Hi,
My Lenovo T61 running Windows XP SP2 with Norton AV and Spybot SD has been infected with malware recently. Symptoms include slow performance, frequent IE crashes and fatal process errors. I also notice that in normal mode each time IE launches, a command dialogue window opens itself before launching IE. Please see below recent HJT and MAB logs. Will really appreciate your assistance in ridding myself of this nuisance.
HJT LOG:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:10:35, on 7/14/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Safe mode with network support
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HJT.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.17.109.54:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *ultimatix*;*indelm*;<local>;*.local
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: CPwmIEBrowserHelper Object - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AirCardEnabler] C:\Program Files\Sierra Wireless Inc\Network Adapter Manager\Network Adapter Manager.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\TCS\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\TCS\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [PTOneClick] C:\Program Files\WebEx\Productivity Tools\ptoneclk.exe
O4 - HKCU\..\Run: [VonageTalk] C:\Program Files\VonageTalk\vonagetalk.exe -b
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Air Mouse.lnk = C:\Program Files\Air Mouse\Air Mouse\Air Mouse.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: UltimateBet - {10F055B8-F443-4adf-948A-EC551E9DBCE4} - C:\Documents and Settings\TCS\Start Menu\Programs\UltimateBet\UltimateBet.lnk
O9 - Extra 'Tools' menuitem: UltimateBet - {10F055B8-F443-4adf-948A-EC551E9DBCE4} - C:\Documents and Settings\TCS\Start Menu\Programs\UltimateBet\UltimateBet.lnk
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.onerateld.com
O16 - DPF: {07AB92C1-242F-40C1-B3C5-323DCC7B68D2} (Siebel High Interactivity Framework) - https://crmappweb.ultimatix.net/sales/18382...x_HI_Client.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {28288D59-CEA4-466B-9A20-04AE7C686611} (Contributor Web Client Connector) - https://planning.ultimatix.net/cognos/contr...lientfull82.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.1.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
O16 - DPF: {CF27E6B4-C0E0-455E-A6F1-8C88004E8976} (epcInstallerConnector Class) - https://planning.ultimatix.net/cognos/contr...installer82.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://tcs.webex.co...bex/ieatgpc.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LibUsb-Win32 - Daemon, Version 0.1.10.1 (libusbd) - http://libusb-win32.sourceforge.net - C:\WINDOWS\system32\libusbd-nt.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\WINDOWS\system32\nslsvice.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\lotus\notes\ntmulti.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: System Update (SUService) - - c:\program files\lenovo\system update\suservice.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: CLCV0 (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE
--
End of file - 13752 bytes
MAB Log:
Malwarebytes' Anti-Malware 1.39
Database version: 2424
Windows 5.1.2600 Service Pack 2
7/14/2009 8:48:50 AM
mbam-log-2009-07-14 (08-48-45).txt
Scan type: Full Scan (C:\|)
Objects scanned: 254169
Time elapsed: 52 minute(s), 59 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Illysoft (Rogue.SpyNoMore) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Illysoft (Rogue.SpyNoMore) -> No action taken.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\WINDOWS\temp\wpv481246909117.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\TCS\Application Data\wiaserva.log (Malware.Trace) -> No action taken.
#1
Posted 14 July 2009 - 02:46 PM
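As an added example (not part of this thread or of HijackThis itself), the script below parses entry lines in the HJT log layout posted above and applies a few defender-side review heuristics: an IE proxy setting, Trusted Zone additions, a Winlogon Notify DLL marked "(file missing)", services with no vendor string, and autoruns launched from user-writable directories. The heuristics and the small constructed sample log are assumptions for illustration; every hit is a "look at this", not a verdict, since legitimate software (updaters in Local Settings, corporate proxies) trips them too.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# One HijackThis entry: a section code (R0-R3, F0-F3, N1-N4, O1-O24), " - ", then the body.
HJT_ENTRY = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")

# First drive-letter path ending in an executable-style extension (surrounding quotes optional).
EXE_PATH = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll|scr|bat|cmd|com))', re.IGNORECASE)

# Directories any user process can write to; an autorun pointing here deserves a second look.
# (Assumed heuristic list, not something HijackThis defines.)
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\")


@dataclass(frozen=True)
class Finding:
    code: str    # HJT section code, e.g. "O4"
    reason: str  # why a reviewer should look at it
    line: str    # the original log line


def parse_entries(log_text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (code, body, original_line) for entry lines; headers and the process list are skipped."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_ENTRY.match(line)
        if m:
            yield m.group("code"), m.group("body"), line


def extract_path(body: str) -> str:
    """Return the executable path in an O4 body, or '' when there is none (e.g. 'X.lnk = ?')."""
    m = EXE_PATH.search(body)
    return m.group(1) if m else ""


def triage(log_text: str) -> List[Finding]:
    """Apply the review heuristics to every entry and return the ones worth a human look."""
    findings: List[Finding] = []
    for code, body, line in parse_entries(log_text):
        low = body.lower()
        if code == "R1" and "proxyserver" in low:
            findings.append(Finding(code, "IE proxy set; confirm it is the expected corporate proxy", line))
        elif code == "O15":
            findings.append(Finding(code, "site in IE Trusted Zone, which relaxes zone restrictions", line))
        elif code == "O20" and "(file missing)" in low:
            findings.append(Finding(code, "Winlogon Notify DLL referenced but absent from disk", line))
        elif code == "O23" and "unknown owner" in low:
            findings.append(Finding(code, "service binary carries no vendor information", line))
        elif code == "O4" and any(d in extract_path(body).lower() for d in USER_WRITABLE):
            findings.append(Finding(code, "autorun launched from a user-writable directory", line))
    return findings


# Constructed sample: a handful of lines in the same layout as the HJT log posted above.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.17.109.54:8080
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\TCS\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - Global Startup: Bluetooth.lnk = ?
O15 - Trusted Zone: *.onerateld.com
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code}: {f.reason}\n    {f.line}")
```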
#2
Posted 15 July 2009 - 08:05 PM
Hi, and sorry for the delay, but it's been real busy around here!
Just need to check something out (fatal exception errors), so please grab the following log.
Download Rootrepeal>>>
http://rootrepeal.googlepages.com/
Extract the file and run rootrepeal.exe
Click on the Report tab on the bottom right of the software, then press Scan.
Put a check (tick) in all boxes except the 2 SSDT options, then press OK.
Place a check (tick) in the drive to be scanned (usually you will only have to select C).
Please save the logfile generated and copy and paste the contents of that log into your next reply.
#3
Posted 15 July 2009 - 09:37 PM
No problem, thanks for your attention to this post and for your help. Here is the log file as you requested:
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/07/15 16:08
Program Version: Version 1.3.2.0
Windows Version: Windows XP SP2
==================================================
Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0xF6ABD000 Size: 778240 File Visible: No Signed: -
Status: -
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF5F98000 Size: 49152 File Visible: No Signed: -
Status: -
Hidden/Locked Files
-------------------
Path: C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP41\A0015932.ini
Status: Visible to the Windows API, but not on disk.
Path: C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP41\A0015933.INI
Status: Visible to the Windows API, but not on disk.
Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090710.003\EraserUtilRebootDrv.sys
Status: Locked to the Windows API!
Stealth Objects
-------------------
Object: Hidden Code [Driver: ACPI, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8348d250 Address: 3504
==EOF==
#4
Posted 15 July 2009 - 09:46 PM
Ok, nothing unusual there, can see the Norton rootkit but no malware there.
Let's try another tool to see if that shines any light on what is causing the issues.
STEP 01
Please visit this webpage for instructions for downloading ComboFix to your DESKTOP : how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.
Also, DO NOT click the mouse or launch any other applications while this is running, or it may stall the program.
Additional links to download the tool:
ComboFix.exe
ComboFix.exe
Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should see a blue screen prompt that says:
The Recovery Console was successfully installed.
Please continue as follows:
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Click Yes to allow ComboFix to continue scanning for malware.
- When the tool is finished, it will produce a report for you.
- Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.
#5
Posted 15 July 2009 - 10:18 PM
Here you go. BTW, all the logs I'm posting here are with Windows running in safe mode. Not sure if that makes a difference, but at any step if you need me to be in normal mode let me know.
Thanks.
ComboFix 09-07-14.08 - TCS 07/15/2009 17:01.4.2 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.998.737 [GMT -5:00]
Running from: c:\documents and settings\TCS\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\TCS\Application Data\wiaserva.log
.
((((((((((((((((((((((((( Files Created from 2009-06-15 to 2009-07-15 )))))))))))))))))))))))))))))))
.
2009-07-14 14:21 . 2009-07-14 14:21 -------- d-sh--w- C:\found.000
2009-07-08 13:31 . 2009-07-08 13:31 -------- d-----w- c:\program files\Common Files\GSTools
2009-07-08 13:30 . 2009-07-08 13:30 -------- d-----w- c:\program files\cognos
2009-07-08 02:46 . 2009-07-08 02:46 -------- d-----w- c:\program files\Western Digital
2009-06-28 18:12 . 2009-06-28 18:12 -------- d-----w- c:\program files\Microsoft Silverlight
2009-06-19 00:25 . 2009-06-19 00:26 -------- d-----w- c:\program files\Safari
2009-06-19 00:20 . 2009-06-19 00:20 -------- d-----w- c:\program files\iPod
2009-06-19 00:20 . 2009-06-19 00:21 -------- d-----w- c:\program files\iTunes
2009-06-19 00:20 . 2009-06-19 00:21 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-18 23:52 . 2009-06-18 23:52 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-18 22:48 . 2009-06-05 16:42 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-06-18 22:34 . 2009-06-18 22:34 -------- d-----w- c:\program files\Bonjour
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-15 21:58 . 2008-05-16 03:14 -------- d-----w- c:\documents and settings\TCS\Application Data\uTorrent
2009-07-14 14:25 . 2009-02-25 23:22 -------- d-----w- c:\program files\Symantec AntiVirus
2009-07-14 14:08 . 2007-10-02 17:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-14 04:41 . 2008-10-20 00:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-14 04:40 . 2009-04-13 17:55 3775175 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-07-14 04:36 . 2007-11-25 17:55 1324 ----a-w- c:\documents and settings\TCS\Local Settings\Application Data\d3d9caps.dat
2009-07-14 04:28 . 2009-04-13 23:56 -------- d-----w- c:\program files\VonageTalk
2009-07-14 04:05 . 2008-05-16 03:14 -------- d-----w- c:\program files\uTorrent
2009-07-14 04:03 . 2007-11-25 06:55 -------- d-----w- c:\documents and settings\TCS\Application Data\Skype
2009-07-14 03:03 . 2007-11-25 06:56 -------- d-----w- c:\documents and settings\TCS\Application Data\skypePM
2009-07-13 18:36 . 2008-10-20 00:25 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 18:36 . 2008-10-20 00:25 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-13 13:34 . 2007-11-04 05:35 -------- d-----w- c:\program files\UltimateBet
2009-06-19 00:20 . 2008-05-27 11:24 -------- d-----w- c:\program files\Common Files\Apple
2009-06-18 23:31 . 2008-10-28 14:21 -------- d-----w- c:\program files\QuickTime
2009-06-18 22:50 . 2007-11-12 08:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-06-05 16:42 . 2008-05-27 11:25 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-06-05 16:42 . 2007-10-03 06:42 -------- d-----w- c:\program files\Google
2009-06-01 03:42 . 2009-06-01 03:42 390664 ----a-w- c:\documents and settings\TCS\Application Data\Real\RealPlayer\Update\RealPlayer11.exe
2009-05-28 14:52 . 2009-05-28 14:52 221184 ----a-w- c:\documents and settings\TCS\Application Data\webex\PlugIns\T26L\824\ataudio.dll
2009-05-28 14:52 . 2009-05-28 14:52 307200 ----a-w- c:\documents and settings\TCS\Application Data\webex\PlugIns\T26L\824\ateditor.dll
2009-05-28 14:52 . 2009-05-28 14:52 46408 ----a-w- c:\documents and settings\TCS\Application Data\webex\PlugIns\T26L\824\atauthor.exe
2009-05-28 14:52 . 2009-05-28 14:52 212992 ----a-w- c:\documents and settings\TCS\Application Data\webex\PlugIns\T26L\824\atrpui.dll
2009-05-28 14:52 . 2009-05-28 14:52 401408 ----a-w- c:\documents and settings\TCS\Application Data\webex\PlugIns\T26L\824\atrecply.dll
2009-05-28 14:51 . 2007-11-02 13:11 -------- d-----w- c:\documents and settings\TCS\Application Data\webex
2009-05-28 14:51 . 2008-10-15 14:48 27976 ----a-w- c:\documents and settings\TCS\Application Data\webex\PlugIns\T26L\ptgpcdec.dll
2009-05-11 22:51 . 2009-05-11 22:48 68720 ----a-w- c:\documents and settings\TCS_2\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-08 14:59 . 2009-03-20 17:56 3296 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-05-08 14:59 . 2009-03-20 17:56 3296 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-05-08 14:59 . 2009-03-20 17:56 168 --sh--r- c:\documents and settings\All Users\Application Data\053A780C57.sys
2009-05-08 14:59 . 2009-03-20 17:56 168 --sh--r- c:\documents and settings\All Users\Application Data\053A780C57.sys
2009-05-08 12:31 . 2007-10-03 06:50 68720 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-07 15:44 . 2006-04-30 06:55 344064 ----a-w- c:\windows\system32\localspl.dll
2009-05-01 03:01 . 2009-05-01 03:01 45056 ----a-r- c:\documents and settings\TCS\Application Data\Microsoft\Installer\{578145B3-3831-4D85-BB53-4A9D90F821DE}\NewShortcut89_1D243F0013894C63A7E9B17E967D1901.exe
2009-05-01 03:01 . 2009-05-01 03:01 45056 ----a-r- c:\documents and settings\TCS\Application Data\Microsoft\Installer\{578145B3-3831-4D85-BB53-4A9D90F821DE}\NewShortcut84_1D243F0013894C63A7E9B17E967D1901.exe
2009-05-01 03:01 . 2009-05-01 03:01 45056 ----a-r- c:\documents and settings\TCS\Application Data\Microsoft\Installer\{578145B3-3831-4D85-BB53-4A9D90F821DE}\NewShortcut83_1D243F0013894C63A7E9B17E967D1901.exe
2009-05-01 03:01 . 2009-05-01 03:01 45056 ----a-r- c:\documents and settings\TCS\Application Data\Microsoft\Installer\{578145B3-3831-4D85-BB53-4A9D90F821DE}\NewShortcut80_1D243F0013894C63A7E9B17E967D1901.exe
2009-04-29 04:56 . 2006-04-30 06:56 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2006-04-30 06:55 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-27 15:59 . 2008-10-15 14:48 1336648 ----a-w- c:\documents and settings\TCS\Application Data\webex\PlugIns\T26L\824\webexmgr.dll
2009-04-27 15:59 . 2008-10-15 14:48 708608 ----a-w- c:\documents and settings\TCS\Application Data\webex\PlugIns\T26L\824\pfwres.dll
2009-04-17 10:09 . 2006-04-30 06:55 1847936 ----a-w- c:\windows\system32\win32k.sys
2009-07-03 19:31 . 2008-08-27 18:35 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2009-05-05 16:14 . 2008-10-17 13:36 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2009-05-05 16:14 . 2008-10-17 13:36 126360 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2008-10-17 13:36 . 2008-10-17 13:36 46408 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll
2008-10-17 13:36 . 2008-10-17 13:36 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]
"cdloader"="c:\documents and settings\TCS\Application Data\mjusbsp\cdloader2.exe" [2007-12-21 50520]
"Google Update"="c:\documents and settings\TCS\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-02 133104]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"PTOneClick"="c:\program files\WebEx\Productivity Tools\ptoneclk.exe" [2009-01-31 165192]
"VonageTalk"="c:\program files\VonageTalk\vonagetalk.exe" [2007-10-22 4509696]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 1460560]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2007-08-11 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-08-11 512000]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"AirCardEnabler"="c:\program files\Sierra Wireless Inc\Network Adapter Manager\Network Adapter Manager.exe" [2003-05-23 163840]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-12-24 185896]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb12.exe" [2005-07-29 176128]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"VX3000"="c:\windows\vVX3000.exe" [2006-12-05 707360]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-01-13 275800]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2008-10-28 181544]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-05-29 52840]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-10-08 125368]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
c:\documents and settings\TCS\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Air Mouse.lnk - c:\program files\Air Mouse\Air Mouse\Air Mouse.exe [2009-1-19 268288]
Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2007-9-11 576104]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2007-10-2 106560]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-03-15 05:17 89600 ----a-w- c:\windows\system32\psqlpwd.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 07:37 34344 ----a-w- c:\program files\Lenovo\HOTKEY\notifyf2.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2006-12-14 02:06 28672 ----a-w- c:\program files\Lenovo\HOTKEY\tphklock.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2007-03-28 02:51 32768 ----a-w- c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd ACGina
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Sametime\\STConnect7.5.1\\jre\\bin\\sametime75.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Temp\\HP_WebRelease\\Setup\\HPZnet01.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Interactive Intelligence\\Interaction Client .NET Edition\\InteractionClient.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Documents and Settings\\TCS\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"c:\\Program Files\\Air Mouse\\Air Mouse\\Air Mouse.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\VonageTalk\\vonagetalk.exe"=
"c:\\Documents and Settings\\TCS\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"5353:TCP"= 5353:TCP:Adobe CSI CS4
R0 Shockprf;Shockprf;c:\windows\system32\drivers\ApsX86.sys [3/2/2007 7:49 PM 100656]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [3/2/2007 7:47 PM 19760]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [5/10/2009 1:39 AM 33792]
R3 PTDCWWAN;PANTECH PC Card WWAN Controller device driver;c:\windows\system32\drivers\PTDCWWAN.sys [10/11/2007 12:33 AM 58240]
S1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [10/3/2007 1:25 AM 4442]
S2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [10/28/2008 5:42 PM 156968]
S2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;system32\libusbd-nt.exe --> system32\libusbd-nt.exe [?]
S2 smihlp;SMI Helper Driver (smihlp);c:\program files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [3/15/2007 12:10 AM 11152]
S3 AIR555;Sierra Wireless AirCard 555 NIC + Modem (NIC Interface);c:\windows\system32\drivers\air555.sys [10/16/2007 7:04 AM 125608]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [12/15/2007 9:53 PM 16512]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/10/2009 8:04 PM 101936]
S3 hwcdcmdm0;HUAWEI Mobile Connect - 3G Modem;c:\windows\system32\drivers\ewusbmdm.sys [1/14/2008 10:34 PM 88960]
S3 hwusbser;HUAWEI Mobile Connect - 3G Application Interface;c:\windows\system32\drivers\ewusbser.sys [1/14/2008 10:34 PM 65152]
S3 LenovoRd;LenovoRd;c:\windows\system32\drivers\LenovoRd.sys [10/3/2007 1:12 AM 81280]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [10/19/2008 7:25 PM 38160]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [10/7/2007 9:48 PM 116664]
S3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [9/13/2006 2:42 PM 35264]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
2009-07-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:34]
2009-07-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2071645476-1119719685-3435165419-1005Core.job
- c:\documents and settings\TCS\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-02 19:18]
2009-07-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2071645476-1119719685-3435165419-1005UA.job
- c:\documents and settings\TCS\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-02 19:18]
2007-10-02 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2007-10-03 16:14]
2009-07-13 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2007-10-02 20:46]
2009-07-14 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-06 03:18]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = about:blank
uInternet Settings,ProxyServer = 172.17.109.54:8080
uInternet Settings,ProxyOverride = *ultimatix*;*indelm*;<local>;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm
IE: {{10F055B8-F443-4adf-948A-EC551E9DBCE4} - c:\documents and settings\TCS\Start Menu\Programs\UltimateBet\UltimateBet.lnk
Trusted Zone: onerateld.com
Trusted Zone: turbotax.com
Trusted Zone: ultimatix.net\www
DPF: {07AB92C1-242F-40C1-B3C5-323DCC7B68D2} - hxxps://crmappweb.ultimatix.net/sales/18382/applets/SiebelAx_HI_Client.cab
DPF: {28288D59-CEA4-466B-9A20-04AE7C686611} - hxxps://planning.ultimatix.net/cognos/contributor/controls/clientfull82.cab
DPF: {CF27E6B4-C0E0-455E-A6F1-8C88004E8976} - hxxps://planning.ultimatix.net/cognos/contributor/controls/epcwebinstaller82.cab
FF - ProfilePath - c:\documents and settings\TCS\Application Data\Mozilla\Firefox\Profiles\ciwigeu5.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\documents and settings\TCS\Application Data\Mozilla\Firefox\Profiles\ciwigeu5.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\TCS\Application Data\Mozilla\Firefox\Profiles\ciwigeu5.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\TCS\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - HiddenExtension: XUL Cache: {16B12FBB-6CCD-4DAB-B94A-37046778C294} - c:\documents and settings\TCS\Local Settings\Application Data\{16B12FBB-6CCD-4DAB-B94A-37046778C294}
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-15 17:11
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1012)
c:\windows\system32\vrlogon.dll
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\homepass.dll
c:\program files\ThinkVantage Fingerprint Software\bio.dll
c:\program files\ThinkVantage Fingerprint Software\ps2css.dll
c:\program files\ThinkVantage Fingerprint Software\remote.dll
c:\program files\Lenovo\HOTKEY\tphklock.dll
c:\program files\ThinkVantage Fingerprint Software\crypto.dll
- - - - - - - > 'lsass.exe'(1084)
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkPad\ConnectUtilities\ACGina.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACON.dll
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgr.dll
c:\program files\ThinkPad\ConnectUtilities\AcCryptHlpr.dll
c:\program files\ThinkPad\ConnectUtilities\ACTurinSupport.dll
c:\program files\ThinkPad\ConnectUtilities\AcSmBiosHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcAdaptersInfo.dll
.
Completion time: 2009-07-15 17:14
ComboFix-quarantined-files.txt 2009-07-15 22:14
ComboFix2.txt 2009-04-14 18:24
Pre-Run: 3,117,608,960 bytes free
Post-Run: 3,215,994,880 bytes free
280 --- E O F --- 2009-06-10 10:03
Thanks.
ComboFix2.txt 2009-04-14 18:24
Pre-Run: 3,117,608,960 bytes free
Post-Run: 3,215,994,880 bytes free
280 --- E O F --- 2009-06-10 10:03
#6
Posted 16 July 2009 - 12:14 PM
OK, still nothing unusual jumping out from that log.
Time to give MSRT a run out
Please download and run the MSRT>>>
http://www.microsoft...ve/default.mspx
Post back details on anything that it detects and removes.
#7
Posted 16 July 2009 - 07:02 PM
Well, I downloaded and ran MSRT but it seems to have frozen excruciatingly close to completion. I can see that the blue progress bar has completely filled out, it shows the running time as 03:48:28 and it has scanned 1762380 files. Files infected - 0. Unfortunately, it hasn't moved in the last 30 minutes or so and I'm afraid it will not produce a log file that I can share with you at this time. I'm posting this from my other machine as I re-start the infected laptop.
I'm surprised to hear you say that nothing is showing up in the logs. The reason I started this post was actually that MAB reported 5 infections but would crash when I would try to "remove selected infections". Not sure whether the original MAB log I posted shows infections of any kind?
Also, I'm not sure if running these in safe mode vs. normal mode makes any difference. I tried booting into normal mode to run MSRT but the system is just very unstable and just hangs 3-4 minutes after booting up.
I will try running MSRT again and post back with the log if it doesn't end up freezing again. In the meantime, if there is anything else you would like me to run / try, please let me know.
#8
Posted 16 July 2009 - 07:30 PM
Hi ya it is somewhat puzzling,
MBAM only picked up on some orphaned files/keys, as I suspect the active infection had already been attacked and removed.
RootRepeal and ComboFix are showing no rootkit activity, and ComboFix is not indicating that any of the system files have been patched.
I will ask for a second opinion from a couple of folks, but TBH I can't see any active malware in your logs for looking.
There is the possibility that the infection has previously corrupted something either in the OS or possibly in the installed software.
Hope to get back to you shortly on it, but for now, do you have the OS install disk available, as it might be one avenue to try to resolve the issues?
#9
Posted 17 July 2009 - 03:58 PM
Reporting back after about 24 hours of use since I last posted. Here's what's going on now:
- I ran a MAB full scan in safe mode soon after your last post and it found 3 infections which it was able to remove
- After re-starting in normal mode I ran another full scan and it found nothing this time - 0 infections
- The machine continues to be extremely unstable though - crashing and freezing frequently, mostly when I'm using any of the web browsers - IE, Chrome or Firefox
- It runs more stably in safe mode, but even in safe mode there are way too many hangs
- When booting into safe mode it now gives an error message which I think has to do with ComboFix, saying it cannot find "HIDEC.exe"
- When booting into normal mode it gives an error saying it cannot find AcSvc.exe
Unfortunately, I do not have an install kit handy so can't re-install the OS. I'm hoping you have some inputs from some of the other folks you mentioned you were going to speak with.
Below are the two MAB logs from the scans mentioned in my first two bullets. Let me know if you see anything revealing. My fear is this has now moved on from being a malware issue to being a "something's-broken-in-the-OS-but-we-can't-find-out-what", which I am sure is out of the scope of what you can help me with. Look forward to your response.
Malwarebytes' Anti-Malware 1.39
Database version: 2421
Windows 5.1.2600 Service Pack 2
7/16/2009 5:30:48 PM
mbam-log-2009-07-16 (17-30-45).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 249007
Time elapsed: 42 minute(s), 23 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Illysoft (Rogue.SpyNoMore) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Illysoft (Rogue.SpyNoMore) -> No action taken.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Malwarebytes' Anti-Malware 1.39
Database version: 2421
Windows 5.1.2600 Service Pack 2
7/16/2009 7:18:22 PM
mbam-log-2009-07-16 (19-18-22).txt
Scan type: Full Scan (C:\|)
Objects scanned: 246266
Time elapsed: 1 hour(s), 27 minute(s), 44 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
#10
Posted 17 July 2009 - 04:32 PM
Hi ya,
Unfortunately, now a few more folks are baffled... The AcSvc.exe error is strange, as the earlier HJT log shows it as being present on the computer, and even more baffling is the missing file on safe-mode booting; the file listed is not recognized as a core OS file, so it immediately becomes suspicious, but it is no longer loading.
I'm going to logically try to troubleshoot this, but at the end of the day, if I can't find active malware to attack then I'm very limited as to how I can assist in improving your situation.
Two tasks then to do (both in regular mode).
Not that I see any search hijackers onboard, but I would rather flush certain changes made by malware if they are present on your PC.
Please download GooredFix and save it to your Desktop.
http://jpshortstuff....m/GooredFix.exe
Select "2. Fix Goored" by typing 2 and pressing Enter.
Make sure all instances of Firefox are closed at this point.
Type y at the prompt and press Enter again.
A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.
Second log I would like to see:
Download and install Autoruns.
http://technet.microsoft.com/en-us/sysinte...s/bb963902.aspx
When you first run it, it will generate an extensive listing and the word "Ready" will appear in the bottom left of the software GUI.
At this point go to Options and place a check (tick) against Verify Code Signatures and Hide Microsoft & Windows Entries. Next, press the F5 button to refresh.
Once the software shows Ready status, go to the File menu. Select "Export as" and save the output file as Autoruns.txt.
Can you please then copy and paste the contents of that text file into your next reply for analysis.
Thanks in advance
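As an added example (not part of this thread, and not Sysinternals' own code), here is a small Python triage script for an Autoruns text export of the kind requested above. It does mechanically what a helper does by eye after hiding Microsoft entries and verifying signatures: it surfaces autostarts whose file is missing, entries with no publisher or description, entries launching from the user profile, and unverified signatures. It assumes the export is tab-separated (Entry, Description, Publisher, Image Path) with a "+ " prefix on enabled entries; the sample input is constructed from entries that appear in this thread.

```python
"""Triage an Autoruns text export the way a malware-removal helper reads it:
skip what is verified and present, surface the entries worth a second look.

Assumptions, constructed for this example (not from the thread or Sysinternals):
  * The export is tab-separated: Entry, Description, Publisher, Image Path.
  * A line without a tab names the autostart location (registry key, folder).
  * Enabled entries start with "+ "; when "Verify Code Signatures" is on, the
    Publisher column starts with "(Verified)" or "(Not verified)".
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample export, modelled on entries that appear in the thread.
SAMPLE_EXPORT = "\n".join([
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "+ ccApp\tSymantec User Session\t(Verified) Symantec Corporation\t"
    r"c:\program files\common files\symantec shared\ccapp.exe",
    "+ AirCardEnabler\tNetwork Adapter Manager\t(Not verified) Sierra Wireless Inc.\t"
    r"c:\program files\sierra wireless inc\network adapter manager\network adapter manager.exe",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    "+ cdloader\tmagicJack USB Softphone (cdloader2)\t(Verified) magicJack, L.P.\t"
    r"c:\documents and settings\tcs\application data\mjusbsp\cdloader2.exe",
    "+ VonageTalk\t\t\t" r"c:\program files\vonagetalk\vonagetalk.exe",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved",
    "+ Display Panning CPL Extension\t\t\tFile not found: deskpan.dll",
    r"HKLM\System\CurrentControlSet\Services",
    "+ AcSvc\tAccess Connections Main Service\t(Not verified) Lenovo\t"
    r"c:\program files\thinkpad\connectutilities\acsvc.exe",
    "+ PEVSystemStart\t\t\tFile not found: start",
])


@dataclass
class Entry:
    location: str
    name: str
    description: str
    publisher: str
    image_path: str
    enabled: bool = True


@dataclass
class Finding:
    entry: Entry
    reasons: List[str] = field(default_factory=list)
    severity: int = 0


# Higher number = look at it sooner.
SEVERITY: Dict[str, int] = {
    "no-publisher": 3,          # nothing at all to attribute the binary to
    "user-profile-path": 2,     # autostart from a per-user, writable folder
    "missing-file": 2,          # orphaned autostart left behind by a removal
    "unverified-signature": 1,  # vendor code without a verifiable signature
}
# Lower-cased substrings that mark a path inside a Windows XP user profile.
USER_PROFILE_MARKERS = ("\\documents and settings\\", "\\application data\\", "\\local settings\\")


def parse_export(text: str) -> List[Entry]:
    """Turn the export into Entry records, tracking the current location header."""
    entries: List[Entry] = []
    location = ""
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        if not line.strip():
            continue
        if "\t" not in line:
            location = line.strip()   # section header: the autostart location
            continue
        enabled = True
        if line.startswith("+ "):
            line = line[2:]
        elif line.startswith("X "):   # assumption: Autoruns marks disabled entries this way
            enabled = False
            line = line[2:]
        cols = (line.split("\t") + ["", "", "", ""])[:4]
        name, desc, pub, path = (c.strip() for c in cols)
        entries.append(Entry(location, name, desc, pub, path, enabled))
    return entries


def classify(e: Entry) -> List[str]:
    """Reasons an entry deserves a second look; empty list means 'skip it'."""
    path_l = e.image_path.lower()
    if path_l.startswith("file not found"):
        return ["missing-file"]       # nothing to sign or attribute: orphan
    reasons: List[str] = []
    if any(m in path_l for m in USER_PROFILE_MARKERS):
        reasons.append("user-profile-path")
    if not e.publisher and not e.description:
        reasons.append("no-publisher")
    elif e.publisher.lower().startswith("(not verified)"):
        reasons.append("unverified-signature")
    return reasons


def triage(text: str) -> List[Finding]:
    """Return only entries with at least one reason, most suspicious first."""
    findings: List[Finding] = []
    for e in parse_export(text):
        reasons = classify(e)
        if reasons:
            findings.append(Finding(e, reasons, max(SEVERITY[r] for r in reasons)))
    findings.sort(key=lambda f: -f.severity)   # stable: keeps export order within a tier
    return findings


def reasons_for(findings: List[Finding], name: str) -> List[str]:
    return next((f.reasons for f in findings if f.entry.name == name), [])


def report(text: str) -> str:
    lines = []
    for f in triage(text):
        e = f.entry
        lines.append(f"[{f.severity}] {e.name} ({', '.join(f.reasons)})\n"
                     f"      at {e.location}\n      -> {e.image_path}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_EXPORT))
```

A "Not verified" hit on its own is weak evidence (plenty of legitimate OEM software is unsigned), which is why it sorts last; the no-publisher and user-profile hits are the ones to look up before deciding anything.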
#11
Posted 17 July 2009 - 05:10 PM
Hi! Both logs are appended below. On a related note though, as soon as I started up and before I ran either of the two tools you shared, Spybot popped up the following alert:
Category: System Startup global entry
Change: Value Deleted
Entry: UserFaultCheck
Old Data: %systemroot%\system32\dumprep 0 -u
I don't know whether to accept or deny this change - so if you know what this is, let me know.
Here are the logs:
GooredFix by jpshortstuff (12.07.09)
Log created at 11:43 on 17/07/2009 (TCS)
Firefox version 3.0.9 (en-US)
========== GooredScan ==========
Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{16B12FBB-6CCD-4DAB-B94A-37046778C294} -> Success!
Deleting C:\Documents and Settings\TCS\Local Settings\Application Data\{16B12FBB-6CCD-4DAB-B94A-37046778C294} -> Success!
C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [11:43 19/10/2007]
{B13721C7-F507-4982-B2E5-502A71474FED} [12:44 28/10/2008]
{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} [15:34 07/03/2008]
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [15:08 11/08/2008]
{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} [22:59 14/12/2008]
{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [18:27 27/03/2009]
[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [22:59 14/12/2008]
-=E.O.F=-
Autoruns
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ Adobe Reader Speed Launcher Adobe Acrobat SpeedLauncher (Verified) Adobe Systems, Incorporated c:\program files\adobe\reader 8.0\reader\reader_sl.exe
+ AdobeCS4ServiceManager Adobe CS4 Service Manager (Verified) Adobe Systems Incorporated c:\program files\common files\adobe\cs4servicemanager\cs4servicemanager.exe
+ AirCardEnabler Network Adapter Manager (Not verified) Sierra Wireless Inc. c:\program files\sierra wireless inc\network adapter manager\network adapter manager.exe
+ ccApp Symantec User Session (Verified) Symantec Corporation c:\program files\common files\symantec shared\ccapp.exe
+ HP Software Update Hewlett-Packard Product Assistant (Not verified) Hewlett-Packard Co. c:\program files\hp\hp software update\hpwuschd2.exe
+ iTunesHelper iTunesHelper Module (Verified) Apple Inc. c:\program files\itunes\ituneshelper.exe
+ MaxMenuMgr FreeAgent™ Launcher (Verified) Seagate Technology, LLC c:\program files\seagate\seagatemanager\freeagent status\stxmenumgr.exe
+ QuickTime Task QuickTime Task (Not verified) Apple Inc. c:\program files\quicktime\qttask.exe
+ SunJavaUpdateSched Java Platform SE binary (Verified) Sun Microsystems, Inc. c:\program files\java\jre6\bin\jusched.exe
+ TkBellExe RealNetworks Scheduler (Verified) RealNetworks, Inc. c:\program files\common files\real\update_ob\realsched.exe
+ vptray Symantec AntiVirus (Verified) Symantec Corporation c:\program files\symantec antivirus\vptray.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
+ Air Mouse.lnk AirMouse c:\program files\air mouse\air mouse\air mouse.exe
+ Bluetooth.lnk Bluetooth Tray Application (Verified) Broadcom Corporation c:\program files\thinkpad\bluetooth software\bttray.exe
+ HP Digital Imaging Monitor.lnk HP Digital Imaging Monitor (Verified) Hewlett Packard c:\program files\hp\digital imaging\bin\hpqtra08.exe
+ WinZip Quick Pick.lnk WinZip Executable (Not verified) WinZip Computing, Inc. c:\program files\winzip\wzqkpick.exe
C:\Documents and Settings\TCS\Start Menu\Programs\Startup
+ Adobe Gamma.lnk Adobe Gamma Loader (Not verified) Adobe Systems, Inc. c:\program files\common files\adobe\calibration\adobe gamma loader.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
+ cdloader magicJack USB Softphone (cdloader2) (Verified) magicJack, L.P. c:\documents and settings\tcs\application data\mjusbsp\cdloader2.exe
+ Google Update Google Installer (Verified) Google Inc c:\documents and settings\tcs\local settings\application data\google\update\googleupdate.exe
+ PTOneClick WebEx One-Click Application (Verified) WebEx Communications Inc. c:\program files\webex\productivity tools\ptoneclk.exe
+ SpybotSD TeaTimer System settings protector (Verified) Safer Networking Ltd. c:\program files\spybot - search & destroy\teatimer.exe
+ VonageTalk c:\program files\vonagetalk\vonagetalk.exe
HKLM\SOFTWARE\Classes\Protocols\Filter
+ x-sdch Fast Search (Verified) Google Inc c:\program files\google\google toolbar\component\fastsearch_a8904fb862bd9564.dll
HKLM\SOFTWARE\Classes\Protocols\Handler
+ ms-itss Microsoft® InfoTech Storage System Library (Not verified) Microsoft Corporation c:\program files\common files\microsoft shared\information retrieval\msitss.dll
+ skype4com Skype for COM API (Verified) Skype Technologies SA c:\program files\common files\skype\skype4com.dll
HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers
+ LDVPMenu Symantec AntiVirus (Verified) Symantec Corporation c:\program files\common files\symantec shared\ssc\vpshell2.dll
+ WinRAR c:\program files\winrar\rarext.dll
+ WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing, Inc. c:\program files\winzip\wzshlstb.dll
HKLM\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers
+ MBAMShlExt Malwarebytes' Anti-Malware (Verified) Malwarebytes Corporation c:\program files\malwarebytes' anti-malware\mbamext.dll
HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers
+ WinRAR c:\program files\winrar\rarext.dll
+ WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing, Inc. c:\program files\winzip\wzshlstb.dll
HKLM\Software\Classes\Directory\Shellex\DragDropHandlers
+ WinRAR c:\program files\winrar\rarext.dll
+ WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing, Inc. c:\program files\winzip\wzshlstb.dll
HKLM\Software\Classes\Directory\Shellex\CopyHookHandlers
+ Monitor BTNCopy Module (Not verified) Broadcom Corporation. c:\windows\system32\btncopy.dll
HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
+ CDR Column Provider Windows XP Shell Extension (Verified) Corel Corporation c:\program files\common files\corel\shared\shell extension\shellxp.dll
+ PDF Shell Extension PDF Shell Extension (Not verified) Adobe Systems, Inc. c:\program files\common files\adobe\acrobat\activex\pdfshell.dll
HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers
+ LDVPMenu Symantec AntiVirus (Verified) Symantec Corporation c:\program files\common files\symantec shared\ssc\vpshell2.dll
+ MBAMShlExt Malwarebytes' Anti-Malware (Verified) Malwarebytes Corporation c:\program files\malwarebytes' anti-malware\mbamext.dll
+ WinRAR c:\program files\winrar\rarext.dll
+ WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing, Inc. c:\program files\winzip\wzshlstb.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
+ 7-Zip Shell Extension (Verified) Lenovo (Japan) Ltd c:\program files\thinkvantage\sma\7z\7-zip.dll
+ CDR Icon Handler Windows XP Shell Extension (Verified) Corel Corporation c:\program files\common files\corel\shared\shell extension\shellxp.dll
+ CDR Property Handler Windows XP Shell Extension (Verified) Corel Corporation c:\program files\common files\corel\shared\shell extension\shellxp.dll
+ CDR Property Sheet Windows XP Shell Extension (Verified) Corel Corporation c:\program files\common files\corel\shared\shell extension\shellxp.dll
+ CDR Thumbnail Provider Windows XP Shell Extension (Verified) Corel Corporation c:\program files\common files\corel\shared\shell extension\shellxp.dll
+ CMX Icon Handler Windows XP Shell Extension (Verified) Corel Corporation c:\program files\common files\corel\shared\shell extension\shellxp.dll
+ CMX Property Sheet Windows XP Shell Extension (Verified) Corel Corporation c:\program files\common files\corel\shared\shell extension\shellxp.dll
+ CMX Thumbnail Provider Windows XP Shell Extension (Verified) Corel Corporation c:\program files\common files\corel\shared\shell extension\shellxp.dll
+ CPT Icon Handler Windows XP Shell Extension (Verified) Corel Corporation c:\program files\common files\corel\shared\shell extension\shellxp.dll
+ CPT Property Handler Windows XP Shell Extension (Verified) Corel Corporation c:\program files\common files\corel\shared\shell extension\shellxp.dll
+ CPT Property Sheet Windows XP Shell Extension (Verified) Corel Corporation c:\program files\common files\corel\shared\shell extension\shellxp.dll
+ CPT Thumbnail Provider Windows XP Shell Extension (Verified) Corel Corporation c:\program files\common files\corel\shared\shell extension\shellxp.dll
+ Display Panning CPL Extension File not found: deskpan.dll
+ DriveLetterAccess Drive Letter Access Component (Not verified) Sonic Solutions c:\windows\system32\dla\dlashx_w.dll
+ iTunes iTunes Mini Player DLL (Verified) Apple Inc. c:\program files\itunes\itunesminiplayer.dll
+ LDVP Shell Extensions Symantec AntiVirus (Verified) Symantec Corporation c:\program files\common files\symantec shared\ssc\vpshell2.dll
+ Monitor BTNCopy Module (Not verified) Broadcom Corporation. c:\windows\system32\btncopy.dll
+ My Bluetooth Places BTNeighborhood DLL (Not verified) Broadcom Corporation. c:\windows\system32\btneighborhood.dll
+ Shell Extensions for RealOne Player RealPlayer Shell Extensions (Verified) RealNetworks, Inc. c:\program files\real\realplayer\rpshell.dll
+ UnlockerShellExtension c:\program files\unlocker\unlockercom.dll
+ WinRAR shell extension c:\program files\winrar\rarext.dll
+ WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing, Inc. c:\program files\winzip\wzshlstb.dll
+ WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing, Inc. c:\program files\winzip\wzshlstb.dll
+ WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing, Inc. c:\program files\winzip\wzshlstb.dll
+ WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing, Inc. c:\program files\winzip\wzshlstb.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
+ Adobe PDF Reader Link Helper Adobe PDF Helper for Internet Explorer (Verified) Adobe Systems, Incorporated c:\program files\common files\adobe\acrobat\activex\acroiehelper.dll
+ CPwmIEBrowserHelper Object Password Manager IE Browser Helper Object (Verified) Lenovo (United States) Inc. c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
+ DriveLetterAccess Drive Letter Access Component (Not verified) Sonic Solutions c:\windows\system32\dla\dlashx_w.dll
+ HP Print Clips Leo (Framework) - add-on for Internet Explorer (Verified) Hewlett-Packard Company c:\program files\hp\smart web printing\hpswp_framework.dll
+ HP Print Enhancer hpswp_printenhancer dll (Verified) Hewlett-Packard Company c:\program files\hp\smart web printing\hpswp_printenhancer.dll
+ Java Plug-In 2 SSV Helper Java Platform SE binary (Not verified) Sun Microsystems, Inc. c:\program files\java\jre6\bin\jp2ssv.dll
+ JQSIEStartDetectorImpl Class Java Quick Starter binary (Not verified) Sun Microsystems, Inc. c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
+ Spybot-S&D IE Protection SBSD IE Protection (Verified) Safer Networking Ltd. c:\program files\spybot - search & destroy\sdhelper.dll
HKLM\Software\Microsoft\Internet Explorer\Extensions
+ Send to &Bluetooth Device... c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
+ UltimateBet c:\documents and settings\tcs\start menu\programs\ultimatebet\ultimatebet.lnk
Task Scheduler
+ AppleSoftwareUpdate.job Apple Software Update (Verified) Apple Inc. c:\program files\apple software update\softwareupdate.exe
+ GoogleUpdateTaskUserS-1-5-21-2071645476-1119719685-3435165419-1005Core.job Google Installer (Verified) Google Inc c:\documents and settings\tcs\local settings\application data\google\update\googleupdate.exe
+ GoogleUpdateTaskUserS-1-5-21-2071645476-1119719685-3435165419-1005UA.job Google Installer (Verified) Google Inc c:\documents and settings\tcs\local settings\application data\google\update\googleupdate.exe
+ PMTask.job c:\program files\thinkpad\utilities\pwmidtsk.exe
+ Spybot - Search & Destroy - Scheduled Task.job Spybot - Search & Destroy (Verified) Safer Networking Ltd. c:\program files\spybot - search & destroy\spybotsd.exe
HKLM\System\CurrentControlSet\Services
+ AcPrfMgrSvc Access Connections Profile Manager Service (Not verified) Lenovo c:\program files\thinkpad\connectutilities\acprfmgrsvc.exe
+ AcSvc Access Connections Main Service (Not verified) Lenovo c:\program files\thinkpad\connectutilities\acsvc.exe
+ Adobe LM Service AdobeLM Service (Not verified) Adobe Systems c:\program files\common files\adobe systems shared\service\adobelmsvc.exe
+ Apple Mobile Device Provides the interface to Apple mobile devices. (Verified) Apple Inc. c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe
+ Bonjour Service Bonjour allows applications like iTunes and Safari to advertise and discover services on the local network. Having Bonjour running enables you to connect to hardware devices like Apple TV and software services like iTunes sharing and AirTunes. If you disable Bonjour, any network service that explicitly depends on it will fail to start. (Verified) Apple Inc. c:\program files\bonjour\mdnsresponder.exe
+ btwdins Handles installation and removal of Bluetooth devices. (Verified) Broadcom Corporation c:\program files\thinkpad\bluetooth software\bin\btwdins.exe
+ ccEvtMgr Event propagation and logging service (Verified) Symantec Corporation c:\program files\common files\symantec shared\ccevtmgr.exe
+ ccSetMgr Settings storage and management service (Verified) Symantec Corporation c:\program files\common files\symantec shared\ccsetmgr.exe
+ DefWatch Monitors and maintains virus definitions. (Verified) Symantec Corporation c:\program files\symantec antivirus\defwatch.exe
+ EvtEng Manages the event trace messages for all the components of Intel® PROSet/Wireless software. (Not verified) Intel Corporation c:\program files\intel\wireless\bin\evteng.exe
+ FLEXnet Licensing Service This service performs licensing functions on behalf of FLEXnet enabled products. (Verified) Acresso Software Inc. c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe
+ FreeAgentGoNext Service Seagate Service (Verified) Seagate Technology, LLC c:\program files\seagate\seagatemanager\sync\freeagentservice.exe
+ gusvc Google Updater keeps your Google software up to date. If Google Updater Service is disabled or stopped, your Google software will not be kept up to date, meaning security vulnerabilities that may arise cannot be fixed and features may not work. (Verified) Google Inc c:\program files\google\common\google updater\googleupdaterservice.exe
+ hpqcxs08 HP CUE Context Manager Objects (Not verified) Hewlett-Packard Co. c:\program files\hp\digital imaging\bin\hpqcxs08.dll
+ hpqddsvc This service detects and monitors CUE devices on the system. (Not verified) Hewlett-Packard Co. c:\program files\hp\digital imaging\bin\hpqddsvc.dll
+ IDriverT Provides support for the Running Object Table for InstallShield Drivers (Not verified) Macrovision Corporation c:\program files\common files\installshield\driver\1050\intel 32\idrivert.exe
+ idsvc Securely enables the creation, management, and disclosure of digital identities. (Not verified) Microsoft Corporation c:\windows\microsoft.net\framework\v3.0\windows communication foundation\infocard.exe
+ iPod Service iPod hardware management services (Verified) Apple Inc. c:\program files\ipod\bin\ipodservice.exe
+ IPSSVC IPS Core Service (Verified) Lenovo (Japan) Ltd. c:\windows\system32\ipssvc.exe
+ JavaQuickStarterService Prefetches JRE files for faster startup of Java applets and applications (Verified) Sun Microsystems, Inc. c:\program files\java\jre6\bin\jqs.exe
+ libusbd LibUsb-Win32 - Generic USB Library (Not verified) http://libusb-win32.sourceforge.net c:\windows\system32\libusbd-nt.exe
+ LiveUpdate LiveUpdate Core Engine (Verified) Symantec Corporation c:\program files\symantec\liveupdate\lucomserver_3_2.exe
+ Lotus Notes Single Logon IBM Lotus Notes/Domino (Not verified) IBM Corp c:\windows\system32\nslsvice.exe
+ Multi-user Cleanup Service IBM Lotus Notes/Domino (Not verified) IBM Corp c:\lotus\notes\ntmulti.exe
+ Net Driver HPZ12 Dot4Net Module (Not verified) Hewlett-Packard c:\windows\system32\hpzinw12.dll
+ PEVSystemStart File not found: start
+ Pml Driver HPZ12 PmlDrv Module (Not verified) Hewlett-Packard c:\windows\system32\hpzipm12.dll
+ PSI_SVC_2 This service provides Protexis licensing functionalty. (Verified) Protexis Inc. c:\program files\common files\protexis\license service\psiservice_2.exe
+ RegSrvc Intel® PROSet/Wireless Registry Service (Not verified) Intel Corporation c:\program files\intel\wireless\bin\regsrvc.exe
+ S24EventMonitor Wireless Management Service for Intel® PROSet/Wireless (Not verified) Intel Corporation c:\program files\intel\wireless\bin\s24evmon.exe
+ SavRoam Symantec AntiVirus Roaming Service (Verified) Symantec Corporation c:\program files\symantec antivirus\savroam.exe
+ SNDSrvc Symantec Network Drivers Service (Verified) Symantec Corporation c:\program files\common files\symantec shared\sndsrvc.exe
+ SPBBCSvc Symantec SPBBC (Verified) Symantec Corporation c:\program files\common files\symantec shared\spbbc\spbbcsvc.exe
+ SUService (Not verified) c:\program files\lenovo\system update\suservice.exe
+ Symantec AntiVirus Provides real-time virus scanning, reporting, and management functionality for Symantec AntiVirus. (Verified) Symantec Corporation c:\program files\symantec antivirus\rtvscan.exe
+ ThinkVantage Registry Monitor Service ThinkVantage Registry Monitor Service (Verified) Lenovo (United States) Inc. c:\program files\common files\lenovo\tvt_reg_monitor_svc.exe
+ TPHDEXLGSVC ThinkVantage Active Protection System - HDD Logger Module (Verified) Lenovo (Japan) Ltd. c:\windows\system32\tphdexlg.exe
+ TSSCoreService tvttcsd Application (Verified) Lenovo (United States) Inc. c:\program files\lenovo\client security solution\tvttcsd.exe
+ TVersityMediaServer c:\program files\tversity\media server\mediaserver.exe
+ TVT Scheduler ThinkVantage Scheduler (Not verified) Lenovo Group Limited c:\program files\common files\lenovo\scheduler\tvtsched.exe
+ UTSCSI UTSCSI Application c:\windows\system32\utscsi.exe
HKLM\System\CurrentControlSet\Services
+ AegisP AEGIS Protocol (IEEE 802.1x) v3.6.0.0 (Not verified) Meetinghouse Data Communications c:\windows\system32\drivers\aegisp.sys
+ ANC IBM Access Connections - ANC (Not verified) IBM Corp. c:\windows\system32\drivers\anc.sys
+ ASPI ASPI for WIN32 Kernel Driver (Not verified) Adaptec c:\windows\system32\drivers\aspi32.sys
+ catchme File not found: C:\DOCUME~1\TCS\LOCALS~1\Temp\catchme.sys
+ Changer File not found: C:\WINDOWS\System32\Drivers\Changer.sys
+ DLABOIOM Drive Letter Access Component (Not verified) Sonic Solutions c:\windows\system32\dla\dlaboiom.sys
+ DLACDBHM Shared Driver Component (Not verified) Sonic Solutions c:\windows\system32\drivers\dlacdbhm.sys
+ DLADResN Drive Letter Access Component (Not verified) Sonic Solutions c:\windows\system32\dla\dladresn.sys
+ DLAIFS_M Drive Letter Access Component (Not verified) Sonic Solutions c:\windows\system32\dla\dlaifs_m.sys
+ DLAOPIOM Drive Letter Access Component (Not verified) Sonic Solutions c:\windows\system32\dla\dlaopiom.sys
+ DLAPoolM Drive Letter Access Component (Not verified) Sonic Solutions c:\windows\system32\dla\dlapoolm.sys
+ DLARTL_N Shared Driver Component (Not verified) Sonic Solutions c:\windows\system32\drivers\dlartl_n.sys
+ DLAUDF_M Drive Letter Access Component (Not verified) Sonic Solutions c:\windows\system32\dla\dlaudf_m.sys
+ DLAUDFAM Drive Letter Access Component (Not verified) Sonic Solutions c:\windows\system32\dla\dlaudfam.sys
+ DRVMCDB Device Driver (Not verified) Sonic Solutions c:\windows\system32\drivers\drvmcdb.sys
+ DRVNDDM Device Driver Manager (Not verified) Sonic Solutions c:\windows\system32\drivers\drvnddm.sys
+ eeCtrl Symantec Eraser Control Driver (Verified) Symantec Corporation c:\program files\common files\symantec shared\eengine\eectrl.sys
+ EraserUtilRebootDrv Symantec Eraser Utility Driver (Verified) Symantec Corporation c:\program files\common files\symantec shared\eengine\eraserutilrebootdrv.sys
+ hwcdcmdm0 USB Modem/Serial Device Driver (Not verified) Huawei Technologies Co., Ltd. c:\windows\system32\drivers\ewusbmdm.sys
+ hwdatacard USB Modem/Serial Device Driver (Not verified) Huawei Technologies Co., Ltd. c:\windows\system32\drivers\ewusbmdm.sys
+ hwusbser USB Modem/Serial Device Driver (Not verified) QUALCOMM Incorporated c:\windows\system32\drivers\ewusbser.sys
+ IBMTPCHK c:\windows\system32\drivers\ibmbldid.sys
+ lbrtfdc File not found: C:\WINDOWS\System32\Drivers\lbrtfdc.sys
+ libusb0 c:\windows\system32\drivers\libusb0.sys
+ NAVENG AV Engine (Verified) Symantec Corporation c:\program files\common files\symantec shared\virusdefs\20090710.003\naveng.sys
+ NAVEX15 AV Engine (Verified) Symantec Corporation c:\program files\common files\symantec shared\virusdefs\20090710.003\navex15.sys
+ PCIDump File not found: C:\WINDOWS\System32\Drivers\PCIDump.sys
+ PDCOMP File not found: C:\WINDOWS\System32\Drivers\PDCOMP.sys
+ PDFRAME File not found: C:\WINDOWS\System32\Drivers\PDFRAME.sys
+ PDRELI File not found: C:\WINDOWS\System32\Drivers\PDRELI.sys
+ PDRFRAME File not found: C:\WINDOWS\System32\Drivers\PDRFRAME.sys
+ pmem Physical Memory Driver (Not verified) Microsoft Corporation c:\windows\system32\drivers\pmemnt.sys
+ PxHelp20 Px Engine Device Driver for Windows 2000/XP (Verified) Sonic Solutions c:\windows\system32\drivers\pxhelp20.sys
+ s24trans WLAN Transport (Not verified) Intel Corporation c:\windows\system32\drivers\s24trans.sys
+ SAVRT AutoProtect (Verified) Symantec Corporation c:\program files\symantec antivirus\savrt.sys
+ SAVRTPEL SAVRTPEL (Verified) Symantec Corporation c:\program files\symantec antivirus\savrtpel.sys
+ Shockprf Shockproof Disk Driver (Verified) Lenovo (Japan) Ltd. c:\windows\system32\drivers\apsx86.sys
+ smihlp SMI helper driver (Verified) UPEK Inc. c:\program files\common files\thinkvantage fingerprint software\drivers\smihlp.sys
+ SPBBCDrv SPBBC Driver (Verified) Symantec Corporation c:\program files\common files\symantec shared\spbbc\spbbcdrv.sys
+ SymEvent Symantec Event Library (Verified) Symantec Corporation c:\windows\system32\drivers\symevent.sys
+ SYMREDRV Redirector Filter Driver (Verified) Symantec Corporation c:\windows\system32\drivers\symredrv.sys
+ SYMTDI Network Dispatch Driver (Verified) Symantec Corporation c:\windows\system32\drivers\symtdi.sys
+ tmcomm TrendMicro Common Module (Verified) Trend Micro, Inc. c:\windows\system32\drivers\tmcomm.sys
+ TPDIGIMN APS Digitizer Activity Monitor (Verified) Lenovo (Japan) Ltd. c:\windows\system32\drivers\apshm86.sys
+ TPPWRIF c:\windows\system32\drivers\tppwrif.sys
+ TSMAPIP (Verified) Lenovo (Japan) Ltd. c:\windows\system32\drivers\tsmapip.sys
+ TVTPktFilter File not found: system32\DRIVERS\tvtpktfilter.sys
+ UIUSys File not found: system32\DRIVERS\UIUSYS.SYS
+ WDICA File not found: C:\WINDOWS\System32\Drivers\WDICA.sys
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
+ msacm.ac3filter c:\windows\system32\ac3filter.acm
+ vidc.DIVX DivX (Not verified) DivX, Inc. c:\windows\system32\divx.dll
+ VIDC.FFDS c:\windows\system32\ff_vfw.dll
+ VIDC.WMV3 Windows Media Video 9 VCM (Not verified) Microsoft Corporation c:\windows\system32\wmv9vcm.dll
+ vidc.XVID File not found: xvidvfw.dll
+ vidc.yv12 DivX (Not verified) DivX, Inc. c:\windows\system32\divx.dll
HKLM\Software\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance
+ AC3Filter File not found: C:\Program Files\Cucusoft\iPhone-converter\Filter\ac3filter.ax
+ Cucusoft DataExtractor 5 (2007.4) File not found: C:\Program Files\Cucusoft\iPhone-converter\DataExt.dll
+ DivX Decoder Filter DivX® Decoder Filter (Not verified) DivX, Inc. c:\windows\system32\divxdec.ax
+ DivX Demux DivX® Media Filter (Not verified) DivXNetworks c:\windows\system32\divxmedia.ax
+ DivX Subtitle Decoder DivX® Media Filter (Not verified) DivXNetworks c:\windows\system32\divxmedia.ax
+ ffdshow Audio Decoder DirectShow and VFW video and audio decoding/encoding/processing filter c:\program files\ffdshow\ffdshow.ax
+ ffdshow Audio Processor DirectShow and VFW video and audio decoding/encoding/processing filter c:\program files\ffdshow\ffdshow.ax
+ ffdshow raw video filter DirectShow and VFW video and audio decoding/encoding/processing filter c:\program files\ffdshow\ffdshow.ax
+ ffdshow Video Decoder DirectShow and VFW video and audio decoding/encoding/processing filter c:\program files\ffdshow\ffdshow.ax
+ FLV Source FLV Splitter (Not verified) Gabest c:\program files\tversity codec pack\flvsplitter.ax
+ FLV Splitter FLV Splitter (Not verified) Gabest c:\program files\tversity codec pack\flvsplitter.ax
+ FLV4 Video Decoder FLV Splitter (Not verified) Gabest c:\program files\tversity codec pack\flvsplitter.ax
+ HP VTK Frame Grabber Filter HP Video Toolkit (Not verified) Hewlett-Packard Co. c:\program files\common files\hp\digital imaging\bin\hpqvtk01.dll
+ HP VTK MPEG-1 Encoder HP Video Toolkit (Not verified) Hewlett-Packard Co. c:\program files\common files\hp\digital imaging\bin\hpqvtk01.dll
+ HP VTK Resize Filter HP Video Toolkit (Not verified) Hewlett-Packard Co. c:\program files\common files\hp\digital imaging\bin\hpqvtk01.dll
+ HP VTK Rotate Filter HP Video Toolkit (Not verified) Hewlett-Packard Co. c:\program files\common files\hp\digital imaging\bin\hpqvtk01.dll
+ InterVideo Audio Decoder IVIAUDIO (Not verified) InterVideo Inc. c:\program files\intervideo\common\bin\iviaudio.ax
+ InterVideo Audio Processor c:\program files\intervideo\common\bin\iviaudioprocess.ax
+ InterVideo Navigator IVINAV (Not verified) InterVideo Inc. c:\program files\intervideo\common\bin\ivinav.ax
+ InterVideo Video Decoder IVIVIDEO (Not verified) InterVideo Inc. c:\program files\intervideo\common\bin\ivivideo.ax
+ Microsoft MPEG-4 Video Decompressor Microsoft MPEG-4 Video Decompressor (Not verified) Microsoft Corporation c:\windows\system32\mp4sds32.ax
+ MP4 Source MP4 Splitter (Not verified) Gabest c:\program files\tversity codec pack\mp4splitter.ax
+ MP4 Splitter MP4 Splitter (Not verified) Gabest c:\program files\tversity codec pack\mp4splitter.ax
+ Mpa Source Mpa Splitter (Not verified) Gabest c:\program files\tversity codec pack\mpasplitter.ax
+ Mpa Splitter Mpa Splitter (Not verified) Gabest c:\program files\tversity codec pack\mpasplitter.ax
+ MPEG4 Video Source MP4 Splitter (Not verified) Gabest c:\program files\tversity codec pack\mp4splitter.ax
+ MPEG4 Video Splitter MP4 Splitter (Not verified) Gabest c:\program files\tversity codec pack\mp4splitter.ax
+ QTSrc CLQTSrc (Not verified) Cyberlink c:\program files\cucusoft\iphone-converter\filter\quicktime.dll
+ RealAudio Decoder RealMedia Splitter (Not verified) Gabest c:\program files\cucusoft\iphone-converter\filter\realmedia.dll
+ RealMedia Source RealMedia Splitter (Not verified) Gabest c:\program files\cucusoft\iphone-converter\filter\realmedia.dll
+ RealMedia Splitter RealMedia Splitter (Not verified) Gabest c:\program files\cucusoft\iphone-converter\filter\realmedia.dll
+ RealPlayer Audio Filter Audio Filter Plugin (Verified) RealNetworks, Inc. c:\program files\real\realplayer\rdsf3260.dll
+ RealPlayer Transcode Filter Audio Filter Plugin (Verified) RealNetworks, Inc. c:\program files\real\realplayer\rdsf3260.dll
+ RealPlayer Video Filter Audio Filter Plugin (Verified) RealNetworks, Inc. c:\program files\real\realplayer\rdsf3260.dll
+ RealVideo Decoder RealMedia Splitter (Not verified) Gabest c:\program files\cucusoft\iphone-converter\filter\realmedia.dll
+ Windows Media Audio Voice v9 Decoder Windows Media Audio Voice Decoder (Not verified) Microsoft Corporation c:\windows\system32\wmavds32.ax
+ XviD MPEG-4 Video Decoder File not found: C:\WINDOWS\system32\xvid.ax
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
+ ACNotify Access Connections Notify Support Module (Not verified) Lenovo c:\program files\thinkpad\connectutilities\acnotify.dll
+ NavLogon Symantec AntiVirus Logon Notification (Verified) Symantec Corporation c:\windows\system32\navlogon.dll
+ psfus Logon stub (Not verified) UPEK Inc. c:\windows\system32\psqlpwd.dll
+ tpfnf2 (Verified) Lenovo (Japan) Ltd c:\program files\lenovo\hotkey\notifyf2.dll
+ tphotkey c:\program files\lenovo\hotkey\tphklock.dll
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL
+ vrlogon.dll GINA replacement (Not verified) UPEK Inc. c:\windows\system32\vrlogon.dll
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries
+ mdnsNSP Bonjour Namespace Provider (Not verified) Apple Inc. c:\program files\bonjour\mdnsnsp.dll
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
+ Bluetooth Printer Port bthcrp DLL (Not verified) Broadcom Corporation. c:\windows\system32\bthcrp.dll
+ CutePDF Writer Monitor (Verified) Acro Software Inc. c:\windows\system32\cpwmon2k.dll
+ HP Standard TCP/IP Port Standard TCP/IP Port Monitor DLL (Not verified) Hewlett Packard c:\windows\system32\hptcpmon.dll
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders
+ msapsspc.dll DPA Client for 32 bit platforms (Not verified) Microsoft Corporation c:\windows\system32\msapsspc.dll
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
+ ACGina Access Connections Gina Module (Not verified) Lenovo c:\program files\thinkpad\connectutilities\acgina.dll
+ psqlpwd Logon stub (Not verified) UPEK Inc. c:\windows\system32\psqlpwd.dll
HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order
+ npnotes Lotus Notes Single Logon (Not verified) Lotus Development c:\windows\system32\npnotes.dll
+ RDPNP Microsoft Terminal Services (Not verified) Microsoft Corporation c:\windows\system32\drprov.dll
Category: System Startup global entry
Change: Value Deleted
Entry: UserFaultCheck
Old Data: %systemroot%\system32\dumprep 0 -u
I don't know whether to accept or deny this change - so if you know what this is, let me know.
Here are the logs:
GooredFix by jpshortstuff (12.07.09)
Log created at 11:43 on 17/07/2009 (TCS)
Firefox version 3.0.9 (en-US)
========== GooredScan ==========
Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{16B12FBB-6CCD-4DAB-B94A-37046778C294} -> Success!
Deleting C:\Documents and Settings\TCS\Local Settings\Application Data\{16B12FBB-6CCD-4DAB-B94A-37046778C294} -> Success!
C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [11:43 19/10/2007]
{B13721C7-F507-4982-B2E5-502A71474FED} [12:44 28/10/2008]
{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} [15:34 07/03/2008]
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [15:08 11/08/2008]
{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} [22:59 14/12/2008]
{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [18:27 27/03/2009]
[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [22:59 14/12/2008]
-=E.O.F=-
Autoruns
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ Adobe Reader Speed Launcher Adobe Acrobat SpeedLauncher (Verified) Adobe Systems, Incorporated c:\program files\adobe\reader 8.0\reader\reader_sl.exe
+ AdobeCS4ServiceManager Adobe CS4 Service Manager (Verified) Adobe Systems Incorporated c:\program files\common files\adobe\cs4servicemanager\cs4servicemanager.exe
+ AirCardEnabler Network Adapter Manager (Not verified) Sierra Wireless Inc. c:\program files\sierra wireless inc\network adapter manager\network adapter manager.exe
+ ccApp Symantec User Session (Verified) Symantec Corporation c:\program files\common files\symantec shared\ccapp.exe
+ HP Software Update Hewlett-Packard Product Assistant (Not verified) Hewlett-Packard Co. c:\program files\hp\hp software update\hpwuschd2.exe
+ iTunesHelper iTunesHelper Module (Verified) Apple Inc. c:\program files\itunes\ituneshelper.exe
+ MaxMenuMgr FreeAgent™ Launcher (Verified) Seagate Technology, LLC c:\program files\seagate\seagatemanager\freeagent status\stxmenumgr.exe
+ QuickTime Task QuickTime Task (Not verified) Apple Inc. c:\program files\quicktime\qttask.exe
+ SunJavaUpdateSched Java Platform SE binary (Verified) Sun Microsystems, Inc. c:\program files\java\jre6\bin\jusched.exe
+ TkBellExe RealNetworks Scheduler (Verified) RealNetworks, Inc. c:\program files\common files\real\update_ob\realsched.exe
+ vptray Symantec AntiVirus (Verified) Symantec Corporation c:\program files\symantec antivirus\vptray.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
+ Air Mouse.lnk AirMouse c:\program files\air mouse\air mouse\air mouse.exe
+ Bluetooth.lnk Bluetooth Tray Application (Verified) Broadcom Corporation c:\program files\thinkpad\bluetooth software\bttray.exe
+ HP Digital Imaging Monitor.lnk HP Digital Imaging Monitor (Verified) Hewlett Packard c:\program files\hp\digital imaging\bin\hpqtra08.exe
+ WinZip Quick Pick.lnk WinZip Executable (Not verified) WinZip Computing, Inc. c:\program files\winzip\wzqkpick.exe
C:\Documents and Settings\TCS\Start Menu\Programs\Startup
+ Adobe Gamma.lnk Adobe Gamma Loader (Not verified) Adobe Systems, Inc. c:\program files\common files\adobe\calibration\adobe gamma loader.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
+ cdloader magicJack USB Softphone (cdloader2) (Verified) magicJack, L.P. c:\documents and settings\tcs\application data\mjusbsp\cdloader2.exe
+ Google Update Google Installer (Verified) Google Inc c:\documents and settings\tcs\local settings\application data\google\update\googleupdate.exe
+ PTOneClick WebEx One-Click Application (Verified) WebEx Communications Inc. c:\program files\webex\productivity tools\ptoneclk.exe
+ SpybotSD TeaTimer System settings protector (Verified) Safer Networking Ltd. c:\program files\spybot - search & destroy\teatimer.exe
+ VonageTalk c:\program files\vonagetalk\vonagetalk.exe
HKLM\SOFTWARE\Classes\Protocols\Filter
+ x-sdch Fast Search (Verified) Google Inc c:\program files\google\google toolbar\component\fastsearch_a8904fb862bd9564.dll
HKLM\SOFTWARE\Classes\Protocols\Handler
+ ms-itss Microsoft® InfoTech Storage System Library (Not verified) Microsoft Corporation c:\program files\common files\microsoft shared\information retrieval\msitss.dll
+ skype4com Skype for COM API (Verified) Skype Technologies SA c:\program files\common files\skype\skype4com.dll
HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers
+ LDVPMenu Symantec AntiVirus (Verified) Symantec Corporation c:\program files\common files\symantec shared\ssc\vpshell2.dll
+ WinRAR c:\program files\winrar\rarext.dll
+ WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing, Inc. c:\program files\winzip\wzshlstb.dll
HKLM\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers
+ MBAMShlExt Malwarebytes' Anti-Malware (Verified) Malwarebytes Corporation c:\program files\malwarebytes' anti-malware\mbamext.dll
HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers
+ WinRAR c:\program files\winrar\rarext.dll
+ WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing, Inc. c:\program files\winzip\wzshlstb.dll
HKLM\Software\Classes\Directory\Shellex\DragDropHandlers
+ WinRAR c:\program files\winrar\rarext.dll
+ WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing, Inc. c:\program files\winzip\wzshlstb.dll
HKLM\Software\Classes\Directory\Shellex\CopyHookHandlers
+ Monitor BTNCopy Module (Not verified) Broadcom Corporation. c:\windows\system32\btncopy.dll
HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
+ CDR Column Provider Windows XP Shell Extension (Verified) Corel Corporation c:\program files\common files\corel\shared\shell extension\shellxp.dll
+ PDF Shell Extension PDF Shell Extension (Not verified) Adobe Systems, Inc. c:\program files\common files\adobe\acrobat\activex\pdfshell.dll
HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers
+ LDVPMenu Symantec AntiVirus (Verified) Symantec Corporation c:\program files\common files\symantec shared\ssc\vpshell2.dll
+ MBAMShlExt Malwarebytes' Anti-Malware (Verified) Malwarebytes Corporation c:\program files\malwarebytes' anti-malware\mbamext.dll
+ WinRAR c:\program files\winrar\rarext.dll
+ WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing, Inc. c:\program files\winzip\wzshlstb.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
+ 7-Zip Shell Extension (Verified) Lenovo (Japan) Ltd c:\program files\thinkvantage\sma\7z\7-zip.dll
+ CDR Icon Handler Windows XP Shell Extension (Verified) Corel Corporation c:\program files\common files\corel\shared\shell extension\shellxp.dll
+ CDR Property Handler Windows XP Shell Extension (Verified) Corel Corporation c:\program files\common files\corel\shared\shell extension\shellxp.dll
+ CDR Property Sheet Windows XP Shell Extension (Verified) Corel Corporation c:\program files\common files\corel\shared\shell extension\shellxp.dll
+ CDR Thumbnail Provider Windows XP Shell Extension (Verified) Corel Corporation c:\program files\common files\corel\shared\shell extension\shellxp.dll
+ CMX Icon Handler Windows XP Shell Extension (Verified) Corel Corporation c:\program files\common files\corel\shared\shell extension\shellxp.dll
+ CMX Property Sheet Windows XP Shell Extension (Verified) Corel Corporation c:\program files\common files\corel\shared\shell extension\shellxp.dll
+ CMX Thumbnail Provider Windows XP Shell Extension (Verified) Corel Corporation c:\program files\common files\corel\shared\shell extension\shellxp.dll
+ CPT Icon Handler Windows XP Shell Extension (Verified) Corel Corporation c:\program files\common files\corel\shared\shell extension\shellxp.dll
+ CPT Property Handler Windows XP Shell Extension (Verified) Corel Corporation c:\program files\common files\corel\shared\shell extension\shellxp.dll
+ CPT Property Sheet Windows XP Shell Extension (Verified) Corel Corporation c:\program files\common files\corel\shared\shell extension\shellxp.dll
+ CPT Thumbnail Provider Windows XP Shell Extension (Verified) Corel Corporation c:\program files\common files\corel\shared\shell extension\shellxp.dll
+ Display Panning CPL Extension File not found: deskpan.dll
+ DriveLetterAccess Drive Letter Access Component (Not verified) Sonic Solutions c:\windows\system32\dla\dlashx_w.dll
+ iTunes iTunes Mini Player DLL (Verified) Apple Inc. c:\program files\itunes\itunesminiplayer.dll
+ LDVP Shell Extensions Symantec AntiVirus (Verified) Symantec Corporation c:\program files\common files\symantec shared\ssc\vpshell2.dll
+ Monitor BTNCopy Module (Not verified) Broadcom Corporation. c:\windows\system32\btncopy.dll
+ My Bluetooth Places BTNeighborhood DLL (Not verified) Broadcom Corporation. c:\windows\system32\btneighborhood.dll
+ Shell Extensions for RealOne Player RealPlayer Shell Extensions (Verified) RealNetworks, Inc. c:\program files\real\realplayer\rpshell.dll
+ UnlockerShellExtension c:\program files\unlocker\unlockercom.dll
+ WinRAR shell extension c:\program files\winrar\rarext.dll
+ WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing, Inc. c:\program files\winzip\wzshlstb.dll
+ WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing, Inc. c:\program files\winzip\wzshlstb.dll
+ WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing, Inc. c:\program files\winzip\wzshlstb.dll
+ WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing, Inc. c:\program files\winzip\wzshlstb.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
+ Adobe PDF Reader Link Helper Adobe PDF Helper for Internet Explorer (Verified) Adobe Systems, Incorporated c:\program files\common files\adobe\acrobat\activex\acroiehelper.dll
+ CPwmIEBrowserHelper Object Password Manager IE Browser Helper Object (Verified) Lenovo (United States) Inc. c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
+ DriveLetterAccess Drive Letter Access Component (Not verified) Sonic Solutions c:\windows\system32\dla\dlashx_w.dll
+ HP Print Clips Leo (Framework) - add-on for Internet Explorer (Verified) Hewlett-Packard Company c:\program files\hp\smart web printing\hpswp_framework.dll
+ HP Print Enhancer hpswp_printenhancer dll (Verified) Hewlett-Packard Company c:\program files\hp\smart web printing\hpswp_printenhancer.dll
+ Java Plug-In 2 SSV Helper Java Platform SE binary (Not verified) Sun Microsystems, Inc. c:\program files\java\jre6\bin\jp2ssv.dll
+ JQSIEStartDetectorImpl Class Java Quick Starter binary (Not verified) Sun Microsystems, Inc. c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
+ Spybot-S&D IE Protection SBSD IE Protection (Verified) Safer Networking Ltd. c:\program files\spybot - search & destroy\sdhelper.dll
HKLM\Software\Microsoft\Internet Explorer\Extensions
+ Send to &Bluetooth Device... c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
+ UltimateBet c:\documents and settings\tcs\start menu\programs\ultimatebet\ultimatebet.lnk
Task Scheduler
+ AppleSoftwareUpdate.job Apple Software Update (Verified) Apple Inc. c:\program files\apple software update\softwareupdate.exe
+ GoogleUpdateTaskUserS-1-5-21-2071645476-1119719685-3435165419-1005Core.job Google Installer (Verified) Google Inc c:\documents and settings\tcs\local settings\application data\google\update\googleupdate.exe
+ GoogleUpdateTaskUserS-1-5-21-2071645476-1119719685-3435165419-1005UA.job Google Installer (Verified) Google Inc c:\documents and settings\tcs\local settings\application data\google\update\googleupdate.exe
+ PMTask.job c:\program files\thinkpad\utilities\pwmidtsk.exe
+ Spybot - Search & Destroy - Scheduled Task.job Spybot - Search & Destroy (Verified) Safer Networking Ltd. c:\program files\spybot - search & destroy\spybotsd.exe
HKLM\System\CurrentControlSet\Services
+ AcPrfMgrSvc Access Connections Profile Manager Service (Not verified) Lenovo c:\program files\thinkpad\connectutilities\acprfmgrsvc.exe
+ AcSvc Access Connections Main Service (Not verified) Lenovo c:\program files\thinkpad\connectutilities\acsvc.exe
+ Adobe LM Service AdobeLM Service (Not verified) Adobe Systems c:\program files\common files\adobe systems shared\service\adobelmsvc.exe
+ Apple Mobile Device Provides the interface to Apple mobile devices. (Verified) Apple Inc. c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe
+ Bonjour Service Bonjour allows applications like iTunes and Safari to advertise and discover services on the local network. Having Bonjour running enables you to connect to hardware devices like Apple TV and software services like iTunes sharing and AirTunes. If you disable Bonjour, any network service that explicitly depends on it will fail to start. (Verified) Apple Inc. c:\program files\bonjour\mdnsresponder.exe
+ btwdins Handles installation and removal of Bluetooth devices. (Verified) Broadcom Corporation c:\program files\thinkpad\bluetooth software\bin\btwdins.exe
+ ccEvtMgr Event propagation and logging service (Verified) Symantec Corporation c:\program files\common files\symantec shared\ccevtmgr.exe
+ ccSetMgr Settings storage and management service (Verified) Symantec Corporation c:\program files\common files\symantec shared\ccsetmgr.exe
+ DefWatch Monitors and maintains virus definitions. (Verified) Symantec Corporation c:\program files\symantec antivirus\defwatch.exe
+ EvtEng Manages the event trace messages for all the components of Intel® PROSet/Wireless software. (Not verified) Intel Corporation c:\program files\intel\wireless\bin\evteng.exe
+ FLEXnet Licensing Service This service performs licensing functions on behalf of FLEXnet enabled products. (Verified) Acresso Software Inc. c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe
+ FreeAgentGoNext Service Seagate Service (Verified) Seagate Technology, LLC c:\program files\seagate\seagatemanager\sync\freeagentservice.exe
+ gusvc Google Updater keeps your Google software up to date. If Google Updater Service is disabled or stopped, your Google software will not be kept up to date, meaning security vulnerabilities that may arise cannot be fixed and features may not work. (Verified) Google Inc c:\program files\google\common\google updater\googleupdaterservice.exe
+ hpqcxs08 HP CUE Context Manager Objects (Not verified) Hewlett-Packard Co. c:\program files\hp\digital imaging\bin\hpqcxs08.dll
+ hpqddsvc This service detects and monitors CUE devices on the system. (Not verified) Hewlett-Packard Co. c:\program files\hp\digital imaging\bin\hpqddsvc.dll
+ IDriverT Provides support for the Running Object Table for InstallShield Drivers (Not verified) Macrovision Corporation c:\program files\common files\installshield\driver\1050\intel 32\idrivert.exe
+ idsvc Securely enables the creation, management, and disclosure of digital identities. (Not verified) Microsoft Corporation c:\windows\microsoft.net\framework\v3.0\windows communication foundation\infocard.exe
+ iPod Service iPod hardware management services (Verified) Apple Inc. c:\program files\ipod\bin\ipodservice.exe
+ IPSSVC IPS Core Service (Verified) Lenovo (Japan) Ltd. c:\windows\system32\ipssvc.exe
+ JavaQuickStarterService Prefetches JRE files for faster startup of Java applets and applications (Verified) Sun Microsystems, Inc. c:\program files\java\jre6\bin\jqs.exe
+ libusbd LibUsb-Win32 - Generic USB Library (Not verified) http://libusb-win32.sourceforge.net c:\windows\system32\libusbd-nt.exe
+ LiveUpdate LiveUpdate Core Engine (Verified) Symantec Corporation c:\program files\symantec\liveupdate\lucomserver_3_2.exe
+ Lotus Notes Single Logon IBM Lotus Notes/Domino (Not verified) IBM Corp c:\windows\system32\nslsvice.exe
+ Multi-user Cleanup Service IBM Lotus Notes/Domino (Not verified) IBM Corp c:\lotus\notes\ntmulti.exe
+ Net Driver HPZ12 Dot4Net Module (Not verified) Hewlett-Packard c:\windows\system32\hpzinw12.dll
+ PEVSystemStart File not found: start
+ Pml Driver HPZ12 PmlDrv Module (Not verified) Hewlett-Packard c:\windows\system32\hpzipm12.dll
+ PSI_SVC_2 This service provides Protexis licensing functionalty. (Verified) Protexis Inc. c:\program files\common files\protexis\license service\psiservice_2.exe
+ RegSrvc Intel® PROSet/Wireless Registry Service (Not verified) Intel Corporation c:\program files\intel\wireless\bin\regsrvc.exe
+ S24EventMonitor Wireless Management Service for Intel® PROSet/Wireless (Not verified) Intel Corporation c:\program files\intel\wireless\bin\s24evmon.exe
+ SavRoam Symantec AntiVirus Roaming Service (Verified) Symantec Corporation c:\program files\symantec antivirus\savroam.exe
+ SNDSrvc Symantec Network Drivers Service (Verified) Symantec Corporation c:\program files\common files\symantec shared\sndsrvc.exe
+ SPBBCSvc Symantec SPBBC (Verified) Symantec Corporation c:\program files\common files\symantec shared\spbbc\spbbcsvc.exe
+ SUService (Not verified) c:\program files\lenovo\system update\suservice.exe
+ Symantec AntiVirus Provides real-time virus scanning, reporting, and management functionality for Symantec AntiVirus. (Verified) Symantec Corporation c:\program files\symantec antivirus\rtvscan.exe
+ ThinkVantage Registry Monitor Service ThinkVantage Registry Monitor Service (Verified) Lenovo (United States) Inc. c:\program files\common files\lenovo\tvt_reg_monitor_svc.exe
+ TPHDEXLGSVC ThinkVantage Active Protection System - HDD Logger Module (Verified) Lenovo (Japan) Ltd. c:\windows\system32\tphdexlg.exe
+ TSSCoreService tvttcsd Application (Verified) Lenovo (United States) Inc. c:\program files\lenovo\client security solution\tvttcsd.exe
+ TVersityMediaServer c:\program files\tversity\media server\mediaserver.exe
+ TVT Scheduler ThinkVantage Scheduler (Not verified) Lenovo Group Limited c:\program files\common files\lenovo\scheduler\tvtsched.exe
+ UTSCSI UTSCSI Application c:\windows\system32\utscsi.exe
HKLM\System\CurrentControlSet\Services
+ AegisP AEGIS Protocol (IEEE 802.1x) v3.6.0.0 (Not verified) Meetinghouse Data Communications c:\windows\system32\drivers\aegisp.sys
+ ANC IBM Access Connections - ANC (Not verified) IBM Corp. c:\windows\system32\drivers\anc.sys
+ ASPI ASPI for WIN32 Kernel Driver (Not verified) Adaptec c:\windows\system32\drivers\aspi32.sys
+ catchme File not found: C:\DOCUME~1\TCS\LOCALS~1\Temp\catchme.sys
+ Changer File not found: C:\WINDOWS\System32\Drivers\Changer.sys
+ DLABOIOM Drive Letter Access Component (Not verified) Sonic Solutions c:\windows\system32\dla\dlaboiom.sys
+ DLACDBHM Shared Driver Component (Not verified) Sonic Solutions c:\windows\system32\drivers\dlacdbhm.sys
+ DLADResN Drive Letter Access Component (Not verified) Sonic Solutions c:\windows\system32\dla\dladresn.sys
+ DLAIFS_M Drive Letter Access Component (Not verified) Sonic Solutions c:\windows\system32\dla\dlaifs_m.sys
+ DLAOPIOM Drive Letter Access Component (Not verified) Sonic Solutions c:\windows\system32\dla\dlaopiom.sys
+ DLAPoolM Drive Letter Access Component (Not verified) Sonic Solutions c:\windows\system32\dla\dlapoolm.sys
+ DLARTL_N Shared Driver Component (Not verified) Sonic Solutions c:\windows\system32\drivers\dlartl_n.sys
+ DLAUDF_M Drive Letter Access Component (Not verified) Sonic Solutions c:\windows\system32\dla\dlaudf_m.sys
+ DLAUDFAM Drive Letter Access Component (Not verified) Sonic Solutions c:\windows\system32\dla\dlaudfam.sys
+ DRVMCDB Device Driver (Not verified) Sonic Solutions c:\windows\system32\drivers\drvmcdb.sys
+ DRVNDDM Device Driver Manager (Not verified) Sonic Solutions c:\windows\system32\drivers\drvnddm.sys
+ eeCtrl Symantec Eraser Control Driver (Verified) Symantec Corporation c:\program files\common files\symantec shared\eengine\eectrl.sys
+ EraserUtilRebootDrv Symantec Eraser Utility Driver (Verified) Symantec Corporation c:\program files\common files\symantec shared\eengine\eraserutilrebootdrv.sys
+ hwcdcmdm0 USB Modem/Serial Device Driver (Not verified) Huawei Technologies Co., Ltd. c:\windows\system32\drivers\ewusbmdm.sys
+ hwdatacard USB Modem/Serial Device Driver (Not verified) Huawei Technologies Co., Ltd. c:\windows\system32\drivers\ewusbmdm.sys
+ hwusbser USB Modem/Serial Device Driver (Not verified) QUALCOMM Incorporated c:\windows\system32\drivers\ewusbser.sys
+ IBMTPCHK c:\windows\system32\drivers\ibmbldid.sys
+ lbrtfdc File not found: C:\WINDOWS\System32\Drivers\lbrtfdc.sys
+ libusb0 c:\windows\system32\drivers\libusb0.sys
+ NAVENG AV Engine (Verified) Symantec Corporation c:\program files\common files\symantec shared\virusdefs\20090710.003\naveng.sys
+ NAVEX15 AV Engine (Verified) Symantec Corporation c:\program files\common files\symantec shared\virusdefs\20090710.003\navex15.sys
+ PCIDump File not found: C:\WINDOWS\System32\Drivers\PCIDump.sys
+ PDCOMP File not found: C:\WINDOWS\System32\Drivers\PDCOMP.sys
+ PDFRAME File not found: C:\WINDOWS\System32\Drivers\PDFRAME.sys
+ PDRELI File not found: C:\WINDOWS\System32\Drivers\PDRELI.sys
+ PDRFRAME File not found: C:\WINDOWS\System32\Drivers\PDRFRAME.sys
+ pmem Physical Memory Driver (Not verified) Microsoft Corporation c:\windows\system32\drivers\pmemnt.sys
+ PxHelp20 Px Engine Device Driver for Windows 2000/XP (Verified) Sonic Solutions c:\windows\system32\drivers\pxhelp20.sys
+ s24trans WLAN Transport (Not verified) Intel Corporation c:\windows\system32\drivers\s24trans.sys
+ SAVRT AutoProtect (Verified) Symantec Corporation c:\program files\symantec antivirus\savrt.sys
+ SAVRTPEL SAVRTPEL (Verified) Symantec Corporation c:\program files\symantec antivirus\savrtpel.sys
+ Shockprf Shockproof Disk Driver (Verified) Lenovo (Japan) Ltd. c:\windows\system32\drivers\apsx86.sys
+ smihlp SMI helper driver (Verified) UPEK Inc. c:\program files\common files\thinkvantage fingerprint software\drivers\smihlp.sys
+ SPBBCDrv SPBBC Driver (Verified) Symantec Corporation c:\program files\common files\symantec shared\spbbc\spbbcdrv.sys
+ SymEvent Symantec Event Library (Verified) Symantec Corporation c:\windows\system32\drivers\symevent.sys
+ SYMREDRV Redirector Filter Driver (Verified) Symantec Corporation c:\windows\system32\drivers\symredrv.sys
+ SYMTDI Network Dispatch Driver (Verified) Symantec Corporation c:\windows\system32\drivers\symtdi.sys
+ tmcomm TrendMicro Common Module (Verified) Trend Micro, Inc. c:\windows\system32\drivers\tmcomm.sys
+ TPDIGIMN APS Digitizer Activity Monitor (Verified) Lenovo (Japan) Ltd. c:\windows\system32\drivers\apshm86.sys
+ TPPWRIF c:\windows\system32\drivers\tppwrif.sys
+ TSMAPIP (Verified) Lenovo (Japan) Ltd. c:\windows\system32\drivers\tsmapip.sys
+ TVTPktFilter File not found: system32\DRIVERS\tvtpktfilter.sys
+ UIUSys File not found: system32\DRIVERS\UIUSYS.SYS
+ WDICA File not found: C:\WINDOWS\System32\Drivers\WDICA.sys
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
+ msacm.ac3filter c:\windows\system32\ac3filter.acm
+ vidc.DIVX DivX (Not verified) DivX, Inc. c:\windows\system32\divx.dll
+ VIDC.FFDS c:\windows\system32\ff_vfw.dll
+ VIDC.WMV3 Windows Media Video 9 VCM (Not verified) Microsoft Corporation c:\windows\system32\wmv9vcm.dll
+ vidc.XVID File not found: xvidvfw.dll
+ vidc.yv12 DivX (Not verified) DivX, Inc. c:\windows\system32\divx.dll
HKLM\Software\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance
+ AC3Filter File not found: C:\Program Files\Cucusoft\iPhone-converter\Filter\ac3filter.ax
+ Cucusoft DataExtractor 5 (2007.4) File not found: C:\Program Files\Cucusoft\iPhone-converter\DataExt.dll
+ DivX Decoder Filter DivX® Decoder Filter (Not verified) DivX, Inc. c:\windows\system32\divxdec.ax
+ DivX Demux DivX® Media Filter (Not verified) DivXNetworks c:\windows\system32\divxmedia.ax
+ DivX Subtitle Decoder DivX® Media Filter (Not verified) DivXNetworks c:\windows\system32\divxmedia.ax
+ ffdshow Audio Decoder DirectShow and VFW video and audio decoding/encoding/processing filter c:\program files\ffdshow\ffdshow.ax
+ ffdshow Audio Processor DirectShow and VFW video and audio decoding/encoding/processing filter c:\program files\ffdshow\ffdshow.ax
+ ffdshow raw video filter DirectShow and VFW video and audio decoding/encoding/processing filter c:\program files\ffdshow\ffdshow.ax
+ ffdshow Video Decoder DirectShow and VFW video and audio decoding/encoding/processing filter c:\program files\ffdshow\ffdshow.ax
+ FLV Source FLV Splitter (Not verified) Gabest c:\program files\tversity codec pack\flvsplitter.ax
+ FLV Splitter FLV Splitter (Not verified) Gabest c:\program files\tversity codec pack\flvsplitter.ax
+ FLV4 Video Decoder FLV Splitter (Not verified) Gabest c:\program files\tversity codec pack\flvsplitter.ax
+ HP VTK Frame Grabber Filter HP Video Toolkit (Not verified) Hewlett-Packard Co. c:\program files\common files\hp\digital imaging\bin\hpqvtk01.dll
+ HP VTK MPEG-1 Encoder HP Video Toolkit (Not verified) Hewlett-Packard Co. c:\program files\common files\hp\digital imaging\bin\hpqvtk01.dll
+ HP VTK Resize Filter HP Video Toolkit (Not verified) Hewlett-Packard Co. c:\program files\common files\hp\digital imaging\bin\hpqvtk01.dll
+ HP VTK Rotate Filter HP Video Toolkit (Not verified) Hewlett-Packard Co. c:\program files\common files\hp\digital imaging\bin\hpqvtk01.dll
+ InterVideo Audio Decoder IVIAUDIO (Not verified) InterVideo Inc. c:\program files\intervideo\common\bin\iviaudio.ax
+ InterVideo Audio Processor c:\program files\intervideo\common\bin\iviaudioprocess.ax
+ InterVideo Navigator IVINAV (Not verified) InterVideo Inc. c:\program files\intervideo\common\bin\ivinav.ax
+ InterVideo Video Decoder IVIVIDEO (Not verified) InterVideo Inc. c:\program files\intervideo\common\bin\ivivideo.ax
+ Microsoft MPEG-4 Video Decompressor Microsoft MPEG-4 Video Decompressor (Not verified) Microsoft Corporation c:\windows\system32\mp4sds32.ax
+ MP4 Source MP4 Splitter (Not verified) Gabest c:\program files\tversity codec pack\mp4splitter.ax
+ MP4 Splitter MP4 Splitter (Not verified) Gabest c:\program files\tversity codec pack\mp4splitter.ax
+ Mpa Source Mpa Splitter (Not verified) Gabest c:\program files\tversity codec pack\mpasplitter.ax
+ Mpa Splitter Mpa Splitter (Not verified) Gabest c:\program files\tversity codec pack\mpasplitter.ax
+ MPEG4 Video Source MP4 Splitter (Not verified) Gabest c:\program files\tversity codec pack\mp4splitter.ax
+ MPEG4 Video Splitter MP4 Splitter (Not verified) Gabest c:\program files\tversity codec pack\mp4splitter.ax
+ QTSrc CLQTSrc (Not verified) Cyberlink c:\program files\cucusoft\iphone-converter\filter\quicktime.dll
+ RealAudio Decoder RealMedia Splitter (Not verified) Gabest c:\program files\cucusoft\iphone-converter\filter\realmedia.dll
+ RealMedia Source RealMedia Splitter (Not verified) Gabest c:\program files\cucusoft\iphone-converter\filter\realmedia.dll
+ RealMedia Splitter RealMedia Splitter (Not verified) Gabest c:\program files\cucusoft\iphone-converter\filter\realmedia.dll
+ RealPlayer Audio Filter Audio Filter Plugin (Verified) RealNetworks, Inc. c:\program files\real\realplayer\rdsf3260.dll
+ RealPlayer Transcode Filter Audio Filter Plugin (Verified) RealNetworks, Inc. c:\program files\real\realplayer\rdsf3260.dll
+ RealPlayer Video Filter Audio Filter Plugin (Verified) RealNetworks, Inc. c:\program files\real\realplayer\rdsf3260.dll
+ RealVideo Decoder RealMedia Splitter (Not verified) Gabest c:\program files\cucusoft\iphone-converter\filter\realmedia.dll
+ Windows Media Audio Voice v9 Decoder Windows Media Audio Voice Decoder (Not verified) Microsoft Corporation c:\windows\system32\wmavds32.ax
+ XviD MPEG-4 Video Decoder File not found: C:\WINDOWS\system32\xvid.ax
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
+ ACNotify Access Connections Notify Support Module (Not verified) Lenovo c:\program files\thinkpad\connectutilities\acnotify.dll
+ NavLogon Symantec AntiVirus Logon Notification (Verified) Symantec Corporation c:\windows\system32\navlogon.dll
+ psfus Logon stub (Not verified) UPEK Inc. c:\windows\system32\psqlpwd.dll
+ tpfnf2 (Verified) Lenovo (Japan) Ltd c:\program files\lenovo\hotkey\notifyf2.dll
+ tphotkey c:\program files\lenovo\hotkey\tphklock.dll
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL
+ vrlogon.dll GINA replacement (Not verified) UPEK Inc. c:\windows\system32\vrlogon.dll
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries
+ mdnsNSP Bonjour Namespace Provider (Not verified) Apple Inc. c:\program files\bonjour\mdnsnsp.dll
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
+ Bluetooth Printer Port bthcrp DLL (Not verified) Broadcom Corporation. c:\windows\system32\bthcrp.dll
+ CutePDF Writer Monitor (Verified) Acro Software Inc. c:\windows\system32\cpwmon2k.dll
+ HP Standard TCP/IP Port Standard TCP/IP Port Monitor DLL (Not verified) Hewlett Packard c:\windows\system32\hptcpmon.dll
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders
+ msapsspc.dll DPA Client for 32 bit platforms (Not verified) Microsoft Corporation c:\windows\system32\msapsspc.dll
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
+ ACGina Access Connections Gina Module (Not verified) Lenovo c:\program files\thinkpad\connectutilities\acgina.dll
+ psqlpwd Logon stub (Not verified) UPEK Inc. c:\windows\system32\psqlpwd.dll
HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order
+ npnotes Lotus Notes Single Logon (Not verified) Lotus Development c:\windows\system32\npnotes.dll
+ RDPNP Microsoft Terminal Services (Not verified) Microsoft Corporation c:\windows\system32\drprov.dll
#12
Posted 17 July 2009 - 05:40 PM
Hi ya,
If possible, could you locate the following file and upload it to VirusTotal for malware checking?
http://www.virustotal.com
Please post back a link to the report generated, as I will need to verify some support data on the file from it.
pmem Physical Memory Driver (Not verified) Microsoft Corporation c:\windows\system32\drivers\pmemnt.sys
#13
Posted 17 July 2009 - 10:11 PM
#14
Posted 18 July 2009 - 12:47 PM
Hi ya,
That file was legitimate... I hate it when M$ don't verify their own files, as this is usually the domain of malware trying to pretend to be a legitimate system file, but alas not the case here.
After some heavy-duty researching I can't find any malware underneath the surface with my tools.
The HIDEC.exe process, which is used to hide windows/command boxes, was probably installed by one of your resident softwares. Something has corrupted this process and now I believe that is the root of the command boxes opening up with browser use etc.
As to what is causing the issues again, it might be damaged software installs, a damaged OS or software conflicts. Unfortunately I can't diagnose that across the board, and if the patient was in front of me I would attempt to uninstall softwares and reinstall them to see if that made any difference, plus attempt an OS repair install.
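The triage step the helper applies in post #14 (a file that carries a Microsoft vendor string but whose signature did not verify is the one worth hashing and checking on VirusTotal, alongside orphaned entries whose file is missing) can be automated over the listing format quoted above. This is an added example, not code from the thread or from the scanning tool; the sample lines are constructed, and the regexes are an assumption about the tool's "+ name description (status) vendor path" layout.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the same shape as the listing above; one line per
# layout the parser must handle (verified, not verified, no vendor, no
# signature info, and an orphaned registry entry).
SAMPLE_LISTING = r"""
HKLM\System\CurrentControlSet\Services
+ pmem Physical Memory Driver (Not verified) Microsoft Corporation c:\windows\system32\drivers\pmemnt.sys
+ SymEvent Symantec Event Library (Verified) Symantec Corporation c:\windows\system32\drivers\symevent.sys
+ Shockprf Shockproof Disk Driver (Verified) Lenovo (Japan) Ltd. c:\windows\system32\drivers\apsx86.sys
+ SUService (Not verified) c:\program files\lenovo\system update\suservice.exe
+ libusb0 c:\windows\system32\drivers\libusb0.sys
+ Changer File not found: C:\WINDOWS\System32\Drivers\Changer.sys
"""

# Assumed layout: "+ <name> File not found: <path>" for orphaned entries,
# "+ <name> <desc> (<status>) [<vendor>] <drive>:\<path>" otherwise.
MISSING_RE = re.compile(r"^\+\s+(?P<name>\S+)\s+File not found:\s+(?P<path>.+)$")
SIGNED_RE = re.compile(r"^\+\s+(?P<name>\S+)\s+(?P<desc>.*?)\s*\((?P<status>Verified|Not verified)\)\s+"
                       r"(?:(?P<vendor>.*?)\s+)?(?P<path>[a-z]:\\.+)$")
PLAIN_RE = re.compile(r"^\+\s+(?P<name>\S+)\s+(?P<desc>.*?)\s*(?P<path>[a-z]:\\.+)$")

@dataclass
class Entry:
    key: str                 # registry key the entry was listed under
    name: str
    status: Optional[str]    # "Verified", "Not verified", or None (no signature info)
    vendor: Optional[str]
    path: str
    missing: bool = False    # True for "File not found" entries

def parse_listing(text: str) -> list:
    """HKLM\\... lines set the current key; '+ ...' lines are entries under it."""
    entries, key = [], ""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("HKLM\\"):
            key = line
        elif (m := MISSING_RE.match(line)):
            entries.append(Entry(key, m["name"], None, None, m["path"], missing=True))
        elif (m := SIGNED_RE.match(line)):
            entries.append(Entry(key, m["name"], m["status"], m["vendor"], m["path"]))
        elif (m := PLAIN_RE.match(line)):
            entries.append(Entry(key, m["name"], None, None, m["path"]))
    return entries

def triage(entries: list) -> dict:
    """Unverified files claiming Microsoft get hashed and looked up first; entries with
    no signature data are the next tier; orphaned entries are cleanup candidates."""
    return {
        "unverified_microsoft": [e.name for e in entries
                                 if e.status == "Not verified" and "microsoft" in (e.vendor or "").lower()],
        "no_signature_info": [e.name for e in entries if e.status is None and not e.missing],
        "orphaned": [e.name for e in entries if e.missing],
    }
```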