DNSChanger Trojan


  • This topic is locked
20 replies to this topic

#1 jason8

    New Member

  • Members
  • 11 posts

Posted 18 March 2009 - 11:17 AM

I downloaded a virus, and I can't seem to get rid of it. First it redirected me to spam sites on google searches. While trying to get rid of it, I realized that I couldn't access malwarebytes.org. Additionally, it wouldn't let me download update antivirus software automatically. I downloaded the update for Malwarebytes from another computer and had to rename it to get it to run. Also I can't run Malicious Software Removal Tool from Microsoft.

After cleaning several files tagged "DNSChanger" by Malwarebytes, I can't access the internet anymore on that computer. I am pretty sure it's a related problem, but otherwise I will figure out how to fix it after removing the virus.

I also scanned my computer with Avast Antivirus, which didn't find anything.

Thanks in advance for your help, and let me know if I need to post any additional information.

Here are the log files. I have run Malwarebytes several times. I have included the logs from each time it found something.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:48:38 AM, on 3/18/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Lenovo\NPDIRECT\tpfnf7sp.exe
C:\Windows\System32\tp4serv.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\TpShocks.exe
C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\Program Files\ThinkVantage\PrdCtr\LPMGR.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\eFax Messenger 4.4\J2GDllCmd.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\Palm\Hotsync.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SE...S01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SE...S01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lenovo.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SE...S01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [PWMTRV] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BTVLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [LenovoOobeOffers] c:\SWTOOLS\LenovoWelcome\LenovoOobeOffers.exe /filePath="c:\swshare\firstrun.txt"
O4 - HKLM\..\Run: [HotSync] "C:\Program Files\PalmSource\Desktop\HotSync.exe" -AllUsers
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [eFax 4.4] "C:\Program Files\eFax Messenger 4.4\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: HotSync Manager.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O13 - Gopher Prefix:
O16 - DPF: {74E4A24D-5224-4F05-8A41-99445E0FC22B} (GameHouse Games Player) - http://aolsvc.aol.co...houseplayer.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/...mjolauncher.cab
O16 - DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} (GoBit Games Player) - http://aolsvc.aol.co...esPlayer_v4.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA} - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\Windows\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\Windows\system32\IPSSVC.EXE
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\Windows\System32\TPHDEXLG.exe
O23 - Service: On Screen Display (TPHKSVC) - Unknown owner - C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: tvtnetwk - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 10243 bytes


I have run Malwarebytes several times while trying to get rid of this virus. The most recent scan is here:

Malwarebytes' Anti-Malware 1.34
Database version: 1826
Windows 6.0.6001 Service Pack 1

3/18/2009 11:16:11 AM
mbam-log-2009-03-18 (11-16-11).txt

Scan type: Full Scan (C:\|)
Objects scanned: 190310
Time elapsed: 39 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Previous Scans:
Malwarebytes' Anti-Malware 1.34
Database version: 1826
Windows 6.0.6001 Service Pack 1

3/18/2009 10:32:30 AM
mbam-log-2009-03-18 (10-32-30).txt

Scan type: Quick Scan
Objects scanned: 61343
Time elapsed: 3 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\gaopdxcounter (Trojan.Agent) -> Quarantined and deleted successfully.

Another Scan:
Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 6.0.6001 Service Pack 1

3/18/2009 8:36:27 AM
mbam-log-2009-03-18 (08-36-27).txt

Scan type: Full Scan (C:\|)
Objects scanned: 188546
Time elapsed: 39 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 12
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.26,85.255.112.73 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a39f92ca-9cb1-41ea-b483-2ef38205c041}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.26,85.255.112.73 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a39f92ca-9cb1-41ea-b483-2ef38205c041}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.26,85.255.112.73 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{cb64bf83-6737-43d3-9bd0-87ca88191a59}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.26,85.255.112.73 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.26,85.255.112.73 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{a39f92ca-9cb1-41ea-b483-2ef38205c041}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.26,85.255.112.73 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{a39f92ca-9cb1-41ea-b483-2ef38205c041}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.26,85.255.112.73 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{cb64bf83-6737-43d3-9bd0-87ca88191a59}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.26,85.255.112.73 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.26,85.255.112.73 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{a39f92ca-9cb1-41ea-b483-2ef38205c041}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.26,85.255.112.73 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{a39f92ca-9cb1-41ea-b483-2ef38205c041}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.26,85.255.112.73 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{cb64bf83-6737-43d3-9bd0-87ca88191a59}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.26,85.255.112.73 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\autorun.inf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\RECYCLER\S-2-9-97-100011695-100002976-100002995-3318.com (Trojan.Agent) -> Quarantined and deleted successfully.

First Scan:
Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 6.0.6001 Service Pack 1

3/18/2009 2:29:34 AM
mbam-log-2009-03-18 (02-29-34).txt

Scan type: Full Scan (C:\|)
Objects scanned: 143042
Time elapsed: 41 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
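The third scan above shows the DNSChanger persistence pattern: the same two resolver addresses written to the global `Tcpip\Parameters\NameServer` value and to every per-interface `NameServer`/`DhcpNameServer` value, replicated across CurrentControlSet, ControlSet001 and ControlSet002. The following Python check is an added example, not code from the thread or from Malwarebytes; it parses a `reg query HKLM\SYSTEM /s /f NameServer` style dump and flags every resolver outside an approved range. The sample dump is constructed from the key paths and addresses in the log above, and the approved range 192.168.1.0/24 is an assumed home-router setting.

```python
"""Flag rogue DNS resolver entries in a Windows registry dump (added example)."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Key layout from the Malwarebytes log: global Tcpip\Parameters plus
# per-interface subkeys, repeated under CurrentControlSet and ControlSet00N.
TCPIP_KEY_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\(?P<cs>CurrentControlSet|ControlSet\d{3})"
    r"\\Services\\Tcpip\\Parameters"
    r"(?:\\Interfaces\\(?P<iface>\{[0-9a-fA-F-]+\}))?$"
)
# reg query prints values as "    Name    REG_TYPE    data"; data may be empty.
VALUE_RE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_[A-Z_]+)\s*(?P<data>.*)$")
DNS_VALUE_NAMES = ("nameserver", "dhcpnameserver")

# Constructed sample: the two resolver addresses and interface GUIDs come from
# the log above; the third interface is an invented clean one.
SAMPLE_DUMP = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    NameServer    REG_SZ    85.255.112.26,85.255.112.73
    Domain    REG_SZ

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a39f92ca-9cb1-41ea-b483-2ef38205c041}
    DhcpNameServer    REG_SZ    85.255.112.26,85.255.112.73
    NameServer    REG_SZ    85.255.112.26,85.255.112.73
    DhcpIPAddress    REG_SZ    192.168.1.23

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{cb64bf83-6737-43d3-9bd0-87ca88191a59}
    NameServer    REG_SZ    85.255.112.26,85.255.112.73

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{11111111-2222-3333-4444-555555555555}
    DhcpNameServer    REG_SZ    192.168.1.1
    NameServer    REG_SZ

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    NameServer    REG_SZ    85.255.112.26,85.255.112.73
"""


def parse_reg_query(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, data) for every NameServer/DhcpNameServer value."""
    entries: List[Tuple[str, str, str]] = []
    current_key: Optional[str] = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():  # an unindented line is a key path
            current_key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if m and current_key and m.group("name").lower() in DNS_VALUE_NAMES:
            entries.append((current_key, m.group("name"), m.group("data").strip()))
    return entries


def split_servers(data: str) -> List[str]:
    """Windows stores these values as a comma- or space-separated address list."""
    return [s for s in re.split(r"[,\s]+", data) if s]


def find_rogue_resolvers(text: str, approved: List[str]) -> List[Dict[str, Optional[str]]]:
    """Report every resolver address, in any control set, outside the approved networks."""
    approved_nets = [ipaddress.ip_network(a, strict=False) for a in approved]
    findings: List[Dict[str, Optional[str]]] = []
    for key, name, data in parse_reg_query(text):
        km = TCPIP_KEY_RE.match(key)
        if not km:
            continue
        for server in split_servers(data):
            try:
                rogue = not any(ipaddress.ip_address(server) in n for n in approved_nets)
            except ValueError:
                rogue = True  # not an IP literal at all: treat as suspicious
            if rogue:
                findings.append({"control_set": km.group("cs"), "interface": km.group("iface"),
                                 "value": name, "server": server})
    return findings


def rogue_servers(findings: List[Dict[str, Optional[str]]]) -> List[str]:
    """Distinct rogue resolver addresses, e.g. for an egress block list."""
    return sorted({f["server"] for f in findings if f["server"]})


def scan_sample() -> List[Dict[str, Optional[str]]]:
    """Run the check over the constructed dump with an assumed 192.168.1.0/24 resolver range."""
    return find_rogue_resolvers(SAMPLE_DUMP, ["192.168.1.0/24"])


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f['control_set']:<18} {f['interface'] or '<global>':<40} {f['value']:<15} {f['server']}")
    print("rogue resolvers:", ", ".join(rogue_servers(scan_sample())))
```

Every control set must be checked, not just CurrentControlSet: the log shows the values restored from ControlSet001/002 would otherwise survive a cleanup of the active set.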

#2 dan12

    Advanced Member

  • Experts
  • 119 posts

Posted 18 March 2009 - 01:03 PM

Welcome to the Malwarebytes forum.

My name is Dan, and I will be helping you to remove any infection(s) that you may have.

Please note that all instructions given are customised for this computer only; the tools used may cause damage if used on a computer with different infections.

Please observe these rules while we work:
  • Perform all actions in the order given.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with it till you're given the all clear.
  • REMEMBER, ABSENCE OF SYMPTOMS DOES NOT MEAN THE INFECTION IS ALL GONE.
If you can do these things, everything should go smoothly.
  • Please note you'll need to have Administrator privileges to perform the fixes. (XP accounts are Administrator by default)
  • Please let me know if you are using a computer with multiple accounts, as this can affect the instructions given.

Unless I am informed in advance, failure to post replies within 5 days will result in this thread being closed.


It may be helpful to you to print out or take a copy of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.


Installed Programs

Please could you give me a list of the programs that are installed.
  • Start HijackThis
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
You will see a list with the programs installed in your computer.
Click on the Save List button and specify where you would like to save this file.
When you press the Save button, Notepad will open with the contents of that file.
Simply copy and paste the contents of that Notepad window into your next post.

I'm presently looking over your log and hope not to be too long.
Will be back with you as soon as I can.
Thanks dan

#3 jason8

    New Member

  • Members
  • 11 posts

Posted 18 March 2009 - 02:13 PM

Hi Dan,

Thanks for your help.

I am running Windows Vista with only a single user.

Here is the list of programs from HijackThis:

Access Help
Activation Assistant for the 2007 Microsoft Office suites
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.3
Adobe Shockwave Player
Apple Mobile Device Support
Apple Software Update
avast! Antivirus
Bonjour
Business Contact Manager for Outlook 2007
Business Contact Manager for Outlook 2007
Client Security Solution
Empire XP 5
EOS USB WIA Driver
Help Center
HijackThis 2.0.2
Intel® Graphics Media Accelerator Driver
Intel® PRO Network Connections Drivers
iTunes
Java™ 6 Update 11
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
Java™ SE Runtime Environment 6
Lenovo Registration
Lenovo System Interface Driver
Maintenance Manager
Malwarebytes' Anti-Malware
Message Center
Microsoft Office 2003 Web Components
Microsoft Office 2007 Primary Interop Assemblies
Microsoft Office Small Business Connectivity Components
Microsoft Office XP Professional with FrontPage
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
MobileMe Control Panel
Mozilla Firefox (3.0.7)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
Netflix Movie Viewer
On Screen Display
Palm Desktop 6.2 for Windows
PC-Doctor 5 for Windows
Picasa 2
Presentation Director
Productivity Center Supplement for ThinkPad
QuickTime
Registry patch for Windows Vista USB S3 PM Enablement
Registry patch of Changing Timing of IDLE IRP by Finger Print Driver for Windows Vista
Registry Patch of Enabling Device Initiated Power Management(DIPM) on SATA for Windows Vista
Rescue and Recovery
Risk II (remove only)
Risk®
Safari
SoundMAX
System Migration Assistant
System Update
TBS WMP Plug-in
ThinkPad EasyEject Utility
ThinkPad FullScreen Magnifier
ThinkPad Mobility Center Customization
ThinkPad Modem
ThinkPad Power Management Driver
ThinkPad Power Manager
ThinkPad TrackPoint Driver
ThinkVantage Access Connections
ThinkVantage Active Protection System
ThinkVantage Productivity Center
ThinkVantage Technologies Welcome Message
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VLC media player 0.9.4
Vuze
Wallpapers
Windows Driver Package - Intel (e1express) Net (03/24/2007 9.7.237.0)
Windows Driver Package - Intel (iaStor) hdc (02/12/2007 7.0.0.1020)
Windows Driver Package - Intel hdc (11/15/2006 8.2.0.1011)
Windows Driver Package - Intel hdc (11/15/2006 8.2.0.1011)
Windows Driver Package - Intel hdc (12/06/2006 6.8.0.3002)
Windows Driver Package - Intel System (09/15/2006 7.0.0.1011)
Windows Driver Package - Intel System (09/15/2006 8.0.0.1008)
Windows Driver Package - Intel System (09/15/2006 8.0.0.1010)
Windows Driver Package - Intel System (09/15/2006 8.2.0.1000)
Windows Driver Package - Intel USB (09/15/2006 8.0.0.1008)
Windows Driver Package - Lenovo (IBMPMDRV) System (05/31/2007 1.43)
Windows Live Toolbar
Windows Live Toolbar
Windows Media Player Firefox Plugin
WinRAR archiver

#4 dan12

    Advanced Member

  • Experts
  • 119 posts

Posted 18 March 2009 - 02:25 PM

IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

Vuze

I'd like you to read the MRU policy for P2P Programs.

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

-------------------

  • Please create a BOOTLOG
  • Restart the computer and press F8 when Windows start booting. This will bring up the startup options.
  • Select "Enable Boot Logging" option and press enter.
  • Windows prompts you to select a Windows Installation (even if there is only one windows installation)
  • This boots windows normally and creates a boot log named ntbtlog.txt and saves it to C:\Windows

If you're already running inside Windows you can enable it the following way.
  • Click on START - RUN and type in MSCONFIG, go to the BOOT.INI tab and place a check mark by /BOOTLOG
  • Click on OK and you will be prompted to RESTART Windows. Please do restart now.
  • After Windows restarts open the file C:\Windows\ntbtlog.txt with Notepad
  • From the Edit menu choose Select All then Edit, COPY and post that back on your next reply.
  • Note: Vista users can type it in the Search box and it will show on the menu, then right-click and choose Run as Administrator
  • The tab is called BOOT on Vista. Then choose Boot log



RootRepeal - Rootkit Detector

  • Please download the following tool: RootRepeal - Rootkit Detector
  • Direct download link is here: RootRepeal.rar
  • If you don't already have a program to open a .RAR compressed file you can download a trial version from here: WinRAR
  • Extract the program file to a new folder such as C:\RootRepeal
  • Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button
  • Select ALL of the checkboxes and then click OK and it will start scanning your system.
  • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  • When done, click on Save Report
  • Save it to the same location where you ran it from, such as C:\RootRepeal
  • Save it as your_name_rootrepeal.txt - where your_name is your forum name
  • This makes it easier to track who the log belongs to.
  • Then open that log and select all and copy/paste it back on your next reply please.
  • Quit the RootRepeal program.


Post both logs

#5 jason8

    New Member

  • Members
  • 11 posts

Posted 18 March 2009 - 03:47 PM

Hi Dan,

I removed Vuze and uTorrent from my computer.

I attached the log files as they were too big for the message.

Thanks again for your help!

Attached Files



#6 dan12

    Advanced Member

  • Experts
  • 119 posts

Posted 18 March 2009 - 07:06 PM

Start Root Repeal and click on the Drivers tab and then click the Scan button.
Then right click on this file: gaopdxsprbwnwxmcttbnfcyiqvcxmcceydeqhp.sys and select Dump File
This will bring up a Dump to file dialog box. Browse or select your Desktop where you created the BadFiles folder.
Then type in the name gaopdxsprbwnwxmcttbnfcyiqvcxmcceydeqhp.sys and save it in that folder.
You can quit Root Repeal now.

Then zip up that file and upload it to: uploads.malwarebytes.org

How To Use Compressed (Zipped) Folders in Windows XP
Compress and uncompress files (zip files) in Vista


---------------------

Now can you update Malwarebytes, as you need the latest definitions, then do a quick scan.

Post the malwarebytes scan

#7 jason8

    New Member

  • Members
  • 11 posts

Posted 18 March 2009 - 09:18 PM

I uploaded the zipped file.

Here are the latest scan results.

Malwarebytes' Anti-Malware 1.34
Database version: 1863
Windows 6.0.6001 Service Pack 1

3/18/2009 10:11:02 PM
mbam-log-2009-03-18 (22-11-02).txt

Scan type: Quick Scan
Objects scanned: 62356
Time elapsed: 4 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Users\Ariff\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HDExtrem (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HDExtrem (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HDExtrem\Uninstall.lnk (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Windows\System32\gaopdxcounter (Trojan.Agent) -> Quarantined and deleted successfully.

#8 jason8

    New Member

  • Members
  • 11 posts

Posted 18 March 2009 - 10:29 PM

I forgot to include this in the last message, but I still have the virus.

#9 dan12

    Advanced Member

  • Experts
  • 119 posts

Posted 19 March 2009 - 01:07 AM

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Double-click GooredFix.exe to run it.
  • Select 1. Find Goored (no fix) by typing 1 and pressing Enter.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: Do not run Option #2 yet.



Please download DDS from Tech Support Forum and save it to your desktop.

Double click on dds to run it. If you receive a UAC prompt, please allow it.

When done, DDS.txt will open. Another file, Attach.txt will open after a short while. Please save these 2 files to your desktop as they will be deleted once you close them.

Please attach Attach.txt in your next reply by scrolling down to Upload attachment and clicking on Browse....

An image is below for your reference:


In your next reply, please post:

  • DDS.txt
  • Attach.txt (attached to this topic)

Post gooredlog.txt
and the dds reports.

#10 jason8

    New Member

  • Members
  • 11 posts

Posted 19 March 2009 - 08:03 AM

Here are the logs:

GooredFix v1.92 by jpshortstuff
Log created at 08:53 on 19/03/2009 running Option #1 (Ariff)
Firefox version 3.0.7 (en-US)

=====Suspect Goored Entries=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.7\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.7\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"


DDS (Ver_09-03-16.01) - NTFSx86
Run by Ariff at 8:56:06.89 on Thu 03/19/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_11
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.2006.1049 [GMT -4:00]

AV: BitDefender Antivirus *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\ibmpmsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Lenovo\NPDIRECT\tpfnf7sp.exe
C:\Windows\System32\tp4serv.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\TpShocks.exe
C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\Program Files\ThinkVantage\PrdCtr\LPMGR.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Palm\Hotsync.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Windows\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
c:\Program Files\Lenovo\System Update\SUService.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Windows\System32\TPHDEXLG.exe
C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
D:\dds.scr

============== Pseudo HJT Report ===============

uStart Page =
mDefault_Page_URL = hxxp://lenovo.live.com
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: CPwmIEBrowserHelper Object: {f040e541-a427-4cf7-85d8-75e3e0f476c5} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [TPFNF7] c:\program files\lenovo\npdirect\TPFNF7SP.exe /r
mRun: [TrackPointSrv] tp4serv.exe
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
mRun: [PWMTRV] rundll32 c:\progra~1\thinkpad\utilit~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BTVLogEx.DLL,StartBattLog
mRun: [<NO NAME>]
mRun: [TpShocks] TpShocks.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [AwaySch] c:\program files\lenovo\awaytask\AwaySch.EXE
mRun: [LPManager] c:\progra~1\thinkv~1\prdctr\LPMGR.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
mRun: [LenovoOobeOffers] c:\swtools\lenovowelcome\lenovooobeoffers.exe /filepath="c:\swshare\firstrun.txt"
mRun: [HotSync] "c:\program files\palmsource\desktop\HotSync.exe" -AllUsers
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [eFax 4.4] "c:\program files\efax messenger 4.4\J2GDllCmd.exe" /R
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
StartupFolder: c:\users\ariff\appdata\roaming\micros~1\windows\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {0045D4BC-5189-4b67-969C-83BB1906C421} - {0FE81B52-73FA-425F-8F06-3F32451AC73F} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {74E4A24D-5224-4F05-8A41-99445E0FC22B} - hxxp://aolsvc.aol.com/onlinegames/free-trial-big-island-blends/gamehouseplayer.cab
DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://zone.msn.com/bingame/chnz/default/mjolauncher.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} - hxxp://aolsvc.aol.com/onlinegames/free-trial-burger-shop/GoBitGamesPlayer_v4.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxdev.dll
LSA: Notification Packages = scecli ACGina

================= FIREFOX ===================

FF - ProfilePath - c:\users\ariff\appdata\roaming\mozilla\firefox\profiles\doiozk5o.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - plugin: c:\progra~1\palm\packag~1\NPInstal.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\users\ariff\appdata\roaming\mozilla\firefox\profiles\doiozk5o.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07076007.dll

============= SERVICES / DRIVERS ===============

R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [2009-3-18 26624]
R0 Shockprf;Shockprf;c:\windows\system32\drivers\ApsX86.sys [2007-3-2 100656]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2007-3-2 19760]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-3-16 114768]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [2007-2-19 13744]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWR32V.SYS [2007-10-9 12080]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-3-16 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-3-16 51792]
R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2006-4-14 28933976]
R2 TPHKSVC;On Screen Display;c:\program files\lenovo\hotkey\TPHKSVC.exe [2007-3-30 55936]
R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\lenovo\rescue and recovery\rrpservice.exe [2007-1-8 569344]
R3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [2007-1-22 22832]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2006-9-13 35264]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2006-11-2 167936]

=============== Created Last 30 ================

2009-03-18 21:45 0 a------- c:\windows\system32\settings.dat
2009-03-18 15:48 <DIR> --d----- c:\windows\pss
2009-03-18 10:20 <DIR> --d----- c:\program files\Trend Micro
2009-03-18 01:47 <DIR> --d----- c:\users\ariff\appdata\roaming\Malwarebytes
2009-03-18 01:37 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-18 01:37 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-18 01:37 <DIR> --d----- c:\programdata\Malwarebytes
2009-03-18 01:37 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-18 01:37 <DIR> --d----- c:\progra~2\Malwarebytes
2009-03-18 01:26 <DIR> --d----- c:\program files\Enigma Software Group
2009-03-18 00:52 26,624 a------- c:\windows\system32\drivers\fsbts.sys
2009-03-17 22:19 81,984 a------- c:\windows\system32\bdod.bin
2009-03-17 22:09 850 a------- c:\windows\system32\ProductTweaks.xml
2009-03-17 22:09 385 a------- c:\windows\system32\user_gensett.xml
2009-03-17 22:05 <DIR> --d----- c:\users\ariff\appdata\roaming\BitDefender
2009-03-17 22:04 <DIR> --d----- c:\programdata\BitDefender
2009-03-17 22:04 <DIR> --d----- c:\program files\BitDefender
2009-03-17 22:04 <DIR> --d----- c:\progra~2\BitDefender
2009-03-17 22:02 <DIR> --d----- c:\program files\common files\BitDefender
2009-03-16 16:10 51,792 a------- c:\windows\system32\drivers\aswMonFlt.sys
2009-03-15 23:25 <DIR> --d----- c:\programdata\Lavasoft
2009-03-15 11:01 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-03-15 10:01 <DIR> --d----- c:\programdata\avg8
2009-03-15 10:01 <DIR> --d----- c:\progra~2\avg8
2009-03-10 20:24 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-03-10 20:24 7,680 a------- c:\windows\system32\spwmp.dll
2009-03-10 20:24 4,096 a------- c:\windows\system32\msdxm.ocx
2009-03-10 20:24 4,096 a------- c:\windows\system32\dxmasf.dll
2009-03-10 20:24 268,288 a------- c:\windows\system32\schannel.dll
2009-03-10 20:24 2,033,152 a------- c:\windows\system32\win32k.sys
2009-02-18 19:00 <DIR> --d----- c:\users\ariff\appdata\roaming\j2 Global
2009-02-18 18:59 <DIR> --d----- c:\users\ariff\appdata\roaming\eFax Messenger
2009-02-18 18:59 <DIR> --d----- c:\programdata\eFax Messenger 4.4 Setup
2009-02-18 18:59 <DIR> --d----- c:\progra~2\eFax Messenger 4.4 Setup
2009-02-18 18:59 0 a------- c:\windows\system32\eFax_4_4_Port
2009-02-18 18:59 <DIR> --d----- c:\programdata\eFax Messenger 4.4 Output
2009-02-18 18:59 <DIR> --d----- c:\progra~2\eFax Messenger 4.4 Output
2009-02-18 18:58 <DIR> --d----- c:\program files\eFax Messenger 4.4

==================== Find3M ====================

2009-03-17 21:20 1,732 a------- C:\tvtpktfilter.dat
2009-02-19 18:37 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-15 02:11 827,392 a------- c:\windows\system32\wininet.dll
2008-10-23 18:14 174 a--sh--- c:\program files\desktop.ini
2008-10-23 18:11 143,360 a------- c:\windows\inf\infstrng.dat
2008-10-23 18:11 86,016 a------- c:\windows\inf\infstor.dat
2008-10-23 18:11 51,200 a------- c:\windows\inf\infpub.dat
2008-10-23 18:05 665,600 a------- c:\windows\inf\drvindex.dat
2008-10-02 16:55 98,240 a------- c:\users\ariff\appdata\roaming\GDIPFONTCACHEV1.DAT
2008-07-18 14:57 32 a----r-- c:\programdata\hash.dat
2008-07-18 14:57 32 a----r-- c:\progra~2\hash.dat
2006-11-02 08:39 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:39 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:39 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:39 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 8:56:41.38 ===============




#11 jason8

    New Member

  • Members
  • 11 posts

Posted 19 March 2009 - 08:09 AM

FYI: your instructions for downloading DDS didn't work. I had to register at techsupportforum and do a search to find it.

#12 dan12

    Advanced Member

  • Experts
  • 119 posts

Posted 19 March 2009 - 02:37 PM

Download and run Combofix
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.
When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

If you need help, see this link:
http://www.bleepingc...to-use-combofix
----------------------------------------------



GMER
  • Download GMER by GMER from here
  • Unzip it to a folder on your desktop
  • Double click on gmer.exe to launch GMER
  • If asked, allow the gmer.sys driver load
  • If it warns you about rootkit activity and asks if you want to run scan, click OK
  • If you don't get a warning then
    • Click the rootkit tab
    • Click Scan
  • Once the scan has finished, click copy
  • Paste the log into notepad using Ctrl+V
  • Save it to your desktop as gmerrk.txt
  • Click on the >>> tab
  • This will open up the rest of the tabs for you
  • Click on the Autostart tab
  • Click on Scan
  • Once the scan has finished, click copy
  • Paste the log into notepad using Ctrl+V
  • Save it to your desktop as gmerautos.txt
  • Copy and paste the contents of gmerautos.txt and gmerrk.txt as a reply to this topic



Post back:
Gmer reports
Combofix report.
A new HijackThis log.

#13 jason8

    New Member

  • Members
  • 11 posts

Posted 19 March 2009 - 03:56 PM

Here are the reports requested:

ComboFix 09-03-18.01 - Ariff 2009-03-19 16:03:42.1 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.2006.901 [GMT -4:00]
Running from: D:\ComboFix.exe
AV: BitDefender Antivirus *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\gaopdxsprbwnwxmcttbnfcyiqvcxmcceydeqhp.sys
c:\windows\system32\gaopdxvtpkqdpdrivoqcjgperqkwcefvybnxfv.dll
c:\windows\system32\x64

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gaopdxserv.sys


((((((((((((((((((((((((( Files Created from 2009-02-19 to 2009-03-19 )))))))))))))))))))))))))))))))
.

2009-03-19 16:19 . 2009-03-19 16:19 <DIR> d-------- C:\A
2009-03-18 22:13 . 2009-03-19 16:02 4 --a------ c:\windows\System32\gaopdxcounter
2009-03-18 21:45 . 2009-03-18 21:45 0 --a------ c:\windows\System32\settings.dat
2009-03-18 10:20 . 2009-03-18 10:20 <DIR> d-------- c:\program files\Trend Micro
2009-03-18 01:47 . 2009-03-18 01:47 <DIR> d-------- c:\users\Ariff\AppData\Roaming\Malwarebytes
2009-03-18 01:37 . 2009-03-18 01:37 <DIR> d-------- c:\users\All Users\Malwarebytes
2009-03-18 01:37 . 2009-03-18 01:37 <DIR> d-------- c:\programdata\Malwarebytes
2009-03-18 01:37 . 2009-03-18 08:36 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-18 01:37 . 2009-02-11 10:19 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2009-03-18 01:37 . 2009-02-11 10:19 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2009-03-18 01:26 . 2009-03-18 11:26 <DIR> d-------- c:\program files\Enigma Software Group
2009-03-18 00:52 . 2009-03-18 00:52 26,624 --a------ c:\windows\System32\drivers\fsbts.sys
2009-03-17 22:19 . 2009-03-18 00:15 81,984 --a------ c:\windows\System32\bdod.bin
2009-03-17 22:09 . 2009-03-17 22:09 850 --a------ c:\windows\System32\ProductTweaks.xml
2009-03-17 22:09 . 2009-03-17 22:09 385 --a------ c:\windows\System32\user_gensett.xml
2009-03-17 22:05 . 2009-03-17 22:05 <DIR> d-------- c:\users\Ariff\AppData\Roaming\BitDefender
2009-03-17 22:04 . 2009-03-17 22:07 <DIR> d-------- c:\users\All Users\BitDefender
2009-03-17 22:04 . 2009-03-17 22:07 <DIR> d-------- c:\programdata\BitDefender
2009-03-17 22:04 . 2009-03-17 22:04 <DIR> d-------- c:\program files\BitDefender
2009-03-17 22:02 . 2009-03-18 00:17 <DIR> d-------- c:\program files\Common Files\BitDefender
2009-03-16 16:10 . 2009-03-16 16:10 <DIR> d-------- c:\program files\Alwil Software
2009-03-16 16:10 . 2009-02-05 16:06 51,792 --a------ c:\windows\System32\drivers\aswMonFlt.sys
2009-03-15 23:25 . 2009-03-16 15:02 <DIR> d-------- c:\users\All Users\Lavasoft
2009-03-15 23:25 . 2009-03-16 15:02 <DIR> d-------- c:\programdata\Lavasoft
2009-03-15 11:01 . 2009-03-15 11:01 <DIR> d--h----- C:\$AVG8.VAULT$
2009-03-15 10:01 . 2009-03-16 15:14 <DIR> d-------- c:\users\All Users\avg8
2009-03-15 10:01 . 2009-03-16 15:14 <DIR> d-------- c:\programdata\avg8
2009-03-15 08:46 . 2009-03-15 08:48 <DIR> d-------- c:\users\Ariff\AppData\Roaming\vlc
2009-03-10 20:24 . 2008-12-15 23:29 8,147,456 --a------ c:\windows\System32\wmploc.DLL
2009-03-10 20:24 . 2009-02-08 23:10 2,033,152 --a------ c:\windows\System32\win32k.sys
2009-03-10 20:24 . 2008-11-27 00:43 268,288 --a------ c:\windows\System32\schannel.dll
2009-03-10 20:24 . 2008-12-16 01:31 7,680 --a------ c:\windows\System32\spwmp.dll
2009-03-10 20:24 . 2008-12-16 01:31 4,096 --a------ c:\windows\System32\msdxm.ocx
2009-03-10 20:24 . 2008-12-16 01:31 4,096 --a------ c:\windows\System32\dxmasf.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-19 19:47 19,456 ----a-w c:\windows\System32\gaopdxvtpkqdpdrivoqcjgperqkwcefvybnxfv.dll
2009-03-18 19:49 --------- d-----w c:\program files\Vuze
2009-03-18 19:48 --------- d-----w c:\users\Ariff\AppData\Roaming\Azureus
2009-03-18 01:20 1,732 ----a-w C:\tvtpktfilter.dat
2009-03-16 15:06 --------- d-----w c:\users\Ariff\AppData\Roaming\Lenovo
2009-03-12 12:52 --------- d-----w c:\program files\Windows Mail
2009-02-19 22:37 410,984 ----a-w c:\windows\System32\deploytk.dll
2009-02-18 23:00 --------- d-----w c:\users\Ariff\AppData\Roaming\j2 Global
2009-02-18 22:59 --------- d-----w c:\users\Ariff\AppData\Roaming\eFax Messenger
2009-02-18 22:59 --------- d-----w c:\programdata\eFax Messenger 4.4 Setup
2009-02-18 22:59 --------- d-----w c:\programdata\eFax Messenger 4.4 Output
2009-02-18 22:59 --------- d-----w c:\program files\eFax Messenger 4.4
2009-01-15 06:11 827,392 ----a-w c:\windows\System32\wininet.dll
2008-10-23 22:14 174 --sha-w c:\program files\desktop.ini
2008-10-02 20:55 98,240 ----a-w c:\users\Ariff\AppData\Roaming\GDIPFONTCACHEV1.DAT
2008-07-18 18:57 32 ----a-r c:\users\All Users\hash.dat
2008-07-18 18:57 32 ----a-r c:\programdata\hash.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2007-04-09 58416]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 66176]
"PWMTRV"="c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2007-06-17 321072]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BTVLogEx.DLL" [2007-06-17 214576]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-03-28 243248]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2007-01-08 536576]
"AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-11-07 91688]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2007-03-22 120368]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-19 136600]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2007-06-29 419112]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-06-29 124200]
"LenovoOobeOffers"="c:\swtools\LenovoWelcome\LenovoOobeOffers.exe" [2006-12-29 28672]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-11 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-11 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-11 133656]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-01-28 1167360]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"eFax 4.4"="c:\program files\eFax Messenger 4.4\J2GDllCmd.exe" [2008-10-07 95744]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"TrackPointSrv"="tp4serv.exe" [2006-11-20 c:\windows\System32\tp4serv.exe]
"TpShocks"="TpShocks.exe" [2007-03-29 c:\windows\System32\TpShocks.exe]

c:\users\Ariff\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\program files\Palm\Hotsync.exe [2007-06-07 1392640]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli ACGina

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{44B5F46D-57F1-4EE4-B2BF-C4AB7C32AB05}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{6FCE7109-8E6B-42FF-B0F8-FD79242A7731}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:uTorrent
"TCP Query User{1C6A5920-AD58-4BE2-820C-2859C64D0249}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{5A9D48FE-706F-45F3-8E3B-F340D3B5F2F3}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:uTorrent
"TCP Query User{21108B40-A96E-4B77-818E-F35B1A050A0A}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{7B48665B-054E-4CB0-B553-DE7802547895}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{57D2E341-FABE-46EC-B9F3-3414C04DD313}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{607E4C0E-3630-4A37-A9FF-ECE68491A945}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{2649E947-0572-4ECB-8113-A27CE0B7C04E}"= UDP:c:\users\Ariff\AppData\Local\Temp\WZSE0.TMP\SymNRT.exe:Norton Removal Tool
"{B4403ACF-A270-4B9B-9DA2-AA2B9E1701EC}"= TCP:c:\users\Ariff\AppData\Local\Temp\WZSE0.TMP\SymNRT.exe:Norton Removal Tool
"TCP Query User{271166E4-E381-4361-9FC4-565A8BCC3A01}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{609A578D-9C0F-442D-A846-C44B6827632A}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"{80CCC2FB-82C1-427D-A5C9-437771CAAD87}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{B5E30F59-3CB6-4917-BCF6-F26D71701306}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"TCP Query User{D4266620-862C-4FB4-BFB0-A62B1E44F7ED}c:\\program files\\vuze\\azureus.exe"= UDP:c:\program files\vuze\azureus.exe:Azureus
"UDP Query User{632B3EB6-F629-497A-893B-F8554740FB30}c:\\program files\\vuze\\azureus.exe"= TCP:c:\program files\vuze\azureus.exe:Azureus
"{A4332871-1A36-4EE6-B60D-254B33F30962}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{A6BC63FF-EA91-43DE-B4E5-79CF1595F0A3}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R0 fsbts;fsbts;c:\windows\System32\drivers\fsbts.sys [2009-03-18 26624]
R0 Shockprf;Shockprf;c:\windows\System32\drivers\ApsX86.sys [2007-03-02 100656]
R0 TPDIGIMN;TPDIGIMN;c:\windows\System32\drivers\ApsHM86.sys [2007-03-02 19760]
R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [2009-03-16 114768]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\System32\drivers\smiif32.sys [2007-02-19 13744]
R1 TPPWRIF;TPPWRIF;c:\windows\System32\drivers\TPPWR32V.SYS [2007-10-09 12080]
R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [2009-03-16 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [2009-03-16 51792]
R3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\System32\drivers\tp4track.sys [2007-01-22 22832]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\System32\drivers\tvti2c.sys [2006-09-13 35264]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [2006-11-02 167936]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
.
Contents of the 'Scheduled Tasks' folder

2009-03-17 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []

2009-03-19 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 15:54]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-HotSync - c:\program files\PalmSource\Desktop\HotSync.exe


.
------- Supplementary Scan -------
.
uStart Page =
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: {74E4A24D-5224-4F05-8A41-99445E0FC22B} - hxxp://aolsvc.aol.com/onlinegames/free-trial-big-island-blends/gamehouseplayer.cab
DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} - hxxp://aolsvc.aol.com/onlinegames/free-trial-burger-shop/GoBitGamesPlayer_v4.cab
FF - ProfilePath - c:\users\Ariff\AppData\Roaming\Mozilla\Firefox\Profiles\doiozk5o.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - plugin: c:\progra~1\Palm\PACKAG~1\NPInstal.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\users\Ariff\AppData\Roaming\Mozilla\Firefox\Profiles\doiozk5o.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-19 16:18:29
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

[0] 0x32302D39

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(5680)
c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL
c:\progra~1\ThinkPad\UTILIT~1\US\PWMRT32V.DLL
c:\progra~1\ThinkPad\UTILIT~1\PWMIF32V.DLL
c:\windows\system32\Sensor.dll
c:\windows\system32\igfxdev.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\ibmpmsvc.exe
c:\windows\System32\audiodg.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\System32\IPSSVC.EXE
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Lenovo\System Update\SUService.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\System32\TPHDEXLG.exe
c:\program files\Lenovo\HOTKEY\TPHKSVC.exe
c:\program files\Lenovo\Client Security Solution\tvttcsd.exe
c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe
c:\program files\Lenovo\Rescue and Recovery\rrservice.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\Lenovo\Rescue and Recovery\ADM\IUService.exe
c:\windows\System32\drivers\XAudio.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\Common Files\Lenovo\Logger\logmon.exe
c:\windows\System32\WUDFHost.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\windows\System32\rundll32.exe
c:\program files\ThinkPad\Utilities\EZEJMNAP.EXE
c:\program files\ThinkVantage\PrdCtr\LPMGR.EXE
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\ZOOM\TpScrex.exe
c:\program files\Alwil Software\Avast4\ashDisp.exe
c:\windows\System32\igfxsrvc.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Windows Media Player\wmplayer.exe
.
**************************************************************************
.
Completion time: 2009-03-19 16:28:39 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-19 20:28:15

Pre-Run: 23,917,305,856 bytes free
Post-Run: 24,739,049,472 bytes free

240 --- E O F --- 2009-03-14 07:11:36






GMER 1.0.15.14939 - http://www.gmer.net
Autostart scan 2009-03-19 16:44:41
Windows 6.0.6001 Service Pack 1


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\Windows\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui@DLLName = igfxdev.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
AcPrfMgrSvc@ = C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
AcSvc@ = C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
Apple Mobile Device@ = "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"
aswUpdSv@ = "C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"
avast! Antivirus@ = "C:\Program Files\Alwil Software\Avast4\ashServ.exe"
Bonjour Service@ = "C:\Program Files\Bonjour\mDNSResponder.exe"
IBMPMSVC@ = %SystemRoot%\system32\ibmpmsvc.exe
IPSSVC@ = %SystemRoot%\system32\IPSSVC.EXE
MSSQL$MSSMLBIZ@ = "c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ
slsvc@ = %SystemRoot%\system32\SLsvc.exe
SUService@ = "c:\Program Files\Lenovo\System Update\SUService.exe"
ThinkVantage Registry Monitor Service@ = "C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe"
TPHDEXLGSVC@ = System32\TPHDEXLG.exe
TPHKSVC@ = C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
TSSCoreService@ = "C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe"
TVT Backup Protection Service@ = "C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe"
TVT Backup Service@ = "C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe"
TVT Scheduler@ = "c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe"
tvtnetwk@ = C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
WSearch@ = %systemroot%\system32\SearchIndexer.exe /Embedding
XAudioService@ = %SystemRoot%\system32\DRIVERS\xaudio.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@TPFNF7C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r /*file not found*/ = C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r /*file not found*/
@TrackPointSrvtp4serv.exe = tp4serv.exe
@TPHOTKEYC:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe = C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
@PWMTRVrundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL,PwrMgrBkGndMonitor = rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
@BLOGrundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BTVLogEx.DLL,StartBattLog = rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BTVLogEx.DLL,StartBattLog
@TpShocksTpShocks.exe = TpShocks.exe
@EZEJMNAPC:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe = C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
@TVT Scheduler ProxyC:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe = C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
@AwaySchC:\Program Files\Lenovo\AwayTask\AwaySch.EXE = C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
@LPManagerC:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe = C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
@SunJavaUpdateSched"C:\Program Files\Java\jre6\bin\jusched.exe" = "C:\Program Files\Java\jre6\bin\jusched.exe"
@ACTrayC:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe = C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
@ACWLIconC:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe = C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
@LenovoOobeOffersc:\SWTOOLS\LenovoWelcome\LenovoOobeOffers.exe /filePath="c:\swshare\firstrun.txt" = c:\SWTOOLS\LenovoWelcome\LenovoOobeOffers.exe /filePath="c:\swshare\firstrun.txt"
@IgfxTrayC:\Windows\system32\igfxtray.exe = C:\Windows\system32\igfxtray.exe
@HotKeysCmdsC:\Windows\system32\hkcmd.exe = C:\Windows\system32\hkcmd.exe
@PersistenceC:\Windows\system32\igfxpers.exe = C:\Windows\system32\igfxpers.exe
@AppleSyncNotifierC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe = C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
@SoundMAXPnPC:\Program Files\Analog Devices\Core\smax4pnp.exe = C:\Program Files\Analog Devices\Core\smax4pnp.exe
@Adobe Reader Speed Launcher"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" = "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
@QuickTime Task"C:\Program Files\QuickTime\QTTask.exe" -atboottime = "C:\Program Files\QuickTime\QTTask.exe" -atboottime
@iTunesHelper"C:\Program Files\iTunes\iTunesHelper.exe" = "C:\Program Files\iTunes\iTunesHelper.exe"
@eFax 4.4"C:\Program Files\eFax Messenger 4.4\J2GDllCmd.exe" /R = "C:\Program Files\eFax Messenger 4.4\J2GDllCmd.exe" /R
@avast!C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe = C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{F02C1A0D-BE21-4350-88B0-7367FC96EF3C} /*Computers and Devices*/%systemroot%\system32\NetworkExplorer.dll = %systemroot%\system32\NetworkExplorer.dll
@{4A1E5ACD-A108-4100-9E26-D2FAFA1BA486} /*IGD Property Sheet Handler*/%SystemRoot%\System32\icsigd.dll = %SystemRoot%\System32\icsigd.dll
@{92dbad9f-5025-49b0-9078-2d78f935e341} /*Microsoft Windows Mail Html Preview Handler*/%SystemRoot%\system32\inetcomm.dll = %SystemRoot%\system32\inetcomm.dll
@{b9815375-5d7f-4ce2-9245-c9d4da436930} /*Microsoft Windows Mail Html Preview Handler*/%SystemRoot%\system32\inetcomm.dll = %SystemRoot%\system32\inetcomm.dll
@{f8b8412b-dea3-4130-b36c-5e8be73106ac} /*Microsoft Windows Mail Html Preview Handler*/%SystemRoot%\system32\inetcomm.dll = %SystemRoot%\system32\inetcomm.dll
@{5FA29220-36A1-40f9-89C6-F4B384B7642E} /*Shell Message Handler*/%SystemRoot%\system32\inetcomm.dll = %SystemRoot%\system32\inetcomm.dll
@{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} /*Shell DocObject Viewer*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{BC476F4C-D9D7-4100-8D4E-E043F6DEC409} /*Microsoft Browser Architecture*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{FBF23B40-E3F0-101B-8488-00AA003E56F8} /*InternetShortcut*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{3C374A40-BAE4-11CF-BF7D-00AA006946EE} /*Microsoft Url History Service*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{FF393560-C2A7-11CF-BFF4-444553540000} /*History*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{7BD29E00-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{7BD29E01-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{CFBFAE00-17A6-11D0-99CB-00C04FD64497} /*Microsoft Url Search Hook*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{3DC7A020-0ACD-11CF-A9BB-00AA004AE837} /*The Internet*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{73CFD649-CD48-4fd8-A272-2070EA56526B} /*IE BandProxy*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{07C45BB1-4A8C-4642-A1F5-237E7215FF66} /*IE Microsoft BrowserBand*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{43886CD5-6529-41c4-A707-7B3C92C05E68} /*IE Navigation Bar*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{30D02401-6A81-11d0-8274-00C04FD5AE38} /*IE Search Band*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{F83DAC1C-9BB9-4f2b-B619-09819DA81B0E} /*IE Registry Tree Options Utility*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{3028902F-6374-48b2-8DC6-9725E775B926} /*IE AutoComplete*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{98FF6D4B-6387-4b0a-8FBD-C5C4BB17B4F8} /*IE MRU AutoComplete List*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{FDE7673D-2E19-4145-8376-BBD58C4BC7BA} /*IE Custom MRU AutoCompleted List*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{6038EF75-ABFC-4e59-AB6F-12D397F6568D} /*IE Microsoft History AutoComplete List*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{9D958C62-3954-4b44-8FAB-C4670C1DB4C2} /*IE Microsoft Shell Folder AutoComplete List*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{B31C5FAE-961F-415b-BAF0-E697A5178B94} /*IE Microsoft Multiple AutoComplete List Container*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{E6EE9AAC-F76B-4947-8260-A9F136138E11} /*IE Shell Band Site Menu*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{BFAD62EE-9D54-4b2a-BF3B-76F90697BD2A} /*IE Shell Rebar BandSite*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} /*IE User Assist*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{4B78D326-D922-44f9-AF2A-07805C2A3560} /*IE Menu Band*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{6CF48EF8-44CD-45d2-8832-A16EA016311B} /*IE IShellFolderBand*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{F2CF5485-4E02-4f68-819C-B92DE9277049} /*&Links*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{1C1EDB47-CE22-4bbb-B608-77B48F83C823} /*IE Fade Task*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{6B4ECC4F-16D1-4474-94AB-5A763F2A54AE} /*IE Tracking Shell Menu*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{44C76ECD-F7FA-411c-9929-1B77BA77F524} /*IE Menu Site*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{205D7A97-F16D-4691-86EF-F3075DCCA57D} /*IE Menu Desk Bar*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{871C5380-42A0-1069-A2EA-08002B30309D} /*Internet Name Space*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{9A096BB5-9DC3-4D1C-8526-C3CBF991EA4E} /*IE RSS Feeder Folder*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{8856f961-340a-11d0-a96b-00c04fd705a2} /*Microsoft Web Browser*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{CC6EEFFB-43F6-46c5-9619-51D571967F7D} /*Web Publishing Wizard*/%SystemRoot%\System32\shwebsvc.dll = %SystemRoot%\System32\shwebsvc.dll
@{add36aa8-751a-4579-a266-d66f5202ccbb} /*Print Ordering via the Web*/%SystemRoot%\System32\shwebsvc.dll = %SystemRoot%\System32\shwebsvc.dll
@{6b33163c-76a5-4b6c-bf21-45de9cd503a1} /*Shell Publishing Wizard Object*/%SystemRoot%\System32\shwebsvc.dll = %SystemRoot%\System32\shwebsvc.dll
@{176d6597-26d3-11d1-b350-080036a75b03} /*ICM Scanner Management*/%SystemRoot%\System32\colorui.dll = %SystemRoot%\System32\colorui.dll
@{5DB2625A-54DF-11D0-B6C4-0800091AA605} /*ICM Monitor Management*/%SystemRoot%\System32\colorui.dll = %SystemRoot%\System32\colorui.dll
@{675F097E-4C4D-11D0-B6C1-0800091AA605} /*ICM Printer Management*/%SystemRoot%\system32\colorui.dll = %SystemRoot%\system32\colorui.dll
@{DBCE2480-C732-101B-BE72-BA78E9AD5B27} /*ICC Profile*/%SystemRoot%\system32\colorui.dll = %SystemRoot%\system32\colorui.dll
@{b2c761c6-29bc-4f19-9251-e6195265baf1} /*Color Control Panel Applet*/(null) =
@{74246bfc-4c96-11d0-abef-0020af6b0b7a} /*Device Manager*/%SystemRoot%\System32\devmgr.dll = %SystemRoot%\System32\devmgr.dll
@{7A979262-40CE-46ff-AEEE-7884AC3B6136} /*Add New Hardware*/(null) =
@{3e7efb4c-faf1-453d-89eb-56026875ef90} /*Get Programs Online*/(null) =
@{1b24a030-9b20-49bc-97ac-1be4426f9e59} /*ActiveDirectory Folder*/(null) =
@{34449847-FD14-4fc8-A75A-7432F5181EFB} /*ActiveDirectory Folder*/(null) =
@{C8494E42-ACDD-4739-B0FB-217361E4894F} /*Sam Account Folder*/(null) =
@{E29F9716-5C08-4FCD-955A-119FDB5A522D} /*Sam Account Folder*/(null) =
@{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0} /*Control Panel command object for Start menu*/(null) =
@{E44E5D18-0652-4508-A4E2-8A090067BCB0} /*Default Programs command object for Start menu*/(null) =
@{6dfd7c5c-2451-11d3-a299-00c04f8ef6af} /*Folder Options*/(null) =
@{97e467b4-98c6-4f19-9588-161b7773d6f6} /*Office Document Property Handler*/%SystemRoot%\system32\propsys.dll = %SystemRoot%\system32\propsys.dll
@{2C2577C2-63A7-40e3-9B7F-586602617ECB} /*Explorer Query Band*/(null) =
@{DC1C5A9C-E88A-4dde-A5A1-60F82A20AEF7} /*File Open Dialog*/%SystemRoot%\System32\comdlg32.dll = %SystemRoot%\System32\comdlg32.dll
@{C0B4E2F3-BA21-4773-8DBA-335EC946EB8B} /*File Save Dialog*/%SystemRoot%\System32\comdlg32.dll = %SystemRoot%\System32\comdlg32.dll
@{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} /*Shell Icon Handler for Application References*/C:\Windows\system32\dfshim.dll = C:\Windows\system32\dfshim.dll
@{e82a2d71-5b2f-43a0-97b8-81be15854de8} /*ShellLink for Application References*/C:\Windows\system32\dfshim.dll = C:\Windows\system32\dfshim.dll
@{92337A8C-E11D-11D0-BE48-00C04FC30DF6} /*OlePrn.PrinterURL*/%SystemRoot%\system32\oleprn.dll = %SystemRoot%\system32\oleprn.dll
@{45670FA8-ED97-4F44-BC93-305082590BFB} /*Microsoft XPS Properties*/%SystemRoot%\system32\XPSSHHDR.DLL = %SystemRoot%\system32\XPSSHHDR.DLL
@{44121072-A222-48f2-A58A-6D9AD51EBBE9} /*Microsoft XPS Thumbnail*/%SystemRoot%\system32\XPSSHHDR.DLL = %SystemRoot%\system32\XPSSHHDR.DLL
@{38a98528-6cbf-4ca9-8dc0-b1e1d10f7b1b} /*View Available Networks*/(null) =
@{13D3C4B8-B179-4ebb-BF62-F704173E7448} /*Windows Contact Preview Handler*/%CommonProgramFiles%\System\wab32.dll = %CommonProgramFiles%\System\wab32.dll
@{0F8604A5-4ECE-4DE1-BA7D-CF10F8AA4F48} /*Contacts folder*/(null) =
@{4F58F63F-244B-4c07-B29F-210BE59BE9B4} /*.group shell extension handler*/%CommonProgramFiles%\System\wab32.dll = %CommonProgramFiles%\System\wab32.dll
@{8082C5E6-4C27-48ec-A809-B8E1122E8F97} /*.contact shell extension handler*/%CommonProgramFiles%\System\wab32.dll = %CommonProgramFiles%\System\wab32.dll
@{16C2C29D-0E5F-45f3-A445-03E03F587B7D} /*group_wab_auto_file*/%CommonProgramFiles%\System\wab32.dll = %CommonProgramFiles%\System\wab32.dll
@{CF67796C-F57F-45F8-92FB-AD698826C602} /*contact_wab_auto_file*/%CommonProgramFiles%\System\wab32.dll = %CommonProgramFiles%\System\wab32.dll
@{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8} /*Compatibility Property Page*/%windir%\system32\acppage.dll = %windir%\system32\acppage.dll
@{4026492f-2f69-46b8-b9bf-5654fc07e423} /*Windows Firewall*/(null) =
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\Windows\system32\extmgr.dll = C:\Windows\system32\extmgr.dll
@{fcfeecae-ee1b-4849-ae50-685dcf7717ec} /*Problem Reports and Solutions*/(null) =
@{a304259d-52b8-4526-8b1a-a1d6cecc8243} /*iSCSI Initiator*/(null) =
@{11dbb47c-a525-400b-9e80-a54615a090c0} /*Execute Folder*/ExplorerFrame.dll = ExplorerFrame.dll
@{90b9bce2-b6db-4fd3-8451-35917ea1081b} /*Search Execute Command*/ExplorerFrame.dll = ExplorerFrame.dll
@{911051fa-c21c-4246-b470-070cd8df6dc4} /*.cab or .zip files*/(null) =
@{da67b8ad-e81b-4c70-9b91b417b5e33527} /*Windows Search Shell Service*/(null) =
@{a38b883c-1682-497e-97b0-0a3a9e801682} /*IPropertyStore Handler for Images*/C:\Windows\system32\PhotoMetadataHandler.dll = C:\Windows\system32\PhotoMetadataHandler.dll
@{C7657C4A-9F68-40fa-A4DF-96BC08EB3551} /*Photo Thumbnail Provider*/C:\Windows\system32\PhotoMetadataHandler.dll = C:\Windows\system32\PhotoMetadataHandler.dll
@{3F30C968-480A-4C6C-862D-EFC0897BB84B} /*Photo Thumbnail Extractor*/C:\Windows\system32\PhotoMetadataHandler.dll = C:\Windows\system32\PhotoMetadataHandler.dll
@{BC65FB43-1958-4349-971A-210290480130} /*Network Explorer Property Sheet Handler*/%SystemRoot%\System32\NcdProp.dll = %SystemRoot%\System32\NcdProp.dll
@{d3e34b21-9d75-101a-8c3d-00aa001a1652} /*Bitmap Image*/(null) =
@{40C3D757-D6E4-4b49-BB41-0E5BBEA28817} /*Video Media Properties Handler*/%SystemRoot%\System32\mediametadatahandler.dll = %SystemRoot%\System32\mediametadatahandler.dll
@{E598560B-28D5-46aa-A14A-8A3BEA34B576} /*Windows Photo Gallery Viewer Video Verbs*/%ProgramFiles%\Windows Photo Gallery\PhotoViewer.dll /*file not found*/ = %ProgramFiles%\Windows Photo Gallery\PhotoViewer.dll /*file not found*/
@{00f2886f-cd64-4fc9-8ec5-30ef6cdbe8c3} /*Microsoft.ScannersAndCameras*/(null) =
@{0a4286ea-e355-44fb-8086-af3df7645bd9} /*Windows Media Player*/C:\PROGRA~1\WI4EB4~1\wmpband.dll = C:\PROGRA~1\WI4EB4~1\wmpband.dll
@{BB6B2374-3D79-41DB-87F4-896C91846510} /*EMDFileProperties*/emdmgmt.dll = emdmgmt.dll
@{875CB1A1-0F29-45de-A1AE-CFB4950D0B78} /*Audio Media Properties Handler*/%SystemRoot%\System32\mediametadatahandler.dll = %SystemRoot%\System32\mediametadatahandler.dll
@{89D83576-6BD1-4c86-9454-BEB04E94C819} /*MAPI Search Namespace Extension*/%systemroot%\system32\mssvp.dll = %systemroot%\system32\mssvp.dll
@{7A0F6AB7-ED84-46B6-B47E-02AA159A152B} /*Sync Center Simple Conflict Presenter*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll
@{9D687A4C-1404-41ef-A089-883B6FBECDE6} /*Windows Photo Gallery Viewer Autoplay Handler*/(null) =
@{37efd44d-ef8d-41b1-940d-96973a50e9e0} /*Windows Sidebar Properties*/(null) =
@{00f20eb5-8fd6-4d9d-b75e-36801766c8f1} /*PhotoAcqDropTarget*/%ProgramFiles%\Windows Photo Gallery\PhotoAcq.dll /*file not found*/ = %ProgramFiles%\Windows Photo Gallery\PhotoAcq.dll /*file not found*/
@{BC48B32F-5910-47F5-8570-5074A8A5636A} /*Sync Results Delegate Folder*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll
@{ED228FDF-9EA8-4870-83B1-96B02CFE0D52} /*Games Folder*/C:\Windows\System32\gameux.dll = C:\Windows\System32\gameux.dll
@{E413D040-6788-4C22-957E-175D1C513A34} /*Sync Center Conflict Delegate Folder*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll
@{67718415-c450-4f3c-bf8a-b487642dc39b} /*Windows Features*/(null) =
@{91ADC906-6722-4B05-A12B-471ADDCCE132} /*Touch Band*/%SystemRoot%\System32\TouchX.dll = %SystemRoot%\System32\TouchX.dll
@{2781761E-28E0-4109-99FE-B9D127C57AFE} /*Windows Defender IOfficeAntiVirus implementation*/%ProgramFiles%\Windows Defender\MpOav.dll /*file not found*/ = %ProgramFiles%\Windows Defender\MpOav.dll /*file not found*/
@{FFE2A43C-56B9-4bf5-9A79-CC6D4285608A} /*Windows Photo Gallery Viewer Image Verbs*/%ProgramFiles%\Windows Photo Gallery\PhotoViewer.dll /*file not found*/ = %ProgramFiles%\Windows Photo Gallery\PhotoViewer.dll /*file not found*/
@{4B534112-3AF6-4697-A77C-D62CE9B9E7CF} /*Sync Center Event Properties Extension*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll
@{F1390A9A-A3F4-4E5D-9C5F-98F3BD8D935C} /*Sync Setup Delegate Folder*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll
@{4E5BFBF8-F59A-4e87-9805-1F9B42CC254A} /*GameUX.RichGameMediaThumbnail*/C:\Windows\System32\gameux.dll = C:\Windows\System32\gameux.dll
@{d8559eb9-20c0-410e-beda-7ed416aecc2a} /*Windows Defender*/(null) =
@{576C9E85-1300-4EF5-BF6B-D00509F4EDCD} /*Sync Center Handler Properties Extension*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll
@{5ea4f148-308c-46d7-98a9-49041b1dd468} /*Mobility Center Control Panel*/(null) =
@{289978AC-A101-4341-A817-21EBA7FD046D} /*Sync Center Conflict Folder*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll
@{877ca5ac-cb41-4842-9c69-9136e42d47e2} /*File Backup Index*/%systemroot%\system32\sdshext.dll = %systemroot%\system32\sdshext.dll
@{71D99464-3B6B-475C-B241-E15883207529} /*Sync Results Folder*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll
@{B32D3949-ED98-4DBB-B347-17A144969BBA} /*Sync Center Item Properties Extension*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll
@{D6791A63-E7E2-4fee-BF52-5DED8E86E9B8} /*Portable Devices Menu*/%SystemRoot%\system32\wpdshext.dll = %SystemRoot%\system32\wpdshext.dll
@{2E9E59C0-B437-4981-A647-9C34B9B90891} /*Sync Setup Folder*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll
@{9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF} /*Sync Center Folder*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll
@{CB1B7F8C-C50A-4176-B604-9E24DEE8D4D1} /*Welcome Center*/oobefldr.dll = oobefldr.dll
@{F04CC277-03A2-4277-96A9-77967471BDFF} /*Sync Center Conflict Properties Extension*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll
@{53BEDF0B-4E5B-4183-8DC9-B844344FA104} /*Microsoft Windows MAPI Preview Handler*/%SystemRoot%\system32\mssvp.dll = %SystemRoot%\system32\mssvp.dll
@{6b9228da-9c15-419e-856c-19e768a13bdc} /*Windows gadget DropTarget*/%ProgramFiles%\Windows Sidebar\sbdrop.dll /*file not found*/ = %ProgramFiles%\Windows Sidebar\sbdrop.dll /*file not found*/
@{8E25992B-373E-486E-80E5-BD23AE417E66} /*Sync Center Device Notification Sink*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll
@{35786D3C-B075-49b9-88DD-029876E11C01} /*Portable Devices*/%SystemRoot%\system32\wpdshext.dll = %SystemRoot%\system32\wpdshext.dll
@{031EE060-67BC-460d-8847-E4A7C5E45A27} /*Windows Media Player Rich Preview Handler*/(null) =
@{1FA9085F-25A2-489B-85D4-86326EEDCD87} /*Manage Wireless Networks*/%SystemRoot%\system32\wlanpref.dll = %SystemRoot%\system32\wlanpref.dll
@{7dda204b-2097-47c9-8323-c40bb840ae44} /*XPS document*/(null) =
@{ECDD6472-2B9B-4b4b-AE36-F316DF3C8D60} /*RichGameMediaPropertyStore Class*/C:\Windows\System32\gameux.dll = C:\Windows\System32\gameux.dll
@{BD7A2E7B-21CB-41b2-A086-B309680C6B7E} /*Client Side Cache Namespace Extension*/%systemroot%\system32\mssvp.dll = %systemroot%\system32\mssvp.dll
@{c5a40261-cd64-4ccf-84cb-c394da41d590} /*Video Thumbnail Extractor*/%SystemRoot%\System32\mediametadatahandler.dll = %SystemRoot%\System32\mediametadatahandler.dll
@{23170F69-40C1-278A-1000-000100020000} /*7-Zip Shell Extension*/C:\Program Files\ThinkVantage\SMA\7z\7-zip.dll = C:\Program Files\ThinkVantage\SMA\7z\7-zip.dll
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/C:\Program Files\WinRAR\rarext.dll = C:\Program Files\WinRAR\rarext.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Web Folders*/C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Outlook Custom Icon Handler*/C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL = C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Program Files\Microsoft Office\Office10\msohev.dll = C:\Program Files\Microsoft Office\Office10\msohev.dll
@{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} /*iTunes*/C:\Program Files\iTunes\iTunesMiniPlayer.dll = C:\Program Files\iTunes\iTunesMiniPlayer.dll
@{6872d785-fe43-44cb-9b2a-2df4c5eb13b2} /*eFax Messenger - Shell Extension*/C:\Program Files\eFax Messenger 4.4\J2GShell.dll = C:\Program Files\eFax Messenger 4.4\J2GShell.dll
@{472083B0-C522-11CF-8763-00608CC02F24} /*avast*/C:\Program Files\Alwil Software\Avast4\ashShell.dll = C:\Program Files\Alwil Software\Avast4\ashShell.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
avast@{472083B0-C522-11CF-8763-00608CC02F24} = C:\Program Files\Alwil Software\Avast4\ashShell.dll
HotShellExt_40@{6872D785-FE43-44cb-9B2A-2DF4C5EB13B2} = C:\Program Files\eFax Messenger 4.4\J2GShell.dll
LavasoftShellExt@{DCE027F7-16A4-4BEE-9BE7-74F80EE3738F} = C:\Program Files\Lavasoft\Ad-Aware\ShellExt.dll /*file not found*/
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
avast@{472083B0-C522-11CF-8763-00608CC02F24} = C:\Program Files\Alwil Software\Avast4\ashShell.dll
LavasoftShellExt@{DCE027F7-16A4-4BEE-9BE7-74F80EE3738F} = C:\Program Files\Lavasoft\Ad-Aware\ShellExt.dll /*file not found*/
MBAMShlExt@{57CE581A-0CB6-4266-9CA0-19364C90A0B3} = C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll = C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
@{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}C:\Program Files\AVG\AVG8\avgssie.dll /*file not found*/ = C:\Program Files\AVG\AVG8\avgssie.dll /*file not found*/
@{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}C:\Program Files\Java\jre6\bin\ssv.dll = C:\Program Files\Java\jre6\bin\ssv.dll
@{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}c:\Program Files\Windows Live Toolbar\msntb.dll = c:\Program Files\Windows Live Toolbar\msntb.dll
@{DBC80044-A445-435b-BC74-9C25C1C588A9}C:\Program Files\Java\jre6\bin\jp2ssv.dll = C:\Program Files\Java\jre6\bin\jp2ssv.dll
@{F040E541-A427-4CF7-85D8-75E3E0F476C5}C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll = C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft....k/?LinkId=69157
@Start Pagehttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft....k/?LinkId=69157
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Page =
@Local PageC:\Windows\system32\blank.htm = C:\Windows\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
cdo@CLSID = C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
dvd@CLSID = C:\Windows\System32\msvidctl.dll
its@CLSID = %SystemRoot%\System32\itss.dll
mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
ms-its@CLSID = %SystemRoot%\System32\itss.dll
mso-offdap@CLSID = C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
mso-offdap11@CLSID = C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
tv@CLSID = C:\Windows\System32\msvidctl.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ >>>
000000000001@LibraryPath = %SystemRoot%\system32\NLAapi.dll
000000000002@LibraryPath = %SystemRoot%\system32\napinsp.dll
000000000003@LibraryPath = %SystemRoot%\system32\pnrpnsp.dll
000000000004@LibraryPath = %SystemRoot%\system32\pnrpnsp.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005@LibraryPath = C:\Program Files\Bonjour\mdnsNSP.dll

C:\Users\Ariff\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup = HotSync Manager.lnk

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup = Microsoft Office.lnk

---- EOF - GMER 1.0.15 ----



GMER 1.0.15.14939 - http://www.gmer.net
Rootkit scan 2009-03-19 16:43:08
Windows 6.0.6001 Service Pack 1


---- Kernel code sections - GMER 1.0.15 ----

? C:\ComboFix\catchme.sys The system cannot find the path specified. !
? C:\Windows\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\system32\services.exe[660] @ C:\Windows\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00060002
IAT C:\Windows\system32\services.exe[660] @ C:\Windows\system32\services.exe [KERNEL32.dll!CreateProcessW] 00060000

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service system32\drivers\gaopdxtqifyvbvqinimokrxywxhxdecpptcbxe.sys (*** hidden *** ) [SYSTEM] gaopdxserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxtqifyvbvqinimokrxywxhxdecpptcbxe.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxtqifyvbvqinimokrxywxhxdecpptcbxe.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxqfiwfsuleqbnaixvgjlgkpheutvfpqtv.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxtqifyvbvqinimokrxywxhxdecpptcbxe.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxtqifyvbvqinimokrxywxhxdecpptcbxe.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxqfiwfsuleqbnaixvgjlgkpheutvfpqtv.dll

---- Files - GMER 1.0.15 ----

File C:\RRbackups\common 0 bytes
File C:\RRbackups\common\bmgrmode.dat 29 bytes
File C:\RRbackups\common\css.dat 8192 bytes
File C:\RRbackups\common\hints.dat 8192 bytes
File C:\RRbackups\common\mnd.dat 8192 bytes
File C:\RRbackups\common\regcerts.dat 8192 bytes
File C:\RRbackups\common\restore.log 110 bytes
File C:\RRbackups\common\rr.log 37245 bytes
File C:\RRbackups\common\rr_bcdenum.dat 3573 bytes
File C:\RRbackups\common\SAM 61440 bytes
File C:\RRbackups\common\seccache.dat 8192 bytes
File C:\RRbackups\common\secpolicy.dat 24576 bytes
File C:\RRbackups\common\settings.dat 32768 bytes

---- EOF - GMER 1.0.15 ----


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:50:43 PM, on 3/19/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Lenovo\NPDIRECT\tpfnf7sp.exe
C:\Windows\System32\tp4serv.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\TpShocks.exe
C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\Program Files\ThinkVantage\PrdCtr\LPMGR.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\eFax Messenger 4.4\J2GDllCmd.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Palm\Hotsync.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SE...S01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [PWMTRV] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BTVLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [LenovoOobeOffers] c:\SWTOOLS\LenovoWelcome\LenovoOobeOffers.exe /filePath="c:\swshare\firstrun.txt"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [eFax 4.4] "C:\Program Files\eFax Messenger 4.4\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Startup: HotSync Manager.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O13 - Gopher Prefix:
O16 - DPF: {74E4A24D-5224-4F05-8A41-99445E0FC22B} (GameHouse Games Player) - http://aolsvc.aol.co...houseplayer.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/...mjolauncher.cab
O16 - DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} (GoBit Games Player) - http://aolsvc.aol.co...esPlayer_v4.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA} - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\Windows\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\Windows\system32\IPSSVC.EXE
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\Windows\System32\TPHDEXLG.exe
O23 - Service: On Screen Display (TPHKSVC) - Unknown owner - C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: tvtnetwk - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9294 bytes

#14 dan12

dan12

    Advanced Member

  • Experts
  • 119 posts

Posted 19 March 2009 - 05:04 PM

Hi, before you continue with the steps below, please move ComboFix.exe onto the desktop, as the scripts will only work from there.

* IMPORTANT !!! Save ComboFix.exe to your Desktop


1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\System32\gaopdxcounter
c:\windows\System32\gaopdxvtpkqdpdrivoqcjgperqkwcefvybnxfv.dll
Folder::
c:\program files\Vuze
c:\users\Ariff\AppData\Roaming\Azureus
DirLook::
C:\A
Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00




Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Update Malwarebytes and do me a quick scan.




Note for Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

Please go to Eset website to perform an online scan. Please use Internet Explorer as it uses ActiveX.

  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX, click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Uncheck (untick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, you will find a log in C:\Program Files\esetonlinescanner\log.txt. Please post this log in your next reply.

Post:
  • ComboFix report
  • Malwarebytes report
  • Eset report
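
As an added example (not ComboFix's code or anything posted in this thread), the Python below decodes the `hex(7)` REG_MULTI_SZ value that the Registry:: section of the CFScript above writes and checks the LSA Notification Packages list against the stock workstation default, so the fix can be confirmed after the script has run. It assumes the script's bytes are one character each (they spell "scecli") while regedit-exported .reg files carry the same type as UTF-16LE; the package name "placeholder_pkg" is a constructed stand-in, not a real file.

```python
"""Decode and check the REG_MULTI_SZ 'Notification Packages' value that the
CFScript above resets (added example; not ComboFix's or the forum's code).

LSA loads every DLL named in Notification Packages into lsass.exe at boot and
hands it password changes, so a stock workstation should list only 'scecli'.
Assumptions: the script's 'hex(7):73,63,...' bytes are one character each
(reads as 'scecli'); files written by regedit use UTF-16LE for the same type.
"""
import re
from typing import Dict, List

# Stock workstation default on XP/Vista: only the security configuration client.
EXPECTED_LSA_NOTIFICATION_PACKAGES = {"scecli"}

# Constructed sample: the Registry:: section of the CFScript posted above.
SAMPLE_CFSCRIPT_REG = r'''[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
'''


def _hex7_bytes(value: str) -> bytes:
    """Pull the raw bytes out of a 'hex(7):aa,bb,...' string (tolerates the
    backslash line continuations regedit writes)."""
    m = re.match(r"\s*hex\(7\):(.*)$", value, re.S)
    if not m:
        raise ValueError("not a hex(7) REG_MULTI_SZ value")
    tokens = re.split(r"[,\s\\]+", m.group(1).strip())
    return bytes(int(t, 16) for t in tokens if t)


def decode_hex7(value: str) -> List[str]:
    """Turn a hex(7) value into the strings of the REG_MULTI_SZ.
    The data is NUL-separated strings plus one extra NUL ending the list."""
    raw = _hex7_bytes(value)
    # regedit layout: every high byte of a UTF-16LE ASCII string is 0x00
    if len(raw) >= 4 and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        text = raw.decode("utf-16-le")
    else:  # one byte per character, as in the script above (assumption)
        text = raw.decode("latin-1")
    return [s for s in text.split("\x00") if s]


def encode_hex7(strings: List[str], utf16: bool = True) -> str:
    """Inverse of decode_hex7; utf16=False reproduces the script's compact form."""
    text = "\x00".join(strings) + "\x00\x00"
    raw = text.encode("utf-16-le" if utf16 else "latin-1")
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)


def parse_reg_text(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .reg / CFScript Registry:: parser: {key: {value_name: raw_data}}."""
    result: Dict[str, Dict[str, str]] = {}
    current = None
    pending = ""
    for line in text.splitlines():
        line = pending + line.strip()
        if line.endswith("\\"):  # value data continued on the next line
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, data = line[1:].partition('"=')
            result[current][name] = data
    return result


def check_notification_packages(reg_text: str) -> List[str]:
    """Return the packages listed under ...\\Control\\Lsa that are not in the
    expected set; an empty list means the value is back to the stock default
    (or absent from the text)."""
    reg = parse_reg_text(reg_text)
    lsa = next((v for k, v in reg.items()
                if k.lower().endswith("\\control\\lsa")), {})
    value = lsa.get("Notification Packages")
    if value is None:
        return []
    return [p for p in decode_hex7(value)
            if p.lower() not in EXPECTED_LSA_NOTIFICATION_PACKAGES]


if __name__ == "__main__":
    print(decode_hex7("hex(7):73,63,65,63,6c,69,00,00"))   # ['scecli']
    print(check_notification_packages(SAMPLE_CFSCRIPT_REG))  # []
    # Constructed sample of an extra package, in regedit's own UTF-16LE layout.
    extra = ("[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa]\n"
             '"Notification Packages"='
             + encode_hex7(["scecli", "placeholder_pkg"]) + "\n")
    print(check_notification_packages(extra))  # ['placeholder_pkg']
```

To verify the live value after the fix, export the key with `reg export HKLM\SYSTEM\CurrentControlSet\Control\Lsa lsa.reg` and pass the file's text (it is written in UTF-16) to check_notification_packages.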

#15 jason8

jason8

    New Member

  • Members
  • 11 posts

Posted 19 March 2009 - 07:03 PM

I am now able to log into malwarebytes.org from the infected computer and update software using the update feature. Here are the reports:

ComboFix 09-03-18.01 - Ariff 2009-03-19 18:47:03.2 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.2006.1149 [GMT -4:00]
Running from: c:\users\Ariff\Desktop\ComboFix.exe
Command switches used :: c:\users\Ariff\Desktop\CFScript.txt
AV: BitDefender Antivirus *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\System32\gaopdxcounter
c:\windows\System32\gaopdxvtpkqdpdrivoqcjgperqkwcefvybnxfv.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Vuze
c:\program files\Vuze\plugins\azemp\azemp_2.0.30.jar
c:\program files\Vuze\plugins\azemp\azemp_2.0.30.zip
c:\program files\Vuze\plugins\azemp\azemp_2.0.32.jar
c:\program files\Vuze\plugins\azemp\azemp_2.0.32.zip
c:\program files\Vuze\plugins\azemp\azmplay.exe.bak
c:\program files\Vuze\plugins\azemp\cp1250-a.raw.bak
c:\program files\Vuze\plugins\azemp\cp1250-b.raw.bak
c:\program files\Vuze\plugins\azemp\font.desc.bak
c:\program files\Vuze\plugins\azemp\osd-mplayer-a.raw.bak
c:\program files\Vuze\plugins\azemp\osd-mplayer-b.raw.bak
c:\program files\Vuze\plugins\azemp\plugin.properties.bak
c:\program files\Vuze\plugins\azemp\plugin.properties_2.0.30
c:\program files\Vuze\plugins\azemp\plugin.properties_2.0.32
c:\users\Ariff\AppData\Roaming\Azureus
c:\users\Ariff\AppData\Roaming\Azureus\.certs
c:\users\Ariff\AppData\Roaming\Azureus\.keystore
c:\users\Ariff\AppData\Roaming\Azureus\.lock
c:\users\Ariff\AppData\Roaming\Azureus\azureus.config
c:\users\Ariff\AppData\Roaming\Azureus\azureus.config.bak
c:\users\Ariff\AppData\Roaming\Azureus\azureus.statistics
c:\users\Ariff\AppData\Roaming\Azureus\azureus.statistics.bak
c:\users\Ariff\AppData\Roaming\Azureus\banips.config
c:\users\Ariff\AppData\Roaming\Azureus\banips.config.bak
c:\users\Ariff\AppData\Roaming\Azureus\dht\addresses.dat
c:\users\Ariff\AppData\Roaming\Azureus\dht\contacts.dat
c:\users\Ariff\AppData\Roaming\Azureus\dht\diverse.dat
c:\users\Ariff\AppData\Roaming\Azureus\dht\general.dat
c:\users\Ariff\AppData\Roaming\Azureus\dht\net3\addresses.dat
c:\users\Ariff\AppData\Roaming\Azureus\dht\net3\contacts.dat
c:\users\Ariff\AppData\Roaming\Azureus\dht\net3\diverse.dat
c:\users\Ariff\AppData\Roaming\Azureus\dht\net3\version.dat
c:\users\Ariff\AppData\Roaming\Azureus\dht\version.dat
c:\users\Ariff\AppData\Roaming\Azureus\downloads.config
c:\users\Ariff\AppData\Roaming\Azureus\downloads.config.bak
c:\users\Ariff\AppData\Roaming\Azureus\filters.config
c:\users\Ariff\AppData\Roaming\Azureus\friends.config
c:\users\Ariff\AppData\Roaming\Azureus\friends.config.bak
c:\users\Ariff\AppData\Roaming\Azureus\ipfilter.cache
c:\users\Ariff\AppData\Roaming\Azureus\logs\alerts_1.log
c:\users\Ariff\AppData\Roaming\Azureus\logs\AutoSpeedSearchHistory_1.log
c:\users\Ariff\AppData\Roaming\Azureus\logs\clientid_1.log
c:\users\Ariff\AppData\Roaming\Azureus\logs\debug_1.log
c:\users\Ariff\AppData\Roaming\Azureus\logs\debug_2.log
c:\users\Ariff\AppData\Roaming\Azureus\logs\Friends_1.log
c:\users\Ariff\AppData\Roaming\Azureus\logs\Friends_2.log
c:\users\Ariff\AppData\Roaming\Azureus\logs\MetaSearch_1.log
c:\users\Ariff\AppData\Roaming\Azureus\logs\NetStatus_1.log
c:\users\Ariff\AppData\Roaming\Azureus\logs\seltrace_1.log
c:\users\Ariff\AppData\Roaming\Azureus\logs\Subscriptions_1.log
c:\users\Ariff\AppData\Roaming\Azureus\logs\Subscriptions_2.log
c:\users\Ariff\AppData\Roaming\Azureus\logs\thread_1.log
c:\users\Ariff\AppData\Roaming\Azureus\logs\thread_2.log
c:\users\Ariff\AppData\Roaming\Azureus\logs\v3.ads_1.log
c:\users\Ariff\AppData\Roaming\Azureus\logs\v3.CMsgr_1.log
c:\users\Ariff\AppData\Roaming\Azureus\logs\v3.Friends_1.log
c:\users\Ariff\AppData\Roaming\Azureus\logs\v3.Friends_2.log
c:\users\Ariff\AppData\Roaming\Azureus\logs\v3.PMsgr_1.log
c:\users\Ariff\AppData\Roaming\Azureus\logs\v3.PMsgr_2.log
c:\users\Ariff\AppData\Roaming\Azureus\logs\v3.Stream_1.log
c:\users\Ariff\AppData\Roaming\Azureus\metasearch.config
c:\users\Ariff\AppData\Roaming\Azureus\metasearch.config.bak
c:\users\Ariff\AppData\Roaming\Azureus\net\pm_12271.dat
c:\users\Ariff\AppData\Roaming\Azureus\net\pm_default.dat
c:\users\Ariff\AppData\Roaming\Azureus\restart.bat
c:\users\Ariff\AppData\Roaming\Azureus\sidebarauto.config
c:\users\Ariff\AppData\Roaming\Azureus\sidebarauto.config.bak
c:\users\Ariff\AppData\Roaming\Azureus\subscriptions.config
c:\users\Ariff\AppData\Roaming\Azureus\subscriptions.config.bak
c:\users\Ariff\AppData\Roaming\Azureus\tables.config
c:\users\Ariff\AppData\Roaming\Azureus\tables.config.bak
c:\users\Ariff\AppData\Roaming\Azureus\timingstats.dat
c:\users\Ariff\AppData\Roaming\Azureus\tmp\AZU3632094690505561219.tmp
c:\users\Ariff\AppData\Roaming\Azureus\tmp\AZU4881323536414465062.tmp
c:\users\Ariff\AppData\Roaming\Azureus\tmp\AZU5799766307833997531.tmp
c:\users\Ariff\AppData\Roaming\Azureus\tmp\AZU7308508674508632893.tmp
c:\users\Ariff\AppData\Roaming\Azureus\tmp\AZU7711508844528430423.tmp
c:\users\Ariff\AppData\Roaming\Azureus\tmp\AZU7808120684248526963.tmp
c:\users\Ariff\AppData\Roaming\Azureus\tmp\AZU8803688610425132332.tmp
c:\users\Ariff\AppData\Roaming\Azureus\tmp\AZU8872472703279328282.tmp
c:\users\Ariff\AppData\Roaming\Azureus\torrents\24.Redemption.2008.EXTENDED.DVDRip.XviD-SAiNTS.4535701.TPB.torrent
c:\users\Ariff\AppData\Roaming\Azureus\torrents\AZU14015.tmp
c:\users\Ariff\AppData\Roaming\Azureus\torrents\AZU15296.tmp
c:\users\Ariff\AppData\Roaming\Azureus\torrents\AZU1576115404602869277.tmp
c:\users\Ariff\AppData\Roaming\Azureus\torrents\AZU19729.tmp
c:\users\Ariff\AppData\Roaming\Azureus\torrents\AZU37780.tmp
c:\users\Ariff\AppData\Roaming\Azureus\torrents\AZU4161079164177730405.tmp
c:\users\Ariff\AppData\Roaming\Azureus\torrents\AZU51977.tmp
c:\users\Ariff\AppData\Roaming\Azureus\torrents\AZU51986.tmp
c:\users\Ariff\AppData\Roaming\Azureus\torrents\AZU53570.tmp
c:\users\Ariff\AppData\Roaming\Azureus\torrents\AZU56417.tmp
c:\users\Ariff\AppData\Roaming\Azureus\torrents\Battlestar.Galactica.S04E01.HDTV.XviD-LOL.[MFD].avi.4117453.TPB.torrent
c:\users\Ariff\AppData\Roaming\Azureus\torrents\Battlestar.Galactica.S04E02.HDTV.XviD-LOL.4130117.TPB.torrent
c:\users\Ariff\AppData\Roaming\Azureus\torrents\Battlestar.Galactica.S04E03.The.Ties.That.Bind.HDTV.XviD-FQM.4143072.TPB.torrent
c:\users\Ariff\AppData\Roaming\Azureus\torrents\Battlestar.Galactica.S04E04.Escape.Velocity.HDTV.XviD-FQM.4157299.TPB.torrent
c:\users\Ariff\AppData\Roaming\Azureus\torrents\Battlestar.Galactica.S04E05.The.Road.Less.Travelled.HDTV.XviD-FQ.4170067.TPB.torrent
c:\users\Ariff\AppData\Roaming\Azureus\torrents\Battlestar.Galactica.S04E06.PROPER.HDTV.XviD-BiA.[eztv].4187091.TPB.torrent
c:\users\Ariff\AppData\Roaming\Azureus\torrents\Battlestar.Galactica.S04E08.HDTV.XviD-BiA__.4208572.TPB.torrent
c:\users\Ariff\AppData\Roaming\Azureus\torrents\Battlestar.Galactica.S04E09.HDTV.XviD-LMAO.[eztv].4226190.TPB.torrent
c:\users\Ariff\AppData\Roaming\Azureus\torrents\Battlestar_Galactica_S04E07_Guess_Whats_Coming_to_Dinner_HDTV_Xv.4191837.TPB.torrent
c:\users\Ariff\AppData\Roaming\Azureus\torrents\Battlestar_Galactica_S04E10_Revelations_HDTV_XviD.4238645.TPB.torrent
c:\users\Ariff\AppData\Roaming\Azureus\torrents\Burn_After_Reading_R5_XViD-PUKKA.4467799.TPB.torrent
c:\users\Ariff\AppData\Roaming\Azureus\torrents\Doctor.Who.2008.S04E08.PROPER.WS.PDTV.XviD-BiA.[eztv].4215116.TPB.torrent
c:\users\Ariff\AppData\Roaming\Azureus\torrents\Doctor_Who_2008_-_Season_4___Christmas_Special.4279445.TPB.torrent
c:\users\Ariff\AppData\Roaming\Azureus\torrents\Doctor_Who_2008_S04E09_Forest_Of_The_Dead_[BBC_One]_[Xvid]_[Fran.4227197.TPB.torrent
c:\users\Ariff\AppData\Roaming\Azureus\torrents\Doctor_Who_2008_S04E10_Midnight_[BBC_One]_[Xvid]_[Frank_UK].avi.4240078.TPB.torrent
c:\users\Ariff\AppData\Roaming\Azureus\torrents\Doctor_Who_2008_S04E11_Turn_Left_[BBC_One]_[Xvid]_[Frank_UK].avi.4252774.TPB.torrent
c:\users\Ariff\AppData\Roaming\Azureus\torrents\Doctor_Who_2008_S04E12_The_Stolen_Earth_[BBC_One]_[Xvid]_[Frank_.4266246.TPB.torrent
c:\users\Ariff\AppData\Roaming\Azureus\torrents\Doctor_Who_2008_S04E13_Journey__s_End_[BBC_One]_[Xvid]_[Frank_UK.4278581.TPB.torrent
c:\users\Ariff\AppData\Roaming\Azureus\torrents\Eleventh.Hour.1x04.Savant.HDTV.XviD-FoV.avi.4477957.TPB.torrent
c:\users\Ariff\AppData\Roaming\Azureus\torrents\Eleventh.Hour.S01E01.HDTV.XviD-NoTV.avi.4437099.TPB.torrent
c:\users\Ariff\AppData\Roaming\Azureus\torrents\Eleventh.Hour.S01E02.HDTV.XviD-NoTV.avi.4450163.TPB.torrent
c:\users\Ariff\AppData\Roaming\Azureus\torrents\Eleventh.Hour.S01E03.HDTV.XviD-NoTV.avi.4463889.TPB.torrent
c:\users\Ariff\AppData\Roaming\Azureus\torrents\Eleventh.Hour.S01E05.HDTV.XviD-NoTV.avi.4492355.TPB.torrent
c:\users\Ariff\AppData\Roaming\Azureus\torrents\Eleventh.Hour.US.S01E06.HDTV.XviD-XOR.avi.4507404.TPB.torrent
c:\users\Ariff\AppData\Roaming\Azureus\torrents\Eleventh.Hour.US.S01E07.HDTV.XviD-XOR.avi.4523128.TPB.torrent
c:\users\Ariff\AppData\Roaming\Azureus\torrents\eleventh_hour_s01e04_ws_pdtv_xvid.4422405.TPB.torrent
c:\users\Ariff\AppData\Roaming\Azureus\torrents\Entourage.S05E09.HDTV.XviD-0TV.avi.4484060.TPB.torrent
c:\users\Ariff\AppData\Roaming\Azureus\torrents\Entourage.S05E10.HDTV.XviD-0TV.avi.4498403.TPB.torrent
c:\users\Ariff\AppData\Roaming\Azureus\torrents\Entourage.S05E11.HDTV.XviD-0TV.avi.4513959.TPB.torrent
c:\users\Ariff\AppData\Roaming\Azureus\torrents\Entourage.S05E12.HDTV.XviD-0TV.avi.4529586.TPB.torrent
c:\users\Ariff\AppData\Roaming\Azureus\torrents\Heroes.S03E02.HDTV.XviD-XOR.avi.4409762.TPB.torrent
c:\users\Ariff\AppData\Roaming\Azureus\torrents\Leverage.S01E04.The.Miracle.Job.HDTV.XviD-FQM.avi.4598360.TPB[1].torrent
c:\users\Ariff\AppData\Roaming\Azureus\torrents\Role.Models[2008][Unrated.Edition]DvDrip-aXXo.4735181.TPB.torrent
c:\users\Ariff\AppData\Roaming\Azureus\torrents\Sex.Drive[2008][Unrated.Edition]DvDrip-aXXo.4706663.TPB.torrent
c:\users\Ariff\AppData\Roaming\Azureus\torrents\Slumdog_Millionaire_(2008)_Soundtrack_-_A.R._Rahman.4550082.TPB.torrent
c:\users\Ariff\AppData\Roaming\Azureus\torrents\The_Eleventh_Hour.3596803.TPB.torrent
c:\users\Ariff\AppData\Roaming\Azureus\torrents\The_Incredible_Hulk[2008]DvDrip-aXXo.4398065.TPB.torrent
c:\users\Ariff\AppData\Roaming\Azureus\torrents\Tropic.Thunder[2008]DvDrip-aXXo.4479112.TPB.torrent
c:\users\Ariff\AppData\Roaming\Azureus\torrents\True.Blood.S01E09.HDTV.XviD-0TV.avi.4484034.TPB.torrent
c:\users\Ariff\AppData\Roaming\Azureus\torrents\True.Blood.S01E10.HDTV.XviD-0TV.avi.4498389.TPB.torrent
c:\users\Ariff\AppData\Roaming\Azureus\torrents\True.Blood.S01E11.HDTV.XviD-0TV.avi.4514161.TPB.torrent
c:\users\Ariff\AppData\Roaming\Azureus\torrents\True.Blood.S01E12.Season.Finale.HDTV.XviD-0TV.avi.4529576.TPB.torrent
c:\users\Ariff\AppData\Roaming\Azureus\torrents\Twilight.2008.DvDrip-NoRar__.4752496.TPB.torrent
c:\users\Ariff\AppData\Roaming\Azureus\tracker.config
c:\users\Ariff\AppData\Roaming\Azureus\tracker.config.bak
c:\users\Ariff\AppData\Roaming\Azureus\unsentdata.config
c:\users\Ariff\AppData\Roaming\Azureus\unsentdata.config.bak
c:\users\Ariff\AppData\Roaming\Azureus\update.log
c:\users\Ariff\AppData\Roaming\Azureus\update.properties
c:\users\Ariff\AppData\Roaming\Azureus\v3.Friends.dat
c:\users\Ariff\AppData\Roaming\Azureus\v3.Friends.dat.bak
c:\users\Ariff\AppData\Roaming\Azureus\VuzeActivities.config
c:\users\Ariff\AppData\Roaming\Azureus\VuzeActivities.config.bak
c:\windows\system32\gaopdxcounter

.
((((((((((((((((((((((((( Files Created from 2009-02-19 to 2009-03-19 )))))))))))))))))))))))))))))))
.

2009-03-18 21:45 . 2009-03-18 21:45 0 --a------ c:\windows\System32\settings.dat
2009-03-18 10:20 . 2009-03-18 10:20 <DIR> d-------- c:\program files\Trend Micro
2009-03-18 01:47 . 2009-03-18 01:47 <DIR> d-------- c:\users\Ariff\AppData\Roaming\Malwarebytes
2009-03-18 01:37 . 2009-03-18 01:37 <DIR> d-------- c:\users\All Users\Malwarebytes
2009-03-18 01:37 . 2009-03-18 01:37 <DIR> d-------- c:\programdata\Malwarebytes
2009-03-18 01:37 . 2009-03-18 08:36 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-18 01:37 . 2009-02-11 10:19 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2009-03-18 01:37 . 2009-02-11 10:19 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2009-03-18 01:26 . 2009-03-18 11:26 <DIR> d-------- c:\program files\Enigma Software Group
2009-03-18 00:52 . 2009-03-18 00:52 26,624 --a------ c:\windows\System32\drivers\fsbts.sys
2009-03-17 22:19 . 2009-03-18 00:15 81,984 --a------ c:\windows\System32\bdod.bin
2009-03-17 22:09 . 2009-03-17 22:09 850 --a------ c:\windows\System32\ProductTweaks.xml
2009-03-17 22:09 . 2009-03-17 22:09 385 --a------ c:\windows\System32\user_gensett.xml
2009-03-17 22:05 . 2009-03-17 22:05 <DIR> d-------- c:\users\Ariff\AppData\Roaming\BitDefender
2009-03-17 22:04 . 2009-03-17 22:07 <DIR> d-------- c:\users\All Users\BitDefender
2009-03-17 22:04 . 2009-03-17 22:07 <DIR> d-------- c:\programdata\BitDefender
2009-03-17 22:04 . 2009-03-17 22:04 <DIR> d-------- c:\program files\BitDefender
2009-03-17 22:02 . 2009-03-18 00:17 <DIR> d-------- c:\program files\Common Files\BitDefender
2009-03-16 16:10 . 2009-03-16 16:10 <DIR> d-------- c:\program files\Alwil Software
2009-03-16 16:10 . 2009-02-05 16:06 51,792 --a------ c:\windows\System32\drivers\aswMonFlt.sys
2009-03-15 23:25 . 2009-03-16 15:02 <DIR> d-------- c:\users\All Users\Lavasoft
2009-03-15 23:25 . 2009-03-16 15:02 <DIR> d-------- c:\programdata\Lavasoft
2009-03-15 11:01 . 2009-03-15 11:01 <DIR> d--h----- C:\$AVG8.VAULT$
2009-03-15 10:01 . 2009-03-16 15:14 <DIR> d-------- c:\users\All Users\avg8
2009-03-15 10:01 . 2009-03-16 15:14 <DIR> d-------- c:\programdata\avg8
2009-03-15 08:46 . 2009-03-15 08:48 <DIR> d-------- c:\users\Ariff\AppData\Roaming\vlc
2009-03-10 20:24 . 2008-12-15 23:29 8,147,456 --a------ c:\windows\System32\wmploc.DLL
2009-03-10 20:24 . 2009-02-08 23:10 2,033,152 --a------ c:\windows\System32\win32k.sys
2009-03-10 20:24 . 2008-11-27 00:43 268,288 --a------ c:\windows\System32\schannel.dll
2009-03-10 20:24 . 2008-12-16 01:31 7,680 --a------ c:\windows\System32\spwmp.dll
2009-03-10 20:24 . 2008-12-16 01:31 4,096 --a------ c:\windows\System32\msdxm.ocx
2009-03-10 20:24 . 2008-12-16 01:31 4,096 --a------ c:\windows\System32\dxmasf.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-18 01:20 1,732 ----a-w C:\tvtpktfilter.dat
2009-03-16 15:06 --------- d-----w c:\users\Ariff\AppData\Roaming\Lenovo
2009-03-12 12:52 --------- d-----w c:\program files\Windows Mail
2009-02-19 22:37 410,984 ----a-w c:\windows\System32\deploytk.dll
2009-02-18 23:00 --------- d-----w c:\users\Ariff\AppData\Roaming\j2 Global
2009-02-18 22:59 --------- d-----w c:\users\Ariff\AppData\Roaming\eFax Messenger
2009-02-18 22:59 --------- d-----w c:\programdata\eFax Messenger 4.4 Setup
2009-02-18 22:59 --------- d-----w c:\programdata\eFax Messenger 4.4 Output
2009-02-18 22:59 --------- d-----w c:\program files\eFax Messenger 4.4
2009-01-15 06:11 827,392 ----a-w c:\windows\System32\wininet.dll
2008-10-23 22:14 174 --sha-w c:\program files\desktop.ini
2008-10-02 20:55 98,240 ----a-w c:\users\Ariff\AppData\Roaming\GDIPFONTCACHEV1.DAT
2008-07-18 18:57 32 ----a-r c:\users\All Users\hash.dat
2008-07-18 18:57 32 ----a-r c:\programdata\hash.dat
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\A ----

c:\a\


((((((((((((((((((((((((((((( SnapShot@2009-03-19_16.25.48.96 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-19 21:52:54 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-03-19 21:52:54 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-03-19 20:18:13 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2009-03-19 21:55:17 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2009-03-19 20:18:13 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2009-03-19 21:56:00 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2009-03-19 19:50:49 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-03-19 21:54:01 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-03-19 19:50:49 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-03-19 21:54:01 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-03-19 19:50:49 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-03-19 21:54:01 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-03-19 20:10:48 118,872 ----a-w c:\windows\System32\perfc009.dat
+ 2009-03-19 22:45:06 118,872 ----a-w c:\windows\System32\perfc009.dat
- 2009-03-19 20:10:48 642,392 ----a-w c:\windows\System32\perfh009.dat
+ 2009-03-19 22:45:06 642,392 ----a-w c:\windows\System32\perfh009.dat
- 2009-03-19 20:04:34 13,416 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3379704915-2511611895-1017500158-1003_UserData.bin
+ 2009-03-19 21:55:14 13,504 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3379704915-2511611895-1017500158-1003_UserData.bin
- 2009-03-19 20:04:34 64,032 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-03-19 21:55:14 64,128 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2009-03-19 20:04:28 52,754 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-03-19 21:55:11 52,786 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2007-04-09 58416]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 66176]
"PWMTRV"="c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2007-06-17 321072]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BTVLogEx.DLL" [2007-06-17 214576]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-03-28 243248]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2007-01-08 536576]
"AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-11-07 91688]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2007-03-22 120368]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-19 136600]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2007-06-29 419112]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-06-29 124200]
"LenovoOobeOffers"="c:\swtools\LenovoWelcome\LenovoOobeOffers.exe" [2006-12-29 28672]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-11 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-11 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-11 133656]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-01-28 1167360]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"eFax 4.4"="c:\program files\eFax Messenger 4.4\J2GDllCmd.exe" [2008-10-07 95744]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"TrackPointSrv"="tp4serv.exe" [2006-11-20 c:\windows\System32\tp4serv.exe]
"TpShocks"="TpShocks.exe" [2007-03-29 c:\windows\System32\TpShocks.exe]

c:\users\Ariff\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\program files\Palm\Hotsync.exe [2007-06-07 1392640]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{44B5F46D-57F1-4EE4-B2BF-C4AB7C32AB05}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{6FCE7109-8E6B-42FF-B0F8-FD79242A7731}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:uTorrent
"TCP Query User{1C6A5920-AD58-4BE2-820C-2859C64D0249}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{5A9D48FE-706F-45F3-8E3B-F340D3B5F2F3}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:uTorrent
"TCP Query User{21108B40-A96E-4B77-818E-F35B1A050A0A}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{7B48665B-054E-4CB0-B553-DE7802547895}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{57D2E341-FABE-46EC-B9F3-3414C04DD313}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{607E4C0E-3630-4A37-A9FF-ECE68491A945}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{2649E947-0572-4ECB-8113-A27CE0B7C04E}"= UDP:c:\users\Ariff\AppData\Local\Temp\WZSE0.TMP\SymNRT.exe:Norton Removal Tool
"{B4403ACF-A270-4B9B-9DA2-AA2B9E1701EC}"= TCP:c:\users\Ariff\AppData\Local\Temp\WZSE0.TMP\SymNRT.exe:Norton Removal Tool
"TCP Query User{271166E4-E381-4361-9FC4-565A8BCC3A01}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{609A578D-9C0F-442D-A846-C44B6827632A}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"{80CCC2FB-82C1-427D-A5C9-437771CAAD87}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{B5E30F59-3CB6-4917-BCF6-F26D71701306}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"TCP Query User{D4266620-862C-4FB4-BFB0-A62B1E44F7ED}c:\\program files\\vuze\\azureus.exe"= UDP:c:\program files\vuze\azureus.exe:Azureus
"UDP Query User{632B3EB6-F629-497A-893B-F8554740FB30}c:\\program files\\vuze\\azureus.exe"= TCP:c:\program files\vuze\azureus.exe:Azureus
"{A4332871-1A36-4EE6-B60D-254B33F30962}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{A6BC63FF-EA91-43DE-B4E5-79CF1595F0A3}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R0 fsbts;fsbts;c:\windows\System32\drivers\fsbts.sys [2009-03-18 26624]
R0 Shockprf;Shockprf;c:\windows\System32\drivers\ApsX86.sys [2007-03-02 100656]
R0 TPDIGIMN;TPDIGIMN;c:\windows\System32\drivers\ApsHM86.sys [2007-03-02 19760]
R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [2009-03-16 114768]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\System32\drivers\smiif32.sys [2007-02-19 13744]
R1 TPPWRIF;TPPWRIF;c:\windows\System32\drivers\TPPWR32V.SYS [2007-10-09 12080]
R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [2009-03-16 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [2009-03-16 51792]
R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2006-04-14 28933976]
R2 TPHKSVC;On Screen Display;c:\program files\Lenovo\HOTKEY\TPHKSVC.exe [2007-03-30 55936]
R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [2007-01-08 569344]
R3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\System32\drivers\tp4track.sys [2007-01-22 22832]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\System32\drivers\tvti2c.sys [2006-09-13 35264]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [2006-11-02 167936]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
.
Contents of the 'Scheduled Tasks' folder

2009-03-17 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []

2009-03-19 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 15:54]
.
.
------- Supplementary Scan -------
.
uStart Page =
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: {74E4A24D-5224-4F05-8A41-99445E0FC22B} - hxxp://aolsvc.aol.com/onlinegames/free-trial-big-island-blends/gamehouseplayer.cab
DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} - hxxp://aolsvc.aol.com/onlinegames/free-trial-burger-shop/GoBitGamesPlayer_v4.cab
FF - ProfilePath - c:\users\Ariff\AppData\Roaming\Mozilla\Firefox\Profiles\doiozk5o.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - plugin: c:\progra~1\Palm\PACKAG~1\NPInstal.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\users\Ariff\AppData\Roaming\Mozilla\Firefox\Profiles\doiozk5o.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-19 18:50:31
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\TMP0000006CF7EC81760B04637C 524288 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2009-03-19 18:52:28
ComboFix-quarantined-files.txt 2009-03-19 22:52:25
ComboFix2.txt 2009-03-19 20:28:40

Pre-Run: 24,371,298,304 bytes free
Post-Run: 25,819,660,288 bytes free

587 --- E O F --- 2009-03-14 07:11:36



Malwarebytes' Anti-Malware 1.34
Database version: 1873
Windows 6.0.6001 Service Pack 1

3/19/2009 6:58:20 PM
mbam-log-2009-03-19 (18-58-20).txt

Scan type: Quick Scan
Objects scanned: 60486
Time elapsed: 3 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Eset Report

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3949 (20090319)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=bfc6b2735e49954a9672e375a00e908a
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2009-03-19 11:55:49
# local_time=2009-03-19 07:55:49 (-0500, Eastern Daylight Time)
# country="United States"
# osver=6.0.6001 NT Service Pack 1
# scanned=384156
# found=1
# scan_time=2870
C:\Qoobox\Quarantine\C\Windows\System32\gaopdxvtpkqdpdrivoqcjgperqkwcefvybnxfv.dll.vir a variant of Win32/Kryptik.KL trojan 5A585DBE5F3BBD4DA89B05BE1915793D

#16 dan12

dan12

    Advanced Member

  • Experts
  • PipPipPip
  • 119 posts

Posted 19 March 2009 - 07:10 PM

Things are looking a lot better, I will need to look over the returned reports and will get back to you at some point tomorrow as it's late here. :(

#17 dan12

dan12

    Advanced Member

  • Experts
  • PipPipPip
  • 119 posts

Posted 20 March 2009 - 07:11 PM

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Rootkit::
c:\windows\TEMP\TMP0000006CF7EC81760B04637C

Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Post a fresh HJT log and let me know how things are with the pc.

#18 jason8

jason8

    New Member

  • Members
  • Pip
  • 11 posts

Posted 22 March 2009 - 11:13 PM

Hi Dan,

I haven't noticed any signs of the virus recently. Thanks again for your help with the virus removal.

Here are the requested logs:

ComboFix 09-03-18.01 - Ariff 2009-03-20 23:19:42.3 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.2006.1232 [GMT -4:00]
Running from: c:\users\Ariff\Desktop\ComboFix.exe
Command switches used :: c:\users\Ariff\Desktop\CFScript.txt
AV: BitDefender Antivirus *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((( Files Created from 2009-02-21 to 2009-03-21 )))))))))))))))))))))))))))))))
.

2009-03-19 19:00 . 2009-03-19 19:55 <DIR> d-------- c:\program files\EsetOnlineScanner
2009-03-18 21:45 . 2009-03-18 21:45 0 --a------ c:\windows\System32\settings.dat
2009-03-18 10:20 . 2009-03-18 10:20 <DIR> d-------- c:\program files\Trend Micro
2009-03-18 01:47 . 2009-03-18 01:47 <DIR> d-------- c:\users\Ariff\AppData\Roaming\Malwarebytes
2009-03-18 01:37 . 2009-03-18 01:37 <DIR> d-------- c:\users\All Users\Malwarebytes
2009-03-18 01:37 . 2009-03-18 01:37 <DIR> d-------- c:\programdata\Malwarebytes
2009-03-18 01:37 . 2009-03-18 08:36 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-18 01:37 . 2009-02-11 10:19 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2009-03-18 01:37 . 2009-02-11 10:19 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2009-03-18 01:26 . 2009-03-18 11:26 <DIR> d-------- c:\program files\Enigma Software Group
2009-03-18 00:52 . 2009-03-18 00:52 26,624 --a------ c:\windows\System32\drivers\fsbts.sys
2009-03-17 22:19 . 2009-03-18 00:15 81,984 --a------ c:\windows\System32\bdod.bin
2009-03-17 22:09 . 2009-03-17 22:09 850 --a------ c:\windows\System32\ProductTweaks.xml
2009-03-17 22:09 . 2009-03-17 22:09 385 --a------ c:\windows\System32\user_gensett.xml
2009-03-17 22:05 . 2009-03-17 22:05 <DIR> d-------- c:\users\Ariff\AppData\Roaming\BitDefender
2009-03-17 22:04 . 2009-03-17 22:07 <DIR> d-------- c:\users\All Users\BitDefender
2009-03-17 22:04 . 2009-03-17 22:07 <DIR> d-------- c:\programdata\BitDefender
2009-03-17 22:04 . 2009-03-17 22:04 <DIR> d-------- c:\program files\BitDefender
2009-03-17 22:02 . 2009-03-18 00:17 <DIR> d-------- c:\program files\Common Files\BitDefender
2009-03-16 16:10 . 2009-03-16 16:10 <DIR> d-------- c:\program files\Alwil Software
2009-03-16 16:10 . 2009-02-05 16:06 51,792 --a------ c:\windows\System32\drivers\aswMonFlt.sys
2009-03-15 23:25 . 2009-03-16 15:02 <DIR> d-------- c:\users\All Users\Lavasoft
2009-03-15 23:25 . 2009-03-16 15:02 <DIR> d-------- c:\programdata\Lavasoft
2009-03-15 11:01 . 2009-03-15 11:01 <DIR> d--h----- C:\$AVG8.VAULT$
2009-03-15 10:01 . 2009-03-16 15:14 <DIR> d-------- c:\users\All Users\avg8
2009-03-15 10:01 . 2009-03-16 15:14 <DIR> d-------- c:\programdata\avg8
2009-03-15 08:46 . 2009-03-15 08:48 <DIR> d-------- c:\users\Ariff\AppData\Roaming\vlc
2009-03-10 20:24 . 2008-12-15 23:29 8,147,456 --a------ c:\windows\System32\wmploc.DLL
2009-03-10 20:24 . 2009-02-08 23:10 2,033,152 --a------ c:\windows\System32\win32k.sys
2009-03-10 20:24 . 2008-11-27 00:43 268,288 --a------ c:\windows\System32\schannel.dll
2009-03-10 20:24 . 2008-12-16 01:31 7,680 --a------ c:\windows\System32\spwmp.dll
2009-03-10 20:24 . 2008-12-16 01:31 4,096 --a------ c:\windows\System32\msdxm.ocx
2009-03-10 20:24 . 2008-12-16 01:31 4,096 --a------ c:\windows\System32\dxmasf.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-18 01:20 1,732 ----a-w C:\tvtpktfilter.dat
2009-03-16 15:06 --------- d-----w c:\users\Ariff\AppData\Roaming\Lenovo
2009-03-12 12:52 --------- d-----w c:\program files\Windows Mail
2009-02-18 23:00 --------- d-----w c:\users\Ariff\AppData\Roaming\j2 Global
2009-02-18 22:59 --------- d-----w c:\users\Ariff\AppData\Roaming\eFax Messenger
2009-02-18 22:59 --------- d-----w c:\programdata\eFax Messenger 4.4 Setup
2009-02-18 22:59 --------- d-----w c:\programdata\eFax Messenger 4.4 Output
2009-02-18 22:59 --------- d-----w c:\program files\eFax Messenger 4.4
2008-10-23 22:14 174 --sha-w c:\program files\desktop.ini
2008-10-02 20:55 98,240 ----a-w c:\users\Ariff\AppData\Roaming\GDIPFONTCACHEV1.DAT
2008-07-18 18:57 32 ----a-r c:\users\All Users\hash.dat
2008-07-18 18:57 32 ----a-r c:\programdata\hash.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-03-19_16.25.48.96 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-03-19 20:18:13 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2009-03-21 03:28:30 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2009-03-19 20:18:13 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2009-03-21 03:28:29 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2009-03-19 19:50:49 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-03-21 03:28:24 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-03-19 19:50:49 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-03-21 03:28:24 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-03-19 19:50:49 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-03-21 03:28:24 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2007-07-27 18:49:02 196,683 ----a-w c:\windows\System32\lnod32apiA.dll
+ 2007-07-27 18:49:02 225,355 ----a-w c:\windows\System32\lnod32apiW.dll
+ 2005-12-05 23:25:22 139,264 ----a-w c:\windows\System32\lnod32umc.dll
+ 2005-12-05 16:37:10 106,496 ----a-w c:\windows\System32\lnod32upd.dll
+ 2008-02-11 13:39:26 253,952 ----a-w c:\windows\System32\OnlineScannerDLLA.dll
+ 2008-02-11 13:39:18 237,568 ----a-w c:\windows\System32\OnlineScannerDLLW.dll
+ 2008-02-08 17:53:46 110,592 ----a-w c:\windows\System32\OnlineScannerLang.dll
+ 2008-02-05 12:48:04 77,824 ----a-w c:\windows\System32\OnlineScannerUninstaller.exe
- 2009-03-19 20:10:48 118,872 ----a-w c:\windows\System32\perfc009.dat
+ 2009-03-21 03:21:38 118,872 ----a-w c:\windows\System32\perfc009.dat
- 2009-03-19 20:10:48 642,392 ----a-w c:\windows\System32\perfh009.dat
+ 2009-03-21 03:21:38 642,392 ----a-w c:\windows\System32\perfh009.dat
+ 2004-12-07 14:11:34 258,352 ----a-w c:\windows\System32\unicows.dll
- 2009-03-19 20:04:34 13,416 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3379704915-2511611895-1017500158-1003_UserData.bin
+ 2009-03-21 03:15:57 13,512 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3379704915-2511611895-1017500158-1003_UserData.bin
- 2009-03-19 20:04:34 64,032 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-03-21 03:15:57 64,278 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2009-03-19 20:04:28 52,754 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-03-21 03:15:55 52,988 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2009-03-19 12:52:23 221,826 ----a-w c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2009-03-20 12:35:38 222,716 ----a-w c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2007-04-09 58416]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 66176]
"PWMTRV"="c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2007-06-17 321072]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BTVLogEx.DLL" [2007-06-17 214576]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-03-28 243248]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2007-01-08 536576]
"AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-11-07 91688]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2007-03-22 120368]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-19 136600]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2007-06-29 419112]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-06-29 124200]
"LenovoOobeOffers"="c:\swtools\LenovoWelcome\LenovoOobeOffers.exe" [2006-12-29 28672]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-11 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-11 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-11 133656]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-01-28 1167360]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"eFax 4.4"="c:\program files\eFax Messenger 4.4\J2GDllCmd.exe" [2008-10-07 95744]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"TrackPointSrv"="tp4serv.exe" [2006-11-20 c:\windows\System32\tp4serv.exe]
"TpShocks"="TpShocks.exe" [2007-03-29 c:\windows\System32\TpShocks.exe]

c:\users\Ariff\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\program files\Palm\Hotsync.exe [2007-06-07 1392640]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{44B5F46D-57F1-4EE4-B2BF-C4AB7C32AB05}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{6FCE7109-8E6B-42FF-B0F8-FD79242A7731}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:uTorrent
"TCP Query User{1C6A5920-AD58-4BE2-820C-2859C64D0249}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{5A9D48FE-706F-45F3-8E3B-F340D3B5F2F3}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:uTorrent
"TCP Query User{21108B40-A96E-4B77-818E-F35B1A050A0A}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{7B48665B-054E-4CB0-B553-DE7802547895}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{57D2E341-FABE-46EC-B9F3-3414C04DD313}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{607E4C0E-3630-4A37-A9FF-ECE68491A945}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{2649E947-0572-4ECB-8113-A27CE0B7C04E}"= UDP:c:\users\Ariff\AppData\Local\Temp\WZSE0.TMP\SymNRT.exe:Norton Removal Tool
"{B4403ACF-A270-4B9B-9DA2-AA2B9E1701EC}"= TCP:c:\users\Ariff\AppData\Local\Temp\WZSE0.TMP\SymNRT.exe:Norton Removal Tool
"TCP Query User{271166E4-E381-4361-9FC4-565A8BCC3A01}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{609A578D-9C0F-442D-A846-C44B6827632A}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"{80CCC2FB-82C1-427D-A5C9-437771CAAD87}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{B5E30F59-3CB6-4917-BCF6-F26D71701306}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"TCP Query User{D4266620-862C-4FB4-BFB0-A62B1E44F7ED}c:\\program files\\vuze\\azureus.exe"= UDP:c:\program files\vuze\azureus.exe:Azureus
"UDP Query User{632B3EB6-F629-497A-893B-F8554740FB30}c:\\program files\\vuze\\azureus.exe"= TCP:c:\program files\vuze\azureus.exe:Azureus
"{A4332871-1A36-4EE6-B60D-254B33F30962}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{A6BC63FF-EA91-43DE-B4E5-79CF1595F0A3}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R0 fsbts;fsbts;c:\windows\System32\drivers\fsbts.sys [2009-03-18 26624]
R0 Shockprf;Shockprf;c:\windows\System32\drivers\ApsX86.sys [2007-03-02 100656]
R0 TPDIGIMN;TPDIGIMN;c:\windows\System32\drivers\ApsHM86.sys [2007-03-02 19760]
R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [2009-03-16 114768]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\System32\drivers\smiif32.sys [2007-02-19 13744]
R1 TPPWRIF;TPPWRIF;c:\windows\System32\drivers\TPPWR32V.SYS [2007-10-09 12080]
R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [2009-03-16 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [2009-03-16 51792]
R3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\System32\drivers\tp4track.sys [2007-01-22 22832]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\System32\drivers\tvti2c.sys [2006-09-13 35264]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [2006-11-02 167936]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
.
Contents of the 'Scheduled Tasks' folder

2009-03-17 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []

2009-03-21 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 15:54]
.
.
------- Supplementary Scan -------
.
uStart Page =
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: {74E4A24D-5224-4F05-8A41-99445E0FC22B} - hxxp://aolsvc.aol.com/onlinegames/free-trial-big-island-blends/gamehouseplayer.cab
DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} - hxxp://aolsvc.aol.com/onlinegames/free-trial-burger-shop/GoBitGamesPlayer_v4.cab
FF - ProfilePath - c:\users\Ariff\AppData\Roaming\Mozilla\Firefox\Profiles\doiozk5o.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - plugin: c:\progra~1\Palm\PACKAG~1\NPInstal.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\users\Ariff\AppData\Roaming\Mozilla\Firefox\Profiles\doiozk5o.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-20 23:28:35
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\ibmpmsvc.exe
c:\windows\System32\audiodg.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\System32\IPSSVC.EXE
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Lenovo\System Update\SUService.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\System32\TPHDEXLG.exe
c:\program files\Lenovo\HOTKEY\TPHKSVC.exe
c:\program files\Lenovo\Client Security Solution\tvttcsd.exe
c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe
c:\program files\Lenovo\Rescue and Recovery\rrservice.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\Lenovo\Rescue and Recovery\ADM\IUService.exe
c:\windows\System32\drivers\XAudio.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\Common Files\Lenovo\Logger\logmon.exe
c:\windows\System32\rundll32.exe
c:\program files\ThinkPad\Utilities\EZEJMNAP.EXE
c:\program files\ThinkVantage\PrdCtr\LPMGR.EXE
c:\program files\Alwil Software\Avast4\ashDisp.exe
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\ZOOM\TpScrex.exe
c:\windows\System32\igfxsrvc.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\System32\wbem\WMIADAP.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2009-03-20 23:35:46 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-21 03:35:22
ComboFix2.txt 2009-03-19 22:52:29
ComboFix3.txt 2009-03-19 20:28:40

Pre-Run: 24,179,548,160 bytes free
Post-Run: 24,579,633,152 bytes free

251 --- E O F --- 2009-03-20 00:56:53


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:10:19 AM, on 3/23/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Lenovo\NPDIRECT\tpfnf7sp.exe
C:\Windows\System32\tp4serv.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Windows\System32\TpShocks.exe
C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\Program Files\ThinkVantage\PrdCtr\LPMGR.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\eFax Messenger 4.4\J2GDllCmd.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SE...S01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [PWMTRV] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BTVLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [LenovoOobeOffers] c:\SWTOOLS\LenovoWelcome\LenovoOobeOffers.exe /filePath="c:\swshare\firstrun.txt"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [eFax 4.4] "C:\Program Files\eFax Messenger 4.4\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Startup: HotSync Manager.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O13 - Gopher Prefix:
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/b...lineScanner.cab
O16 - DPF: {74E4A24D-5224-4F05-8A41-99445E0FC22B} (GameHouse Games Player) - http://aolsvc.aol.co...houseplayer.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/...mjolauncher.cab
O16 - DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} (GoBit Games Player) - http://aolsvc.aol.co...esPlayer_v4.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA} - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\Windows\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\Windows\system32\IPSSVC.EXE
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\Windows\System32\TPHDEXLG.exe
O23 - Service: On Screen Display (TPHKSVC) - Unknown owner - C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: tvtnetwk - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9415 bytes

#19 dan12

dan12

    Advanced Member

  • Experts
  • PipPipPip
  • 119 posts

Posted 23 March 2009 - 01:28 PM

Good program to keep when done.
Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.



Run HijackThis, select Do a system scan only and place checks against the following entries (if they are still present)


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

WITH ALL OTHER WINDOWS CLOSED Click on Fix Checked and exit


The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

You can delete scanners we used, plus the logs they created.
Root Repeal
GooredFix
dds
GMER

Let me know when carried out.
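The entries dan12 asks to check come from the HijackThis log format posted earlier in this thread. As an added example, not part of the thread or of HijackThis itself, the following Python parses such Rxx/Oxx log lines and flags the kinds of entries a helper looks at first (an empty IE Start Page like the R0 line above, BHOs whose DLL is missing, ActiveX download entries, and services with an unknown owner); every sample line, CLSID and path in it is constructed for the example.

```python
"""Triage of HijackThis v2 log entries (added example, not HijackThis code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# HijackThis entry lines look like "O2 - BHO: name - {CLSID} - path"
# or "R0 - HKCU\...\Main,Start Page = <value>".
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<detail>.*)$")

# Constructed sample log in the HijackThis v2 layout; none of these
# paths, CLSIDs or hosts are real findings.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

Running processes:
C:\Windows\Explorer.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll (file missing)
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O16 - DPF: {00000000-0000-0000-0000-000000000002} (Example Control) - http://example.invalid/control.cab
O23 - Service: Example Service - Unknown owner - C:\Program Files\Example\svc.exe
O23 - Service: Example Vendor Service - Example Vendor - C:\Program Files\Example\vsvc.exe

--
End of file - 1234 bytes
"""


@dataclass
class Entry:
    code: str    # section code, e.g. "R0", "O2", "O23"
    detail: str  # everything after the "Rn - " / "On - " prefix


def parse_hjt(text: str) -> list[Entry]:
    """Return the Rxx/Oxx entries of a HijackThis log, skipping the header,
    the running-process list and the footer."""
    entries: list[Entry] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("code"), m.group("detail")))
    return entries


def triage(entries: list[Entry]) -> list[tuple[str, str]]:
    """Return (reason, original line) pairs for entries worth a closer look.
    These are review hints, not verdicts: legitimate software (the Lenovo
    services in this thread, for instance) also shows 'Unknown owner'."""
    findings: list[tuple[str, str]] = []
    for e in entries:
        line = f"{e.code} - {e.detail}"
        if e.code in ("R0", "R1") and "Page" in e.detail and e.detail.rstrip().endswith("="):
            # Blank Start/Search Page value: the R0 entry dan12 asks to fix.
            findings.append(("empty IE start/search page", line))
        elif e.code == "O2" and "(file missing)" in e.detail:
            # BHO registered for a DLL that no longer exists: leftover from
            # an uninstall or from an infection that was already cleaned.
            findings.append(("BHO with missing file", line))
        elif e.code == "O16":
            # Downloaded Program Files (ActiveX) entry: check the source host.
            findings.append(("ActiveX download entry", line))
        elif e.code == "O23" and "Unknown owner" in e.detail:
            # Service whose binary carries no vendor attribution: verify the path.
            findings.append(("service with unknown owner", line))
    return findings


def triage_log(text: str) -> list[tuple[str, str]]:
    """Parse and triage a whole HijackThis log in one call."""
    return triage(parse_hjt(text))


if __name__ == "__main__":
    for reason, line in triage_log(SAMPLE_LOG):
        print(f"[{reason}] {line}")
```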

#20 jason8

jason8

    New Member

  • Members
  • Pip
  • 11 posts

Posted 23 March 2009 - 03:11 PM

I ran ATF Cleaner, HijackThis (and fixed R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =), ComboFix /u, and then deleted rootrepeal, gooredfix, dds and gmer.

Thanks again for your help with the virus.



