -c--a-w C:\WINDOWS\Downloaded Program Files\DLMControl.dll
+ 2007-06-01 03:25:26 317,016 -c--a-w C:\WINDOWS\Downloaded Program Files\mnviewer.dll
+ 2006-05-30 15:36:54 21,376 -c--a-w C:\WINDOWS\inf\hopperp.sys
+ 2007-12-04 05:40:30 10,134 -c--a-r C:\WINDOWS\Installer\{066D65EA-ED53-44E4-A96A-F81B6E409D2E}\ARPPRODUCTICON.exe
+ 2007-12-03 12:23:50 3,262 -c--a-r C:\WINDOWS\Installer\{11964613-805F-432D-A12B-169554B793E7}\ARPPRODUCTICON.exe
+ 2007-12-03 10:59:43 65,536 -c--a-r C:\WINDOWS\Installer\{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}\ARPPRODUCTICON.exe
+ 2007-12-03 10:59:43 65,536 -c--a-r C:\WINDOWS\Installer\{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}\NewShortcut2_4BDFD2CE632942E498019B3D1F10D79B.exe
+ 2007-12-03 10:59:43 65,536 -c--a-r C:\WINDOWS\Installer\{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}\NewShortcut3_4BDFD2CE632942E498019B3D1F10D79B.exe
+ 2007-12-04 05:41:19 15,086 -c--a-r C:\WINDOWS\Installer\{57A48477-92F0-4C1F-ADF9-4806C4EC3CF2}\ARPPRODUCTICON.exe
+ 2007-12-04 05:41:19 216,358 -c--a-r C:\WINDOWS\Installer\{57A48477-92F0-4C1F-ADF9-4806C4EC3CF2}\EXTUI_UninstallPCSui_0F854AC05AF149EFBE65492233B7B5AD.exe
- 2007-11-08 01:18:14 12,288 -c--a-r C:\WINDOWS\Installer\{90120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2007-11-30 02:49:27 12,288 -c--a-r C:\WINDOWS\Installer\{90120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2007-11-08 01:18:14 135,168 -c--a-r C:\WINDOWS\Installer\{90120409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2007-11-30 02:49:26 135,168 -c--a-r C:\WINDOWS\Installer\{90120409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2007-11-08 01:18:14 11,264 -c--a-r C:\WINDOWS\Installer\{90120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2007-11-30 02:49:27 11,264 -c--a-r C:\WINDOWS\Installer\{90120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2007-11-08 01:18:14 27,136 -c--a-r C:\WINDOWS\Installer\{90120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2007-11-30 02:49:27 27,136 -c--a-r C:\WINDOWS\Installer\{90120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2007-11-08 01:18:14 4,096 -c--a-r C:\WINDOWS\Installer\{90120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2007-11-30 02:49:27 4,096 -c--a-r C:\WINDOWS\Installer\{90120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2007-11-08 01:18:15 794,624 -c--a-r C:\WINDOWS\Installer\{90120409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2007-11-30 02:49:27 794,624 -c--a-r C:\WINDOWS\Installer\{90120409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2007-11-08 01:18:14 249,856 -c--a-r C:\WINDOWS\Installer\{90120409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2007-11-30 02:49:26 249,856 -c--a-r C:\WINDOWS\Installer\{90120409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2007-11-08 01:18:15 23,040 -c--a-r C:\WINDOWS\Installer\{90120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2007-11-30 02:49:27 23,040 -c--a-r C:\WINDOWS\Installer\{90120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2007-11-08 01:18:14 286,720 -c--a-r C:\WINDOWS\Installer\{90120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2007-11-30 02:49:26 286,720 -c--a-r C:\WINDOWS\Installer\{90120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2007-11-08 01:18:13 409,600 -c--a-r C:\WINDOWS\Installer\{90120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2007-11-30 02:49:26 409,600 -c--a-r C:\WINDOWS\Installer\{90120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2007-08-07 01:51:46 1,139,488 -c--a-w C:\WINDOWS\system32\3ivx.dll
+ 2007-08-07 01:51:52 324,320 -c--a-w C:\WINDOWS\system32\3ivxVfWCodec.dll
+ 2007-03-28 22:20:50 110,592 -c--a-w C:\WINDOWS\system32\ActiveScan\as.dll
+ 2006-10-05 05:15:26 233,472 -c--a-w C:\WINDOWS\system32\ActiveScan\ascontrol.dll
+ 2005-06-03 03:03:18 96,256 -c--a-w C:\WINDOWS\system32\ActiveScan\asmdat.dll
+ 2003-08-01 00:00:16 36,864 -c--a-w C:\WINDOWS\system32\ActiveScan\certdll.dll
+ 2005-05-20 02:42:44 86,016 -c--a-w C:\WINDOWS\system32\ActiveScan\instlsp.dll
+ 2006-02-16 07:20:20 4,608 -c--a-w C:\WINDOWS\system32\ActiveScan\memvfile.dll
+ 2005-10-25 07:08:32 348,160 -c--a-w C:\WINDOWS\system32\ActiveScan\msvcr71.dll
+ 2004-05-04 04:01:02 139,264 -c--a-w C:\WINDOWS\system32\ActiveScan\pavaleas.dll
+ 2006-07-14 02:04:10 45,056 -c--a-w C:\WINDOWS\system32\ActiveScan\pavdr.exe
+ 2006-04-09 23:50:02 159,832 -c--a-w C:\WINDOWS\system32\ActiveScan\pavexcom.dll
+ 2006-02-14 02:05:38 94,208 -c--a-w C:\WINDOWS\system32\ActiveScan\pavinas.dll
+ 2006-02-16 07:35:38 180,224 -c--a-w C:\WINDOWS\system32\ActiveScan\pavoe.dll
+ 2006-10-05 05:15:38 122,880 -c--a-w C:\WINDOWS\system32\ActiveScan\pavpz.dll
+ 2006-06-30 03:13:38 8,704 -c--a-w C:\WINDOWS\system32\ActiveScan\pfdnnt.exe
+ 2004-02-04 03:08:42 49,152 -c--a-w C:\WINDOWS\system32\ActiveScan\port32.dll
+ 2006-08-01 02:23:10 69,632 -c--a-w C:\WINDOWS\system32\ActiveScan\pscpu.dll
+ 2006-08-23 02:06:08 1,388,544 -c--a-w C:\WINDOWS\system32\ActiveScan\pskahk.dll
+ 2006-08-17 00:38:14 10,752 -c--a-w C:\WINDOWS\system32\ActiveScan\pskalloc.dll
+ 2006-09-04 00:49:54 61,440 -c--a-w C:\WINDOWS\system32\ActiveScan\pskas.dll
+ 2006-08-17 21:46:18 779,264 -c--a-w C:\WINDOWS\system32\ActiveScan\pskavs.dll
+ 2007-03-26 03:25:34 417,792 -c--a-w C:\WINDOWS\system32\ActiveScan\pskcmp.dll
+ 2006-08-08 23:42:24 90,112 -c--a-w C:\WINDOWS\system32\ActiveScan\pskfss.dll
+ 2006-07-18 23:55:58 208,896 -c--a-w C:\WINDOWS\system32\ActiveScan\pskhtml.dll
+ 2006-01-20 05:57:00 9,728 -c--a-w C:\WINDOWS\system32\ActiveScan\pskmas.dll
+ 2006-05-16 22:50:12 14,336 -c--a-w C:\WINDOWS\system32\ActiveScan\pskmdfs.dll
+ 2006-08-15 23:58:12 33,280 -c--a-w C:\WINDOWS\system32\ActiveScan\pskpack.dll
+ 2006-06-30 03:42:36 266,240 -c--a-w C:\WINDOWS\system32\ActiveScan\pskscs.dll
+ 2006-08-17 03:33:14 62,976 -c--a-w C:\WINDOWS\system32\ActiveScan\pskutil.dll
+ 2006-08-08 02:13:10 13,312 -c--a-w C:\WINDOWS\system32\ActiveScan\pskvfile.dll
+ 2006-08-17 21:53:08 69,632 -c--a-w C:\WINDOWS\system32\ActiveScan\pskvfs.dll
+ 2006-08-17 21:49:50 167,936 -c--a-w C:\WINDOWS\system32\ActiveScan\pskvm.dll
+ 2007-04-18 06:16:04 353,840 -c--a-w C:\WINDOWS\system32\ActiveScan\psscan.dll
+ 2007-01-22 03:42:48 35,328 -c--a-w C:\WINDOWS\system32\ActiveScan\rawvfile.dll
+ 1997-09-17 19:12:32 9,488 -c--a-w C:\WINDOWS\system32\ActiveScan\sporder.dll
+ 2006-02-28 06:23:40 69,632 -c--a-w C:\WINDOWS\system32\ActiveScan\tcpvfile.dll
+ 2006-08-02 01:39:06 73,728 -c--a-w C:\WINDOWS\system32\asuninst.exe
+ 2007-12-04 05:55:33 15,360 -c--a-w C:\WINDOWS\system32\BASSMOD.dll
+ 2006-12-01 05:30:01 6,201 -c--a-w C:\WINDOWS\system32\bpk.dat
+ 2005-12-07 01:31:00 202,752 -c--a-r C:\WINDOWS\system32\CddbCdda.dll
- 2007-04-17 05:45:28 92,504 -c--a-w C:\WINDOWS\system32\cdm.dll
+ 2007-04-16 11:45:28 92,504 -c--a-w C:\WINDOWS\system32\cdm.dll
+ 2004-06-04 15:34:36 86,016 -c--a-w C:\WINDOWS\system32\CNMCP6d.exe
+ 2004-06-07 05:00:00 116,736 -c--a-w C:\WINDOWS\system32\CNMLM6d.DLL
+ 2004-06-07 05:00:00 7,680 -c--a-w C:\WINDOWS\system32\CNMVS6d.DLL
+ 2007-09-28 16:05:40 739,840 -c--a-w C:\WINDOWS\system32\DivX.dll
+ 2007-09-28 16:05:40 823,296 -c--a-w C:\WINDOWS\system32\divx_xx07.dll
+ 2007-09-28 16:05:40 823,296 -c--a-w C:\WINDOWS\system32\divx_xx0c.dll
+ 2007-09-28 16:05:40 802,816 -c--a-w C:\WINDOWS\system32\divx_xx11.dll
+ 2007-09-28 16:08:18 156,992 -c--a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
+ 2007-09-28 16:07:54 524,288 -c--a-w C:\WINDOWS\system32\DivXsm.exe
+ 2007-08-07 01:52:58 25,312 -c--a-w C:\WINDOWS\system32\DivXVfWCodec.dll
+ 2007-09-28 16:05:08 12,288 -c--a-w C:\WINDOWS\system32\DivXWMPExtType.dll
- 2007-04-17 05:45:28 92,504 -c--a-w C:\WINDOWS\system32\dllcache\cdm.dll
+ 2007-04-16 11:45:28 92,504 -c--a-w C:\WINDOWS\system32\dllcache\cdm.dll
+ 2004-08-03 12:01:26 25,856 -c--a-w C:\WINDOWS\system32\dllcache\usbprint.sys
- 2007-04-17 05:45:48 549,720 -c--a-w C:\WINDOWS\system32\dllcache\wuapi.dll
+ 2007-04-16 11:45:48 549,720 -c--a-w C:\WINDOWS\system32\dllcache\wuapi.dll
- 2007-04-17 05:45:20 53,080 -c--a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
+ 2007-04-16 11:45:20 53,080 -c--a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
- 2007-04-17 05:45:54 1,710,936 -c--a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
+ 2007-04-16 11:45:54 1,710,936 -c--a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
- 2007-04-17 05:45:42 325,976 -c--a-w C:\WINDOWS\system32\dllcache\wucltui.dll
+ 2007-04-16 11:45:42 325,976 -c--a-w C:\WINDOWS\system32\dllcache\wucltui.dll
- 2007-04-17 05:47:36 33,624 -c--a-w C:\WINDOWS\system32\dllcache\wups.dll
+ 2007-04-16 11:47:36 33,624 -c--a-w C:\WINDOWS\system32\dllcache\wups.dll
- 2007-04-17 05:43:44 203,096 -c--a-w C:\WINDOWS\system32\dllcache\wuweb.dll
+ 2007-04-16 11:45:36 203,096 -c--a-w C:\WINDOWS\system32\dllcache\wuweb.dll
+ 2007-09-28 16:05:50 81,920 -c--a-w C:\WINDOWS\system32\dpl100.dll
+ 2007-09-28 16:05:42 294,912 -c--a-w C:\WINDOWS\system32\dpu10.dll
+ 2007-09-28 16:05:42 294,912 -c--a-w C:\WINDOWS\system32\dpu11.dll
+ 2007-09-28 16:05:44 53,248 -c--a-w C:\WINDOWS\system32\dpuGUI10.dll
+ 2007-09-28 16:05:42 593,920 -c--a-w C:\WINDOWS\system32\dpuGUI11.dll
+ 2007-09-28 16:05:42 344,064 -c--a-w C:\WINDOWS\system32\dpus11.dll
+ 2007-09-28 16:05:42 57,344 -c--a-w C:\WINDOWS\system32\dpv11.dll
- 2005-10-26 20:12:50 20,640 -c--a-w C:\WINDOWS\system32\drivers\pxhelp20.sys
+ 2007-09-28 16:07:50 43,528 -c----w C:\WINDOWS\system32\drivers\pxhelp20.sys
- 2004-08-04 12:00:00 27,440 -c--a-w C:\WINDOWS\system32\drivers\secdrv.sys
+ 2003-09-09 04:30:32 11,376 -c--a-r C:\WINDOWS\system32\drivers\secdrv.sys
+ 2007-03-20 00:45:50 479,232 -c--a-w C:\WINDOWS\system32\drivers\UMDF\PCCSWpdDriver.dll
+ 2004-08-03 12:01:26 25,856 -c--a-w C:\WINDOWS\system32\drivers\usbprint.sys
- 2006-09-28 07:55:50 77,568 -c----w C:\WINDOWS\system32\drivers\WudfPf.sys
+ 2006-09-15 11:29:52 76,544 -c----w C:\WINDOWS\system32\drivers\WudfPf.sys
- 2006-09-28 08:00:34 82,944 -c----w C:\WINDOWS\system32\drivers\WudfRd.sys
+ 2006-09-15 11:30:10 82,688 -c----w C:\WINDOWS\system32\drivers\WudfRd.sys
+ 2007-02-22 00:15:56 137,216 -c--a-w C:\WINDOWS\system32\DRVSTORE\nmwcd_F3FA2468AF360A65811B287DD7A88CB715CF7275\nmwcd.sys
+ 2007-02-22 00:15:12 90,624 -c--a-w C:\WINDOWS\system32\DRVSTORE\nmwcd_F3FA2468AF360A65811B287DD7A88CB715CF7275\nmwcdcls.dll
+ 2007-02-22 00:15:12 65,536 -c--a-w C:\WINDOWS\system32\DRVSTORE\nmwcd_F3FA2468AF360A65811B287DD7A88CB715CF7275\nmwcdcocls.dll
+ 2007-02-22 00:15:14 8,320 -c--a-w C:\WINDOWS\system32\DRVSTORE\nmwcdc_F3FA2468AF360A65811B287DD7A88CB715CF7275\nmwcdc.sys
+ 2007-02-22 00:15:14 12,288 -c--a-w C:\WINDOWS\system32\DRVSTORE\nmwcdcj_F3FA2468AF360A65811B287DD7A88CB715CF7275\nmwcdcj.sys
+ 2007-02-22 00:15:14 12,288 -c--a-w C:\WINDOWS\system32\DRVSTORE\nmwcdm2k_F3FA2468AF360A65811B287DD7A88CB715CF7275\nmwcdcm.sys
+ 2007-03-20 00:45:50 479,232 -c--a-w C:\WINDOWS\system32\DRVSTORE\pccswpddri_039E7E24575DBAE6A389611AF28F4EB97729D33E\PCCSWpdDriver.dll
+ 2007-03-20 00:37:46 831,048 -c--a-w C:\WINDOWS\system32\DRVSTORE\pccswpddri_039E7E24575DBAE6A389611AF28F4EB97729D33E\WudfUpdate_01005.dll
+ 2007-09-28 16:05:50 196,608 -c--a-w C:\WINDOWS\system32\dtu100.dll
- 2007-11-10 22:23:46 5,427 -c--a-w C:\WINDOWS\system32\EGATHDRV.SYS
+ 2007-12-19 19:18:58 5,427 -c--a-w C:\WINDOWS\system32\EGATHDRV.SYS
- 2007-11-08 05:40:28 117,360 -c--a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2007-12-03 12:58:21 1,429,080 -c--a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2005-05-24 01:27:16 213,048 -c--a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 04:47:20 94,208 -c--a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 04:49:54 950,272 -c--a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2007-09-28 16:07:44 1,044,480 -c--a-w C:\WINDOWS\system32\libdivx.dll
+ 2007-08-07 01:52:02 66,272 -c--a-w C:\WINDOWS\system32\libfaac.dll
- 2004-02-23 07:00:00 1,386,496 -c--a-w C:\WINDOWS\system32\msvbvm60.dll
+ 2004-02-23 09:42:40 1,386,496 -c--a-w C:\WINDOWS\system32\MSVBVM60.DLL
+ 2007-08-07 01:52:14 443,104 -c--a-w C:\WINDOWS\system32\OpenQuicktimeLib.dll
- 2007-11-08 22:18:04 71,302 -c--a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-12-03 13:15:38 71,302 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-11-08 22:18:04 439,598 -c--a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-12-03 13:15:38 439,598 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2006-12-01 05:31:53 4,204 -c--a-w C:\WINDOWS\system32\pk.bin
+ 2007-06-08 03:46:44 86,070 -c--a-w C:\WINDOWS\system32\pthreadVC2.dll
- 2005-08-12 21:27:22 405,504 -c--a-w C:\WINDOWS\system32\Px.dll
+ 2007-09-28 16:07:48 551,672 -c----w C:\WINDOWS\system32\Px.dll
- 2006-08-18 08:09:26 56,832 -c--a-w C:\WINDOWS\system32\pxcpya64.exe
+ 2007-09-28 16:07:48 66,296 -c----w C:\WINDOWS\system32\pxcpya64.exe
- 2006-08-18 08:09:26 108,544 -c--a-w C:\WINDOWS\system32\pxcpyi64.exe
+ 2007-09-28 16:07:48 120,056 -c----w C:\WINDOWS\system32\pxcpyi64.exe
- 2005-09-01 08:01:00 434,176 -c--a-w C:\WINDOWS\system32\pxdrv.dll
+ 2007-09-28 16:07:48 518,904 -c----w C:\WINDOWS\system32\pxdrv.dll
- 2006-08-18 08:09:26 57,344 -c--a-w C:\WINDOWS\system32\pxhpinst.exe
+ 2007-09-28 16:07:50 72,440 -c----w C:\WINDOWS\system32\pxhpinst.exe
- 2006-08-18 08:09:26 56,320 -c--a-w C:\WINDOWS\system32\pxinsa64.exe
+ 2007-09-28 16:07:48 64,760 -c----w C:\WINDOWS\system32\pxinsa64.exe
- 2006-08-18 08:09:26 109,056 -c--a-w C:\WINDOWS\system32\pxinsi64.exe
+ 2007-09-28 16:07:48 118,520 -c----w C:\WINDOWS\system32\pxinsi64.exe
- 2005-08-12 21:26:20 172,032 -c--a-w C:\WINDOWS\system32\PxMas.dll
+ 2007-09-28 16:07:50 187,128 -c----w C:\WINDOWS\system32\PxMas.dll
- 2005-08-12 21:30:48 1,196,032 -c--a-w C:\WINDOWS\system32\PxSFS.DLL
+ 2007-09-28 16:07:50 1,628,920 -c----w C:\WINDOWS\system32\PxSFS.DLL
- 2005-08-12 21:25:50 339,968 -c--a-w C:\WINDOWS\system32\PxWave.dll
+ 2007-09-28 16:07:50 379,640 -c----w C:\WINDOWS\system32\PxWave.dll
+ 2007-09-28 16:07:52 3,596,288 -c--a-w C:\WINDOWS\system32\qt-dx331.dll
- 2007-11-16 07:17:31 95,128 -c--a-w C:\WINDOWS\system32\Restore\rstrlog.dat
+ 2007-12-02 23:10:13 31,984 -c--a-w C:\WINDOWS\system32\Restore\rstrlog.dat
+ 2007-08-07 01:52:50 25,312 -c--a-w C:\WINDOWS\system32\SamsungVfWCodec.dll
+ 2006-12-01 05:19:49 24,576 -c--a-w C:\WINDOWS\system32\scvhosthk.dll
+ 2006-12-01 05:19:49 40,960 -c--a-w C:\WINDOWS\system32\scvhostwb.dll
- 2007-04-17 05:47:36 33,624 -c--a-w C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.0.6000.374\wups.dll
+ 2007-04-16 11:47:36 33,624 -c--a-w C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.0.6000.374\wups.dll
+ 2007-04-16 11:45:20 43,352 -c--a-w C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.0.6000.374\wups2.dll
- 2006-09-25 06:58:48 14,640 -c--a-w C:\WINDOWS\system32\spmsg.dll
+ 2006-09-15 16:02:34 14,640 -c----w C:\WINDOWS\system32\spmsg.dll
+ 2004-06-07 05:00:00 68,608 -c--a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMCP6d.DLL
+ 2004-06-07 05:00:00 153,600 -c--a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMD56d.DLL
+ 2004-06-07 05:00:00 397,824 -c--a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMDR6d.DLL
+ 2004-06-07 05:00:00 19,456 -c--a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMFU6d.DLL
+ 2004-06-07 05:10:00 22,528 -c--a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMOP6d.DLL
+ 2004-06-07 05:00:00 23,280 -c--a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMP06d.DAT
+ 2004-06-07 05:00:00 27,140 -c--a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMP16d.DAT
+ 2004-06-07 05:00:00 30,320 -c--a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMP26d.DAT
+ 2004-06-07 05:00:00 6,656 -c--a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMPI6d.DLL
+ 2004-06-07 05:00:00 80,896 -c--a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMPV6d.EXE
+ 2004-06-07 05:00:00 850,944 -c--a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMSB6d.DLL
+ 2004-06-07 05:00:00 8,704 -c--a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMSD6d.EXE
+ 2004-06-07 05:00:00 130,048 -c--a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMSM6d.EXE
+ 2004-06-07 05:00:00 6,656 -c--a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMSQ6d.EXE
+ 2004-06-07 05:00:00 110,592 -c--a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMSR6d.DLL
+ 2004-06-07 05:00:00 322,048 -c--a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMUB6d.DLL
+ 2004-06-07 05:00:00 1,571,840 -c--a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMUI6d.DLL
+ 2004-06-07 05:00:00 219,648 -c--a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMUR6d.DLL
+ 2004-06-07 05:00:00 6,656 -c--a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMW36d.DLL
+ 2007-01-10 12:05:15 94,274 -c--a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBHEALR.DLL
+ 2007-01-10 12:05:15 40,960 -c--a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBMMON.DLL
+ 2007-01-10 12:05:16 659,528 -c--a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPCDMC32.DLL
+ 2007-01-10 12:05:17 58,368 -c--a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPDOMON.DLL
+ 2007-01-10 12:05:22 1,202,688 -c--a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZ3A041.DLL
+ 2007-01-10 12:05:22 1,117,696 -c--a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZ6R041.DLL
+ 2007-01-10 12:05:22 570,368 -c--a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZEV041.DLL
+ 2007-01-10 12:05:22 61,952 -c--a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZPP041.DLL
+ 2007-01-10 12:05:22 433,664 -c--a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZSS041.DLL
+ 2007-01-10 12:05:22 2,337,280 -c--a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZST041.DLL
+ 2007-01-10 12:05:22 1,907,200 -c--a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZUI041.DLL
+ 2007-02-16 17:45:44 169,984 -c--a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\PCLXL.DLL
+ 2004-06-07 05:00:00 68,608 -c--a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip500008f7\CNMCP6d.DLL
+ 2004-06-07 05:00:00 153,600 -c--a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip500008f7\CNMD56d.DLL
+ 2004-06-07 05:00:00 397,824 -c--a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip500008f7\CNMDR6d.DLL
+ 2004-06-07 05:00:00 19,456 -c--a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip500008f7\CNMFU6d.DLL
+ 2004-06-07 05:10:00 22,528 -c--a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip500008f7\CNMOP6d.DLL
+ 2004-06-07 05:00:00 23,280 -c--a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip500008f7\CNMP06d.DAT
+ 2004-06-07 05:00:00 27,140 -c--a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip500008f7\CNMP16d.DAT
+ 2004-06-07 05:00:00 30,320 -c--a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip500008f7\CNMP26d.DAT
+ 2004-06-07 05:00:00 6,656 -c--a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip500008f7\CNMPI6d.DLL
+ 2004-06-07 05:00:00 80,896 -c--a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip500008f7\CNMPV6d.EXE
+ 2004-06-07 05:00:00 850,944 -c--a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip500008f7\CNMSB6d.DLL
+ 2004-06-07 05:00:00 8,704 -c--a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip500008f7\CNMSD6d.EXE
+ 2004-06-07 05:00:00 130,048 -c--a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip500008f7\CNMSM6d.EXE
+ 2004-06-07 05:00:00 6,656 -c--a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip500008f7\CNMSQ6d.EXE
+ 2004-06-07 05:00:00 110,592 -c--a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip500008f7\CNMSR6d.DLL
+ 2004-06-07 05:00:00 322,048 -c--a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip500008f7\CNMUB6d.DLL
+ 2004-06-07 05:00:00 1,571,840 -c--a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip500008f7\CNMUI6d.DLL
+ 2004-06-07 05:00:00 219,648 -c--a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip500008f7\CNMUR6d.DLL
+ 2004-06-07 05:00:00 6,656 -c--a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip500008f7\CNMW36d.DLL
+ 2004-06-07 05:00:00 17,920 -c--a-w C:\WINDOWS\system32\spool\prtprocs\w32x86\CNMPD6d.DLL
+ 2004-06-07 05:00:00 54,272 -c--a-w C:\WINDOWS\system32\spool\prtprocs\w32x86\CNMPP6d.DLL
+ 2007-09-28 16:07:44 200,704 -c--a-w C:\WINDOWS\system32\ssldivx.dll
+ 2007-03-21 09:54:16 77,312 -c--a-w C:\WINDOWS\system32\TWAIN_32.DLL
+ 2007-03-21 09:54:16 48,560 -c--a-w C:\WINDOWS\system32\TWUNK_16.EXE
+ 2007-03-21 09:54:16 69,632 -c--a-w C:\WINDOWS\system32\TWUNK_32.EXE
- 2005-08-12 08:00:00 28,672 -c--a-w C:\WINDOWS\system32\VXBLOCK.dll
+ 2007-09-28 16:07:48 88,824 -c----w C:\WINDOWS\system32\VXBLOCK.dll
+ 2006-01-18 06:22:42 807,032 -c--a-w C:\WINDOWS\system32\wmv9dmod.dll
- 2007-04-17 05:45:48 549,720 -c--a-w C:\WINDOWS\system32\wuapi.dll
+ 2007-04-16 11:45:48 549,720 -c--a-w C:\WINDOWS\system32\wuapi.dll
- 2007-04-17 05:45:20 53,080 -c--a-w C:\WINDOWS\system32\wuauclt.exe
+ 2007-04-16 11:45:20 53,080 -c--a-w C:\WINDOWS\system32\wuauclt.exe
- 2007-04-17 05:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
+ 2007-04-16 11:45:54 1,710,936 -c--a-w C:\WINDOWS\system32\wuaueng.dll
- 2007-04-17 05:45:42 325,976 -c--a-w C:\WINDOWS\system32\wucltui.dll
+ 2007-04-16 11:45:42 325,976 -c--a-w C:\WINDOWS\system32\wucltui.dll
- 2006-09-28 09:13:26 95,344 -c--a-w C:\WINDOWS\system32\WUDFCoinstaller.dll
+ 2006-09-15 12:30:16 87,040 -c--a-w C:\WINDOWS\system32\WUDFCoinstaller.dll
- 2006-09-28 07:56:38 146,432 -c--a-w C:\WINDOWS\system32\WudfHost.exe
+ 2006-09-15 12:30:06 142,848 -c--a-w C:\WINDOWS\system32\WudfHost.exe
- 2006-09-28 07:56:16 165,376 -c--a-w C:\WINDOWS\system32\WudfPlatform.dll
+ 2006-09-15 11:29:54 163,840 -c--a-w C:\WINDOWS\system32\WudfPlatform.dll
- 2006-09-28 07:56:14 55,808 -c--a-w C:\WINDOWS\system32\WudfSvc.dll
+ 2006-09-15 12:30:16 55,296 -c--a-w C:\WINDOWS\system32\WudfSvc.dll
+ 2007-03-20 00:37:46 831,048 -c--a-w C:\WINDOWS\system32\WudfUpdate_01005.dll
- 2006-09-28 07:56:38 316,416 -c--a-w C:\WINDOWS\system32\WUDFx.dll
+ 2006-09-15 12:30:16 308,224 -c--a-w C:\WINDOWS\system32\WUDFx.dll
- 2007-04-17 05:47:36 33,624 -c--a-w C:\WINDOWS\system32\wups.dll
+ 2007-04-16 11:47:36 33,624 -c--a-w C:\WINDOWS\system32\wups.dll
- 2007-04-17 05:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
+ 2007-04-16 11:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
- 2007-04-17 05:43:44 203,096 -c--a-w C:\WINDOWS\system32\wuweb.dll
+ 2007-04-16 11:45:36 203,096 -c--a-w C:\WINDOWS\system32\wuweb.dll
+ 1999-11-18 14:00:00 284,032 -c--a-w C:\WINDOWS\system32\XceedZip.dll
+ 2004-09-04 21:58:04 679,936 -c--a-w C:\WINDOWS\system32\xvidcore.dll
+ 2004-09-04 21:59:50 155,648 -c--a-w C:\WINDOWS\system32\xvidvfw.dll
+ 2003-03-25 07:53:50 11,776 -c--a-w C:\WINDOWS\system32\ZPORT4AS.dll
+ 2007-12-04 11:32:07 16,384 -c--atw C:\WINDOWS\Temp\Perflib_Perfdata_348.dat
+ 2007-12-02 02:53:24 417,792 -c--a-w C:\WINDOWS\uninstall\Satellite TV for PC Elite\setup.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 23:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-09 17:36]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-11-02 17:24]
"DSS"="C:\WINDOWS\NetMSConfig.exe" [2007-05-27 17:09]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 23:00]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 19:29]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 15:58]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2007-07-24 08:18:49]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2007-07-24 08:18:47]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-08-18 18:50:44]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"="lsass.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
notifyf2.dll 2005-07-06 17:45 28672 C:\WINDOWS\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
tphklock.dll 2005-12-01 14:16 24576 C:\WINDOWS\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll 2007-12-01 16:20 229376 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Extension-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Extension-List\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPLink-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPLink-List\1]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPLink-List\2]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPLink-List\3]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPLink-List\4]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPLink-List\5]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPO-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPO-List\1]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPO-List\2]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPO-List\3]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPO-List\4]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPO-List\5]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1292428093-1757981266-682003330-35769]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1292428093-1757981266-682003330-35769\Extension-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1292428093-1757981266-682003330-35769\Extension-List\{00000000-0000-0000-0000-000000000000}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1292428093-1757981266-682003330-35769\Extension-List\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1292428093-1757981266-682003330-35769\GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1292428093-1757981266-682003330-35769\GPLink-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1292428093-1757981266-682003330-35769\GPLink-List\1]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1292428093-1757981266-682003330-35769\GPLink-List\2]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1292428093-1757981266-682003330-35769\GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1292428093-1757981266-682003330-35769\GPO-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1292428093-1757981266-682003330-35769\GPO-List\1]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1292428093-1757981266-682003330-35769\GPO-List\2]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1292428093-1757981266-682003330-35769\Loopback-GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1292428093-1757981266-682003330-35769\Loopback-GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1292428093-1757981266-682003330-35769\Scripts]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1292428093-1757981266-682003330-35769\Scripts\Logoff]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1292428093-1757981266-682003330-35769\Scripts\Logon]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1292428093-1757981266-682003330-35769\Scripts\Logon\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1292428093-1757981266-682003330-35769\Scripts\Logon\0\0]
"Script"=stdlogon.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-23451335-341113855-1709847394-500]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-23451335-341113855-1709847394-500\Extension-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-23451335-341113855-1709847394-500\Extension-List\{00000000-0000-0000-0000-000000000000}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-23451335-341113855-1709847394-500\Extension-List\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-23451335-341113855-1709847394-500\GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-23451335-341113855-1709847394-500\GPLink-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-23451335-341113855-1709847394-500\GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-23451335-341113855-1709847394-500\GPO-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-23451335-341113855-1709847394-500\Loopback-GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-23451335-341113855-1709847394-500\Loopback-GPO-List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2005-06-06 23:46 57344 --a--c--- C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup

R0 Shockprf;Shockprf;C:\WINDOWS\system32\drivers\Shockprf.sys
R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS
R1 IBMTPCHK;IBMTPCHK;\??\C:\WINDOWS\system32\Drivers\IBMBLDID.sys
R1 ShockMgr;ShockMgr;C:\WINDOWS\system32\drivers\ShockMgr.sys
R1 TPPWRIF;TPPWRIF;C:\WINDOWS\system32\drivers\Tppwrif.sys
R2 HopperP;WiFi Hopper;C:\WINDOWS\system32\DRIVERS\hopperp.sys
R2 ibmfilter;ibmfilter;\??\C:\WINDOWS\system32\drivers\ibmfilter.sys
R2 PrivateDisk;PrivateDisk;\??\C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\PrivateDiskM.sys
R2 smi2;smi2;\??\C:\Program Files\SMI2\smi2.sys
R3 AEAudioService;AEAudio Service;C:\WINDOWS\system32\drivers\AEAudio.sys
R3 atmeltpm;atmeltpm;C:\WINDOWS\system32\DRIVERS\atmeltpm.sys
S3 EraserUtilDrv10733;EraserUtilDrv10733;\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10733.sys
S3 EraserUtilDrvI4;EraserUtilDrvI4;\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI4.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\setup.exe /autorun
\Shell\directx\command - G:\DirectX\dxsetup.exe
\Shell\setup\command - G:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-12-01 01:06:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-04 11:33:59 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-11-19 05:59:01 C:\WINDOWS\Tasks\PMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-04 22:34:21
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-04 22:36:03 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-18 08:58
C:\ComboFix3.txt ... 2007-11-16 21:55
.
--- E O F ---


Logfile of HijackThis v1.99.1
Scan saved at 22:56, on 2007-12-04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.balwynhs....u/home/home.bhs
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.balwynhs.vic.edu.au:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.balwynhs.vic.edu.au;172.*;*.education.vic.gov.au;*.sofweb.vic.edu.au;*.vass.vic.edu.au;*.eduweb.vic.gov.au;*.edudev.vic.gov.au;*.edumail.vic.gov.au;*.otte.vic.gov.au;*.icon.edu.vic.gov.au;*.ultranet.vic.edu.au;*.vcaa.vic.edu.au;<local>;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [DSS] C:\WINDOWS\NetMSConfig.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplane...C_2.3.6.108.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1185221205500
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = balwynhs.vic.edu.au
O17 - HKLM\Software\..\Telephony: DomainName = balwynhs.vic.edu.au
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: tpfnf2 - C:\WINDOWS\SYSTEM32\notifyf2.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O20 - Winlogon Notify: WBSrv - C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe (file missing)
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe (file missing)
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
O23 - Service: TVT Backup Service - Unknown owner - C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Unknown owner - C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe (file missing)

#14 __RiP_ChAiN_

    GeekU Teacher

  • Authentic Member
  • 142 posts

Posted 04 December 2007 - 11:43 PM

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\kopmet.dll
C:\WINDOWS\jetctrl.dll
C:\WINDOWS\nretcip.exe
C:\WINDOWS\NetMSConfig.exe



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.


#15 lin0056

    Authentic Member

  • Authentic Member
  • 115 posts

Posted 05 December 2007 - 12:08 AM

My combofix log:

ComboFix 07-12-02.7 - LIN0056 2007-12-05 16:50:09.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.139 [GMT 11:00]
Running from: C:\Documents and Settings\lin0056\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\lin0056\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\jetctrl.dll
C:\WINDOWS\kopmet.dll
C:\WINDOWS\NetMSConfig.exe
C:\WINDOWS\nretcip.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\jetctrl.dll
C:\WINDOWS\kopmet.dll
C:\WINDOWS\NetMSConfig.exe
C:\WINDOWS\nretcip.exe

.
((((((((((((((((((((((((( Files Created from 2007-11-05 to 2007-12-05 )))))))))))))))))))))))))))))))
.

2007-12-04 19:54 . 2007-12-04 19:54 17,542 ---h-c--- C:\DriveIcon.ico
2007-12-04 19:50 . 2007-12-04 23:14 <DIR> d----c--- C:\Program Files\Bee Icons
2007-12-04 16:54 . 2007-12-04 16:55 <DIR> d----c--- C:\Program Files\AnyReader
2007-12-04 09:20 . 2007-12-04 09:20 <DIR> d----c--- C:\Program Files\VideoLAN
2007-12-04 09:15 . 2007-12-04 09:15 <DIR> d----c--- C:\Program Files\XviD
2007-12-04 09:08 . 2007-12-04 09:08 <DIR> d----c--- C:\Program Files\DScaler5
2007-12-04 08:58 . 2007-12-04 08:58 <DIR> d----c--- C:\Program Files\3ivx
2007-12-04 08:50 . 2007-12-04 15:38 <DIR> d----c--- C:\Documents and Settings\lin0056\Application Data\DivX
2007-12-04 08:48 . 2007-09-29 03:07 129,784 -----c--- C:\WINDOWS\system32\pxafs.dll
2007-12-04 08:48 . 2007-09-29 03:07 9,464 -----c--- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-12-04 08:48 . 2007-09-29 03:07 9,336 -----c--- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-12-04 08:34 . 2007-12-04 08:48 <DIR> d----c--- C:\Program Files\DivX
2007-12-04 08:31 . 2007-12-04 08:31 <DIR> d----c--- C:\Documents and Settings\lin0056\Application Data\Nokia Multimedia Player
2007-12-04 08:30 . 2007-12-04 08:31 54,156 --ah-c--- C:\WINDOWS\QTFont.qfn
2007-12-04 08:30 . 2007-12-04 08:31 1,409 --a--c--- C:\WINDOWS\QTFont.for
2007-12-04 00:36 . 2007-12-04 00:36 <DIR> d----c--- C:\Program Files\ElcomSoft
2007-12-04 00:17 . 2007-12-04 00:17 <DIR> d----c--- C:\Documents and Settings\lin0056\Application Data\Leadertech
2007-12-03 23:25 . 2007-12-03 23:25 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Nokia
2007-12-03 23:23 . 2007-02-22 11:15 137,216 --a--c--- C:\WINDOWS\system32\drivers\nmwcd.sys
2007-12-03 23:23 . 2007-02-22 11:15 65,536 --a--c--- C:\WINDOWS\system32\nmwcdcocls.dll
2007-12-03 22:36 . 2007-12-03 22:38 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\PC Suite
2007-12-03 22:35 . 2007-12-03 22:38 <DIR> d----c--- C:\Documents and Settings\lin0056\Application Data\Nokia
2007-12-03 22:34 . 2007-12-03 22:35 <DIR> d----c--- C:\Program Files\DIFX
2007-12-03 22:34 . 2007-12-03 22:34 <DIR> d----c--- C:\Program Files\Common Files\PCSuite
2007-12-03 22:34 . 2007-12-05 16:25 <DIR> d----c--- C:\Program Files\Common Files\Nokia
2007-12-03 22:34 . 2007-12-03 23:19 <DIR> d----c--- C:\Documents and Settings\lin0056\Application Data\PC Suite
2007-12-03 22:33 . 2007-12-03 22:33 <DIR> d----c--- C:\Program Files\PC Connectivity Solution
2007-12-03 22:33 . 2007-12-03 23:42 <DIR> d----c--- C:\Program Files\Nokia
2007-12-03 22:33 . 2007-02-22 11:15 90,624 --a--c--- C:\WINDOWS\system32\nmwcdcls.dll
2007-12-03 22:24 . 2007-12-03 22:24 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Installations
2007-12-03 22:21 . 2007-12-03 22:21 <DIR> d--hsc--- C:\WINDOWS\ftpcache
2007-12-03 22:02 . 2007-12-03 22:02 <DIR> d----c--- C:\Documents and Settings\lin0056\Application Data\AdobeUM
2007-12-03 22:02 . 2007-12-03 22:02 <DIR> d----c--- C:\Documents and Settings\lin0056\Application Data\AdobeAUM
2007-12-03 18:27 . 2007-12-03 18:56 <DIR> d----c--- C:\Program Files\Download Direct
2007-12-03 17:37 . 2007-12-03 17:37 <DIR> d--h-c--- C:\WINDOWS\system32\GroupPolicy
2007-12-03 17:03 . 2007-12-03 17:04 <DIR> d----c--- C:\Program Files\RichVideoCodec
2007-12-03 11:21 . 2007-12-03 11:21 244 --ah-c--- C:\sqmnoopt00.sqm
2007-12-03 11:21 . 2007-12-03 11:21 232 --ah-c--- C:\sqmdata00.sqm
2007-12-03 06:04 . 2007-12-03 06:05 <DIR> d----c--- C:\Program Files\Date Cracker 2000
2007-12-03 06:04 . 2007-12-03 06:04 73,216 --a--c--- C:\WINDOWS\temp.000
2007-12-02 22:53 . 2007-12-02 22:53 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-12-02 13:54 . 2007-12-02 14:15 <DIR> d----c--- C:\Program Files\TVAnts
2007-12-02 13:53 . 2007-12-02 13:53 <DIR> d----c--- C:\WINDOWS\uninstall\Satellite TV for PC Elite
2007-12-02 13:53 . 2007-12-02 13:53 <DIR> d----c--- C:\WINDOWS\uninstall
2007-12-02 13:53 . 2007-12-02 13:53 <DIR> d----c--- C:\Program Files\SatelliteTVforPC
2007-12-02 13:11 . 2007-12-02 13:11 <DIR> d----c--- C:\Documents and Settings\lin0056\Application Data\TVU Networks
2007-12-02 10:56 . 2007-12-02 10:56 <DIR> d----c--- C:\Program Files\smr-usenet
2007-12-02 10:56 . 2001-03-29 01:38 69,632 --a--c--- C:\WINDOWS\system32\GkSui18.EXE
2007-12-02 09:45 . 2007-12-02 09:45 <DIR> d----c--- C:\Documents and Settings\lin0056\Application Data\ZipZag
2007-12-02 09:44 . 2007-12-02 09:46 <DIR> d----c--- C:\Program Files\ZipZag
2007-12-01 20:20 . 2007-12-04 09:23 <DIR> d----c--- C:\Documents and Settings\lin0056\Application Data\vlc
2007-12-01 20:17 . 2007-12-02 13:12 <DIR> d----c--- C:\Program Files\TVU Player
2007-12-01 16:35 . 2007-12-01 16:43 <DIR> d----c--- C:\WINDOWS\system32\dt
2007-12-01 16:29 . 2007-12-01 16:29 0 --a--c--- C:\WINDOWS\WB.ini
2007-12-01 15:48 . 2007-12-01 15:48 <DIR> d----c--- C:\WINDOWS\{hopper}
2007-12-01 15:48 . 2007-12-03 10:01 <DIR> d----c--- C:\Program Files\WiFi Hopper
2007-12-01 15:48 . 2006-05-31 02:36 21,376 --a--c--- C:\WINDOWS\system32\drivers\hopperp.sys
2007-12-01 15:14 . 2007-12-01 15:14 103 --a--c--- C:\WINDOWS\system32\msrcom.dat
2007-12-01 12:31 . 2001-06-11 22:15 115,016 --a--c--- C:\WINDOWS\system32\Msinet.ocx
2007-12-01 09:44 . 2007-12-01 09:44 <DIR> d----c--- C:\Program Files\Download Manager
2007-12-01 09:43 . 2007-12-01 11:23 <DIR> d----c--- C:\Documents and Settings\lin0056\Application Data\IGN_DLM
2007-12-01 00:43 . 2007-12-01 00:43 479,298 --a--c--- C:\WINDOWS\system32\wbocx.ocx
2007-12-01 00:43 . 2007-12-01 00:43 172,032 --a--c--- C:\WINDOWS\system32\AniGIF.ocx
2007-12-01 00:43 . 2007-12-01 00:43 50,688 --a--c--- C:\WINDOWS\system32\wbhelp2.dll
2007-11-30 21:37 . 2007-11-30 21:37 <DIR> d----c--- C:\Program Files\GameSpot
2007-11-30 20:17 . 2007-11-30 20:17 <DIR> d----c--- C:\Program Files\Uconomix
2007-11-30 17:00 . 2007-11-30 17:18 <DIR> d----c--- C:\Program Files\Spyware Doctor
2007-11-30 17:00 . 2007-11-30 17:00 <DIR> d----c--- C:\Documents and Settings\lin0056\Application Data\PC Tools
2007-11-30 17:00 . 2007-10-18 00:16 79,688 --a--c--- C:\WINDOWS\system32\drivers\iksyssec.sys
2007-11-30 17:00 . 2007-10-18 00:15 62,280 --a--c--- C:\WINDOWS\system32\drivers\iksysflt.sys
2007-11-30 17:00 . 2007-10-18 00:14 41,288 --a--c--- C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-11-30 17:00 . 2007-10-18 00:16 29,000 --a--c--- C:\WINDOWS\system32\drivers\kcom.sys
2007-11-30 16:59 . 2005-09-23 08:29 626,688 --a--c--- C:\WINDOWS\system32\msvcr80.dll
2007-11-30 13:40 . 2007-12-01 15:15 160,564,119 --a--c--- C:\WINDOWS\system32\mfccache.dll
2007-11-29 20:41 . 2007-11-29 20:58 <DIR> d----c--- C:\Program Files\Hide The IP
2007-11-29 20:28 . 2007-12-01 22:40 <DIR> d----c--- C:\Documents and Settings\lin0056\Application Data\LimeWire
2007-11-29 20:27 . 2007-11-29 20:27 <DIR> d----c--- C:\Program Files\LimeWire
2007-11-29 18:52 . 2007-11-29 18:55 <DIR> d----c--- C:\Documents and Settings\lin0056\Application Data\XP Visual Tools
2007-11-29 18:50 . 2007-12-03 16:56 <DIR> d-a--c--- C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-29 12:49 . 2007-11-29 18:58 <DIR> d----c--- C:\Program Files\Common Files\Stardock
2007-11-29 11:52 . 2007-12-04 23:15 <DIR> d----c--- C:\Program Files\Stardock
2007-11-29 11:52 . 2007-07-11 15:06 42,672 --a--c--- C:\WINDOWS\system32\wbsys.dll
2007-11-29 11:52 . 2005-01-22 18:05 20,480 --a--c--- C:\WINDOWS\system32\wbload.dll
2007-11-29 08:57 . 2007-11-29 09:15 <DIR> d----c--- C:\Program Files\GameSpy Arcade
2007-11-28 15:16 . 2007-11-28 15:16 <DIR> d----c--- C:\WINDOWS\.jagex_cache_32
2007-11-24 19:16 . 2007-11-25 11:39 <DIR> d----c--- C:\Program Files\Halo Server
2007-11-24 16:41 . 2007-11-24 16:41 <DIR> d----c--- C:\Documents and Settings\LocalService\Application Data\Xfire
2007-11-24 09:34 . 2007-11-24 09:34 54 --a--c--- C:\WINDOWS\Composer.INI
2007-11-24 09:33 . 2007-11-28 20:54 <DIR> d----c--- C:\Program Files\Notation
2007-11-24 08:21 . 2007-11-24 08:21 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Musicnotes
2007-11-21 17:03 . 2007-11-22 17:22 <DIR> d----c--- C:\WINDOWS\system32\ActiveScan
2007-11-21 17:03 . 2007-11-22 16:22 30,590 --a--c--- C:\WINDOWS\system32\pavas.ico
2007-11-21 17:03 . 2007-11-22 16:22 2,550 --a--c--- C:\WINDOWS\system32\Uninstall.ico
2007-11-21 17:03 . 2007-11-22 16:22 1,406 --a--c--- C:\WINDOWS\system32\Help.ico
2007-11-20 22:24 . 2007-11-20 22:24 552 --a--c--- C:\WINDOWS\system32\d3d8caps.dat
2007-11-20 17:25 . 2007-11-20 17:25 <DIR> d----c--- C:\Program Files\CEDP Stealer 6.0 for Messenger
2007-11-20 11:40 . 2007-11-20 11:40 <DIR> d----c--- C:\Documents and Settings\lin0056\Application Data\InterVideo
2007-11-19 21:39 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\drivers\usbprint.sys
2007-11-19 21:39 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2007-11-19 21:37 . 2004-06-07 16:00 116,736 --a--c--- C:\WINDOWS\system32\CNMLM6d.DLL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-19 19:18 5,427 -c--a-w C:\WINDOWS\system32\EGATHDRV.SYS
2007-12-05 06:01 --------- dc----w C:\Program Files\Symantec AntiVirus
2007-12-04 12:14 19 -c-h--w C:\Program Files\desktop.ini
2007-12-03 14:28 --------- dc----w C:\Program Files\Common Files\Adobe
2007-12-02 19:04 249,856 -c----w C:\WINDOWS\Setup1.exe
2007-11-30 10:37 5,588 -c--a-w C:\Program Files\install.log
2007-11-22 06:14 --------- dc----w C:\Program Files\Windows Defender
2007-11-22 06:04 --------- dc----w C:\Program Files\Google
2007-11-22 06:04 --------- dc----w C:\Program Files\Digital Line Detect
2007-11-22 06:00 --------- dc----w C:\Program Files\Common Files\Symantec Shared
2007-11-09 11:58 --------- dc-h--w C:\Program Files\InstallShield Installation Information
2007-11-08 01:18 --------- dc----w C:\Program Files\Windows Media Connect
2007-11-08 01:13 --------- dc----w C:\Program Files\Microsoft Works
2007-11-07 05:09 --------- dc----w C:\Program Files\Picasa2
2007-10-21 16:39 267,272 -c--a-w C:\WINDOWS\system32\xactengine2_10.dll
2007-10-21 16:37 17,928 -c--a-w C:\WINDOWS\system32\X3DAudio1_2.dll
2007-10-18 00:31 51,224 -c--a-w C:\WINDOWS\system32\sirenacm.dll
2007-10-12 12:19 13,653,824 -c--a-w C:\WINDOWS\system32\xlivefnt.dll
2007-10-12 12:19 10,155,840 -c--a-w C:\WINDOWS\system32\xlive.dll
2007-10-12 04:14 3,734,536 -c--a-w C:\WINDOWS\system32\d3dx9_36.dll
2007-10-12 04:14 1,374,232 -c--a-w C:\WINDOWS\system32\D3DCompiler_36.dll
2007-10-01 22:56 444,776 -c--a-w C:\WINDOWS\system32\d3dx10_36.dll
2007-09-28 16:08 156,992 -c--a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-09-28 16:07 524,288 -c--a-w C:\WINDOWS\system32\DivXsm.exe
2007-09-28 16:07 3,596,288 -c--a-w C:\WINDOWS\system32\qt-dx331.dll
2007-09-28 16:07 200,704 -c--a-w C:\WINDOWS\system32\ssldivx.dll
2007-09-28 16:07 120,056 -c----w C:\WINDOWS\system32\pxcpyi64.exe
2007-09-28 16:07 118,520 -c----w C:\WINDOWS\system32\pxinsi64.exe
2007-09-28 16:07 1,044,480 -c--a-w C:\WINDOWS\system32\libdivx.dll
2007-09-28 16:05 823,296 -c--a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-09-28 16:05 823,296 -c--a-w C:\WINDOWS\system32\divx_xx07.dll
2007-09-28 16:05 81,920 -c--a-w C:\WINDOWS\system32\dpl100.dll
2007-09-28 16:05 802,816 -c--a-w C:\WINDOWS\system32\divx_xx11.dll
2007-09-28 16:05 739,840 -c--a-w C:\WINDOWS\system32\DivX.dll
2007-09-28 16:05 593,920 -c--a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-09-28 16:05 57,344 -c--a-w C:\WINDOWS\system32\dpv11.dll
2007-09-28 16:05 53,248 -c--a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-09-28 16:05 344,064 -c--a-w C:\WINDOWS\system32\dpus11.dll
2007-09-28 16:05 294,912 -c--a-w C:\WINDOWS\system32\dpu11.dll
2007-09-28 16:05 294,912 -c--a-w C:\WINDOWS\system32\dpu10.dll
2007-09-28 16:05 196,608 -c--a-w C:\WINDOWS\system32\dtu100.dll
2007-09-28 16:05 12,288 -c--a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2006-05-30 15:36 21,376 -c--a-w C:\WINDOWS\inf\hopperp.sys
2007-07-23 21:37 32,768 -csha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
.

((((((((((((((((((((((((((((( snapshot_2007-12-04_22.35.14.85 )))))))))))))))))))))))))))))))))))))))))
.
- 2006-12-19 21:52:18 8,453,632 -c--a-w C:\WINDOWS\system32\dllcache\shell32.dll
+ 2007-10-26 03:34:01 8,460,288 -c--a-w C:\WINDOWS\system32\dllcache\shell32.dll
- 2006-12-19 21:52:18 8,453,632 ----a-w C:\WINDOWS\system32\shell32.dll
+ 2007-10-26 03:34:01 8,460,288 -c--a-w C:\WINDOWS\system32\shell32.dll
- 2007-06-19 07:24:36 350,720 ----a-w C:\WINDOWS\system32\xpsp3res.dll
+ 2007-10-29 10:04:03 350,720 -c--a-w C:\WINDOWS\system32\xpsp3res.dll
+ 2007-12-05 05:04:10 16,384 -c--atw C:\WINDOWS\Temp\Perflib_Perfdata_5dc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 23:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-09 17:36]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-11-02 17:24]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 23:00]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 19:29]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 15:58]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2007-07-24 08:18:49]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2007-07-24 08:18:47]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-08-18 18:50:44]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"="lsass.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
notifyf2.dll 2005-07-06 17:45 28672 C:\WINDOWS\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
tphklock.dll 2005-12-01 14:16 24576 C:\WINDOWS\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll 2007-12-01 16:20 229376 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Extension-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Extension-List\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPLink-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPLink-List\1]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPLink-List\2]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPLink-List\3]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPLink-List\4]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPLink-List\5]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPO-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPO-List\1]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPO-List\2]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPO-List\3]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPO-List\4]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPO-List\5]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1292428093-1757981266-682003330-35769]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1292428093-1757981266-682003330-35769\Extension-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1292428093-1757981266-682003330-35769\Extension-List\{00000000-0000-0000-0000-000000000000}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1292428093-1757981266-682003330-35769\Extension-List\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1292428093-1757981266-682003330-35769\GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1292428093-1757981266-682003330-35769\GPLink-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1292428093-1757981266-682003330-35769\GPLink-List\1]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1292428093-1757981266-682003330-35769\GPLink-List\2]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1292428093-1757981266-682003330-35769\GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1292428093-1757981266-682003330-35769\GPO-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1292428093-1757981266-682003330-35769\GPO-List\1]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1292428093-1757981266-682003330-35769\GPO-List\2]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1292428093-1757981266-682003330-35769\Loopback-GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1292428093-1757981266-682003330-35769\Loopback-GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1292428093-1757981266-682003330-35769\Scripts]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1292428093-1757981266-682003330-35769\Scripts\Logoff]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1292428093-1757981266-682003330-35769\Scripts\Logon]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1292428093-1757981266-682003330-35769\Scripts\Logon\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1292428093-1757981266-682003330-35769\Scripts\Logon\0\0]
"Script"=stdlogon.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-23451335-341113855-1709847394-500]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-23451335-341113855-1709847394-500\Extension-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-23451335-341113855-1709847394-500\Extension-List\{00000000-0000-0000-0000-000000000000}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-23451335-341113855-1709847394-500\Extension-List\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-23451335-341113855-1709847394-500\GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-23451335-341113855-1709847394-500\GPLink-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-23451335-341113855-1709847394-500\GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-23451335-341113855-1709847394-500\GPO-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-23451335-341113855-1709847394-500\Loopback-GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-23451335-341113855-1709847394-500\Loopback-GPO-List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2005-06-06 23:46 57344 --a--c--- C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2004-08-04 23:00 15360 --a------ C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-11-09 17:36 68856 --a------ C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

R0 Shockprf;Shockprf;C:\WINDOWS\system32\drivers\Shockprf.sys
R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS
R1 IBMTPCHK;IBMTPCHK;\??\C:\WINDOWS\system32\Drivers\IBMBLDID.sys
R1 ShockMgr;ShockMgr;C:\WINDOWS\system32\drivers\ShockMgr.sys
R1 TPPWRIF;TPPWRIF;C:\WINDOWS\system32\drivers\Tppwrif.sys
R2 HopperP;WiFi Hopper;C:\WINDOWS\system32\DRIVERS\hopperp.sys
R2 ibmfilter;ibmfilter;\??\C:\WINDOWS\system32\drivers\ibmfilter.sys
R2 PrivateDisk;PrivateDisk;\??\C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\PrivateDiskM.sys
R2 smi2;smi2;\??\C:\Program Files\SMI2\smi2.sys
R3 AEAudioService;AEAudio Service;C:\WINDOWS\system32\drivers\AEAudio.sys
R3 atmeltpm;atmeltpm;C:\WINDOWS\system32\DRIVERS\atmeltpm.sys
S3 EraserUtilDrv10733;EraserUtilDrv10733;\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10733.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\setup.exe /autorun
\Shell\directx\command - G:\DirectX\dxsetup.exe
\Shell\setup\command - G:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-12-01 01:06:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-05 05:58:08 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-11-19 05:59:01 C:\WINDOWS\Tasks\PMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-05 17:01:11
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-05 17:05:47 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-04 22:36
C:\ComboFix3.txt ... 2007-11-18 08:58
.
--- E O F ---


It's quite long. Here's my HijackThis log:


Logfile of HijackThis v1.99.1
Scan saved at 17:08, on 2007-12-05
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.balwynhs....u/home/home.bhs
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.balwynhs.vic.edu.au:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.balwynhs.vic.edu.au;172.*;*.education.vic.gov.au;*.sofweb.vic.edu.au;*.vass.vic.edu.au;*.eduweb.vic.gov.au;*.edudev.vic.gov.au;*.edumail.vic.gov.au;*.otte.vic.gov.au;*.icon.edu.vic.gov.au;*.ultranet.vic.edu.au;*.vcaa.vic.edu.au;<local>;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplane...C_2.3.6.108.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1185221205500
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = balwynhs.vic.edu.au
O17 - HKLM\Software\..\Telephony: DomainName = balwynhs.vic.edu.au
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: tpfnf2 - C:\WINDOWS\SYSTEM32\notifyf2.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O20 - Winlogon Notify: WBSrv - C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe (file missing)
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe (file missing)
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
O23 - Service: TVT Backup Service - Unknown owner - C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Unknown owner - C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe (file missing)

thanks.
