
need help removing backdoor.bot



I have Malwarebytes Pro and it finds and removes infected files every week. It is apparent to me that some Backdoor.Bot malware remains on my computer and keeps reinfecting it. Here are the copy-pastes and attached files to help you help me fix this problem. Let me know if you require any more information. Thanks! John

================================================================================

Here is the content of the Malwarebytes Anti-Malware log file:

================================================================================

on March 22 2010:

01:00:21 Karwoski MESSAGE IP Protection stopped

01:00:25 Karwoski MESSAGE Database updated successfully

01:00:26 Karwoski MESSAGE IP Protection started successfully

14:13:45 Karwoski DETECTION C:\WINDOWS\system32\winIogon.exe Backdoor.Bot QUARANTINE

14:13:45 Karwoski DETECTION C:\WINDOWS\system32\winIogon.exe Backdoor.Bot DENY

14:13:45 Karwoski DETECTION C:\WINDOWS\system32\winIogon.exe Backdoor.Bot DENY

14:16:55 Karwoski MESSAGE IP Protection stopped

14:17:03 Karwoski MESSAGE Database updated successfully

14:17:05 Karwoski MESSAGE IP Protection started successfully

15:21:43 Karwoski MESSAGE Protection started successfully

15:21:49 Karwoski MESSAGE IP Protection started successfully

16:15:12 Karwoski DETECTION C:\WINDOWS\system32\iexplore.exe Backdoor.Bot QUARANTINE

16:15:12 Karwoski DETECTION C:\WINDOWS\system32\iexplore.exe Backdoor.Bot DENY

16:15:12 Karwoski DETECTION C:\WINDOWS\system32\iexplore.exe Backdoor.Bot DENY

16:15:12 Karwoski DETECTION C:\WINDOWS\system32\iexplore.exe Backdoor.Bot DENY

16:15:12 Karwoski DETECTION C:\WINDOWS\system32\iexplore.exe Backdoor.Bot DENY

on March 24 2010:

10:18:09 Karwoski DETECTION C:\WINDOWS\services.exe Trojan.Agent QUARANTINE

10:18:09 Karwoski DETECTION C:\WINDOWS\services.exe Trojan.Agent DENY

10:18:09 Karwoski DETECTION C:\WINDOWS\services.exe Trojan.Agent DENY

11:13:53 Karwoski MESSAGE Protection started successfully

11:14:01 Karwoski MESSAGE IP Protection started successfully

11:16:49 Karwoski DETECTION C:\WINDOWS\services.exe Trojan.Agent QUARANTINE

11:16:49 Karwoski DETECTION C:\WINDOWS\services.exe Trojan.Agent DENY

11:16:50 Karwoski DETECTION C:\WINDOWS\services.exe Trojan.Agent DENY

11:20:42 Karwoski MESSAGE IP Protection stopped

11:20:51 Karwoski MESSAGE Database updated successfully

11:20:56 Karwoski MESSAGE IP Protection started successfully

17:18:28 Karwoski MESSAGE Protection started successfully

17:18:34 Karwoski MESSAGE IP Protection started successfully

17:27:58 (null) MESSAGE Protection started successfully

17:28:43 Karwoski MESSAGE IP Protection started successfully

17:35:38 (null) MESSAGE Protection started successfully

17:36:30 Karwoski MESSAGE IP Protection started successfully

19:40:45 (null) MESSAGE Protection started successfully

19:41:38 Karwoski MESSAGE IP Protection started successfully

22:03:34 (null) MESSAGE Protection started successfully

22:04:22 Karwoski MESSAGE IP Protection started successfully

22:36:18 Karwoski MESSAGE Protection started successfully

22:36:24 Karwoski MESSAGE IP Protection started successfully

================================================================================

Here is the content of DDS.txt:

================================================================================

DDS (Ver_10-03-17.01) - NTFSx86

Run by Karwoski at 18:17:57.68 on Wed 03/24/2010

Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_17

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.1843 [GMT -5:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FW: Symantec Client Firewall *enabled* {5CB76A43-5FAD-476B-B9FF-26FA61F13187}

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Intel\WiFi\bin\S24EvMon.exe

svchost.exe

svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\IBM\Personal Communications\PCS_AGNT.EXE

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe

C:\WINDOWS\system32\Drivers\trcboot.exe

C:\WINDOWS\system32\IPSSVC.EXE

C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

C:\Program Files\Adeona\cygrunsrv.exe

C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe

C:\Program Files\Adeona\adeona-client.exe

C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

svchost.exe

C:\Program Files\IBM\SQLLIB\BIN\db2jds.exe

C:\Program Files\IBM\SQLLIB\BIN\db2sec.exe

C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Intel\WiFi\bin\EvtEng.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe

C:\Program Files\c4ebreg\c4ebreg.exe

c:\sdwork\issimsvc.exe

C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\notes\ntmulti.exe

C:\Program Files\AT&T Network Client\NetCfgSv.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Common Files\Livescribe\PenComm\PenCommService.exe

C:\Program Files\IBM\Personal Communications\tpam.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe

C:\PROGRA~1\SYMANT~2\SYMANT~2\VPTray.exe

c:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe

C:\WINDOWS\system32\slserv.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe

C:\WINDOWS\system32\TpShocks.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\PROGRA~1\Lenovo\NPDIRECT\TPFNF7SP.exe

C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\c4ebreg\isamtray.exe

C:\Program Files\Synology Data Replicator 3\SynoDrService.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe

C:\Program Files\Lenovo\Zoom\TpScrex.exe

C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe

C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe

C:\WINDOWS\System32\TPHDEXLG.exe

C:\PROGRA~1\THINKV~1\PrdCtr\LPMLCHK.exe

C:\WINDOWS\system32\TpKmpSVC.exe

C:\Program Files\Lenovo\Productivity Keyboard\SKDaemon.exe

C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

C:\WINDOWS\system32\ICO.EXE

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\WINDOWS\system32\FSRremoS.EXE

C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE

C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe

c:\program files\lenovo\system update\suservice.exe

C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE

C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe

C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

C:\Program Files\Logitech\QuickCam\Quickcam.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\LENOVO\Message Center Plus\MCPLaunch.exe

C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe

C:\Program Files\Lenovo\HOTKEY\TPFNF6R.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\Drivers\ldlcserv.exe

C:\Program Files\IBM\My Help\plugins\com.ibm.myhelp.common_1.4.19\pmonmh.exe

C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe

C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Folder View\folderview.exe

C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.2.183.23\GoogleCrashHandler.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe

C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe

C:\Program Files\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.5.0.20090605-2002\soffice.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\TechSmith\Snagit 10\Snagit32.exe

C:\Program Files\hott notes 4\hottnotes.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

C:\Program Files\TechSmith\Snagit 10\TSCHelp.exe

C:\Program Files\TechSmith\Snagit 10\SnagPriv.exe

C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe

C:\Program Files\TechSmith\Snagit 10\snagiteditor.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Program Files\IBM\My Help\MyHelp.exe

C:\Program Files\IBM\My Help\jre\bin\myhelpw.exe

C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe

C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://w3.ibm.com/

uLocal Page = c:\windows\pchealth\helpctr\system\panels\blank.htm

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

mDefault_Page_URL = hxxp://w3.ibm.com

mDefault_Search_URL = hxxp://www.google.com/ie

mLocal Page = c:\windows\pchealth\helpctr\system\panels\blank.htm

uInternet Connection Wizard,ShellNext = hxxp://w3.ibm.com/

uInternet Settings,ProxyOverride = w3-501.ibm.com;*.local;<local>

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll

BHO: : {9470e8e6-e19f-4675-9832-5de295f77e89} - c:\progra~1\folder~1\fvhelper.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: &Folder View: {daf2c8c2-1cd1-48f8-a5c6-3b438127a8fd} - c:\progra~1\folder~1\fvband.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File

uRun: [NetSP - restore settings on power failure] "c:\program files\at&t network client\NetSP.exe" -show

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [Folder View] "c:\program files\folder view\folderview.exe"

uRun: [Google Update] "c:\documents and settings\administrator\local settings\application data\google\update\GoogleUpdate.exe" /c

uRun: [LDTray] c:\program files\livescribe\livescribe desktop\LDTray.exe

uRun: [skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized

uRun: [sODCPreLoad] c:\program files\ibm\lotus\symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.5.0.20090605-2002\preload.exe c:\docume~1\admini~1\ibm\lotus\symphony\.sodc\

mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC

mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName

mRun: [stgclean] c:\sdwork\w32main2.exe /cleanup

mRun: [Tpam.exe] "c:\program files\ibm\personal communications\tpam.exe"

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [vptray] c:\progra~1\symant~2\symant~2\VPTray.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect

mRun: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe

mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe

mRun: [TpShocks] TpShocks.exe

mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor

mRun: [bLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog

mRun: [synTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [TPFNF7] c:\progra~1\lenovo\npdirect\TPFNF7SP.exe /r

mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe

mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper

mRun: [dla] c:\windows\system32\dla\tfswctrl.exe

mRun: [C4EBReg] "c:\program files\c4ebreg\c4ebreg.exe" /q

mRun: [iSAMTray] "c:\program files\c4ebreg\isamtray.exe"

mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe

mRun: [LPManager] c:\progra~1\thinkv~1\prdctr\LPMGR.exe

mRun: [LPMailChecker] c:\progra~1\thinkv~1\prdctr\LPMLCHK.exe

mRun: [AwaySch] c:\program files\lenovo\awaytask\AwaySch.EXE

mRun: [ussshreg] c:\progra~1\uleadw~1.0\Ussshreg.exe /r

mRun: [sKDaemon.exe] c:\program files\lenovo\productivity keyboard\SKDaemon.exe

mRun: [Mouse Suite 98 Daemon] ICO.EXE

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [soundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray

mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon

mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon

mRun: [sSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot

mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4\OpwareSE4.exe"

mRun: [iJNetworkScanUtility] c:\program files\canon\canon ij network scan utility\CNMNSUT.EXE

mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe

mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"

mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [iSSI Service] "c:\sdwork\issimsvc.exe"

mRun: [Message Center Plus] c:\program files\lenovo\message center plus\MCPLaunch.exe /start

mRun: [LENOVO.TPFNF6R] c:\program files\lenovo\hotkey\TPFNF6R.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [MyHelpService] c:\program files\ibm\my help\workspace\service\delayStart.exe

mRun: [pmonmh] c:\program files\ibm\my help\plugins\\com.ibm.myhelp.common_1.4.19/pmonmh.exe

mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"

mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe

mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\hottno~1.lnk - c:\program files\hott notes 4\hottnotes.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\thinkpad\bluetooth software\BTTray.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\snagit~1.lnk - c:\program files\techsmith\snagit 10\Snagit32.exe

uPolicies-explorer: NoDevMgrUpdate = 1 (0x1)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\2007\office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

IE: Send to &Bluetooth Device... - c:\program files\thinkpad\bluetooth software\btsendto_ie_ctx.htm

IE: Send To Bluetooth - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm

IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.8.1/GarminAxControl.CAB

DPF: Microsoft XML Parser for Java

DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB

DPF: {2DAD3559-2923-4935-AD49-B673D2539944} - hxxp://www-307.ibm.com/pc/support/acpir.cab

DPF: {5C0E257E-9DFE-4955-AA93-0A9B166BAB50} - hxxp://192.168.1.199:5000/surveillance/object/SSObject.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1265470140871

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1265470127840

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {8C28EFD7-767B-11D1-844B-0060972DC2AC} - hxxps://w3-03.ibm.com/Hyperion/zeroadmin/component/Brio.Insight.en.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {9519B2A2-6592-4E41-8290-D0298459270C} - hxxp://w3.ibm.com/bluepages/scripts/lnwebassist.cab

DPF: {A4B28810-11A2-4956-82D1-B2DCBA4B2AFD} - hxxp://w3.ibm.com/tools/print/plugin/gpwsx.cab

DPF: {BA7A56EB-D1B9-443B-96E9-086532A378F1} - hxxp://karmor.endoftheinternet.org:9876/activex/decoder/aac_dec.cab

DPF: {C32FE9F1-A857-48B0-B7BF-065B5792F28D} - hxxp://karmor.endoftheinternet.org:9875/activex/decoder/intel_mpeg4_dec.cab

DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://karmor.endoftheinternet.org:9876/activex/AMC.cab

DPF: {E734BF43-7194-4E3A-832F-307606DDF665} - hxxps://cs.conferenceservers.com/components/WDPLUGIN.CAB

DPF: {E765747B-A0E4-4BD4-93E4-EA0E3500D57C} - hxxps://w3-03.ibm.com/software/executiveutilities/pdm/plugin/PDMPlugin.cab

TCP: interfaces = 9.0.8.1,9.0.9.1

TCP: {DA5F9F7B-E4FB-4210-BD0F-655065DDD669} = 9.0.8.1,9.0.9.1

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: ACNotify - ACNotify.dll

Notify: atmgrtok - atmgrtok.dll

Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

Notify: NavLogon - c:\windows\system32\NavLogon.dll

Notify: pcsinst - pcsinst.dll

Notify: tpfnf2 - c:\program files\lenovo\hotkey\notifyf2.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

LSA: Notification Packages = scecli ACGina

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\k0a2h1sk.default\

FF - plugin: c:\documents and settings\administrator\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll

FF - plugin: c:\program files\ibm\java50\jre\bin\NPJava11.dll

FF - plugin: c:\program files\ibm\java50\jre\bin\NPJava12.dll

FF - plugin: c:\program files\ibm\java50\jre\bin\NPJava13.dll

FF - plugin: c:\program files\ibm\java50\jre\bin\NPJava14.dll

FF - plugin: c:\program files\ibm\java50\jre\bin\NPJava32.dll

FF - plugin: c:\program files\ibm\java50\jre\bin\NPJPI150.dll

FF - plugin: c:\program files\ibm\java50\jre\bin\NPOJI610.dll

FF - plugin: c:\program files\ibm\java50\jre\bin\npwebscl.dll

FF - plugin: c:\program files\mozilla firefox\extensions\ibm-cck@firefox-extensions.ibm.com\platform\winnt_x86-msvc\plugins\npaddtonab.dll

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 tdrpman258;Acronis Try&Decide and Restore Points filter (build 258);c:\windows\system32\drivers\tdrpm258.sys [2010-1-7 911680]

R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2007-10-16 19504]

R1 SAVRT;SAVRT;c:\program files\symantec client security\symantec antivirus\savrt.sys [2006-9-6 337592]

R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec client security\symantec antivirus\Savrtpel.sys [2006-9-6 54968]

R2 AdeonaClientService;AdeonaClientService;c:\program files\adeona\cygrunsrv.exe [2008-7-13 68096]

R2 afcdpsrv;Acronis Nonstop Backup service;c:\program files\common files\acronis\cdp\afcdpsrv.exe [2010-1-7 2480048]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-7-19 192160]

R2 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\ccProxy.exe [2006-7-19 202400]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-7-19 169632]

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-9-26 189736]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-2-24 236368]

R2 PenCommService;Livescribe Pulse Smartpen Service;c:\program files\common files\livescribe\pencomm\PenCommService.exe [2009-12-16 265728]

R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\thinkpad\utilities\PWMDBSVC.exe [2008-8-19 53248]

R2 SavRoam;SAVRoam;c:\program files\symantec client security\symantec antivirus\SavRoam.exe [2006-9-27 116464]

R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec client security\symantec antivirus\Rtvscan.exe [2006-9-27 1813232]

R2 SynoDrService;SynoDrService;c:\program files\synology data replicator 3\SynoDrService.exe [2010-3-14 245760]

R2 TPHKSVC;On Screen Display;c:\program files\lenovo\hotkey\TPHKSVC.exe [2008-4-24 62320]

R3 afcdp;afcdp;c:\windows\system32\drivers\afcdp.sys [2010-1-7 160288]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-27 102448]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-2-24 19160]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100324.002\naveng.sys [2010-3-24 84912]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100324.002\navex15.sys [2010-3-24 1324720]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-8 135664]

S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\lenovo\hotkey\micmute.exe [2009-5-21 45424]

S3 IsamFilter;IsamFilter;c:\windows\system32\drivers\isamfilter.sys [2009-10-7 6400]

S3 PulseUsb;Livescribe Pulse Smartpen USB Driver;c:\windows\system32\drivers\PulseUsb.sys [2009-10-16 20096]

S3 Slnt7554;USB Soft Modem Driver;c:\windows\system32\drivers\slnt7554.sys [2009-8-3 129535]

S3 SmartpenBus;Smartpen Enumerator;c:\windows\system32\drivers\smartpenbus.sys --> c:\windows\system32\drivers\SmartpenBus.sys [?]

S3 SmartpenCom;Smartpen Communications;c:\windows\system32\drivers\smartpencom.sys --> c:\windows\system32\drivers\SmartpenCom.sys [?]

S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]

S3 ZSMC0303;VIMICRO USB PC Camera (VC0303);c:\windows\system32\drivers\usbVM303.sys [2006-9-27 391949]

=============== Created Last 30 ================

2010-03-24 23:15:16 0 ----a-w- c:\documents and settings\administrator\defogger_reenable

2010-03-24 16:16:43 86016 ----a-w- c:\windows\system32\xvjq.exe

2010-03-24 16:16:43 48128 ----a-w- c:\windows\system32\hvqxmtap.exe

2010-03-24 15:17:44 86016 ----a-w- c:\windows\system32\vviafoo.exe

2010-03-24 15:17:44 48128 ----a-w- c:\windows\system32\nlmlfg.exe

2010-03-24 00:42:30 376 ----a-w- c:\documents and settings\administrator\Application Dataprivacy.xml

2010-03-23 22:29:31 0 d-----w- c:\program files\BitDefender

2010-03-23 22:29:31 0 d-----w- c:\docume~1\alluse~1\applic~1\BitDefender

2010-03-23 22:17:31 0 d-----w- c:\program files\common files\BitDefender

2010-03-22 00:54:23 0 d-----w- c:\windows\system32\Plugins3

2010-03-16 01:55:43 0 d-----w- c:\program files\Trend Micro

2010-03-14 23:00:12 0 d-----w- c:\program files\Synology Data Replicator 3

2010-03-05 10:39:55 353792 -c----w- c:\windows\system32\dllcache\srv.sys

2010-03-05 10:39:27 17920 -c----w- c:\windows\system32\dllcache\msyuv.dll

2010-03-05 10:39:26 1291776 -c----w- c:\windows\system32\dllcache\quartz.dll

2010-03-05 10:38:55 84992 -c----w- c:\windows\system32\dllcache\avifil32.dll

2010-03-05 10:38:55 48128 -c----w- c:\windows\system32\dllcache\iyuv_32.dll

2010-03-05 10:38:55 11264 -c----w- c:\windows\system32\dllcache\msrle32.dll

2010-03-05 10:38:03 474112 -c----w- c:\windows\system32\dllcache\shlwapi.dll

2010-03-05 10:37:19 455424 -c----w- c:\windows\system32\dllcache\mrxsmb.sys

2010-02-27 19:07:52 16736 ----a-w- c:\windows\system32\mucltui.dll.mui

2010-02-27 19:07:51 274288 ----a-w- c:\windows\system32\mucltui.dll

2010-02-25 16:19:26 0 d-----w- c:\docume~1\admini~1\applic~1\WDPlugin

2010-02-24 18:50:05 0 d-----r- c:\program files\Skype

2010-02-24 07:46:07 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes

2010-02-24 07:46:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-02-24 07:46:01 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-02-24 07:46:01 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-02-24 07:46:01 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

==================== Find3M ====================

2010-03-23 22:39:03 28124 ----a-w- c:\windows\system32\nvModes.dat

2010-02-25 18:11:13 64792 ----a-w- c:\windows\isamunin.exe

2010-02-15 16:53:43 6400 ----a-w- c:\windows\system32\drivers\isamfilter.sys

2010-02-08 16:17:45 65592 ---ha-w- c:\windows\system32\mlfcache.dat

2010-01-09 01:08:28 2469728 ----a-w- c:\windows\system32\AutoPartNt.exe

2009-12-26 18:20:04 249856 ------w- c:\windows\Setup1.exe

2009-12-26 18:20:02 73216 ----a-w- c:\windows\ST6UNST.EXE

1998-07-03 20:27:14 7488 ----a-w- c:\windows\inf\unregpn.exe

============= FINISH: 18:18:30.68 ===============

Attach.zip

ark.zip

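The detection lines in the Malwarebytes log above all point at files that imitate Windows system binaries rather than at the binaries themselves: winIogon.exe spells winlogon with a capital I in place of the lowercase l, while iexplore.exe and services.exe carry genuine names in directories where the real files do not live (on Windows XP the real winlogon.exe and services.exe sit in %SystemRoot%\system32 and the real iexplore.exe in Program Files\Internet Explorer). The DDS "Created Last 30" section shows the matching re-infection pattern: two pairs of randomly named executables of identical sizes (86016 and 48128 bytes) written to system32 in the same second, about an hour apart. The following Python is an added example, not code from the poster or from Malwarebytes, that runs both checks over lines copied from the logs above. The look-alike table is a small constructed one and the expected-directory table covers only the three names seen in this log; both would be extended for real triage.

```python
"""Two triage checks over the logs pasted in the post above (added example,
not the poster's or Malwarebytes' code): flag DETECTION paths that
masquerade as Windows system binaries, and find clusters of executables
created in the same second in the DDS 'Created Last 30' listing."""
import re
from collections import defaultdict

# Where the genuine Windows XP binaries of these names live (drive letter
# stripped, lowercase). Anything else carrying the name is suspect.
EXPECTED_DIRS = {
    "winlogon.exe": r"\windows\system32",
    "services.exe": r"\windows\system32",
    "iexplore.exe": r"\program files\internet explorer",
}

# Small constructed look-alike table: suspicious char -> legitimate char.
# Names are compared after lowercasing, so a capital I arrives as 'i'.
HOMOGLYPHS = {"i": "l", "1": "l", "0": "o"}

# 14:13:45 Karwoski DETECTION C:\WINDOWS\system32\winIogon.exe Backdoor.Bot QUARANTINE
MBAM_RE = re.compile(
    r"^(\d\d:\d\d:\d\d)\s+\S+\s+DETECTION\s+(\S+)\s+(\S+)\s+(QUARANTINE|DENY)$")

# 2010-03-24 16:16:43 86016 ----a-w- c:\windows\system32\xvjq.exe
DDS_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\d+)\s+\S+\s+(\S.*)$")


def _looks_like(name, expected):
    """True if name equals expected or differs only at look-alike positions."""
    if len(name) != len(expected):
        return False
    return all(a == b or HOMOGLYPHS.get(a) == b for a, b in zip(name, expected))


def classify_path(path):
    """Return a reason string if path masquerades as a system binary, else None."""
    p = path.lower().replace("/", "\\")
    directory, _, name = p.rpartition("\\")
    if len(directory) > 1 and directory[1] == ":":
        directory = directory[2:]          # drop the drive letter
    for expected, legit_dir in EXPECTED_DIRS.items():
        if not _looks_like(name, expected):
            continue
        if name != expected:
            return f"look-alike of {expected}"
        if directory != legit_dir:
            return f"{expected} outside {legit_dir}"
        return None                        # genuine name in its genuine place
    return None


def flag_detections(log_lines):
    """Return (time, path, threat, reason) for each distinct suspicious path.
    The QUARANTINE line and the DENY repeats for one file collapse to one hit."""
    seen, hits = set(), []
    for line in log_lines:
        m = MBAM_RE.match(line.strip())
        if not m:
            continue                       # MESSAGE lines and date headers
        time, path, threat, _action = m.groups()
        reason = classify_path(path)
        if reason and path.lower() not in seen:
            seen.add(path.lower())
            hits.append((time, path, threat, reason))
    return hits


def find_same_second_drops(dds_lines, min_files=2):
    """Map creation timestamp -> sorted [(size, path)] for every second in
    which at least min_files executables appeared."""
    by_time = defaultdict(list)
    for line in dds_lines:
        m = DDS_RE.match(line.strip())
        if m and m.group(3).lower().endswith(".exe"):
            by_time[m.group(1)].append((int(m.group(2)), m.group(3)))
    return {ts: sorted(f) for ts, f in by_time.items() if len(f) >= min_files}


# Sample input: lines copied from the two logs in the post above.
MBAM_SAMPLE = r"""
14:13:45 Karwoski DETECTION C:\WINDOWS\system32\winIogon.exe Backdoor.Bot QUARANTINE
14:13:45 Karwoski DETECTION C:\WINDOWS\system32\winIogon.exe Backdoor.Bot DENY
14:17:03 Karwoski MESSAGE Database updated successfully
16:15:12 Karwoski DETECTION C:\WINDOWS\system32\iexplore.exe Backdoor.Bot QUARANTINE
10:18:09 Karwoski DETECTION C:\WINDOWS\services.exe Trojan.Agent QUARANTINE
""".strip().splitlines()

DDS_SAMPLE = r"""
2010-03-24 16:16:43 86016 ----a-w- c:\windows\system32\xvjq.exe
2010-03-24 16:16:43 48128 ----a-w- c:\windows\system32\hvqxmtap.exe
2010-03-24 15:17:44 86016 ----a-w- c:\windows\system32\vviafoo.exe
2010-03-24 15:17:44 48128 ----a-w- c:\windows\system32\nlmlfg.exe
2010-03-23 22:29:31 0 d-----w- c:\program files\BitDefender
2010-02-24 07:46:01 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
""".strip().splitlines()

if __name__ == "__main__":
    for time, path, threat, reason in flag_detections(MBAM_SAMPLE):
        print(f"{time} {threat:<13} {path}: {reason}")
    for ts, files in sorted(find_same_second_drops(DDS_SAMPLE).items()):
        print(f"{len(files)} executables created at {ts}:")
        for size, path in files:
            print(f"    {size:>6} {path}")
```

Run as written, the first loop reports all three detection paths as masquerades and the second reports both same-second pairs from 24 March. The point of the path check is that a scanner log only tells you a file was named Backdoor.Bot; comparing the path against where the real binary lives tells you which files are fakes that can be removed outright, and the same-second clustering tells you the dropper is still active and re-creating them, which is why quarantining the copies each week has not ended the infection.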

Hey karmor,

Welcome to Malwarebytes! I'm Ltangelic and I'll be helping you fix your computer problem.

Before we proceed, here are some things that you can take note of so that the cleaning up process will be more smooth and efficient. Do not worry, the points below are not any form of rules, it's just a few pointers that can ensure that you will get the best help from me. ;)

  • To ensure that you are informed of the latest replies to your thread, you may like to right click on Options at the top right hand corner of this page and select "Subscribe to this forum". That way, you will be notified via email when a reply is posted to your thread.
  • If you have any doubts or uncertainty about any part of my instructions, feel free to post on here and ask me about them.
  • Please do NOT attempt to run any tools or do any fixing on your own unless I tell you to, this will avoid any confusion that can occur during the cleaning process. Furthermore, fixing malware problems without sufficient knowledge can be dangerous at times and you can mess up your own computer without knowing.
  • Please do not PM me for malware removal assistance; any request for malware removal assistance should be posted in this thread only. The only time you can and should PM me is when I have not been replying to you for several days (usually around 4 days) and you need an explanation. If that's the case, just send me a message on here. :rolleyes:
  • Please do not start multiple topics (especially when you are already being assisted by an authorised staff). All staff are volunteers on here, starting multiple topics will waste the limited resource of manpower we have here at Malwarebytes, and this can further hinder our ability to assist other users. Please be considerate and stick to one thread.

I'm looking at your log now and will be back with a fix soon. Thanks for your patience and understanding. :)


Hey karmor,

It seems that you are running Registry First Aid, which in effect is a registry scanner/cleaner. Please be aware that the Registry is a very important segment of a computer system and that editing the registry can be a dangerous process. Any mistakes in editing can corrupt the entire registry, rendering your system unbootable or unrepairable. Unless you have advanced knowledge about the inner workings of the Registry, you should never run any registry scanners/cleaners without the guidance of an expert. Doing so may not always deliver the results you want to see; in addition, fixing/cleaning a wrong section of the registry can ultimately corrupt your entire computer system. Thus, I highly recommend that you remove Registry First Aid from your computer and refrain from downloading registry scanners/cleaners in the future.

Let's run some scanners first. :)

Please follow my instructions in the order they were given, and print out a copy of it as you may not have access to the forums during the fix.

Before we go on to run the tools, it would be advisable to temporarily disable your protection software(s) (Symantec Security) as it/they may hinder the tools from running. Instructions are in the link below:

http://www.bleepingcomputer.com/forums/topic114351.html

1) Run ComboFix

Download ComboFix from one of these locations:

Link 1

Link 2

Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

2) Run AVP by Kaspersky

Please click here to download AVP Tool by Kaspersky.

  • Save it to your desktop.
  • Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.


  • Double click the setup file to run it.
  • Click Next to continue.
  • It will by default install it to your desktop folder. Click Next.
  • It will then open a box. There will be a tab that says AutoScan.
  • Under AutoScan make sure these are checked:
    • System Memory
    • Hidden Startup Objects
    • Disk Boot Sectors
    • My Computer
    • Also any other drives (removable) that you may have

After that click on Security level then choose Settings then click on the tab that says Additional then choose Deep Scan under Rootkit Scan then choose ok.

Then choose OK again then you are back to the main screen.

  • Then click on Start Scan at the top right hand corner.
  • It will automatically Neutralize any objects found.
  • If some objects are left un-neutralized then click the button that says Neutralize all.
  • If it says it cannot be Neutralized then choose the delete option when prompted.
  • After that is done click on the Report button at the bottom, save it to file and name it Kas.
  • Save it somewhere convenient like your desktop, and post only the detected virus/malware from the report (it will be at the very top, under Detected) in your next reply.

    Note: This tool will self uninstall when you close it, so please save the log before closing it.

3) Run OTS

To ensure that I get all the information, this log will need to be attached (instructions at the end); if it is too large to attach then upload to Mediafire and post the sharing link.

Download OTS to your Desktop

  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • Reg - Shell Spawning
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)
  • Under custom scans copy and paste the following:

      netsvcs
      %SYSTEMDRIVE%\*.exe
      %SYSTEMDRIVE%\*.*
      %ProgramFiles%\Movie Maker\*.dll
      %ALLUSERSAPPDATA%\*.dll
      %SYSTEMROOT%\*.tmp
      %PROGRAMFILES%\Internet Explorer\*.dll
      %DriveLetter%\RECYCLER\*S-%d-%d-%d-%d%d%d-%d%d%d-%d%d%d-%d*.
      %systemroot%\system32\*.dll /lockedfiles
      /md5start
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      /md5stop
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.dll /lockedfiles
      %systemroot%\Tasks\*.job /lockedfiles
      c:\$recycle.bin\*.* /s
      CREATERESTOREPOINT

  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post.

To attach a file, do the following:

  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on attach_add.png to insert the attachment into your post

Next reply (please include in your post):

OTS.txt (attached)

AVP scan log

ComboFix.txt

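The /md5start ... /md5stop block in the OTS custom scan above asks the tool to print the MD5 of a fixed list of system drivers and libraries; a helper reading the report compares those values against known-good hashes, because a file-infecting rootkit of that period patched drivers such as atapi.sys in place rather than dropping a new file. The script below is an added example in Python, not OTS's own code and not part of the original post. It assumes a baseline dictionary of known-good MD5 values that you supply from a clean machine or installation media; the demo builds one from constructed files in a temporary directory, so every hash it produces is a placeholder, not a real driver hash.

```python
import hashlib
import os
import tempfile

# A subset of the names in the OTS /md5start ... /md5stop list above.
BASELINE_NAMES = ["atapi.sys", "iaStor.sys", "nvstor.sys", "AGP440.sys",
                  "eventlog.dll", "scecli.dll", "netlogon.dll"]


def md5_of_file(path, chunk_size=1 << 16):
    """MD5 of a file, read in chunks so a large driver is not loaded at once."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(directory, names=BASELINE_NAMES):
    """Record name -> MD5 for the listed files present in `directory`.
    Keys are lower-cased because Windows file names are case-insensitive."""
    baseline = {}
    for name in names:
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            baseline[name.lower()] = md5_of_file(path)
    return baseline


def check_against_baseline(directory, baseline, names=BASELINE_NAMES):
    """Compare each listed file with the baseline.
    Returns name -> 'ok' | 'MODIFIED' | 'MISSING' | 'NO_BASELINE'."""
    results = {}
    for name in names:
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
            continue
        expected = baseline.get(name.lower())
        if expected is None:
            results[name] = "NO_BASELINE"
        elif md5_of_file(path) == expected:
            results[name] = "ok"
        else:
            results[name] = "MODIFIED"
    return results


def demo():
    """Constructed scenario: snapshot clean files in a temp dir, then tamper with
    one and remove another, the way a patched or deleted driver would show up."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in BASELINE_NAMES:
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(b"constructed clean content for " + name.encode())
        baseline = build_baseline(tmp)
        # Simulate an in-place patch of atapi.sys: a couple of bytes appended.
        with open(os.path.join(tmp, "atapi.sys"), "ab") as fh:
            fh.write(b"\x90\x90")
        os.remove(os.path.join(tmp, "AGP440.sys"))
        return check_against_baseline(tmp, baseline)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:14s} {status}")
```

A baseline taken from the suspect machine only proves that the files have not changed since it was taken; the comparison is only as good as the source of the expected hashes. MD5 is used here because it is what OTS prints; when recording a baseline of your own, store a SHA-256 (hashlib.sha256) alongside it, since MD5 collisions are cheap to produce.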
Ltangelic, thank you for your assistance. Here are the results of running the three programs:

=====================

OTS.txt file is attached.

=====================

=====================

Here is the AVP scan log data:

=====================

Autoscan: completed 10 minutes ago (events: 28, objects: 1167257, time: 11:46:38)

4/4/2010 8:07:39 PM Task started

4/4/2010 8:55:40 PM Detected Adware not-a-virus:AdWare.Win32.CommonName.af Medium Exact File C:\Documents and Settings\Administrator\My Documents\DVD\ DVD region killer v2.7.0.2.exe

4/4/2010 9:03:35 PM Deleted Adware not-a-virus:AdWare.Win32.CommonName.af Medium Exact File C:\Documents and Settings\Administrator\My Documents\DVD\ DVD region killer v2.7.0.2.exe

4/4/2010 9:22:49 PM Detected Trojans Backdoor.Win32.EggDrop.ale High Exact File C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\10880000\5B9B0BD0.VBN/ CryptZ

4/4/2010 9:22:49 PM Detected Trojans Backdoor.Win32.EggDrop.amu High Exact File C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\14F00000\5FF666E2.VBN/ CryptZ

4/4/2010 9:22:59 PM Detected Trojans Backdoor.Win32.Agent.arba High Exact File C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16540000\5FFDAEAE.VBN/ CryptZ

4/4/2010 10:30:34 PM Deleted Trojans Backdoor.Win32.Agent.arba High Exact File C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16540000\ 5FFDAEAE.VBN

4/4/2010 10:30:34 PM Detected Trojans Backdoor.Win32.Agent.arba High Exact File C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16540001\5FFDAEEA.VBN/ CryptZ

4/4/2010 10:30:34 PM Deleted Trojans Backdoor.Win32.EggDrop.ale High Exact File C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\10880000\ 5B9B0BD0.VBN

4/4/2010 10:30:35 PM Deleted Trojans Backdoor.Win32.EggDrop.amu High Exact File C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\14F00000\ 5FF666E2.VBN

4/4/2010 10:30:43 PM Deleted Trojans Backdoor.Win32.Agent.arba High Exact File C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16540001\ 5FFDAEEA.VBN

4/4/2010 10:30:45 PM Detected Trojans Trojan.Win32.Agent.dlee High Exact File C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\17540001\5FDCA999.VBN/ CryptZ

4/4/2010 10:30:50 PM Detected Trojans Trojan.Win32.Agent.dlee High Exact File C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\17540002\5FDCA9B7.VBN/ CryptZ

4/4/2010 10:30:50 PM Detected Trojans Trojan.Win32.Agent.dlee High Exact File C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\17540003\5FDCA9DD.VBN/ CryptZ

4/4/2010 10:31:21 PM Deleted Trojans Trojan.Win32.Agent.dlee High Exact File C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\17540001\ 5FDCA999.VBN

4/4/2010 10:31:24 PM Deleted Trojans Trojan.Win32.Agent.dlee High Exact File C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\17540002\ 5FDCA9B7.VBN

4/4/2010 10:31:26 PM Deleted Trojans Trojan.Win32.Agent.dlee High Exact File C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\17540003\ 5FDCA9DD.VBN

4/4/2010 10:31:29 PM Detected Trojans Backdoor.Win32.EggDrop.amd High Exact File C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\17EC0000\5FEF0E31.VBN/ CryptZ

4/4/2010 10:34:57 PM Deleted Trojans Backdoor.Win32.EggDrop.amd High Exact File C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\17EC0000\ 5FEF0E31.VBN

4/5/2010 1:53:05 AM Detected Trojans Backdoor.Win32.VB.lmp High Exact File C:\WINDOWS\system32\ vviafoo.exe

4/5/2010 1:53:29 AM Detected Trojans Backdoor.Win32.VB.lmp High Exact File C:\WINDOWS\system32\ xvjq.exe

4/5/2010 1:56:46 AM Deleted Trojans Backdoor.Win32.VB.lmp High Exact File C:\WINDOWS\system32\ vviafoo.exe

4/5/2010 1:56:47 AM Deleted Trojans Backdoor.Win32.VB.lmp High Exact File C:\WINDOWS\system32\ xvjq.exe

4/5/2010 6:46:04 AM Detected Trojans Backdoor.Win32.VB.lmp High Exact File C:\System Volume Information\_restore{01E266C2-86F5-40B2-9145-B4252FFF29C3}\RP1\ A0000109.exe

4/5/2010 6:46:04 AM Detected Trojans Backdoor.Win32.VB.lmp High Exact File C:\System Volume Information\_restore{01E266C2-86F5-40B2-9145-B4252FFF29C3}\RP1\ A0000110.exe

4/5/2010 7:36:43 AM Deleted Trojans Backdoor.Win32.VB.lmp High Exact File C:\System Volume Information\_restore{01E266C2-86F5-40B2-9145-B4252FFF29C3}\RP1\ A0000109.exe

4/5/2010 7:36:46 AM Deleted Trojans Backdoor.Win32.VB.lmp High Exact File C:\System Volume Information\_restore{01E266C2-86F5-40B2-9145-B4252FFF29C3}\RP1\ A0000110.exe

4/5/2010 7:54:18 AM Task completed

=====================

Here is the ComboFix.txt data

=====================

ComboFix 10-04-03.02 - Karwoski 04/04/2010 19:28:54.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.1723 [GMT 2:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FW: Symantec Client Firewall *enabled* {5CB76A43-5FAD-476B-B9FF-26FA61F13187}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Start Menu\Internet Explorer.lnk

c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk

c:\windows\AppPatch\AcAdProc.dll

.

((((((((((((((((((((((((( Files Created from 2010-03-04 to 2010-04-04 )))))))))))))))))))))))))))))))

.

2010-04-01 10:44 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

2010-03-31 15:22 . 2010-03-31 15:22 -------- d-----w- c:\program files\Common Files\Skype

2010-03-31 02:14 . 2010-03-31 02:14 -------- d-----w- c:\program files\Common Files\Java

2010-03-24 16:16 . 2010-03-24 16:16 86016 ----a-w- c:\windows\system32\xvjq.exe

2010-03-24 15:17 . 2010-03-24 15:17 86016 ----a-w- c:\windows\system32\vviafoo.exe

2010-03-23 22:29 . 2010-03-24 01:13 -------- d-----w- c:\documents and settings\All Users\Application Data\BitDefender

2010-03-23 22:29 . 2010-03-23 22:29 -------- d-----w- c:\program files\BitDefender

2010-03-23 22:17 . 2010-03-24 01:13 -------- d-----w- c:\program files\Common Files\BitDefender

2010-03-22 00:54 . 2010-03-22 00:54 -------- d-----w- c:\windows\system32\Plugins3

2010-03-16 01:55 . 2010-03-16 01:55 -------- d-----w- c:\program files\Trend Micro

2010-03-14 23:00 . 2010-03-14 23:00 -------- d-----w- c:\program files\Synology Data Replicator 3

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-04-04 17:46 . 2010-02-24 18:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype

2010-04-04 17:42 . 2005-04-05 17:21 -------- d-----w- c:\program files\C4ebreg

2010-04-04 17:40 . 2007-03-05 22:09 40 ----a-w- c:\windows\system32\profile.dat

2010-04-04 17:40 . 2009-12-28 00:19 1165968 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2010-04-04 16:49 . 2008-06-18 00:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM

2010-04-03 11:18 . 2009-12-03 21:18 -------- d-----w- c:\program files\AT&T Network Client

2010-04-02 15:36 . 2006-01-24 00:45 -------- d-----w- c:\program files\Common Files\Symantec Shared

2010-04-02 12:18 . 2006-03-27 21:50 -------- d-----w- c:\program files\WST

2010-04-01 15:36 . 2008-06-17 20:58 28124 ----a-w- c:\windows\system32\nvModes.dat

2010-04-01 10:45 . 2008-06-18 20:08 -------- d-----w- c:\program files\InfoSelect

2010-03-31 18:28 . 2010-02-24 07:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-03-31 02:13 . 2008-11-20 10:47 -------- d-----w- c:\program files\Java

2010-03-29 22:46 . 2010-02-24 07:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-29 22:45 . 2010-02-24 07:46 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-09 02:28 . 2008-11-20 10:48 411368 ----a-w- c:\windows\system32\deploytk.dll

2010-03-02 02:17 . 2008-12-12 02:39 -------- d-----w- c:\documents and settings\All Users\Application Data\TechSmith

2010-03-02 02:17 . 2008-06-20 22:26 -------- d-----w- c:\program files\TechSmith

2010-02-28 17:54 . 2008-09-07 17:01 -------- d-----w- c:\program files\Flickr Uploadr

2010-02-28 12:10 . 2009-12-20 16:31 -------- d-----w- c:\program files\Defraggler

2010-02-28 12:02 . 2008-06-20 23:36 -------- d-----w- c:\program files\CCleaner

2010-02-28 11:46 . 2008-06-29 16:14 -------- d-----w- c:\documents and settings\All Users\Application Data\RFA_Backups

2010-02-28 11:46 . 2010-02-28 11:46 331776 ----a-w- c:\windows\system32\config\systemprofile\ntuser.tmp

2010-02-28 11:45 . 2010-02-28 11:45 237568 ----a-w- c:\documents and settings\NetworkService\NTUSER.tmp

2010-02-28 11:45 . 2010-02-28 11:45 237568 ----a-w- c:\documents and settings\LocalService\ntuser.tmp

2010-02-25 18:11 . 2005-07-29 18:05 64792 ----a-w- c:\windows\isamunin.exe

2010-02-25 16:46 . 2010-02-25 16:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\WDPlugin

2010-02-24 18:50 . 2010-02-24 18:50 -------- d-----r- c:\program files\Skype

2010-02-24 18:50 . 2008-06-18 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype

2010-02-24 07:46 . 2010-02-24 07:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-02-24 07:46 . 2010-02-24 07:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-02-15 18:11 . 2008-06-18 19:55 -------- d-----w- c:\program files\Uedit

2010-02-15 16:53 . 2009-10-07 09:31 6400 ----a-w- c:\windows\system32\drivers\isamfilter.sys

2010-02-13 20:35 . 2005-04-04 17:43 86695 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat

2010-02-11 02:25 . 2010-02-10 02:10 -------- d-----w- c:\program files\Calibre2

2010-02-10 02:11 . 2009-08-10 23:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\calibre

2010-02-08 16:17 . 2008-06-24 14:03 65592 ---ha-w- c:\windows\system32\mlfcache.dat

2010-02-08 07:40 . 2008-06-18 00:17 -------- d-----w- c:\program files\Google

2010-02-04 17:57 . 2008-07-19 15:27 -------- d-----w- c:\documents and settings\All Users\Application Data\IBMERS

2010-02-03 23:06 . 2010-02-03 23:06 -------- d-----w- c:\program files\iTunes

2010-02-03 23:06 . 2010-02-03 23:06 -------- d-----w- c:\program files\iPod

2010-02-03 23:06 . 2008-06-20 13:43 -------- d-----w- c:\program files\Common Files\Apple

2010-01-26 12:03 . 2009-02-22 23:28 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-01-17 08:52 . 2005-04-04 18:17 85208 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-01-09 01:08 . 2010-01-09 01:08 2469728 ----a-w- c:\windows\system32\AutoPartNt.exe

2010-01-07 18:03 . 2010-01-07 18:03 160288 ----a-w- c:\windows\system32\drivers\afcdp.sys

2010-01-07 18:03 . 2010-01-07 18:03 911680 ----a-w- c:\windows\system32\drivers\tdrpm258.sys

2010-01-07 18:03 . 2010-01-07 18:03 581984 ----a-w- c:\windows\system32\drivers\timntr.sys

2010-01-07 18:03 . 2010-01-07 18:03 158272 ----a-w- c:\windows\system32\drivers\snapman.sys

2009-10-19 23:59 . 2010-03-23 22:42 47104 ----a-w- c:\program files\mozilla firefox\components\FFComm.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NetSP - restore settings on power failure"="c:\program files\AT&T Network Client\NetSP.exe" [2007-01-13 24576]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-23 68856]

"Folder View"="c:\program files\Folder View\folderview.exe" [2005-01-17 856576]

"Google Update"="c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-11-01 133104]

"LDTray"="c:\program files\Livescribe\Livescribe Desktop\LDTray.exe" [2009-12-16 647168]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-03-09 26100520]

"SODCPreLoad"="c:\program files\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.5.0.20090605-2002\preload.exe" [2009-08-28 40960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"pmonmh"="c:\program files\IBM\My Help\plugins\\com.ibm.myhelp.common_1.4.19" [X]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"stgclean"="c:\sdwork\w32main2.exe" [2010-03-25 298496]

"Tpam.exe"="c:\program files\IBM\Personal Communications\tpam.exe" [2005-09-06 28672]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]

"vptray"="c:\progra~1\SYMANT~2\SYMANT~2\VPTray.exe" [2006-09-27 125168]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-05 13549568]

"nwiz"="nwiz.exe" [2008-12-05 1630208]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]

"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2009-04-17 425984]

"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2009-04-17 172032]

"TpShocks"="TpShocks.exe" [2007-11-22 181536]

"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2009-04-16 417792]

"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-03-17 208896]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2008-07-03 118784]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-07-03 1323008]

"TPFNF7"="c:\progra~1\Lenovo\NPDIRECT\TPFNF7SP.exe" [2009-04-16 61728]

"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2009-03-13 68976]

"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2007-01-09 868352]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-11-16 127035]

"C4EBReg"="c:\program files\c4ebreg\c4ebreg.exe" [2010-02-25 482584]

"ISAMTray"="c:\program files\c4ebreg\isamtray.exe" [2010-02-25 285976]

"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-04-27 243248]

"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2009-01-29 185688]

"LPMailChecker"="c:\progra~1\THINKV~1\PrdCtr\LPMLCHK.exe" [2009-01-29 124248]

"AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-11-08 91688]

"ussshreg"="c:\progra~1\ULEADW~1.0\Ussshreg.exe" [1999-07-13 32768]

"SKDaemon.exe"="c:\program files\Lenovo\Productivity Keyboard\SKDaemon.exe" [2007-02-09 262144]

"Mouse Suite 98 Daemon"="ICO.EXE" [2004-07-14 57344]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-04-24 1036288]

"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-10-26 652624]

"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-09-14 1603152]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]

"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-06-13 73728]

"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE" [2007-05-21 124512]

"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]

"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]

"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-05 86016]

"ISSI Service"="c:\sdwork\issimsvc.exe" [2010-02-11 241392]

"Message Center Plus"="c:\program files\LENOVO\Message Center Plus\MCPLaunch.exe" [2009-05-28 49976]

"LENOVO.TPFNF6R"="c:\program files\Lenovo\HOTKEY\TPFNF6R.exe" [2009-04-14 15136]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"MyHelpService"="c:\program files\IBM\My Help\workspace\service\delayStart.exe" [2009-03-13 94208]

"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-09-26 185640]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]

"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2009-11-12 5106904]

"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2009-11-12 361632]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-03-29 437584]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

hott notes 4.lnk - c:\program files\hott notes 4\hottnotes.exe [2007-5-16 1249280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-11-26 813584]

Snagit 10.lnk - c:\program files\TechSmith\Snagit 10\Snagit32.exe [2010-2-18 7042376]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoDevMgrUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2009-07-20 18:28 72208 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pcsinst]

2005-09-06 18:43 49152 ----a-w- c:\windows\system32\pcsinst.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]

2006-09-06 20:37 34344 ----a-w- c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"IBMconfig"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=

"c:\\Program Files\\Red Chair Software\\Anapod Explorer\\anamgr.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\InfoSelect\\is.exe"=

"c:\\Program Files\\IBM\\My Help\\jre\\bin\\myhelpw.exe"=

"c:\\Program Files\\IBM\\Lotus\\Symphony\\framework\\rcp\\eclipse\\plugins\\com.ibm.rcp.base_6.2.0.20090505-1200\\win32\\x86\\symphony.exe"=

"c:\\Program Files\\IBM\\Lotus\\Sametime Connect\\rcp\\eclipse\\plugins\\com.ibm.rcp.jcl.desktop.win32.x86_6.2.0.200810071032\\jre\\bin\\sametime80w.exe"=

"c:\\Program Files\\AT&T Network Client\\NetClient.exe"=

"c:\\Program Files\\Synology\\Assistant\\DSAssistant.exe"=

"c:\\Program Files\\NetMeeting\\conf.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 tdrpman258;Acronis Try&Decide and Restore Points filter (build 258);c:\windows\system32\drivers\tdrpm258.sys [1/7/2010 8:03 PM 911680]

R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [10/16/2007 8:32 PM 19504]

R2 AdeonaClientService;AdeonaClientService;c:\program files\Adeona\cygrunsrv.exe [7/13/2008 9:30 PM 68096]

R2 afcdpsrv;Acronis Nonstop Backup service;c:\program files\Common Files\Acronis\CDP\afcdpsrv.exe [1/7/2010 8:03 PM 2480048]

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [9/26/2009 7:32 AM 189736]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2/24/2010 9:46 AM 303952]

R2 PenCommService;Livescribe Pulse Smartpen Service;c:\program files\Common Files\Livescribe\PenComm\PenCommService.exe [12/16/2009 1:08 PM 265728]

R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.exe [8/19/2008 1:33 PM 53248]

R2 SavRoam;SAVRoam;c:\program files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe [9/27/2006 10:33 PM 116464]

R2 SynoDrService;SynoDrService;c:\program files\Synology Data Replicator 3\SynoDrService.exe [3/15/2010 12:58 AM 245760]

R2 TPHKSVC;On Screen Display;c:\program files\Lenovo\HOTKEY\TPHKSVC.exe [4/25/2008 3:29 AM 62320]

R3 afcdp;afcdp;c:\windows\system32\drivers\afcdp.sys [1/7/2010 8:03 PM 160288]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/27/2009 7:26 PM 102448]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2/24/2010 9:46 AM 20824]

S0 wkpnom;wkpnom;c:\windows\system32\drivers\modx.sys --> c:\windows\system32\drivers\modx.sys [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/8/2010 9:40 AM 135664]

S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\Lenovo\HOTKEY\micmute.exe [5/22/2009 2:48 AM 45424]

S3 IsamFilter;IsamFilter;c:\windows\system32\drivers\isamfilter.sys [10/7/2009 11:31 AM 6400]

S3 PulseUsb;Livescribe Pulse Smartpen USB Driver;c:\windows\system32\drivers\PulseUsb.sys [10/16/2009 1:55 PM 20096]

S3 Slnt7554;USB Soft Modem Driver;c:\windows\system32\drivers\slnt7554.sys [8/3/2009 11:26 PM 129535]

S3 SmartpenBus;Smartpen Enumerator;c:\windows\system32\DRIVERS\SmartpenBus.sys --> c:\windows\system32\DRIVERS\SmartpenBus.sys [?]

S3 SmartpenCom;Smartpen Communications;c:\windows\system32\DRIVERS\SmartpenCom.sys --> c:\windows\system32\DRIVERS\SmartpenCom.sys [?]

S3 ZSMC0303;VIMICRO USB PC Camera (VC0303);c:\windows\system32\drivers\usbVM303.sys [9/27/2006 8:48 PM 391949]

.

Contents of the 'Scheduled Tasks' folder

2010-04-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-08 07:40]

2010-04-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-08 07:40]

2010-04-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2653012379-1038974990-1957949151-500Core.job

- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-01 19:01]

2010-04-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2653012379-1038974990-1957949151-500UA.job

- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-01 19:01]

2010-04-04 c:\windows\Tasks\PMTask.job

- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2008-04-25 18:41]

2010-04-04 c:\windows\Tasks\Synology Data Replicator 3-IBM-5F4A0AF30B8-Karwoski.job

- c:\program files\Synology Data Replicator 3\Backup.exe [2010-03-14 22:58]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://w3.ibm.com/

uLocal Page = c:\windows\pchealth\helpctr\System\panels\blank.htm

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

mDefault_Search_URL = hxxp://www.google.com/ie

mLocal Page = c:\windows\pchealth\helpctr\System\panels\blank.htm

uInternet Connection Wizard,ShellNext = hxxp://w3.ibm.com/

uInternet Settings,ProxyOverride = w3-501.ibm.com;*.local;<local>

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\2007\Office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm

IE: Send To Bluetooth - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm

TCP: interfaces = 9.0.8.1,9.0.9.1

DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.8.1/GarminAxControl.CAB

DPF: Microsoft XML Parser for Java

DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB

DPF: {5C0E257E-9DFE-4955-AA93-0A9B166BAB50} - hxxp://192.168.1.199:5000/surveillance/object/SSObject.cab

DPF: {8C28EFD7-767B-11D1-844B-0060972DC2AC} - hxxps://w3-03.ibm.com/Hyperion/zeroadmin/component/Brio.Insight.en.cab

DPF: {9519B2A2-6592-4E41-8290-D0298459270C} - hxxp://w3.ibm.com/bluepages/scripts/lnwebassist.cab

DPF: {A4B28810-11A2-4956-82D1-B2DCBA4B2AFD} - hxxp://w3.ibm.com/tools/print/plugin/gpwsx.cab

DPF: {BA7A56EB-D1B9-443B-96E9-086532A378F1} - hxxp://karmor.endoftheinternet.org:9876/activex/decoder/aac_dec.cab

DPF: {C32FE9F1-A857-48B0-B7BF-065B5792F28D} - hxxp://karmor.endoftheinternet.org:9875/activex/decoder/intel_mpeg4_dec.cab

DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://karmor.endoftheinternet.org:9876/activex/AMC.cab

DPF: {E734BF43-7194-4E3A-832F-307606DDF665} - hxxps://cs.conferenceservers.com/components/WDPLUGIN.CAB

DPF: {E765747B-A0E4-4BD4-93E4-EA0E3500D57C} - hxxps://w3-03.ibm.com/software/executiveutilities/pdm/plugin/PDMPlugin.cab

FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\k0a2h1sk.default\

FF - plugin: c:\program files\IBM\Java50\jre\bin\NPJava11.dll

FF - plugin: c:\program files\IBM\Java50\jre\bin\NPJava12.dll

FF - plugin: c:\program files\IBM\Java50\jre\bin\NPJava13.dll

FF - plugin: c:\program files\IBM\Java50\jre\bin\NPJava14.dll

FF - plugin: c:\program files\IBM\Java50\jre\bin\NPJava32.dll

FF - plugin: c:\program files\IBM\Java50\jre\bin\NPJPI150.dll

FF - plugin: c:\program files\IBM\Java50\jre\bin\NPOJI610.dll

FF - plugin: c:\program files\IBM\Java50\jre\bin\npwebscl.dll

FF - plugin: c:\program files\Mozilla Firefox\extensions\IBM-cck@firefox-extensions.ibm.com\platform\WINNT_x86-msvc\plugins\npaddtonab.dll

.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)

Notify-ACNotify - ACNotify.dll

Notify-atmgrtok - atmgrtok.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-04-04 19:49

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

LDTray = c:\program files\Livescribe\Livescribe Desktop\LDTray.exe??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(940)

c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll

c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll

c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll

c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll

c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

c:\program files\common files\logishrd\bluetooth\LBTServ.dll

c:\program files\IBM\Personal Communications\atmgrtok.dll

c:\program files\IBM\Personal Communications\MILLUTIL.DLL

c:\windows\system32\pcsinst.dll

- - - - - - - > 'explorer.exe'(7968)

c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll

c:\program files\Folder View\dialhk.dll

c:\program files\Logitech\SetPoint\lgscroll.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\btncopy.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ibmpmsvc.exe

c:\program files\Intel\WiFi\bin\S24EvMon.exe

c:\program files\Common Files\Symantec Shared\ccSetMgr.exe

c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe

c:\program files\IBM\Personal Communications\PCS_AGNT.EXE

c:\program files\Common Files\Symantec Shared\ccProxy.exe

c:\program files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe

c:\program files\Common Files\Symantec Shared\SNDSrvc.exe

c:\windows\system32\LEXBCES.EXE

c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

c:\windows\system32\LEXPPS.EXE

c:\windows\system32\Drivers\trcboot.exe

c:\windows\system32\IPSSVC.EXE

c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe

c:\program files\Common Files\Acronis\Schedule2\schedul2.exe

c:\program files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe

c:\program files\Adeona\adeona-client.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\IBM\SQLLIB\BIN\db2jds.exe

c:\program files\IBM\SQLLIB\BIN\db2sec.exe

c:\program files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe

c:\program files\Intel\WiFi\bin\EvtEng.exe

c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe

c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

c:\notes\ntmulti.exe

c:\program files\AT&T Network Client\NetCfgSv.EXE

c:\windows\system32\nvsvc32.exe

c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe

c:\program files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe

c:\program files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe

c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe

c:\windows\System32\TPHDEXLG.exe

c:\windows\system32\TpKmpSVC.exe

c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe

c:\program files\lenovo\system update\suservice.exe

c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe

c:\windows\system32\Drivers\ldlcserv.exe

c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe

c:\windows\system32\wscntfy.exe

c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe

c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

c:\windows\system32\rundll32.exe

c:\windows\system32\TpShocks.exe

c:\windows\system32\rundll32.exe

c:\program files\Lenovo\HOTKEY\TPONSCR.exe

c:\program files\Lenovo\Zoom\TpScrex.exe

c:\windows\system32\ICO.EXE

c:\windows\system32\FSRremoS.EXE

c:\windows\system32\RUNDLL32.EXE

c:\program files\IBM\My Help\plugins\com.ibm.myhelp.common_1.4.19\pmonmh.exe

c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\1.2.183.23\GoogleCrashHandler.exe

c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe

c:\program files\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.5.0.20090605-2002\soffice.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

c:\program files\TechSmith\Snagit 10\TSCHelp.exe

c:\program files\TechSmith\Snagit 10\SnagPriv.exe

c:\program files\Skype\Plugin Manager\skypePM.exe

c:\program files\TechSmith\Snagit 10\snagiteditor.exe

c:\program files\IBM\My Help\MyHelp.exe

c:\program files\IBM\My Help\jre\bin\myhelpw.exe

.

**************************************************************************

.

Completion time: 2010-04-04 19:55:10 - machine was rebooted

ComboFix-quarantined-files.txt 2010-04-04 17:54

Pre-Run: 340,550,602,752 bytes free

Post-Run: 341,038,194,688 bytes free

- - End Of File - - 968DC38474CDCE57A8D0B4563EC84905

OTS.Txt


Hi,

Sincere apologies for the late reply. I will be unavailable from today and a fellow colleague will take over and help you instead. Please be patient in waiting for a reply, thank you. :)


  • Staff

karmor,

I will be helping you while Ltangelic is away.

I'm afraid I have bad news.

Your logs reveal a backdoor trojan. A backdoor severely compromises system integrity.

A compromised system may allow illicit network connections, disabling of security software, modifying critical system files and collection and transmission of personally identifiable information without your consent.

I recommend that you disconnect this PC from the Internet immediately, and only reconnect to download any tools that are required. If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. If it were on my PC I would not hesitate for a moment to do so. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

Should you decide not to follow that advice, we will of course do our best to clean the computer of any infections that we can see but, as I already stated, we can in no way guarantee it to be trustworthy.

Should you have any questions, please feel free to ask.

Let me know what you decide.


Chris, thank you for this advice, though it makes me quake in my boots. I will immediately change financial pws I may have used the last few months. I'll also restrict all my future transactions. One question: do you think this backdoor trojan is 'contagious' to other computers via data file transfers via USB stick or email attachments?

Until I transition to a new computer or reinstall the OS on this one, I appreciate any help/advice you can provide to try containing/eradicating the backdoor trojan problem, especially over these next few days when I am in the environment and have the time to let deep examinations of my hard drive run unimpeded.

Thanks a lot for your help,

John


  • Staff

Hi John,

I do not believe your particular infection is one that spreads via flash drives. Then again, I cannot be 100% sure either way.

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad. Copy and paste the text in the Code box below into Notepad:

http://forums.malwarebytes.org/index.php?showtopic=44547
Collect::
c:\windows\system32\xvjq.exe
c:\windows\system32\vviafoo.exe
Driver::
wkpnom

Save this as CFScript.txt

CFScriptB-4.gif

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

  • Ensure you are connected to the internet and click OK on the message box.


Thanks Chris

I followed your instructions. Here are my observations:

(1) When CF started running it asked me to disable Symantec antivirus. I did.

(2) Soon after this, I was twice asked to provide permission to allow CF access to the internet through the Symantec firewall. I granted permission.

(3) Soon afterwards, I noticed my Firewall program icon was missing from the task bar. Since CF was busy scanning, I physically turned off internet connectivity for the rest of the session. CF didn't complain.

(4) When CF was finished and showed the log file, it did not ask to be connected to the internet as your instructions led me to believe it would.

Here is the log file. Thank you again for your kind assistance.

John

====================

ComboFix .txt log

====================

ComboFix 10-04-07.04 - Karwoski 04/08/2010 3:36.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.1863 [GMT -5:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FW: Symantec Client Firewall *enabled* {5CB76A43-5FAD-476B-B9FF-26FA61F13187}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_wkpnom

((((((((((((((((((((((((( Files Created from 2010-03-08 to 2010-04-08 )))))))))))))))))))))))))))))))

.

2010-04-01 10:44 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

2010-03-31 15:22 . 2010-03-31 15:22 -------- d-----w- c:\program files\Common Files\Skype

2010-03-31 02:14 . 2010-03-31 02:14 -------- d-----w- c:\program files\Common Files\Java

2010-03-23 22:29 . 2010-03-24 01:13 -------- d-----w- c:\documents and settings\All Users\Application Data\BitDefender

2010-03-23 22:29 . 2010-03-23 22:29 -------- d-----w- c:\program files\BitDefender

2010-03-23 22:17 . 2010-03-24 01:13 -------- d-----w- c:\program files\Common Files\BitDefender

2010-03-22 00:54 . 2010-03-22 00:54 -------- d-----w- c:\windows\system32\Plugins3

2010-03-16 01:55 . 2010-03-16 01:55 -------- d-----w- c:\program files\Trend Micro

2010-03-14 23:00 . 2010-03-14 23:00 -------- d-----w- c:\program files\Synology Data Replicator 3

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-04-08 08:56 . 2010-02-24 18:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype

2010-04-08 08:53 . 2005-04-05 17:21 -------- d-----w- c:\program files\C4ebreg

2010-04-08 08:51 . 2007-03-05 22:09 40 ----a-w- c:\windows\system32\profile.dat

2010-04-08 08:51 . 2009-12-28 00:19 1165968 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2010-04-08 08:24 . 2009-12-03 21:18 -------- d-----w- c:\program files\AT&T Network Client

2010-04-08 08:22 . 2008-06-17 20:58 53196 ----a-w- c:\windows\system32\nvModes.dat

2010-04-08 06:21 . 2008-06-18 00:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM

2010-04-07 22:17 . 2008-06-18 20:08 -------- d-----w- c:\program files\InfoSelect

2010-04-07 19:10 . 2006-03-27 21:50 -------- d-----w- c:\program files\WST

2010-04-07 14:55 . 2006-01-24 00:45 -------- d-----w- c:\program files\Common Files\Symantec Shared

2010-03-31 18:28 . 2010-02-24 07:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-03-31 18:26 . 2010-03-31 18:26 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2010-03-31 02:14 . 2010-03-31 02:14 503808 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-11dd4151-n\msvcp71.dll

2010-03-31 02:14 . 2010-03-31 02:14 499712 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-11dd4151-n\jmc.dll

2010-03-31 02:14 . 2010-03-31 02:14 348160 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-11dd4151-n\msvcr71.dll

2010-03-31 02:14 . 2010-03-31 02:14 61440 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-55799c75-n\decora-sse.dll

2010-03-31 02:14 . 2010-03-31 02:14 12800 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-55799c75-n\decora-d3d.dll

2010-03-31 02:13 . 2008-11-20 10:47 -------- d-----w- c:\program files\Java

2010-03-29 22:46 . 2010-02-24 07:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-29 22:45 . 2010-02-24 07:46 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-27 09:32 . 2010-03-27 09:32 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd30f413.vdb\NAVEX32A.DLL

2010-03-27 09:32 . 2010-03-27 09:32 1324720 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd30f413.vdb\NAVEX15.SYS

2010-03-27 09:32 . 2010-03-27 09:32 84912 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd30f413.vdb\NAVENG.SYS

2010-03-27 09:32 . 2010-03-27 09:32 177520 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd30f413.vdb\NAVENG32.DLL

2010-03-27 09:32 . 2010-03-27 09:32 102448 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd30f413.vdb\ERASER.SYS

2010-03-27 09:32 . 2010-03-27 09:32 371248 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd30f413.vdb\EECTRL.SYS

2010-03-27 09:32 . 2010-03-27 09:32 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd30f413.vdb\CCERASER.DLL

2010-03-27 09:32 . 2010-03-27 09:32 259440 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd30f413.vdb\ECMSVR32.DLL

2010-03-09 02:28 . 2008-11-20 10:48 411368 ----a-w- c:\windows\system32\deploytk.dll

2010-03-02 02:17 . 2008-12-12 02:39 -------- d-----w- c:\documents and settings\All Users\Application Data\TechSmith

2010-03-02 02:17 . 2008-06-20 22:26 -------- d-----w- c:\program files\TechSmith

2010-02-28 17:54 . 2008-09-07 17:01 -------- d-----w- c:\program files\Flickr Uploadr

2010-02-28 12:10 . 2009-12-20 16:31 -------- d-----w- c:\program files\Defraggler

2010-02-28 12:02 . 2008-06-20 23:36 -------- d-----w- c:\program files\CCleaner

2010-02-28 11:46 . 2008-06-29 16:14 -------- d-----w- c:\documents and settings\All Users\Application Data\RFA_Backups

2010-02-28 11:46 . 2010-02-28 11:46 331776 ----a-w- c:\windows\system32\config\systemprofile\ntuser.tmp

2010-02-28 11:45 . 2010-02-28 11:45 237568 ----a-w- c:\documents and settings\NetworkService\NTUSER.tmp

2010-02-28 11:45 . 2010-02-28 11:45 237568 ----a-w- c:\documents and settings\LocalService\ntuser.tmp

2010-02-25 18:11 . 2005-07-29 18:05 64792 ----a-w- c:\windows\isamunin.exe

2010-02-25 16:46 . 2010-02-25 16:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\WDPlugin

2010-02-24 18:50 . 2010-02-24 18:50 -------- d-----r- c:\program files\Skype

2010-02-24 18:50 . 2008-06-18 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype

2010-02-24 07:46 . 2010-02-24 07:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-02-24 07:46 . 2010-02-24 07:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-02-15 18:11 . 2008-06-18 19:55 -------- d-----w- c:\program files\Uedit

2010-02-15 16:53 . 2009-10-07 09:31 6400 ----a-w- c:\windows\system32\drivers\isamfilter.sys

2010-02-13 20:35 . 2005-04-04 17:43 86695 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat

2010-02-11 02:25 . 2010-02-10 02:10 -------- d-----w- c:\program files\Calibre2

2010-02-10 02:11 . 2009-08-10 23:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\calibre

2010-02-08 16:17 . 2008-06-24 14:03 65592 ---ha-w- c:\windows\system32\mlfcache.dat

2010-02-08 07:40 . 2008-06-18 00:17 -------- d-----w- c:\program files\Google

2010-02-03 22:59 . 2010-02-03 22:59 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe

2010-02-01 17:52 . 2010-02-05 14:48 15424 ----a-w- c:\documents and settings\All Users\Application Data\Lenovo\MessageCenterPlus\LocalRepository\Messages\MCPToLTT2\LTTCheck.exe

2010-01-26 12:03 . 2009-02-22 23:28 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-01-17 08:52 . 2005-04-04 18:17 85208 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-01-09 01:08 . 2010-01-09 01:08 2469728 ----a-w- c:\windows\system32\AutoPartNt.exe

2009-10-19 23:59 . 2010-03-23 22:42 47104 ----a-w- c:\program files\mozilla firefox\components\FFComm.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NetSP - restore settings on power failure"="c:\program files\AT&T Network Client\NetSP.exe" [2007-01-13 24576]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-23 68856]

"Folder View"="c:\program files\Folder View\folderview.exe" [2005-01-17 856576]

"Google Update"="c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-11-01 133104]

"LDTray"="c:\program files\Livescribe\Livescribe Desktop\LDTray.exe" [2009-12-16 647168]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-03-09 26100520]

"SODCPreLoad"="c:\program files\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.5.0.20090605-2002\preload.exe" [2009-08-28 40960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"pmonmh"="c:\program files\IBM\My Help\plugins\\com.ibm.myhelp.common_1.4.19" [X]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"stgclean"="c:\sdwork\w32main2.exe" [2010-04-07 299008]

"Tpam.exe"="c:\program files\IBM\Personal Communications\tpam.exe" [2005-09-06 28672]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]

"vptray"="c:\progra~1\SYMANT~2\SYMANT~2\VPTray.exe" [2006-09-27 125168]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-05 13549568]

"nwiz"="nwiz.exe" [2008-12-05 1630208]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]

"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2009-04-17 425984]

"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2009-04-17 172032]

"TpShocks"="TpShocks.exe" [2007-11-22 181536]

"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2009-04-16 417792]

"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-03-17 208896]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2008-07-03 118784]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-07-03 1323008]

"TPFNF7"="c:\progra~1\Lenovo\NPDIRECT\TPFNF7SP.exe" [2009-04-16 61728]

"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2009-03-13 68976]

"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2007-01-09 868352]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-11-16 127035]

"C4EBReg"="c:\program files\c4ebreg\c4ebreg.exe" [2010-02-25 482584]

"ISAMTray"="c:\program files\c4ebreg\isamtray.exe" [2010-02-25 285976]

"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-04-27 243248]

"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2009-01-29 185688]

"LPMailChecker"="c:\progra~1\THINKV~1\PrdCtr\LPMLCHK.exe" [2009-01-29 124248]

"AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-11-08 91688]

"ussshreg"="c:\progra~1\ULEADW~1.0\Ussshreg.exe" [1999-07-13 32768]

"SKDaemon.exe"="c:\program files\Lenovo\Productivity Keyboard\SKDaemon.exe" [2007-02-09 262144]

"Mouse Suite 98 Daemon"="ICO.EXE" [2004-07-14 57344]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-04-24 1036288]

"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-10-26 652624]

"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-09-14 1603152]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]

"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-06-13 73728]

"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE" [2007-05-21 124512]

"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]

"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]

"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-05 86016]

"ISSI Service"="c:\sdwork\issimsvc.exe" [2010-02-11 241392]

"Message Center Plus"="c:\program files\LENOVO\Message Center Plus\MCPLaunch.exe" [2009-05-28 49976]

"LENOVO.TPFNF6R"="c:\program files\Lenovo\HOTKEY\TPFNF6R.exe" [2009-04-14 15136]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"MyHelpService"="c:\program files\IBM\My Help\workspace\service\delayStart.exe" [2009-03-13 94208]

"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-09-26 185640]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]

"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2009-11-12 5106904]

"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2009-11-12 361632]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-03-29 437584]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

hott notes 4.lnk - c:\program files\hott notes 4\hottnotes.exe [2007-5-15 1249280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-11-25 813584]

Snagit 10.lnk - c:\program files\TechSmith\Snagit 10\Snagit32.exe [2010-2-17 7042376]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoDevMgrUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2009-07-20 18:28 72208 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pcsinst]

2005-09-06 18:43 49152 ----a-w- c:\windows\system32\pcsinst.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]

2006-09-06 20:37 34344 ----a-w- c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"IBMconfig"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=

"c:\\Program Files\\Red Chair Software\\Anapod Explorer\\anamgr.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\InfoSelect\\is.exe"=

"c:\\Program Files\\IBM\\My Help\\jre\\bin\\myhelpw.exe"=

"c:\\Program Files\\IBM\\Lotus\\Symphony\\framework\\rcp\\eclipse\\plugins\\com.ibm.rcp.base_6.2.0.20090505-1200\\win32\\x86\\symphony.exe"=

"c:\\Program Files\\IBM\\Lotus\\Sametime Connect\\rcp\\eclipse\\plugins\\com.ibm.rcp.jcl.desktop.win32.x86_6.2.0.200810071032\\jre\\bin\\sametime80w.exe"=

"c:\\Program Files\\AT&T Network Client\\NetClient.exe"=

"c:\\Program Files\\Synology\\Assistant\\DSAssistant.exe"=

"c:\\Program Files\\NetMeeting\\conf.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 tdrpman258;Acronis Try&Decide and Restore Points filter (build 258);c:\windows\system32\drivers\tdrpm258.sys [1/7/2010 1:03 PM 911680]

R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [10/16/2007 1:32 PM 19504]

R2 AdeonaClientService;AdeonaClientService;c:\program files\Adeona\cygrunsrv.exe [7/13/2008 2:30 PM 68096]

R2 afcdpsrv;Acronis Nonstop Backup service;c:\program files\Common Files\Acronis\CDP\afcdpsrv.exe [1/7/2010 1:03 PM 2480048]

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [9/26/2009 12:32 AM 189736]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2/24/2010 2:46 AM 303952]

R2 PenCommService;Livescribe Pulse Smartpen Service;c:\program files\Common Files\Livescribe\PenComm\PenCommService.exe [12/16/2009 6:08 AM 265728]

R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.exe [8/19/2008 6:33 AM 53248]

R2 SavRoam;SAVRoam;c:\program files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe [9/27/2006 3:33 PM 116464]

R2 SynoDrService;SynoDrService;c:\program files\Synology Data Replicator 3\SynoDrService.exe [3/14/2010 5:58 PM 245760]

R2 TPHKSVC;On Screen Display;c:\program files\Lenovo\HOTKEY\TPHKSVC.exe [4/24/2008 8:29 PM 62320]

R3 afcdp;afcdp;c:\windows\system32\drivers\afcdp.sys [1/7/2010 1:03 PM 160288]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/27/2009 12:26 PM 102448]

R3 IsamFilter;IsamFilter;c:\windows\system32\drivers\isamfilter.sys [10/7/2009 4:31 AM 6400]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2/24/2010 2:46 AM 20824]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/8/2010 2:40 AM 135664]

S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\Lenovo\HOTKEY\micmute.exe [5/21/2009 7:48 PM 45424]

S3 PulseUsb;Livescribe Pulse Smartpen USB Driver;c:\windows\system32\drivers\PulseUsb.sys [10/16/2009 6:55 AM 20096]

S3 Slnt7554;USB Soft Modem Driver;c:\windows\system32\drivers\slnt7554.sys [8/3/2009 4:26 PM 129535]

S3 SmartpenBus;Smartpen Enumerator;c:\windows\system32\DRIVERS\SmartpenBus.sys --> c:\windows\system32\DRIVERS\SmartpenBus.sys [?]

S3 SmartpenCom;Smartpen Communications;c:\windows\system32\DRIVERS\SmartpenCom.sys --> c:\windows\system32\DRIVERS\SmartpenCom.sys [?]

S3 ZSMC0303;VIMICRO USB PC Camera (VC0303);c:\windows\system32\drivers\usbVM303.sys [9/27/2006 1:48 PM 391949]

.

Contents of the 'Scheduled Tasks' folder

2010-04-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-08 07:40]

2010-04-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-08 07:40]

2010-04-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2653012379-1038974990-1957949151-500Core.job

- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-01 19:01]

2010-04-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2653012379-1038974990-1957949151-500UA.job

- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-01 19:01]

2010-04-08 c:\windows\Tasks\PMTask.job

- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2008-04-25 18:41]

2010-04-08 c:\windows\Tasks\Synology Data Replicator 3-IBM-5F4A0AF30B8-Karwoski.job

- c:\program files\Synology Data Replicator 3\Backup.exe [2010-03-14 22:58]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://w3.ibm.com/

uLocal Page = c:\windows\pchealth\helpctr\System\panels\blank.htm

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

mDefault_Search_URL = hxxp://www.google.com/ie

mLocal Page = c:\windows\pchealth\helpctr\System\panels\blank.htm

uInternet Connection Wizard,ShellNext = hxxp://w3.ibm.com/

uInternet Settings,ProxyOverride = w3-501.ibm.com;*.local;<local>

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\2007\Office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm

IE: Send To Bluetooth - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm

TCP: interfaces = 9.0.8.1,9.0.9.1

DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.8.1/GarminAxControl.CAB

DPF: Microsoft XML Parser for Java

DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB

DPF: {5C0E257E-9DFE-4955-AA93-0A9B166BAB50} - hxxp://192.168.1.199:5000/surveillance/object/SSObject.cab

DPF: {8C28EFD7-767B-11D1-844B-0060972DC2AC} - hxxps://w3-03.ibm.com/Hyperion/zeroadmin/component/Brio.Insight.en.cab

DPF: {9519B2A2-6592-4E41-8290-D0298459270C} - hxxp://w3.ibm.com/bluepages/scripts/lnwebassist.cab

DPF: {A4B28810-11A2-4956-82D1-B2DCBA4B2AFD} - hxxp://w3.ibm.com/tools/print/plugin/gpwsx.cab

DPF: {BA7A56EB-D1B9-443B-96E9-086532A378F1} - hxxp://karmor.endoftheinternet.org:9876/activex/decoder/aac_dec.cab

DPF: {C32FE9F1-A857-48B0-B7BF-065B5792F28D} - hxxp://karmor.endoftheinternet.org:9875/activex/decoder/intel_mpeg4_dec.cab

DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://karmor.endoftheinternet.org:9876/activex/AMC.cab

DPF: {E734BF43-7194-4E3A-832F-307606DDF665} - hxxps://cs.conferenceservers.com/components/WDPLUGIN.CAB

DPF: {E765747B-A0E4-4BD4-93E4-EA0E3500D57C} - hxxps://w3-03.ibm.com/software/executiveutilities/pdm/plugin/PDMPlugin.cab

FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\k0a2h1sk.default\

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-04-08 03:54

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

LDTray = c:\program files\Livescribe\Livescribe Desktop\LDTray.exe??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(940)

c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

c:\program files\common files\logishrd\bluetooth\LBTServ.dll

c:\windows\system32\pcsinst.dll

- - - - - - - > 'explorer.exe'(11884)

c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll

c:\program files\Folder View\dialhk.dll

c:\program files\Logitech\SetPoint\lgscroll.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\btncopy.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ibmpmsvc.exe

c:\program files\Intel\WiFi\bin\S24EvMon.exe

c:\program files\Common Files\Symantec Shared\ccSetMgr.exe

c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe

c:\program files\Common Files\Symantec Shared\ccProxy.exe

c:\program files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe

c:\program files\Common Files\Symantec Shared\SNDSrvc.exe

c:\windows\system32\LEXBCES.EXE

c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

c:\windows\system32\Drivers\trcboot.exe

c:\windows\system32\LEXPPS.EXE

c:\program files\IBM\Personal Communications\PCS_AGNT.EXE

c:\windows\system32\IPSSVC.EXE

c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe

c:\program files\Common Files\Acronis\Schedule2\schedul2.exe

c:\program files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe

c:\program files\Adeona\adeona-client.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\IBM\SQLLIB\BIN\db2jds.exe

c:\program files\IBM\SQLLIB\BIN\db2sec.exe

c:\program files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe

c:\program files\Intel\WiFi\bin\EvtEng.exe

c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe

c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

c:\notes\ntmulti.exe

c:\program files\AT&T Network Client\NetCfgSv.EXE

c:\windows\system32\nvsvc32.exe

c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe

c:\program files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe

c:\program files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe

c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe

c:\windows\System32\TPHDEXLG.exe

c:\windows\system32\TpKmpSVC.exe

c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe

c:\program files\lenovo\system update\suservice.exe

c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe

c:\windows\system32\Drivers\ldlcserv.exe

c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe

c:\windows\system32\wscntfy.exe

c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe

c:\windows\system32\rundll32.exe

c:\windows\system32\TpShocks.exe

c:\windows\system32\rundll32.exe

c:\program files\Lenovo\HOTKEY\TPONSCR.exe

c:\program files\Lenovo\Zoom\TpScrex.exe

c:\windows\system32\ICO.EXE

c:\windows\system32\FSRremoS.EXE

c:\windows\system32\RUNDLL32.EXE

c:\program files\IBM\My Help\plugins\com.ibm.myhelp.common_1.4.19\pmonmh.exe

c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\1.2.183.23\GoogleCrashHandler.exe

c:\program files\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.5.0.20090605-2002\soffice.exe

c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe

c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

c:\program files\Skype\Plugin Manager\skypePM.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\TechSmith\Snagit 10\TSCHelp.exe

c:\program files\TechSmith\Snagit 10\SnagPriv.exe

c:\program files\TechSmith\Snagit 10\snagiteditor.exe

c:\program files\IBM\My Help\MyHelp.exe

c:\program files\IBM\My Help\jre\bin\myhelpw.exe

.

**************************************************************************

.

Completion time: 2010-04-08 04:07:09 - machine was rebooted

ComboFix-quarantined-files.txt 2010-04-08 09:06

ComboFix2.txt 2010-04-04 17:55

Pre-Run: 340,576,980,992 bytes free

Post-Run: 340,560,584,704 bytes free

- - End Of File - - C38840BDABA8C3E85CE92AB3C252841D


  • Staff

Hi,

My apologies for the delay.

it did not ask to be connected to the internet as your instructions led me to believe it would.
It should have reconnected you automatically.

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished scanning, click the Automatic cleaning (recommended) button.
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


-screen317

I have followed your latest instructions and pasted the results below.

Note that I recognize the files flagged as "Suspicious:W32/Malware!Gemini (virus)" as self-extracting compressed files that I created years ago using an Aladdin Systems compression program called StuffIt. I wonder if these are false positives. I have no problem deleting these old files if your advice is for me to do so.

To answer your question about how things are running now, they seem to be much better. My malware detection programs do not appear to be discovering re-occurring malware like they did before.

I do have a few new issues (non-malware related?) that may have been produced by the programs I have run per the advice of this forum.

(1) Embedded links to URLs in IE are not passed onto IE when I double-click on them anymore. IE will open up, but the URL area stays blank. This used to work fine.

(2) CDs/Magic Jack do not seem to auto-start anymore. Is this caused by the program called 'defogger' I was asked to run as one of my initial tasks to help rid this computer of malware?

(3) The only malware the Malwarebytes program seems to consistently find and quarantine anymore is this: "Disabled.SecurityCenter {date} Registry Data HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisavbleNotify (Data: 1)". Is this significant since I actually rely on the Symantec Firewall program, not Windows Firewall?

Thanks for your help. As ever it is extremely appreciated.

John

====================================

Here is the report from F-Secure run on April 11:

====================================

Scanning Report

Sunday, April 11, 2010 18:38:58 - 21:35:44

Computer name: IBM-5F4A0AF30B8

Scanning type: Scan system for malware, spyware and rootkits

Target: C:\

134 malware found

TrackingCookie.Questionmarket (spyware)

System (Disinfected)

TrackingCookie.Adinterax (spyware)

System (Disinfected)

TrackingCookie.Research-int (spyware)

System (Disinfected)

TrackingCookie.2o7 (spyware)

System (Disinfected)

TrackingCookie.Advertising (spyware)

System (Disinfected)

TrackingCookie.Atdmt (spyware)

System (Disinfected)

Suspicious:W32/Malware!Gemini (spyware)

System (Disinfected)

TrackingCookie.Adtech (spyware)

System (Disinfected)

TrackingCookie.Adform (spyware)

System (Disinfected)

TrackingCookie.Doubleclick (spyware)

System (Disinfected)

TrackingCookie.Revsci (spyware)

System (Disinfected)

TrackingCookie.Specificclick (spyware)

System (Disinfected)

TrackingCookie.Zanox (spyware)

System (Disinfected)

TrackingCookie.Adrevolver (spyware)

System (Disinfected)

TrackingCookie.Adbrite (spyware)

System (Disinfected)

TrackingCookie.Xiti (spyware)

System (Disinfected)

TrackingCookie.Webtrends (spyware)

System (Disinfected)

TrackingCookie.Mediaplex (spyware)

System (Disinfected)

TrackingCookie.Tradedoubler (spyware)

System (Disinfected)

TrackingCookie.Statcounter (spyware)

System (Disinfected)

TrackingCookie.Atwola (spyware)

System (Disinfected)

TrackingCookie.Yieldmanager (spyware)

System (Disinfected)

TrackingCookie.Imrworldwide (spyware)

System (Disinfected)

Trojan.Generic.IS.556984 (virus)

C:\PROGRAM FILES\SYMANTEC CLIENT SECURITY\EMEA_PKI_GRC.EXE (Renamed & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\PROGRAM FILES\RFA\SYSREP.EXE (Not cleaned)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\S390FORECASTROLLUP\DISNEY 10 08.EXE (Not cleaned)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\OPPSTOROADMAPS\TEMPLATE OPPS TO PRODUCT ROADMAPS 2003 V3.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\NEWFCTOOL\ASFT_UAT_V5_CANADA_GT25K.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\AUGMEETING\ATTENTION FACE-TO-FACE.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\AUGMEETING\FINDING INFORMATION 71003.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\AUGMEETING\SETTING UP CRM SIEBEL.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\AUGMEETING\OPPORTUNITY MIGRATION.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\AUGMEETING\OPPORTUNITY MANAGEMENT.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\3Q_WEB2TEMPLATES\4Q_AUTOFLM_V25.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\3Q_WEB2TEMPLATES\4Q_BUE_V25.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\3Q_WEB2TEMPLATES\4Q_FLM_V25.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\3Q_WEB2TEMPLATES\4Q_SELLER_V25.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\ASFTDATA\ASFTCURRENT.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\3Q_WEB1TEMPLATES\4Q_FLM_V25.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\3Q_WEB1TEMPLATES\4Q_AUTOFLM_V25.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\3Q_WEB2TEMPLATES\4Q_REGION_1200_V25.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\3Q_WEB1TEMPLATES\4Q_BUE_V25.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\3Q_WEB1TEMPLATES\4Q_GEO_2400_V25.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\3Q_WEB1TEMPLATES\4Q_SELLER_V25.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\3Q_WEB1TEMPLATES\4Q_GEO_1200_V25.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\3Q_WEB1TEMPLATES\4Q_REGION_1200_V25.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\3Q_SAMTEMPLATES\4Q_BUE_V25.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\3Q_WEB1TEMPLATES\4Q_REGION_2400_V25.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\3Q_SAMTEMPLATES\4Q_AUTOFLM_V25.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\3Q_SAMTEMPLATES\4Q_FLM_V25.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\3Q_SAMTEMPLATES\4Q_REGION_2400_V25.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\3Q_SAMTEMPLATES\4Q_SELLER_V25.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\3Q_S390TEMPLATES\4Q_BUE_V25.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\3Q_S390TEMPLATES\4Q_AUTOFLM_V25.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\3Q_SAMTEMPLATES\4Q_REGION_1200_V25.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\3Q_S390TEMPLATES\4Q_FLM_V25.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\3Q_S390TEMPLATES\4Q_EBUSFLM_V25.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\3Q_S390TEMPLATES\4Q_SELLER_V25.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\3Q_S390TEMPLATES\4Q_REGION_1200_V25.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\3Q_NEWCORETEMPLATES\3Q_TRANSLATE TO FEDERAL_V25_062903.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\3Q_MISCTEMPLATES\4Q_EBUSAUTOFLM_V25.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\3Q_S390TEMPLATES\4Q_REGION_2400_V25.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\3Q_MISCTEMPLATES\4Q_EBUSBUE_V25.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\3Q_MISCTEMPLATES\4Q_EBUSFLM_V25.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\3Q_MISCTEMPLATES\4Q_FLM_LOTUS TO FEDERAL_V25.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\3Q_MISCTEMPLATES\4Q_EBUSSELLER_V25.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\3Q_MISCTEMPLATES\4Q_FLM_EBUS TO DISNEY_V25.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\3Q_MISCTEMPLATES\4Q_FLM_S390 TO FEDERAL_V25.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\3Q_MISCTEMPLATES\4Q_FLM_WEB1 TO FEDERAL_V25.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\3Q_LOTUSTEMPLATES\4Q_AUTOFLM_V25.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\3Q_LOTUSTEMPLATES\4Q_FLM_V25.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\3Q_LOTUSTEMPLATES\4Q_GEO_1200_V25.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\3Q_LOTUSTEMPLATES\4Q_BUE_V25.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\3Q_MISCTEMPLATES\TEMPLATE OPPS TO PRODUCT ROADMAPS 2003 V5NEWROADMAP.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\3Q_NEWCORETEMPLATES\3Q_TEMPLATES_V25_062903.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\3Q_LOTUSTEMPLATES\4Q_GEO_2400_V25.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\3Q_LOTUSTEMPLATES\4Q_SELLER_V25.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\3Q_LOTUSTEMPLATES\4Q_REGION_1200_V25.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\3Q_LOTUSTEMPLATES\4Q_REGION_2400_V25 FIXED.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\3Q_LOTUSTEMPLATES\4Q_REGION_2400_V25.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\3Q_CORETEMPLATES\3Q_FORECASTTEMPLATES_V24.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\2QTEMPLATES\2Q03_XLATETEMPLATES\2Q_FLM_LOTUS TO FEDERAL.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\3Q_CORETEMPLATES\3Q_GEO_1200_V24 7 REGIONS D.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\2QTEMPLATES\2Q03_XLATETEMPLATES\2Q_FLM_WEB1 TO FEDERAL.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\3Q_CORETEMPLATES\3Q_TRANSLATETEMPLATES TO FEDERAL.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\3Q_CORETEMPLATES\3Q_REGION_1200_V24 7 BUES.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\2QTEMPLATES\2Q03_WEBTEMPLATES\2Q_AUTOFLM_V23.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\2QTEMPLATES\2Q03_XLATETEMPLATES\2Q_FLM_S390 TO FEDERAL.EXE (Not cleaned)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\2QTEMPLATES\2Q03_WEBTEMPLATES\2Q_BUE_V23.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\2QTEMPLATES\2Q03_WEBTEMPLATES\2Q_FLM_V23.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\2QTEMPLATES\2Q03_WEBTEMPLATES\2Q_GEO_2400_V23NEWROADMAP.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\2QTEMPLATES\2Q03_WEBTEMPLATES\2Q_REGION_2400_V23.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\2QTEMPLATES\2Q03_WEBTEMPLATES\2Q_GEO_2400_V23.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\2QTEMPLATES\2Q03_WEBTEMPLATES\2Q_GEO_V23.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\2QTEMPLATES\2Q03_WEBTEMPLATES\2Q_GEO_V23NEWROADMAP.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\2QTEMPLATES\2Q03_WEBTEMPLATES\2Q_REGION_2400_V23NEWROADMAP.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\2QTEMPLATES\2Q03_WEB2TEMPLATES\2Q_AUTOFLM_V23.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\2QTEMPLATES\2Q03_WEBTEMPLATES\2Q_REGION_V23.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\2QTEMPLATES\2Q03_WEBTEMPLATES\2Q_SELLER_V23.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\2QTEMPLATES\2Q03_WEB2TEMPLATES\2Q_BUE_V23.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\2QTEMPLATES\2Q03_WEBTEMPLATES\2Q_REGION_V23NEWROADMAP.EXE (Not cleaned)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\2QTEMPLATES\2Q03_WEB2TEMPLATES\2Q_FLM_V23.EXE (Not cleaned)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\2QTEMPLATES\2Q03_WEB2TEMPLATES\2Q_SELLER_V23.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\2QTEMPLATES\2Q03_SAMTEMPLATES\2Q_AUTOFLM_V23.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\2QTEMPLATES\2Q03_WEB2TEMPLATES\2Q_REGION_V23.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\2QTEMPLATES\2Q03_SAMTEMPLATES\2Q_BUE_V23.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\2QTEMPLATES\2Q03_WEB2TEMPLATES\2Q_REGION_V23NEWROADMAP.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\2QTEMPLATES\2Q03_SAMTEMPLATES\2Q_GEO_2400_V23.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\2QTEMPLATES\2Q03_SAMTEMPLATES\2Q_FLM_V23.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\2QTEMPLATES\2Q03_SAMTEMPLATES\2Q_GEO_V23.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\2QTEMPLATES\2Q03_SAMTEMPLATES\2Q_REGION_2400_V23.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\2QTEMPLATES\2Q03_SAMTEMPLATES\2Q_REGION_V23.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\2QTEMPLATES\2Q03_SAMTEMPLATES\2Q_SELLER_V23.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\2QTEMPLATES\2Q03_S390TEMPLATES\2Q_BUE_V23.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\2QTEMPLATES\2Q03_SAMTEMPLATES\2Q_REGION_2400_V23NEWROADMAP.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\2QTEMPLATES\2Q03_S390TEMPLATES\2Q_AUTOFLM_V23.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\2QTEMPLATES\2Q03_S390TEMPLATES\2Q_FLM_V23.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\2QTEMPLATES\2Q03_SAMTEMPLATES\2Q_REGION_V23NEWROADMAP.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\2QTEMPLATES\2Q03_S390TEMPLATES\2Q_SELLER_V23.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\2QTEMPLATES\2Q03_S390TEMPLATES\2Q_REGION_V23.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\2QTEMPLATES\2Q03_LOTTEMPLATES\2Q_AUTOFLM_V23.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\2QTEMPLATES\2Q03_S390TEMPLATES\2Q_SELLER_V23XTRA.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\2QTEMPLATES\2Q03_LOTTEMPLATES\2Q_FLM_V23.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\2QTEMPLATES\2Q03_S390TEMPLATES\2Q_REGION_V23NEWROADMAP.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\2QTEMPLATES\2Q03_LOTTEMPLATES\2Q_BUE_V23.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\2QTEMPLATES\2Q03_LOTTEMPLATES\2Q_GEO_V23.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\2QTEMPLATES\2Q03_LOTTEMPLATES\2Q_GEO_2400_V23.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\2QTEMPLATES\2Q03_LOTTEMPLATES\2Q_REGION_V23.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\2QTEMPLATES\2Q03_LOTTEMPLATES\2Q_REGION_2400_V23.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\2QTEMPLATES\2Q03_LOTTEMPLATES\2Q_SELLER_V23.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\2QTEMPLATES\2Q03_LOTTEMPLATES\2Q_REGION_2400_V23NEWROADMAP.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\2QTEMPLATES\2Q03_LOTTEMPLATES\2Q_REGION_V23NEWROADMAP.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\2QTEMPLATES\2Q03_CORETEMPLATES\NEW\2Q_GEO_2400_V23NEW.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\2003\2003PLAN\WEBSPHERE MGR QUOTA SUMMARY 041603 - BY PILLAR.EXE (Not cleaned & Submitted)

Statistics

Scanned:

Files: 81813

System: 5356

Not scanned: 15

Actions:

Disinfected: 23

Renamed: 1

Deleted: 0

Not cleaned: 110

Submitted: 106

Files not scanned:

C:\PAGEFILE.SYS

C:\HIBERFIL.SYS

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

C:\WINDOWS\SYSTEM32\CONFIG\SAM

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\ETILQS_W2WBMJSNBKBRRW0ECYAL

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\ETILQS_WGDW0UXEME2ESKKJE33U

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\HSPERFDATA_KARWOSKI\2104

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\HSPERFDATA_KARWOSKI\8484

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\CURRENT SESSION

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\CURRENT TABS

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\APPLICATION DATA\SKYPE\ETILQS_B62Z3O2AZTAATD3EFJAR

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\APPLICATION DATA\SKYPE\ETILQS_KGFWKJ15AWNSKCJHTEOX

Options

Scanning engines:

Scanning options:

Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR

Use advanced heuristics

======================================

Here are the results from running SecurityCheck.exe

======================================

Results of screen317's Security Check version 0.99.3

Windows XP Service Pack 3

Internet Explorer 6 Out of date!

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Disabled!

Antivirus up to date!

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

HijackThis 2.0.2

CCleaner

IBM 32-bit Runtime Environment for Java 2, v5.0

Java 6 Update 19

IBM 32-bit Runtime Environment for Java 2, v5.0

Adobe Flash Player 10

Adobe Reader 8.2.1

Japanese Fonts Support For Adobe Reader 8

````````````````````````````````

Process Check:

objlist.exe by Laurent

Malwarebytes' Anti-Malware mbamservice.exe

Malwarebytes' Anti-Malware mbamgui.exe

Symantec Client Security Symantec AntiVirus DefWatch.exe

Symantec Client Security Symantec AntiVirus SavRoam.exe

Symantec Client Security Symantec AntiVirus Rtvscan.exe

Symantec Client Security Symantec Client Firewall ISSVC.exe

Symantec Client Security Symantec Client Firewall SymSPort.exe

````````````````````````````````

DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)


  • Staff

Hi.

(1) Embedded links to URLs in IE are not passed onto IE when I double-click on them anymore. IE will open up, but the URL area stays blank. This used to work fine.
We'll address this and any residual problems after all malware has been removed.
(2) CDs/Magic Jack do not seem to auto-start anymore. Is this caused by the program called 'defogger' I was asked to run as one of my initial tasks to help rid this computer of malware?
It may be from defogger and you will run it again when you are clean.
(3) The only malware the Malwarebytes program seems to consistently find and quarantine anymore is this: "Disabled.SecurityCenter {date} Registry Data HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Data: 1)". Is this significant since I actually rely on the Symantec Firewall program, not Windows Firewall?
You can set that to ignore; it means the Windows Firewall is set to not notify that it is off, meaning that your firewall is working correctly.

Was the MBAM detection of the backdoor trojan from the protection module or from a scan? Update MBAM, run a Full Scan, and post its log.

Are you sure the file was c:\windows\system\iexplore.exe and not c:\windows\system32\iexplore.exe?

Next, please delete your copy of ComboFix, download the latest version from the same location as before, and save it to your Desktop. Run it and post its log. We'll take it from there.

-screen317


-screen317, hi again!

To answer your question "Was the MBAM detection of the backdoor trojan from the protection module or from a scan?"

ANSWER: Backdoor.Bot and, a few minutes later, Heuristics.Reserved.Word.Exploit were both identified by the Malwarebytes protection module. The files associated with these detections are both in the Windows\system32 subdirectory. The first file is iexplore.exe and the second is csrs.exe.

===========================================

Here is the Malwarebytes log showing when these were detected. I have left both files in quarantine.

===========================================

03:13:02 Karwoski MESSAGE Protection started successfully

03:13:06 Karwoski MESSAGE IP Protection started successfully

03:23:27 Karwoski MESSAGE IP Protection stopped

03:23:31 Karwoski MESSAGE Database updated successfully

03:23:32 Karwoski MESSAGE IP Protection started successfully

04:17:17 Karwoski IP-BLOCK 83.128.26.181

04:17:19 Karwoski IP-BLOCK 83.128.26.181

04:17:23 Karwoski IP-BLOCK 83.128.26.181

07:36:30 (null) MESSAGE Protection started successfully

07:37:07 (null) MESSAGE IP Protection started successfully

17:15:33 Karwoski DETECTION C:\WINDOWS\system32\iexplore.exe Backdoor.Bot QUARANTINE

17:15:33 Karwoski DETECTION C:\WINDOWS\system32\iexplore.exe Backdoor.Bot DENY

17:15:33 Karwoski DETECTION C:\WINDOWS\system32\iexplore.exe Backdoor.Bot DENY

17:15:34 Karwoski DETECTION C:\WINDOWS\system32\iexplore.exe Backdoor.Bot DENY

17:15:34 Karwoski DETECTION C:\WINDOWS\system32\iexplore.exe Backdoor.Bot DENY

17:22:46 Karwoski DETECTION C:\WINDOWS\system32\csrs.exe Heuristics.Reserved.Word.Exploit QUARANTINE

17:22:46 Karwoski DETECTION C:\WINDOWS\system32\csrs.exe Heuristics.Reserved.Word.Exploit DENY

17:22:46 Karwoski DETECTION C:\WINDOWS\system32\csrs.exe Heuristics.Reserved.Word.Exploit DENY

17:37:12 Karwoski MESSAGE IP Protection stopped

17:37:14 Karwoski MESSAGE IP Protection started successfully

To answer your question "Are you sure the file was c:\windows\system\iexplore.exe and not c:\windows\system32\iexplore.exe?"

ANSWER: My typo, sorry. The actual subdirectory was windows\system32.

I updated Malwarebytes, then ran a full scan for you. No malware was detected.

===========================================================================

I exited the Malwarebytes full scan report before saving it. Here is what shows in the saved log file from the scan:

===========================================================================

11:40:05 Karwoski MESSAGE Protection started successfully

11:40:10 Karwoski MESSAGE IP Protection started successfully

18:25:42 Karwoski MESSAGE IP Protection stopped

18:25:49 Karwoski MESSAGE Database updated successfully

18:25:50 Karwoski MESSAGE IP Protection started successfully

18:30:51 Karwoski MESSAGE Protection started successfully

18:31:15 Karwoski MESSAGE IP Protection started successfully

I deleted combofix.exe from my computer and downloaded a fresh version per your instructions. I then removed internet access from my computer and disabled both Malwarebytes and Symantec AntiVirus before running ComboFix.exe.

======================

Here is the log file from ComboFix:

======================

ComboFix 10-04-13.02 - Karwoski 04/13/2010 21:49:55.3.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.1891 [GMT -5:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FW: Symantec Client Firewall *enabled* {5CB76A43-5FAD-476B-B9FF-26FA61F13187}

.

((((((((((((((((((((((((( Files Created from 2010-03-14 to 2010-04-14 )))))))))))))))))))))))))))))))

.

2010-04-11 23:38 . 2010-04-11 23:38 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure

2010-04-10 23:33 . 2010-04-10 23:33 -------- d-----w- c:\program files\iPod

2010-04-10 23:33 . 2010-04-10 23:34 -------- d-----w- c:\program files\iTunes

2010-04-10 23:33 . 2010-04-10 23:34 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

2010-04-10 23:25 . 2010-04-10 23:26 -------- d-----w- c:\program files\QuickTime

2010-04-10 23:19 . 2010-04-10 23:19 -------- d-----w- c:\program files\Bonjour

2010-04-10 23:09 . 2010-04-10 23:09 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe

2010-04-10 18:22 . 2010-04-10 18:22 84912 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd311404.vdb\NAVENG.SYS

2010-04-10 18:22 . 2010-04-10 18:22 371248 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd311404.vdb\EECTRL.SYS

2010-04-10 18:22 . 2010-04-10 18:22 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd311404.vdb\CCERASER.DLL

2010-04-10 18:22 . 2010-04-10 18:22 259440 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd311404.vdb\ECMSVR32.DLL

2010-04-10 18:22 . 2010-04-10 18:22 177520 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd311404.vdb\NAVENG32.DLL

2010-04-10 18:22 . 2010-04-10 18:22 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd311404.vdb\NAVEX32A.DLL

2010-04-10 18:22 . 2010-04-10 18:22 1324720 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd311404.vdb\NAVEX15.SYS

2010-04-10 18:22 . 2010-04-10 18:22 102448 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd311404.vdb\ERASER.SYS

2010-04-10 08:13 . 2010-04-10 08:13 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\tjnet

2010-04-09 23:44 . 2010-02-26 23:51 6870864 ---ha-w- c:\documents and settings\Administrator\Application Data\mjusbsp\in00000\setup.exe

2010-04-09 23:43 . 2010-02-26 23:45 743872 ---ha-w- c:\documents and settings\Administrator\Application Data\mjusbsp\ar00000\install.exe

2010-04-09 21:55 . 2010-02-26 23:51 6870864 ---ha-w- c:\documents and settings\Administrator\Application Data\mjusbsp\Upgrade\setup1.exe

2010-04-09 21:55 . 2010-02-26 23:45 743872 ---ha-w- c:\documents and settings\Administrator\Application Data\mjusbsp\Upgrade\install1.exe

2010-04-09 21:54 . 2010-04-09 23:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\mjusbsp

2010-04-08 20:25 . 2001-08-18 03:36 87040 -c--a-w- c:\windows\system32\dllcache\wiafbdrv.dll

2010-04-08 20:25 . 2001-08-18 03:36 87040 ----a-w- c:\windows\system32\wiafbdrv.dll

2010-04-08 20:19 . 2010-04-08 20:19 -------- d-----w- c:\program files\Lexmark_ENA

2010-04-08 20:17 . 2003-09-23 08:32 69632 ----a-w- c:\windows\system32\lxbfscin.dll

2010-04-08 20:17 . 2010-04-08 20:25 -------- d-----w- c:\program files\Lexmark X6100 Series

2010-04-08 20:16 . 2010-04-08 20:16 -------- d-----w- C:\Lxk6100

2010-04-08 20:07 . 2006-12-23 08:10 188416 ----a-w- c:\windows\system32\ip9100pm.dll

2010-04-08 20:07 . 2010-04-08 20:07 -------- d-----w- c:\program files\Lexmark

2010-04-01 10:44 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

2010-03-31 18:26 . 2010-03-31 18:26 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2010-03-31 15:22 . 2010-03-31 15:22 -------- d-----w- c:\program files\Common Files\Skype

2010-03-31 02:14 . 2010-03-31 02:14 503808 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-11dd4151-n\msvcp71.dll

2010-03-31 02:14 . 2010-03-31 02:14 499712 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-11dd4151-n\jmc.dll

2010-03-31 02:14 . 2010-03-31 02:14 348160 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-11dd4151-n\msvcr71.dll

2010-03-31 02:14 . 2010-03-31 02:14 -------- d-----w- c:\program files\Common Files\Java

2010-03-31 02:14 . 2010-03-31 02:14 61440 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-55799c75-n\decora-sse.dll

2010-03-31 02:14 . 2010-03-31 02:14 12800 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-55799c75-n\decora-d3d.dll

2010-03-23 22:29 . 2010-03-24 01:13 -------- d-----w- c:\documents and settings\All Users\Application Data\BitDefender

2010-03-23 22:29 . 2010-03-23 22:29 -------- d-----w- c:\program files\BitDefender

2010-03-23 22:17 . 2010-03-24 01:13 -------- d-----w- c:\program files\Common Files\BitDefender

2010-03-22 00:54 . 2010-03-22 00:54 -------- d-----w- c:\windows\system32\Plugins3

2010-03-16 01:55 . 2010-03-16 01:55 -------- d-----w- c:\program files\Trend Micro

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-04-14 02:35 . 2010-02-24 18:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype

2010-04-13 23:32 . 2008-06-18 00:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM

2010-04-13 23:29 . 2008-06-17 20:58 28124 ----a-w- c:\windows\system32\nvModes.dat

2010-04-13 23:29 . 2005-04-05 17:21 -------- d-----w- c:\program files\C4ebreg

2010-04-13 23:27 . 2007-03-05 22:09 40 ----a-w- c:\windows\system32\profile.dat

2010-04-13 23:27 . 2009-12-28 00:19 1165968 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2010-04-13 19:41 . 2006-03-27 21:50 -------- d-----w- c:\program files\WST

2010-04-13 16:43 . 2009-12-03 21:18 -------- d-----w- c:\program files\AT&T Network Client

2010-04-13 14:25 . 2008-06-18 20:08 -------- d-----w- c:\program files\InfoSelect

2010-04-12 20:55 . 2006-01-24 00:45 -------- d-----w- c:\program files\Common Files\Symantec Shared

2010-04-12 01:18 . 2007-03-05 22:07 -------- d-----w- c:\program files\Symantec Client Security

2010-04-12 01:17 . 2008-06-29 16:14 -------- d-----w- c:\program files\RFA

2010-04-11 02:30 . 2008-09-07 17:01 -------- d-----w- c:\program files\Flickr Uploadr

2010-04-10 23:33 . 2008-06-20 13:43 -------- d-----w- c:\program files\Common Files\Apple

2010-04-08 21:01 . 2009-07-18 23:36 -------- d-----w- c:\program files\Microsoft Silverlight

2010-03-31 18:28 . 2010-02-24 07:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-03-31 02:13 . 2008-11-20 10:47 -------- d-----w- c:\program files\Java

2010-03-29 22:46 . 2010-02-24 07:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-29 22:45 . 2010-02-24 07:46 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-14 23:00 . 2010-03-14 23:00 -------- d-----w- c:\program files\Synology Data Replicator 3

2010-03-09 02:28 . 2008-11-20 10:48 411368 ----a-w- c:\windows\system32\deploytk.dll

2010-03-02 02:17 . 2008-12-12 02:39 -------- d-----w- c:\documents and settings\All Users\Application Data\TechSmith

2010-03-02 02:17 . 2008-06-20 22:26 -------- d-----w- c:\program files\TechSmith

2010-02-28 12:10 . 2009-12-20 16:31 -------- d-----w- c:\program files\Defraggler

2010-02-28 12:02 . 2008-06-20 23:36 -------- d-----w- c:\program files\CCleaner

2010-02-28 11:46 . 2008-06-29 16:14 -------- d-----w- c:\documents and settings\All Users\Application Data\RFA_Backups

2010-02-28 11:46 . 2010-02-28 11:46 331776 ----a-w- c:\windows\system32\config\systemprofile\ntuser.tmp

2010-02-28 11:45 . 2010-02-28 11:45 237568 ----a-w- c:\documents and settings\NetworkService\NTUSER.tmp

2010-02-28 11:45 . 2010-02-28 11:45 237568 ----a-w- c:\documents and settings\LocalService\ntuser.tmp

2010-02-26 23:51 . 2010-02-26 23:51 138584 ----a-w- c:\documents and settings\Administrator\Application Data\mjusbsp\ug00000\magicJack.dll

2010-02-26 23:51 . 2010-02-26 23:51 6870864 ----a-w- c:\documents and settings\Administrator\Application Data\mjusbsp\ug00000\setup.exe

2010-02-26 23:51 . 2010-02-26 23:51 705936 ----a-w- c:\documents and settings\Administrator\Application Data\mjusbsp\magicJackLoader.exe

2010-02-26 23:51 . 2010-02-26 23:51 480608 ----a-w- c:\documents and settings\Administrator\Application Data\mjusbsp\octvqe1_apiw.dll

2010-02-26 23:51 . 2010-02-26 23:51 214360 ----a-w- c:\documents and settings\Administrator\Application Data\mjusbsp\TjVista.dll

2010-02-26 23:50 . 2010-02-26 23:50 324952 ----a-w- c:\documents and settings\Administrator\Application Data\mjusbsp\TjIpSys.dll

2010-02-26 23:50 . 2010-02-26 23:50 615792 ----a-w- c:\documents and settings\Administrator\Application Data\mjusbsp\SJHandsetMagicJack.dll

2010-02-26 23:50 . 2010-02-26 23:50 87384 ----a-w- c:\documents and settings\Administrator\Application Data\mjusbsp\st00000\mjsetup.exe

2010-02-26 23:50 . 2010-02-26 23:50 138584 ----a-w- c:\documents and settings\Administrator\Application Data\mjusbsp\st00000\magicJack.dll

2010-02-26 23:50 . 2010-02-26 23:50 138584 ----a-w- c:\documents and settings\Administrator\Application Data\mjusbsp\magicJack.dll

2010-02-26 23:46 . 2010-02-26 23:46 12526424 ----a-w- c:\documents and settings\Administrator\Application Data\mjusbsp\magicJack.exe

2010-02-26 23:45 . 2010-02-26 23:45 743872 ----a-w- c:\documents and settings\Administrator\Application Data\mjusbsp\ug00000\install.exe

2010-02-26 23:45 . 2010-02-26 23:45 87384 ----a-w- c:\documents and settings\Administrator\Application Data\mjusbsp\in00000\mjsetup.exe

2010-02-26 23:45 . 2010-02-26 23:45 138584 ----a-w- c:\documents and settings\Administrator\Application Data\mjusbsp\in00000\magicJack.dll

2010-02-26 23:44 . 2010-02-26 23:44 138584 ----a-w- c:\documents and settings\Administrator\Application Data\mjusbsp\lr00000\magicJack.dll

2010-02-26 23:43 . 2010-02-26 23:43 441704 ----a-w- c:\documents and settings\Administrator\Application Data\mjusbsp\ug00000\magicJackSplash.exe

2010-02-26 23:43 . 2010-02-26 23:43 441704 ----a-w- c:\documents and settings\Administrator\Application Data\mjusbsp\st00000\magicJackSplash.exe

2010-02-26 23:43 . 2010-02-26 23:43 441704 ----a-w- c:\documents and settings\Administrator\Application Data\mjusbsp\magicJackSplash.exe

2010-02-26 23:43 . 2010-02-26 23:43 441704 ----a-w- c:\documents and settings\Administrator\Application Data\mjusbsp\in00000\magicJackSplash.exe

2010-02-26 23:43 . 2010-02-26 23:43 50520 ----a-w- c:\documents and settings\Administrator\Application Data\mjusbsp\cdloader2.exe

2010-02-25 18:11 . 2005-07-29 18:05 64792 ----a-w- c:\windows\isamunin.exe

2010-02-25 16:46 . 2010-02-25 16:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\WDPlugin

2010-02-24 18:50 . 2010-02-24 18:50 -------- d-----r- c:\program files\Skype

2010-02-24 18:50 . 2008-06-18 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype

2010-02-24 07:46 . 2010-02-24 07:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-02-24 07:46 . 2010-02-24 07:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-02-15 18:11 . 2008-06-18 19:55 -------- d-----w- c:\program files\Uedit

2010-02-15 16:53 . 2009-10-07 09:31 6400 ----a-w- c:\windows\system32\drivers\isamfilter.sys

2010-02-13 20:35 . 2005-04-04 17:43 86695 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat

2010-02-12 16:46 . 2010-02-12 16:46 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-02-12 16:46 . 2010-02-12 16:46 107808 ----a-w- c:\windows\system32\dns-sd.exe

2010-02-08 16:17 . 2008-06-24 14:03 65592 ---ha-w- c:\windows\system32\mlfcache.dat

2010-02-01 17:52 . 2010-02-05 14:48 15424 ----a-w- c:\documents and settings\All Users\Application Data\Lenovo\MessageCenterPlus\LocalRepository\Messages\MCPToLTT2\LTTCheck.exe

2010-01-26 12:03 . 2009-02-22 23:28 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-01-17 08:52 . 2005-04-04 18:17 85208 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-10-19 23:59 . 2010-03-23 22:42 47104 ----a-w- c:\program files\mozilla firefox\components\FFComm.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NetSP - restore settings on power failure"="c:\program files\AT&T Network Client\NetSP.exe" [2007-01-13 24576]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-23 68856]

"Folder View"="c:\program files\Folder View\folderview.exe" [2005-01-17 856576]

"Google Update"="c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-11-01 133104]

"LDTray"="c:\program files\Livescribe\Livescribe Desktop\LDTray.exe" [2009-12-16 647168]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-03-09 26100520]

"cdloader"="c:\documents and settings\Administrator\Application Data\mjusbsp\cdloader2.exe" [2010-02-26 50520]

"SODCPreLoad"="c:\program files\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.5.0.20090605-2002\preload.exe" [2009-08-28 40960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"pmonmh"="c:\program files\IBM\My Help\plugins\\com.ibm.myhelp.common_1.4.19" [X]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"stgclean"="c:\sdwork\w32main2.exe" [2010-04-07 299008]

"Tpam.exe"="c:\program files\IBM\Personal Communications\tpam.exe" [2005-09-06 28672]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]

"vptray"="c:\progra~1\SYMANT~2\SYMANT~2\VPTray.exe" [2006-09-27 125168]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-05 13549568]

"nwiz"="nwiz.exe" [2008-12-05 1630208]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]

"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2009-04-17 425984]

"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2009-04-17 172032]

"TpShocks"="TpShocks.exe" [2007-11-22 181536]

"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2009-04-16 417792]

"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-03-17 208896]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2008-07-03 118784]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-07-03 1323008]

"TPFNF7"="c:\progra~1\Lenovo\NPDIRECT\TPFNF7SP.exe" [2009-04-16 61728]

"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2009-03-13 68976]

"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2007-01-09 868352]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-11-16 127035]

"C4EBReg"="c:\program files\c4ebreg\c4ebreg.exe" [2010-02-25 482584]

"ISAMTray"="c:\program files\c4ebreg\isamtray.exe" [2010-02-25 285976]

"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-04-27 243248]

"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2009-01-29 185688]

"LPMailChecker"="c:\progra~1\THINKV~1\PrdCtr\LPMLCHK.exe" [2009-01-29 124248]

"AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-11-08 91688]

"ussshreg"="c:\progra~1\ULEADW~1.0\Ussshreg.exe" [1999-07-13 32768]

"SKDaemon.exe"="c:\program files\Lenovo\Productivity Keyboard\SKDaemon.exe" [2007-02-09 262144]

"Mouse Suite 98 Daemon"="ICO.EXE" [2004-07-14 57344]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-04-24 1036288]

"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-10-26 652624]

"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-09-14 1603152]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]

"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-06-13 73728]

"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE" [2007-05-21 124512]

"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]

"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]

"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-05 86016]

"ISSI Service"="c:\sdwork\issimsvc.exe" [2010-02-11 241392]

"Message Center Plus"="c:\program files\LENOVO\Message Center Plus\MCPLaunch.exe" [2009-05-28 49976]

"LENOVO.TPFNF6R"="c:\program files\Lenovo\HOTKEY\TPFNF6R.exe" [2009-04-14 15136]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"MyHelpService"="c:\program files\IBM\My Help\workspace\service\delayStart.exe" [2009-03-13 94208]

"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-09-26 185640]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]

"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2009-11-12 5106904]

"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2009-11-12 361632]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-04-02 40368]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-03-29 437584]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

hott notes 4.lnk - c:\program files\hott notes 4\hottnotes.exe [2007-5-15 1249280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-11-25 813584]

Snagit 10.lnk - c:\program files\TechSmith\Snagit 10\Snagit32.exe [2010-2-17 7042376]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoDevMgrUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2009-07-20 18:28 72208 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pcsinst]

2005-09-06 18:43 49152 ----a-w- c:\windows\system32\pcsinst.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]

2006-09-06 20:37 34344 ----a-w- c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"IBMconfig"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=

"c:\\Program Files\\Red Chair Software\\Anapod Explorer\\anamgr.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\InfoSelect\\is.exe"=

"c:\\Program Files\\IBM\\My Help\\jre\\bin\\myhelpw.exe"=

"c:\\Program Files\\IBM\\Lotus\\Symphony\\framework\\rcp\\eclipse\\plugins\\com.ibm.rcp.base_6.2.0.20090505-1200\\win32\\x86\\symphony.exe"=

"c:\\Program Files\\IBM\\Lotus\\Sametime Connect\\rcp\\eclipse\\plugins\\com.ibm.rcp.jcl.desktop.win32.x86_6.2.0.200810071032\\jre\\bin\\sametime80w.exe"=

"c:\\Program Files\\AT&T Network Client\\NetClient.exe"=

"c:\\Program Files\\Synology\\Assistant\\DSAssistant.exe"=

"c:\\Program Files\\NetMeeting\\conf.exe"=

"c:\\Documents and Settings\\Administrator\\Application Data\\mjusbsp\\magicJack.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 tdrpman258;Acronis Try&Decide and Restore Points filter (build 258);c:\windows\system32\drivers\tdrpm258.sys [1/7/2010 1:03 PM 911680]

R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [10/16/2007 1:32 PM 19504]

R2 afcdpsrv;Acronis Nonstop Backup service;c:\program files\Common Files\Acronis\CDP\afcdpsrv.exe [1/7/2010 1:03 PM 2480048]

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [9/26/2009 12:32 AM 189736]

R3 afcdp;afcdp;c:\windows\system32\drivers\afcdp.sys [1/7/2010 1:03 PM 160288]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/27/2009 12:26 PM 102448]

R3 IsamFilter;IsamFilter;c:\windows\system32\drivers\isamfilter.sys [10/7/2009 4:31 AM 6400]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2/24/2010 2:46 AM 20824]

S2 AdeonaClientService;AdeonaClientService;c:\program files\Adeona\cygrunsrv.exe [7/13/2008 2:30 PM 68096]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/8/2010 2:40 AM 135664]

S3 PulseUsb;Livescribe Pulse Smartpen USB Driver;c:\windows\system32\drivers\PulseUsb.sys [10/16/2009 6:55 AM 20096]

S3 Slnt7554;USB Soft Modem Driver;c:\windows\system32\drivers\slnt7554.sys [8/3/2009 4:26 PM 129535]

S3 SmartpenBus;Smartpen Enumerator;c:\windows\system32\DRIVERS\SmartpenBus.sys --> c:\windows\system32\DRIVERS\SmartpenBus.sys [?]

S3 SmartpenCom;Smartpen Communications;c:\windows\system32\DRIVERS\SmartpenCom.sys --> c:\windows\system32\DRIVERS\SmartpenCom.sys [?]

S3 ZSMC0303;VIMICRO USB PC Camera (VC0303);c:\windows\system32\drivers\usbVM303.sys [9/27/2006 1:48 PM 391949]

.

Contents of the 'Scheduled Tasks' folder

2010-04-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-08 07:40]

2010-04-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-08 07:40]

2010-04-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2653012379-1038974990-1957949151-500Core.job

- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-01 19:01]

2010-04-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2653012379-1038974990-1957949151-500UA.job

- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-01 19:01]

2010-04-13 c:\windows\Tasks\PMTask.job

- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2008-04-25 18:41]

2010-04-14 c:\windows\Tasks\Synology Data Replicator 3-IBM-5F4A0AF30B8-Karwoski.job

- c:\program files\Synology Data Replicator 3\Backup.exe [2010-03-14 22:58]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://w3.ibm.com/

uLocal Page = c:\windows\pchealth\helpctr\System\panels\blank.htm

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

mLocal Page = c:\windows\pchealth\helpctr\System\panels\blank.htm

uInternet Connection Wizard,ShellNext = hxxp://w3.ibm.com/

uInternet Settings,ProxyOverride = w3-501.ibm.com;<local>;*.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\2007\Office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm

IE: Send To Bluetooth - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm

TCP: interfaces = 9.0.8.1,9.0.9.1

DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.8.1/GarminAxControl.CAB

DPF: Microsoft XML Parser for Java

DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB

DPF: {5C0E257E-9DFE-4955-AA93-0A9B166BAB50} - hxxp://192.168.1.199:5000/surveillance/object/SSObject.cab

DPF: {8C28EFD7-767B-11D1-844B-0060972DC2AC} - hxxps://w3-03.ibm.com/Hyperion/zeroadmin/component/Brio.Insight.en.cab

DPF: {9519B2A2-6592-4E41-8290-D0298459270C} - hxxp://w3.ibm.com/bluepages/scripts/lnwebassist.cab

DPF: {A4B28810-11A2-4956-82D1-B2DCBA4B2AFD} - hxxp://w3.ibm.com/tools/print/plugin/gpwsx.cab

DPF: {BA7A56EB-D1B9-443B-96E9-086532A378F1} - hxxp://karmor.endoftheinternet.org:9876/activex/decoder/aac_dec.cab

DPF: {C32FE9F1-A857-48B0-B7BF-065B5792F28D} - hxxp://karmor.endoftheinternet.org:9875/activex/decoder/intel_mpeg4_dec.cab

DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://karmor.endoftheinternet.org:9876/activex/AMC.cab

DPF: {E734BF43-7194-4E3A-832F-307606DDF665} - hxxps://cs.conferenceservers.com/components/WDPLUGIN.CAB

DPF: {E765747B-A0E4-4BD4-93E4-EA0E3500D57C} - hxxps://w3-03.ibm.com/software/executiveutilities/pdm/plugin/PDMPlugin.cab

FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\k0a2h1sk.default\

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-Lexmark X6100 Series - c:\program files\Lexmark X6100 Series\lxbfbmgr.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-04-13 22:02

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

LDTray = c:\program files\Livescribe\Livescribe Desktop\LDTray.exe

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(936)

c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

c:\program files\common files\logishrd\bluetooth\LBTServ.dll

c:\windows\system32\pcsinst.dll

- - - - - - - > 'explorer.exe'(4796)

c:\program files\Folder View\dialhk.dll

c:\program files\Logitech\SetPoint\lgscroll.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-04-13 22:06:21

ComboFix-quarantined-files.txt 2010-04-14 03:06

ComboFix2.txt 2010-04-08 09:07

ComboFix3.txt 2010-04-04 17:55

Pre-Run: 339,185,455,104 bytes free

Post-Run: 339,452,968,960 bytes free

- - End Of File - - BB5ADA55BB7DE4BF7E1DA48C402CF6D6

Thanks for your help....................John


  • Staff

Hi John,

Let's check for hidden infections.

Please run a GMER Rootkit scan:

Download GMER's application from here:

http://www.gmer.net/gmer.zip

Unzip it and start the GMER.exe

Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.

This will copy the results to your clipboard.

Paste the results in your next reply.

Warning! Please do not select the "Show all" checkbox during the scan.


-screen317

OK, here is what I have done so far:

(1) Started computer normally. D/L'ed gmer.exe and ran it. Before it completed I received a BSOD mentioning the file awgyrkob.sys and the error message page_fault_in_nonpaged_area.

(2) Powered down computer. Re-started and let it do a full normal boot. Then did normal shut down.

(3) Started computer in safe mode, no network. Started gmer.exe. Before it completed I received another BSOD with error message PFN_LIST_CORRUPT.

(4) Powered down computer. Re-started and let it do a full normal boot. Then did normal shut down.

(5) Started computer in safe mode, no network, again. Ran gmer.exe again. This time it ran through to completion without the BSOD appearing. Here are the copied gmer messages:

==============================================

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-04-18 15:37:08

Windows 5.1.2600 Service Pack 3

Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\awgyrkob.sys

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs tdrpm258.sys (Acronis Try&Decide Volume Filter Driver/Acronis)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 tdrpm258.sys (Acronis Try&Decide Volume Filter Driver/Acronis)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001e4cfd933f

Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001e4cfd933f (not active ControlSet)

---- EOF - GMER 1.0.15 ----

==========================================

The above looks innocuous to me, so I will try running gmer.exe again after a normal Windows startup.

John


  • Staff

Hi John,

Yes please disable all protection programs before trying again in Normal Mode.

If no joy, write the entire message of the blue screen, post it here, then download RootRepeal from one of the following locations and save it to your desktop:

Link 1 Link 2 Link 3

  • Double click rr_DesktopIcon.png to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the rr_Scan.png button
  • In the Select Scan dialog, check:

    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
    • Shadow SSDT

  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan

    Note: The scan can take some time. DO NOT run any other programs while the scan is running.

  • When the scan is complete, click the rr_SaveReport.png button and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program

If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead. To attach a file, do the following:

  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on attach_add.png to insert the attachment into your post

-screen317


-screen317

I have successfully run GMER after booting into normal mode, disabling internet access, disabling my malware scanning programs, and closing some programs from the taskbar that were running in the background (Skype, Quickcam, etc).

The data copied from GMER into my editor is very wide, so I have attached this text file rather than pasting the data into the posting.

You appear to ask me to run RootRepeal only if I am unable to run GMER, so I have not run RootRepeal yet and await further instructions from you. As always, thanks for your help.

John

GMER_report_02.txt


Sure thing, -screen317

Ran GMER, Sections only, after normal boot-up. Disconnected internet and disabled malware scanners before I started the program. Here is its log:

=============================

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-04-27 07:31:22

Windows 5.1.2600 Service Pack 3

Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\awgyrkob.sys

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB63C2360, 0x388D2D, 0xE8000020]

---- EOF - GMER 1.0.15 ----

==============================

I rebooted, then ran Malwarebytes Quick Scan after getting the program's latest update. Here is its log:

=================================

Malwarebytes' Anti-Malware 1.45

www.malwarebytes.org

Database version: 4041

Windows 5.1.2600 Service Pack 3

Internet Explorer 6.0.2900.5512

4/27/2010 8:13:50 AM

mbam-log-2010-04-27 (08-13-50).txt

Scan type: Quick scan

Objects scanned: 115151

Time elapsed: 9 minute(s), 2 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

=================================

Malwarebytes last detected and quarantined files on April 23. On that day it detected Trojan.Agent Issas.exe and Backdoor.bot iexplore.exe, both in the windows\system32 subdirectory. I have left all found malicious files in the Malwarebytes Quarantine because you have not suggested that I delete them and you might ask about this activity (as you have done today :-) ).

No more malicious files detected since then, but at least a couple of times a day I see a Malwarebytes protection module pop-up window informing me that access to a malicious IP address has been blocked. I haven't written down the IP addresses provided, but here is a sample log from 2010-04-26 showing what I expect are that day's blocked IP addresses.

=================================

06:40:50 Karwoski MESSAGE Protection started successfully

06:40:56 Karwoski MESSAGE IP Protection started successfully

07:23:45 (null) MESSAGE Protection started successfully

07:24:27 (null) MESSAGE IP Protection started successfully

16:06:31 Karwoski MESSAGE Protection started successfully

16:06:38 Karwoski MESSAGE IP Protection started successfully

16:29:47 Karwoski MESSAGE IP Protection stopped

16:29:51 Karwoski MESSAGE Database updated successfully

16:29:53 Karwoski MESSAGE IP Protection started successfully

17:10:31 Karwoski IP-BLOCK 89.28.0.28

17:10:33 Karwoski IP-BLOCK 89.28.0.28

17:10:37 Karwoski IP-BLOCK 89.28.0.28

20:00:50 Karwoski IP-BLOCK 89.28.41.202

20:00:52 Karwoski IP-BLOCK 89.28.41.202

20:00:56 Karwoski IP-BLOCK 89.28.41.202

===========================================

Thanks for your time and your help!!!

John aka Karmor

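As an added example (not from the thread, and not Malwarebytes' own code), a small Python parser for the protection-log format quoted above: it counts IP-BLOCK events per address, tallies detections per path and action, and flags file names that imitate system binaries by glyph swapping (winIogon.exe for winlogon.exe). The look-alike check and the KNOWN_NAMES list are my own heuristic, not something the tool reports; the sample lines are constructed in the thread's format.

```python
import re
from collections import Counter, defaultdict

# Record shape of the Malwarebytes protection log quoted in this thread:
# "HH:MM:SS <user> <TYPE> <details>", TYPE being MESSAGE, DETECTION or IP-BLOCK.
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2})\s+(\S+)\s+(MESSAGE|DETECTION|IP-BLOCK)\s+(.*)$")

# Assumed list of names that malware imitates by swapping look-alike glyphs (I or 1 for l).
KNOWN_NAMES = {"winlogon.exe", "lsass.exe", "svchost.exe", "services.exe", "explorer.exe"}

def parse_line(line):
    """Return (time, user, kind, details) for one log record, or None for other text."""
    m = LINE_RE.match(line.strip())
    return m.groups() if m else None

def lookalike_of(basename):
    """Return the legitimate name a basename imitates, or None (heuristic)."""
    canon = basename.replace("I", "l").replace("1", "l").lower()
    return canon if canon in KNOWN_NAMES and basename.lower() != canon else None

def summarise(lines):
    """Count blocks per IP and detections per path; flag look-alike file names."""
    blocks = Counter()
    detections = defaultdict(Counter)   # path -> Counter(action)
    lookalikes = {}                     # path -> name it imitates
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        _, _, kind, details = rec
        if kind == "IP-BLOCK":
            blocks[details.split()[0]] += 1
        elif kind == "DETECTION":
            # details are "<path> <threat> <action>"; the path itself may contain spaces
            path, _threat, action = details.rsplit(" ", 2)
            detections[path][action] += 1
            target = lookalike_of(path.rsplit("\\", 1)[-1])
            if target:
                lookalikes[path] = target
    return {"blocks": dict(blocks),
            "detections": {p: dict(c) for p, c in detections.items()},
            "lookalikes": lookalikes}

# Constructed sample in the thread's log format (not the poster's full log).
SAMPLE_LOG = """\
16:29:53 Karwoski MESSAGE IP Protection started successfully
17:10:31 Karwoski IP-BLOCK 89.28.0.28
17:10:33 Karwoski IP-BLOCK 89.28.0.28
17:10:37 Karwoski IP-BLOCK 89.28.0.28
14:13:45 Karwoski DETECTION C:\\WINDOWS\\system32\\winIogon.exe Backdoor.Bot QUARANTINE
14:13:45 Karwoski DETECTION C:\\WINDOWS\\system32\\winIogon.exe Backdoor.Bot DENY
20:00:50 Karwoski IP-BLOCK 89.28.41.202
"""

if __name__ == "__main__":
    print(summarise(SAMPLE_LOG.splitlines()))
```

Repeated blocks of the same address a few seconds apart, as in the sample, indicate a process retrying the connection rather than a one-off; the summary makes that pattern visible without reading the whole log.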
