Malwarebytes

help-trojan.vundo..i think???can't remove bad files

14 replies to this topic

#1
stara

    New Member

  • Members
  • 14 posts
Hello,

I am in serious need of some computer help. I think I have spyware, trojans, or something…I don’t really have any experience with this sort of thing, so I am not sure what’s going on.

I ran Malwarebytes and was able to remove a lot of infected files. However, there seem to be between 5-10 infected files that Malwarebytes can’t seem to remove upon reboot. At one point, I couldn’t even run Malwarebytes but I was able to rename the .exe file and have been running it a lot.

On top of all this, my wireless internet connection is blocked. I have an excellent signal strength with the connection, but can’t actually go online. I can’t even get internet access in safe mode with networking.

In the midst of all this I tried to install CA antivirus. I was able to do a virus scan, and it came up clean with that, but did find spyware. It’s not installed properly, so without an internet connection, it can’t remove them.

I am really frustrated and not sure what to do next. Below are the latest Malwarebytes quick scan log results and HJT log. Any help offered would be greatly appreciated!!!

Thanks.


Malwarebytes' Anti-Malware 1.37
Database version: 2182
Windows 5.1.2600 Service Pack 3

6/13/2009 5:28:32 PM
mbam-log-2009-06-13 (17-28-32).txt

Scan type: Quick Scan
Objects scanned: 89089
Time elapsed: 9 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75cd8906-8271-462c-82ac-f4d101bf2c2a} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rjzbvpks (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{75cd8906-8271-462c-82ac-f4d101bf2c2a} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\lypsqeo.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\gozavhqe.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.

-------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:21:59 PM, on 6/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Common Files\Virtual Token\vtserver.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\1XConfig.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Thomas Lake\Thomas Lake.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wappingersschools.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O2 - BHO: (no name) - {75cd8906-8271-462c-82ac-f4d101bf2c2a} - c:\windows\system32\lypsqeo.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [ControlCenter] "C:\Program Files\IBM fingerprint software\ctlcntr.exe" /startup
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [QCTRAY] C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NAV] "C:\Program Files\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV\2454B0AB\16.0.0.125\InstStub.exe" /RELAUNCH /RUNONCE /MEDIA "D:\SETUP.EXE" /NOPROMPT
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" -NoStart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [] C:\Documents and Settings\Thomas Lake\.exe /i
O4 - HKCU\..\Run: [A00F36A4E7.exe] C:\DOCUME~1\THOMAS~1\LOCALS~1\Temp\_A00F36A4E7.exe
O4 - HKCU\..\Run: [A00F168977.exe] C:\DOCUME~1\THOMAS~1\LOCALS~1\Temp\_A00F168977.exe
O4 - HKCU\..\Run: [A00F1698C3.exe] C:\DOCUME~1\THOMAS~1\LOCALS~1\Temp\_A00F1698C3.exe
O4 - HKCU\..\Run: [A00F1BC70B.exe] C:\DOCUME~1\THOMAS~1\LOCALS~1\Temp\_A00F1BC70B.exe
O4 - HKCU\..\Run: [A00F15B947.exe] C:\DOCUME~1\THOMAS~1\LOCALS~1\Temp\_A00F15B947.exe
O4 - HKCU\..\Run: [Thomas Lake] C:\Documents and Settings\Thomas Lake\Thomas Lake.exe /i
O4 - HKUS\.DEFAULT\..\Run: [] C:\Documents and Settings\Thomas Lake\.exe /i (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [SYS32DLL] SYS32DLL (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\2063829159.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [svc] c:\program Files\ThunMail\testabd.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [SYSDLL] SYSDLL (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [shv] c:\program Files\MicPhone\antit.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O20 - AppInit_DLLs: C:\WINDOWS\system32\gevumabo.dll ,c:\progra~1\ThunMail\testabd.dll,c:\progra~1\MicPhone\antit.dll
O20 - Winlogon Notify: rjzbvpks - C:\WINDOWS\SYSTEM32\lypsqeo.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: bevtservice - Unknown owner - C:\WINDOWS\System32\bEvtService.exe (file missing)
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CaCCProvSP (caccprovsp) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe (caisafe) - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: CA Common Scheduler Service (ccschedulersvc) - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (itmrtsvc) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\services.exe (file missing)
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Unknown owner - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe (file missing)
O23 - Service: VET Message Service (vetmsgnt) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: Protector Suite Virtual Token (vtserver) - UPEK Inc. - C:\Program Files\Common Files\Virtual Token\vtserver.exe

--
End of file - 11882 bytes

#2
sjpritch25

    Forum Deity

  • Experts
  • 1,605 posts
  • Gender:Male
  • Location:West Coast of Florida
Welcome to malwarebytes


Download DDS and save it to your desktop from here or here or here
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
  • DDS.txt
  • Attach.txt
Save both reports to your desktop.
In your next reply, please attach both logs. Thanks

Microsoft Valuable Professional---MVP Consumer Security 2007-2010
Windows 7 Ultimate 64bit
Gigabyte P55A-UD4P Motherboard Intel i5 750 G.SKILL Ripjaws Series 4GB DDR3 1333 1TB WD 32mb cache
60gb OCZ Vertex Turbo SSD (BOOT drive)Noctua NH-U12P SE2 HeatsinkAntec P183 Case

#3
stara

    New Member

  • Members
  • 14 posts
Thank you!!!

Scans follow: (I wasn't sure if you meant to attach them or just paste; please let me know if you want it attached.) Thank you again. I really appreciate this.

stara

DDS.txt

DDS (Ver_09-05-14.01) - NTFSx86
Run by Thomas Lake at 16:15:03.25 on Sun 06/14/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.183 [GMT -4:00]

AV: CA Anti-Virus *On-access scanning enabled* (Outdated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}

============== Running Processes ===============

C:\Program Files\Common Files\Virtual Token\vtserver.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\1XConfig.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Thomas Lake\Desktop\dds.scr
C:\Documents and Settings\Thomas Lake\Thomas Lake.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.wappingersschools.org/
mStart Page =
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
BHO: : {75cd8906-8271-462c-82ac-f4d101bf2c2a} - c:\windows\system32\lypsqeo.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ibmmessages] c:\program files\ibm\messages by ibm\ibmmessages.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [OM2_Monitor] "c:\program files\olympus\olympus master 2\MMonitor.exe" -NoStart
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [<NO NAME>] c:\documents and settings\thomas lake\.exe /i
uRun: [A00F36A4E7.exe] c:\docume~1\thomas~1\locals~1\temp\_A00F36A4E7.exe
uRun: [A00F168977.exe] c:\docume~1\thomas~1\locals~1\temp\_A00F168977.exe
uRun: [A00F1698C3.exe] c:\docume~1\thomas~1\locals~1\temp\_A00F1698C3.exe
uRun: [A00F1BC70B.exe] c:\docume~1\thomas~1\locals~1\temp\_A00F1BC70B.exe
uRun: [A00F15B947.exe] c:\docume~1\thomas~1\locals~1\temp\_A00F15B947.exe
uRun: [Thomas Lake] c:\documents and settings\thomas lake\Thomas Lake.exe /i
mRun: [S3TRAY2] S3Tray2.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [TpShocks] TpShocks.exe
mRun: [TPHOTKEY] c:\progra~1\thinkpad\pkgmgr\hotkey\TPHKMGR.exe
mRun: [ControlCenter] "c:\program files\ibm fingerprint software\ctlcntr.exe" /startup
mRun: [TP4EX] tp4ex.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [UC_Start] c:\program files\ibm\updater\\ucstartup.exe
mRun: [UC_SMB]
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ibmmessages] c:\program files\ibm\messages by ibm\\ibmmessages.exe
mRun: [IBMPRC] c:\ibmtools\utils\ibmprc.exe
mRun: [QCTRAY] c:\program files\thinkpad\connectutilities\QCTRAY.EXE
mRun: [QCWLICON] c:\program files\thinkpad\connectutilities\QCWLICON.EXE
mRun: [BMMGAG] RunDll32 c:\progra~1\thinkpad\utilit~1\pwrmonit.dll,StartPwrMonitor
mRun: [BMMLREF] c:\program files\thinkpad\utilities\BMMLREF.EXE
mRun: [BMMMONWND] rundll32.exe c:\progra~1\thinkpad\utilit~1\BatInfEx.dll,BMMAutonomicMonitor
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [Pure Networks Port Magic] "c:\progra~1\purene~1\portma~1\PortAOL.exe" -Run
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_05\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NAV] "c:\program files\nortoninstaller\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav\2454b0ab\16.0.0.125\inststub.exe" /relaunch /runonce /media "d:\SETUP.EXE" /NOPROMPT
mRun: [cctray] "c:\program files\ca\ca internet security suite\cctray\cctray.exe"
mRun: [CAVRID] "c:\program files\ca\ca internet security suite\ca anti-virus\CAVRID.exe"
dRun: [<NO NAME>] c:\documents and settings\thomas lake\.exe /i
dRun: [SYS32DLL] SYS32DLL
dRun: [Diagnostic Manager] c:\windows\temp\2063829159.exe
dRun: [svc] c:\program files\thunmail\testabd.exe
dRun: [SYSDLL] SYSDLL
dRun: [shv] c:\program files\micphone\antit.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: c:\windows\system32\VetRedir.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: psfus - c:\program files\ibm fingerprint software\psfus.dll
Notify: QConGina - QConGina.dll
Notify: rjzbvpks - lypsqeo.dll
AppInit_DLLs: c:\windows\system32\gevumabo.dll ,c:\progra~1\thunmail\testabd.dll,c:\progra~1\micphone\antit.dll
LSA: Notification Packages = scecli pwdmon c:\windows\system32\gevumabo.dll

============= SERVICES / DRIVERS ===============

R0 fazpbtpj;fazpbtpj;c:\windows\system32\drivers\fazpbtpj.sys [1980-1-1 23424]
R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [2005-2-7 59520]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2005-2-7 11520]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.SYS [2005-2-7 2432]
R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [2005-2-7 4608]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [2005-2-7 16384]
R1 vet-filt;VET File System Filter;c:\windows\system32\drivers\vet-filt.sys [2009-6-9 26352]
R1 vet-rec;VET File System Recognizer;c:\windows\system32\drivers\vet-rec.sys [2009-6-9 21104]
R1 vetefile;VET File Scan Engine;c:\windows\system32\drivers\vetefile.sys [2009-6-9 879760]
R1 vetfddnt;VET Floppy Boot Sector Monitor;c:\windows\system32\drivers\vetfddnt.sys [2009-6-9 21488]
R1 vetmonnt;VET File Monitor;c:\windows\system32\drivers\vetmonnt.sys [2009-6-9 32240]
R2 caisafe;CAISafe;c:\program files\ca\ca internet security suite\ca anti-virus\isafe.exe [2009-6-9 144696]
R2 ccschedulersvc;CA Common Scheduler Service;c:\program files\ca\ca internet security suite\ccschedulersvc.exe [2009-6-9 128240]
R2 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [2004-9-23 64256]
R2 vetmsgnt;VET Message Service;c:\program files\ca\ca internet security suite\ca anti-virus\vetmsg.exe [2009-6-9 296176]
R3 veteboot;VET Boot Scan Engine;c:\windows\system32\drivers\veteboot.sys [2009-6-9 108288]
S0 qofhev;qofhev;c:\windows\system32\drivers\mkoxr.sys --> c:\windows\system32\drivers\mkoxr.sys [?]
S1 ethoydxs;ethoydxs;c:\windows\system32\drivers\ethoydxs.sys [2009-6-5 136192]
S2 bevtservice;bevtservice;c:\windows\system32\bevtservice.exe -k netsvcs --> c:\windows\system32\bEvtService.exe -k netsvcs [?]
S2 eylqmu;eylqmu;c:\windows\system32\drivers\zxsdko.sys --> c:\windows\system32\drivers\zxsdko.sys [?]
S3 isadisk;isadisk;c:\windows\system32\isadisk.sys [1980-1-1 2304]
S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [2005-2-7 12288]
S3 sndintd;sndintd;c:\windows\system32\sndintd.sys [1980-1-1 2304]

=============== Created Last 30 ================

2009-06-13 22:16 61,440 a------- c:\windows\system32\drivers\isoyb.sys
2009-06-13 18:20 <DIR> --d----- c:\program files\Trend Micro
2009-06-12 22:10 <DIR> --d----- C:\VundoFix Backups
2009-06-12 19:19 61,440 a------- c:\windows\system32\drivers\qklwyx.sys
2009-06-11 21:45 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-10 21:49 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-09 18:26 250,544 a------- c:\windows\system32\KeyHelp.ocx
2009-06-09 18:26 <DIR> --d----- c:\program files\common files\Scanner
2009-06-09 18:25 879,760 a------- c:\windows\system32\drivers\vetefile.sys
2009-06-09 18:25 111,856 a------- c:\windows\system32\isafprod.dll
2009-06-09 18:25 108,288 a------- c:\windows\system32\drivers\veteboot.sys
2009-06-09 18:25 99,568 a------- c:\windows\system32\isafeif.dll
2009-06-09 18:25 83,256 a------- c:\windows\system32\vetredir.dll
2009-06-09 18:25 32,240 a------- c:\windows\system32\drivers\vetmonnt.sys
2009-06-09 18:25 26,352 a------- c:\windows\system32\drivers\vet-filt.sys
2009-06-09 18:25 21,488 a------- c:\windows\system32\drivers\vetfddnt.sys
2009-06-09 18:25 21,104 a------- c:\windows\system32\drivers\vet-rec.sys
2009-06-09 18:24 111,856 a------- c:\windows\system32\wbem\canvprov.dll
2009-06-09 18:24 6,552 a------- c:\windows\system32\wbem\canvprov.mof
2009-06-09 18:24 <DIR> --d----- c:\program files\CA
2009-06-08 21:36 437,248 a------- c:\windows\system32\Installer.exe
2009-06-08 21:36 258,048 a------- c:\windows\system32\wscsvc32.exe
2009-06-08 21:36 82,432 a------- c:\windows\system32\resdll.dll
2009-06-06 21:43 0 a------- c:\windows\system32\34.tmp
2009-06-06 21:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\CA
2009-06-06 16:13 <DIR> --dshr-- c:\program files\MicPhone
2009-06-06 16:13 67,584 a------- c:\windows\system32\A0.tmp
2009-06-06 16:13 152,576 a------- c:\windows\system32\9F.tmp
2009-06-06 16:13 80 a------- c:\windows\system32\9D.tmp
2009-06-05 21:17 67,584 a------- c:\windows\system32\36.tmp
2009-06-05 21:17 153,088 a------- c:\windows\system32\35.tmp
2009-06-05 21:16 120 a------- c:\windows\system32\2A.tmp
2009-06-05 21:10 67,584 a------- c:\windows\system32\33.tmp
2009-06-05 21:10 153,088 a------- c:\windows\system32\32.tmp
2009-06-05 20:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Protexis
2009-06-05 20:45 67,584 a------- c:\windows\system32\31.tmp
2009-06-05 20:45 152,064 a------- c:\windows\system32\2F.tmp
2009-06-05 20:44 120 a------- c:\windows\system32\26.tmp
2009-06-05 15:43 67,584 a------- c:\windows\system32\2E.tmp
2009-06-05 15:43 153,088 a------- c:\windows\system32\2C.tmp
2009-06-05 15:43 80 a------- c:\windows\system32\2B.tmp
2009-06-05 15:23 67,584 a------- c:\windows\system32\29.tmp
2009-06-05 15:23 153,088 a------- c:\windows\system32\28.tmp
2009-06-05 15:23 80 a------- c:\windows\system32\27.tmp
2009-06-05 15:17 136,192 a------- c:\windows\system32\drivers\ethoydxs.sys
2009-06-05 15:17 67,584 a------- c:\windows\system32\25.tmp
2009-06-05 15:17 153,088 a------- c:\windows\system32\24.tmp
2009-06-05 15:16 80 a------- c:\windows\system32\23.tmp
2009-06-05 14:45 136,192 a------- c:\windows\system32\drivers\wanatw4.sys
2009-05-25 11:50 1 a------- c:\windows\system32\20.tmp
2009-05-25 11:49 84 a------- c:\windows\system32\1F.tmp
2009-05-25 11:05 <DIR> --d----- c:\windows\system32\LogFiles
2009-05-25 10:09 29,184 a------- c:\windows\system32\jhxm32.dll
2009-05-25 09:17 <DIR> --d----- c:\windows\system32\sysloc
2009-05-24 18:58 41,240 ----h--- c:\documents and settings\thomas lake\Thomas Lake.exe
2009-05-24 18:58 70,144 a------- c:\windows\system32\22.tmp
2009-05-24 18:54 120 a------- c:\windows\system32\1E.tmp
2009-05-24 14:28 107,852 a------- c:\windows\system32\drivers\5df2a0c3.sys
2009-05-24 14:28 22,528 a------- C:\orrx.exe
2009-05-24 14:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\94932966
2009-05-24 14:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\14922974
2009-05-24 14:26 29,696 a------- C:\bpyphcxc.exe
2009-05-24 14:21 1 a------- c:\windows\system32\1C.tmp
2009-05-24 14:21 84 a------- c:\windows\system32\1B.tmp
2009-05-24 11:31 0 a------- c:\windows\system32\1A.tmp
2009-05-22 10:57 70,144 a------- c:\windows\system32\1D.tmp
2009-05-22 10:56 120 a------- c:\windows\system32\19.tmp
2009-05-22 09:18 70,144 a------- c:\windows\system32\30.tmp
2009-05-22 09:18 120 a------- c:\windows\system32\2D.tmp
2009-05-22 08:10 <DIR> --d----- c:\windows\system32\3361
2009-05-22 08:10 108,336 a------- c:\windows\system32\MSWINSCK.OCX
2009-05-22 08:10 <DIR> --d----- c:\windows\dhcp
2009-05-17 10:40 0 a------- c:\windows\system32\18.tmp
2009-05-17 10:40 1 a------- c:\windows\system32\14.tmp
2009-05-16 19:03 94,208 a------- c:\windows\system32\13.tmp
2009-05-16 19:03 1 a------- c:\windows\system32\12.tmp
2009-05-16 17:27 94,208 a------- c:\windows\system32\17.tmp
2009-05-16 17:27 1 a------- c:\windows\system32\16.tmp
2009-05-16 17:27 84 a------- c:\windows\system32\15.tmp

==================== Find3M ====================

2009-06-14 16:15 107,772 a------- c:\windows\system32\drivers\f8863985.sys
2009-06-14 16:15 107,772 a------- c:\windows\system32\drivers\c4b9cc21.sys
2009-06-14 16:15 107,772 a------- c:\windows\system32\drivers\5e07aa2b.sys
2009-06-14 16:15 107,772 a------- c:\windows\system32\drivers\2b791b1c.sys
2009-06-14 16:15 104,444 a------- c:\windows\system32\drivers\cfa50922.sys
2009-05-25 11:42 159 a------- C:\xcrashdump.dat
2009-05-24 18:50 90,112 a------- c:\windows\DUMP57c0.tmp
2009-05-24 18:49 90,112 a------- c:\windows\DUMP58c4.tmp
2009-05-24 18:47 90,112 a------- c:\windows\DUMP57ba.tmp
2009-05-24 18:46 90,112 a------- c:\windows\DUMP57b9.tmp
2009-05-24 18:45 90,112 a------- c:\windows\DUMP56c7.tmp
2009-05-24 18:44 90,112 a------- c:\windows\DUMP57b3.tmp
2009-05-24 18:43 90,112 a------- c:\windows\DUMP5806.tmp
2009-05-24 18:41 90,112 a------- c:\windows\DUMP5811.tmp
2009-05-24 18:40 90,112 a------- c:\windows\DUMP587f.tmp
2009-05-24 18:39 90,112 a------- c:\windows\DUMP577f.tmp
2009-05-24 18:38 90,112 a------- c:\windows\DUMP5842.tmp
2009-05-24 18:37 90,112 a------- c:\windows\DUMP5c47.tmp
2009-05-24 18:35 90,112 a------- c:\windows\DUMP566c.tmp
2009-05-24 18:34 90,112 a------- c:\windows\DUMP5958.tmp
2009-05-24 18:33 90,112 a------- c:\windows\DUMP5890.tmp
2009-05-24 18:32 90,112 a------- c:\windows\DUMP5bbb.tmp
2009-05-24 18:30 90,112 a------- c:\windows\DUMP5da6.tmp
2009-05-24 18:29 90,112 a------- c:\windows\DUMP57f4.tmp
2009-05-24 18:28 90,112 a------- c:\windows\DUMP58d7.tmp
2009-05-24 18:27 90,112 a------- c:\windows\DUMP56f7.tmp
2009-05-24 18:26 90,112 a------- c:\windows\DUMP57bf.tmp
2009-05-24 18:24 90,112 a------- c:\windows\DUMP561a.tmp
2009-05-24 18:23 90,112 a------- c:\windows\DUMP5790.tmp
2009-05-24 18:22 90,112 a------- c:\windows\DUMP57b8.tmp
2009-05-24 18:21 90,112 a------- c:\windows\DUMP5928.tmp
2009-05-24 18:20 90,112 a------- c:\windows\DUMP587e.tmp
2009-05-24 18:18 90,112 a------- c:\windows\DUMP564b.tmp
2009-05-24 18:17 90,112 a------- c:\windows\DUMP577e.tmp
2009-05-24 18:16 90,112 a------- c:\windows\DUMP58ba.tmp
2009-05-24 18:15 90,112 a------- c:\windows\DUMP57b2.tmp
2009-05-24 18:14 90,112 a------- c:\windows\DUMP5752.tmp
2009-05-24 18:12 90,112 a------- c:\windows\DUMP5872.tmp
2009-05-24 18:11 90,112 a------- c:\windows\DUMP57e0.tmp
2009-05-24 18:10 90,112 a------- c:\windows\DUMP594e.tmp
2009-05-24 18:09 90,112 a------- c:\windows\DUMP57f3.tmp
2009-05-24 18:08 90,112 a------- c:\windows\DUMP586c.tmp
2009-05-24 18:06 90,112 a------- c:\windows\DUMP57b1.tmp
2009-05-24 18:05 90,112 a------- c:\windows\DUMP58cd.tmp
2009-05-24 18:04 90,112 a------- c:\windows\DUMP5676.tmp
2009-05-24 18:03 90,112 a------- c:\windows\DUMP57b7.tmp
2009-05-24 18:02 90,112 a------- c:\windows\DUMP5810.tmp
2009-05-24 18:00 90,112 a------- c:\windows\DUMP56b1.tmp
2009-05-24 17:59 90,112 a------- c:\windows\DUMP57b0.tmp
2009-05-24 17:58 90,112 a------- c:\windows\DUMP57fb.tmp
2009-05-24 17:57 90,112 a------- c:\windows\DUMP569d.tmp
2009-05-24 17:56 90,112 a------- c:\windows\DUMP569c.tmp
2009-05-24 17:54 90,112 a------- c:\windows\DUMP57e8.tmp
2009-05-24 17:53 90,112 a------- c:\windows\DUMP5675.tmp
2009-05-24 17:52 90,112 a------- c:\windows\DUMP56c6.tmp
2009-05-24 17:51 90,112 a------- c:\windows\DUMP56bb.tmp
2009-05-24 17:50 90,112 a------- c:\windows\DUMP581b.tmp
2009-05-24 17:48 90,112 a------- c:\windows\DUMP58b9.tmp
2009-05-24 17:47 90,112 a------- c:\windows\DUMP5638.tmp
2009-05-24 17:46 90,112 a------- c:\windows\DUMP57be.tmp
2009-05-24 17:45 90,112 a------- c:\windows\DUMP584a.tmp
2009-05-24 17:44 90,112 a------- c:\windows\DUMP5841.tmp
2009-05-24 17:41 90,112 a------- c:\windows\DUMP562f.tmp
2009-05-24 17:40 90,112 a------- c:\windows\DUMP581a.tmp
2009-05-24 17:39 90,112 a------- c:\windows\DUMP5819.tmp
2009-05-24 17:38 90,112 a------- c:\windows\DUMP5797.tmp
2009-05-24 17:36 90,112 a------- c:\windows\DUMP5b7f.tmp
2009-05-24 17:35 90,112 a------- c:\windows\DUMP56d8.tmp
2009-05-24 17:34 90,112 a------- c:\windows\DUMP57fa.tmp
2009-05-24 17:33 90,112 a------- c:\windows\DUMP5908.tmp
2009-05-24 17:32 90,112 a------- c:\windows\DUMP5a53.tmp
2009-05-24 17:30 90,112 a------- c:\windows\DUMP5bb3.tmp
2009-05-24 17:29 90,112 a------- c:\windows\DUMP5840.tmp
2009-05-24 17:28 90,112 a------- c:\windows\DUMP5927.tmp
2009-05-24 17:27 90,112 a------- c:\windows\DUMP5837.tmp
2009-05-24 17:25 90,112 a------- c:\windows\DUMP57df.tmp
2009-05-24 17:24 90,112 a------- c:\windows\DUMP580f.tmp
2009-05-24 17:23 90,112 a------- c:\windows\DUMP56c5.tmp
2009-05-24 17:22 90,112 a------- c:\windows\DUMP57b6.tmp
2009-05-24 17:21 90,112 a------- c:\windows\DUMP57f2.tmp
2009-05-24 17:19 90,112 a------- c:\windows\DUMP57ca.tmp
2009-05-24 17:18 90,112 a------- c:\windows\DUMP56a6.tmp
2009-05-24 17:17 90,112 a------- c:\windows\DUMP57c9.tmp
2009-05-24 17:16 90,112 a------- c:\windows\DUMP5854.tmp
2009-05-24 17:15 90,112 a------- c:\windows\DUMP562e.tmp
2009-05-24 17:13 90,112 a------- c:\windows\DUMP577d.tmp
2009-05-24 17:12 90,112 a------- c:\windows\DUMP578f.tmp
2009-05-24 17:11 90,112 a------- c:\windows\DUMP5658.tmp
2009-05-24 17:10 90,112 a------- c:\windows\DUMP56ce.tmp
2009-05-24 17:09 90,112 a------- c:\windows\DUMP56f6.tmp
2009-05-24 17:07 90,112 a------- c:\windows\DUMP58fe.tmp
2009-05-24 17:06 90,112 a------- c:\windows\DUMP57af.tmp
2009-05-24 17:05 90,112 a------- c:\windows\DUMP5931.tmp
2009-05-24 17:04 90,112 a------- c:\windows\DUMP577c.tmp
2009-05-24 17:03 90,112 a------- c:\windows\DUMP5749.tmp
2009-05-24 17:01 90,112 a------- c:\windows\DUMP56ec.tmp
2009-05-24 17:00 90,112 a------- c:\windows\DUMP5619.tmp
2009-05-24 16:59 90,112 a------- c:\windows\DUMP5784.tmp
2009-05-24 16:58 90,112 a------- c:\windows\DUMP5783.tmp
2009-05-24 16:57:09 A------- 90,112 c:\windows\DUMP5926.tmp
2008-12-27 18:34 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008122720081228\index.dat

============= FINISH: 16:15:43.31 ===============



ATTACH.txt

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-05-14.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 2/12/2005 4:12:24 AM
System Uptime: 6/14/2009 4:06:54 PM (0 hours ago)

Motherboard: IBM | | 2373K1U
Processor: Intel® Pentium® M processor 1.70GHz | None | 1694/400mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 33 GiB total, 6.978 GiB free.
D: is CDROM ()
E: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

Access IBM
Access IBM Message Center
Adobe Download Manager 2.0 (Remove Only)
Adobe Flash Player 10 ActiveX
Adobe Reader 6.0
America Online (Choose which version to remove)
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
ATI HYDRAVISION
Atmel Tpm Install 2.1.1.01
AutoUpdate
Bonjour
CA Anti-Virus
CA Internet Security Suite
CA Pest Patrol Realtime Protection
DivX Codec
DivX Player
Free YouTube to iPod Converter version 3.1
Google Update Helper
Google Updater
Hotfix for Windows XP (KB952287)
IBM 32-bit Runtime Environment for Java 2, v1.4.1
IBM Access Connections
IBM Active Protection System
IBM DLA
IBM fingerprint software 4.5.3
IBM Integrated 56K Modem
IBM Rescue and Recovery with Rapid Restore
IBM Themes
IBM ThinkPad Battery MaxiMiser and Power Management Features
IBM ThinkPad Configuration
IBM ThinkPad EasyEject Utility
IBM ThinkPad Keyboard Customizer Utility
IBM ThinkPad Power Management Driver
IBM ThinkPad Presentation Director
IBM ThinkPad UltraNav Driver
IBM ThinkPad UltraNav Wizard
IBM ThinkVantage Technologies Welcome Message
IBM TrackPoint Accessibility Features
IBM Update Connector
Intel® PRO Network Adapters and Drivers
Intel® Sebring API
InterVideo AVControlSDK
InterVideo DeviceService
InterVideo WinDVD
iPod for Windows 2006-06-28
iTunes
Java™ 6 Update 5
LightScribe 1.4.124.1
Malwarebytes' Anti-Malware
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2003 Web Components
Microsoft Office Basic Edition 2003
Microsoft Office Converter Pack
Microsoft Office XP Web Components
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft XML Parser
MobileMe Control Panel
Move Networks Media Player for Internet Explorer
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
PC-Doctor for Windows
Pure Networks Port Magic
QuickTime
RealPlayer Basic
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Media Encoder (KB954156)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
ThinkPad FullScreen Magnifier
ThinkPad Software Installer
Uninstall 1.0.0.1
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Viewpoint Media Player
Wallpapers
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 7
Windows Media Encoder 9 Series
Windows XP Service Pack 3

==== Event Viewer Messages From Past Week ========

6/9/2009 9:45:48 PM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC90.CRT. Reference error message: The referenced assembly is not installed on your system. .
6/9/2009 9:45:48 PM, error: SideBySide [59] - Generate Activation Context failed for C:\DOCUME~1\THOMAS~1\LOCALS~1\Temp\RarSFX0\basic\setup.exe. Reference error message: The operation completed successfully. .
6/9/2009 9:45:48 PM, error: SideBySide [32] - Dependent Assembly Microsoft.VC90.CRT could not be found and Last Error was The referenced assembly is not installed on your system.
6/9/2009 9:17:49 AM, error: System Error [1003] - Error code 100000d1, parameter1 e1f18000, parameter2 00000002, parameter3 00000000, parameter4 ed9d2b00.
6/9/2009 5:29:49 PM, error: System Error [1003] - Error code 100000d1, parameter1 e1f04000, parameter2 00000002, parameter3 00000000, parameter4 ed9d2b00.
6/9/2009 5:14:06 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: eectrl
6/9/2009 5:14:06 PM, error: Service Control Manager [7023] - The 6to4 service terminated with the following error: The specified module could not be found.
6/9/2009 5:14:06 PM, error: Service Control Manager [7003] - The DHCP Client service depends on the following nonexistent service: dhcpsrv
6/9/2009 5:14:06 PM, error: Service Control Manager [7000] - The Ulead Burning Helper service failed to start due to the following error: The system cannot find the file specified.
6/9/2009 5:14:06 PM, error: Service Control Manager [7000] - The Task Scheduler service failed to start due to the following error: The system cannot find the file specified.
6/9/2009 5:14:06 PM, error: Service Control Manager [7000] - The eylqmu service failed to start due to the following error: The system cannot find the file specified.
6/9/2009 4:57:43 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
6/9/2009 11:37:08 AM, error: System Error [1003] - Error code 100000d1, parameter1 e1f0a000, parameter2 00000002, parameter3 00000000, parameter4 ed9d2b00.
6/9/2009 10:06:57 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD ANC eectrl Fips IBMTPCHK intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss ShockMgr Smapint Tcpip TDSMAPI TPHKDRV TPPWR TSMAPIP vet-filt vet-rec vetefile vetmonnt
6/9/2009 10:06:57 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
6/9/2009 10:06:57 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
6/9/2009 10:06:57 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
6/9/2009 10:06:57 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
6/9/2009 10:06:57 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
6/8/2009 9:55:38 PM, error: HTTP [15005] - Unable to bind to the underlying transport for 0.0.0.0:2869. The IP Listen-Only list may contain a reference to an interface which may not exist on this machine. The data field contains the error number.
6/8/2009 9:33:17 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
6/8/2009 9:32:46 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
6/8/2009 9:30:21 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
6/8/2009 9:26:14 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service PPCtlPriv with arguments "" in order to run the server: {F974178A-A284-440A-BEFC-5B0D11BCDB68}
6/8/2009 9:26:14 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service CaCCProvSP with arguments "" in order to run the server: {AACF4A1C-BC69-4359-9518-DF3F77E462BF}
6/8/2009 9:23:52 PM, error: DCOM [10005] - DCOM got error "%1055" attempting to start the service CaCCProvSP with arguments "" in order to run the server: {AACF4A1C-BC69-4359-9518-DF3F77E462BF}
6/8/2009 9:23:50 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service iPod Service with arguments "-Service" in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}
6/8/2009 9:22:14 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: ANC eectrl Fips IBMTPCHK intelppm ShockMgr Smapint TDSMAPI TPHKDRV TPPWR TSMAPIP vet-filt vet-rec vetefile vetmonnt
6/8/2009 10:28:37 PM, error: System Error [1003] - Error code 100000d1, parameter1 e1f1a000, parameter2 00000002, parameter3 00000000, parameter4 ed9d2b00.
6/7/2009 8:23:33 PM, error: DCOM [10005] - DCOM got error "%1055" attempting to start the service iPod Service with arguments "-Service" in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}
6/7/2009 4:53:59 AM, error: BROWSER [8007] - The browser was unable to update the service status bits. The data is the error.
6/13/2009 5:13:40 PM, error: System Error [1003] - Error code 100000d1, parameter1 e2016000, parameter2 00000002, parameter3 00000000, parameter4 ed8ceb00.
6/13/2009 10:19:30 PM, error: Service Control Manager [7000] - The silcmlni service failed to start due to the following error: A device attached to the system is not functioning.
6/12/2009 7:22:41 PM, error: Service Control Manager [7000] - The rwdixi service failed to start due to the following error: A device attached to the system is not functioning.
6/11/2009 10:47:40 PM, error: Service Control Manager [7034] - The avast!antivirus service terminated unexpectedly. It has done this 1 time(s).
6/11/2009 10:47:40 PM, error: Service Control Manager [7031] - The Windows Network Data Management System Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.

==== End Of File ===========================

#4
sjpritch25

    Forum Deity

  • Experts
  • 1,605 posts
  • Gender:Male
  • Location:West Coast of Florida
Download Combofix from this webpage: http://www.bleepingc...to-use-combofix

before you save it, please name it fun.exe. Afterwards, make sure it's saved to your Desktop!!!!
**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
    When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Microsoft Valuable Professional---MVP Consumer Security 2007-2010
Windows 7 Ultimate 64bit
Gigabyte P55A-UD4P Motherboard Intel i5 750 G.SKILL Ripjaws Series 4GB DDR3 1333 1TB WD 32mb cache
60gb OCZ Vertex Turbo SSD (BOOT drive)Noctua NH-U12P SE2 HeatsinkAntec P183 Case

#5
stara

    New Member

  • Members
  • 14 posts
Hi,

I cannot connect to the internet so I can't save combofix to my desktop. I tried to transfer it via flash drive, but it wouldn't work. It erased it right off the flash drive.

Can you please advise as to how I can run combofix without internet connection?

Thank you for all of your help.

#6
sjpritch25

    Forum Deity

  • Experts
  • 1,605 posts
  • Gender:Male
  • Location:West Coast of Florida
Okay, we can do this another way, but I need another scan.

1. Restart the computer and press F8 when Windows starts booting. This will bring up the startup options.
2. Select the “Enable Boot Logging” option and press Enter.
3. Windows prompts you to select a Windows installation (even if there is only one Windows installation).
This boots Windows normally and creates a boot log named ntbtlog.txt in the C:\Windows (%systemroot%) folder, which can later be checked to see if there was a troublesome driver.

Please attach ntbtlog.txt into your next reply. Thanks
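The boot log that step 3 produces is what the helper reads by hand. As an added example (not code from this thread or from any of its participants), the Python script below parses an ntbtlog.txt in the standard XP layout, which is assumed here: one "Microsoft (R) Windows (R) Version ..." header per boot session, a timestamp line, then "Loaded driver <path>" / "Did not load driver <path>" lines. Windows appends a new session on every boot-logged start, so the script keeps only the most recent one, lists the drivers that did not load, and flags whether the core TCP/IP stack drivers (Tcpip, AFD, NetBT, IPSec, the names the thread's own event log shows failing) are among the missing ones. The embedded log is a constructed sample, not the poster's real file.

```python
"""Triage a Windows XP boot log (ntbtlog.txt).

Added example, not code from this thread or its participants. Assumes the standard
XP boot-log layout: a "Microsoft (R) Windows (R) Version ..." header per boot session,
a timestamp line, then "Loaded driver <path>" / "Did not load driver <path>" lines.
Windows appends a new session on every boot-logged start, so only the last session
is analysed.
"""
import re
from typing import Dict, List

SESSION_HEADER = re.compile(r"^Microsoft \(R\) Windows \(R\) Version")
LOADED = re.compile(r"^Loaded driver (.+?)\s*$")
NOT_LOADED = re.compile(r"^Did not load driver (.+?)\s*$")

# Core XP networking drivers. If any is absent from the "Loaded" set the TCP/IP
# stack is down, which matches "good signal, no connectivity" symptoms.
NETWORK_DRIVERS = {"tcpip.sys", "afd.sys", "netbt.sys", "ipsec.sys"}

# Constructed sample: two boot sessions, the second with network drivers failing
# and one driver reported twice (the parser must not double-count it).
SAMPLE_NTBTLOG = r"""Microsoft (R) Windows (R) Version 5.1 (Build 2600)
 6 13 2009 17:05:10.500
Loaded driver \WINDOWS\system32\ntkrnlpa.exe
Loaded driver \WINDOWS\system32\hal.dll
Loaded driver \SystemRoot\System32\Drivers\NDIS.sys
Loaded driver \SystemRoot\System32\Drivers\Tcpip.sys
Loaded driver \SystemRoot\System32\Drivers\AFD.sys
Loaded driver \SystemRoot\System32\Drivers\NetBT.sys
Loaded driver \SystemRoot\System32\Drivers\IPSec.sys
Microsoft (R) Windows (R) Version 5.1 (Build 2600)
 6 14 2009 16:06:54.500
Loaded driver \WINDOWS\system32\ntkrnlpa.exe
Loaded driver \WINDOWS\system32\hal.dll
Loaded driver \SystemRoot\System32\Drivers\NDIS.sys
Did not load driver \SystemRoot\System32\Drivers\Tcpip.sys
Did not load driver \SystemRoot\System32\Drivers\AFD.sys
Loaded driver \SystemRoot\System32\Drivers\NetBT.sys
Loaded driver \SystemRoot\System32\Drivers\IPSec.sys
Did not load driver \SystemRoot\System32\Drivers\eectrl.sys
Did not load driver \SystemRoot\System32\Drivers\Tcpip.sys
"""


def split_sessions(text: str) -> List[List[str]]:
    """Split the log into boot sessions; each starts at a version header line."""
    sessions: List[List[str]] = []
    for line in text.splitlines():
        if SESSION_HEADER.match(line):
            sessions.append([])
        elif sessions:
            sessions[-1].append(line)
    return sessions


def parse_session(lines: List[str]) -> Dict[str, List[str]]:
    """Collect driver paths by outcome, keeping first-seen order and dropping repeats."""
    result: Dict[str, List[str]] = {"loaded": [], "not_loaded": []}
    seen = set()
    for line in lines:
        match = LOADED.match(line)
        key = "loaded"
        if match is None:
            match = NOT_LOADED.match(line)
            key = "not_loaded"
        if match is None:
            continue  # timestamp line or anything else we do not understand
        path = match.group(1)
        if (key, path) not in seen:
            seen.add((key, path))
            result[key].append(path)
    return result


def basename(path: str) -> str:
    """Lower-cased file name of a driver path, whatever prefix the log used."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(text: str) -> Dict[str, List[str]]:
    """Analyse the most recent boot session and flag missing network drivers."""
    sessions = split_sessions(text)
    if not sessions:
        return {"loaded": [], "not_loaded": [], "network_missing": []}
    parsed = parse_session(sessions[-1])
    loaded_names = {basename(p) for p in parsed["loaded"]}
    return {
        "loaded": parsed["loaded"],
        "not_loaded": parsed["not_loaded"],
        # "Missing" covers both "Did not load" and never attempted at all.
        "network_missing": sorted(NETWORK_DRIVERS - loaded_names),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_NTBTLOG)
    print(f"{len(report['loaded'])} drivers loaded, {len(report['not_loaded'])} did not load")
    for path in report["not_loaded"]:
        print("  did not load:", path)
    if report["network_missing"]:
        print("network stack incomplete, missing:", ", ".join(report["network_missing"]))
```

To run it on a real log, replace SAMPLE_NTBTLOG with the contents of C:\Windows\ntbtlog.txt. Only the last session matters because earlier sessions describe earlier boots, and a driver that appears as both "Loaded" and "Did not load" within one session is kept in both lists so the analyst can see the conflict rather than have it silently resolved.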

#7
stara

    New Member

  • Members
  • 14 posts
hi,

the ntbtlog attachment is too large to send at once so I am breaking it up into three documents. Unfortunately I have to do three separate posts.

thank you again!

Attached Files



#8
stara

    New Member

  • Members
  • 14 posts
I seem to have reached my attachment maximum and it is too long to paste in here, unless I do it in many pieces. Do you want me to post it piece by piece?

thanks!

#9
sjpritch25

    Forum Deity

  • Experts
  • 1,605 posts
  • Gender:Male
  • Location:West Coast of Florida
According to the requested logs, I see you're infected with the Virut (polymorphic) file infector trojan. Virut infects all .exe, .scr and possibly htm, html, asp, and php files. You can get more info on Virut here.

We can try and clean it up with Kaspersky Rescue Disk, but access to another computer is required.

On a clean computer, download Kaspersky Rescue Disk

Burn the Kaspersky Rescue Disk ISO image to a CD using CD/DVD burning software and ensure it's a CD image. The following ISO Recorder can do this too.

There is a great tutorial on burning an ISO image here.

Setting your BIOS to boot from a CD may be required, go here for instructions.

Once Kaspersky Rescue Disk is burned successfully, reboot your computer, press any key to boot from cd and the following will appear.

Posted Image

Hit Enter to start booting from Kaspersky Rescue Disk.

Please pick your appropriate language and hit Enter

Kaspersky AntiVirus 2009 will appear, do not start a scan yet!!!!


Posted Image

  • Click the Update tab, then on the Update now button.
  • When the update is complete, click on the Settings button.
  • Under Scan, set Security level to High and On Detection to Disinfection.
  • Under Threats and exclusions, click the Settings tab, and ensure everything is checked.
  • Click Apply then OK to return to the program.
  • Click the Scan tab.
  • The scan can take a long time, so please be patient and allow it to run to completion.
  • When the scan has completed, click the Reports button.
  • Save the report to your C: drive as KAV2008.txt.
  • Now reboot your computer and remove the CD and log into Windows.
  • Navigate to your C:\ drive, and post the KAV2009.txt as an attachment in your next reply.
  • Any questions, please post and I will reply as soon as possible. Thanks


#10
stara

    New Member

  • Members
  • 14 posts
Thank you! I will give this a try and let you know how it goes.

#11
stara

    New Member

  • Members
  • 14 posts
Hi,

I'm having trouble getting Kaspersky on a disc. This is what it says at kaspersky.com regarding the rescue disk program:

Dear User,

We are sorry to inform you that the Rescue Disk image is not currently available for download.

We recommend using the BartPE-based recovery disk.

We apologize for the inconvenience.

Sincerely,
Kaspersky Lab

here is where I read this: http://www.kaspersky.com/rescuedisk


Please advise. Thank you!

#12
sjpritch25

    Forum Deity

  • Experts
  • 1,605 posts
  • Gender:Male
  • Location:West Coast of Florida
Sorry for the delay, I was away the last two days.


Please download ComboFix again, but save it to your USB flash drive as winlogon.exe. Let me know if you're successful in copying it to your desktop.

#13
stara

    New Member

  • Members
  • 14 posts
Hi,

I saved combofix as winlogon.exe on my usb drive but when I try to run it on the infected computer I get an error message that says something like "alert...it is not safe to continue...the contents may be compromised...download a fresh copy...note: you may be infected by virut."

I get this error message every time I try to run it from the usb. I also tried running it from a disc and got the same message. This happened a few days ago when I tried combofix too.

Anything else I can try?

By the way, I appreciate your help and patience.

Thanks.

#14
sjpritch25

    Forum Deity

  • Experts
  • 1,605 posts
  • Gender:Male
  • Location:West Coast of Florida
That's what I was afraid of. Unfortunately, you are left with an unfixable machine. My recommendation is to re-install XP. For more info, go here.

#15
stara

    New Member

  • Members
  • 14 posts
I was afraid of this too. But I really appreciate your time and help. Thanks.
