Tech Support Forum - View Single Post - Need help - TrojanDownloader.Win32.Zlob.ci and privacy protection pop ups

ijjit · 12-04-2007, 09:19 PM

This is the combofix.exe log

ComboFix 07-12-02.7 - Jason 2007-12-04 23:05:21.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.472 [GMT -5:00]
Running from: C:\Documents and Settings\Jason\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\dat.txt
C:\WINDOWS\rs.txt

.
((((((((((((((((((((((((( Files Created from 2007-11-05 to 2007-12-05 )))))))))))))))))))))))))))))))
.

2007-12-04 22:48 . 2007-12-04 22:48 6,056 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-02 22:33 . 2007-12-02 22:33 <DIR> d-------- C:\Deckard
2007-11-25 22:34 . 2007-11-25 22:39 <DIR> d-------- C:\ie-spyad_zo
2007-11-25 22:27 . 2007-12-04 22:58 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-11-25 22:27 . 2005-08-25 18:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2007-11-25 22:27 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2007-11-25 22:12 . 2007-11-25 22:12 <DIR> d-------- C:\Program Files\CCleaner
2007-11-25 21:30 . 2007-11-26 00:54 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-11-25 21:30 . 2007-11-25 21:30 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-11-25 21:30 . 2007-11-25 21:30 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-11-25 21:30 . 2007-11-25 21:30 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-11-25 21:06 . 2007-11-25 21:06 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-25 20:48 . 2007-11-25 20:48 28,672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-11-25 20:47 . 2007-11-25 20:47 <DIR> d-------- C:\Documents and Settings\Jason\Application Data\WholeSecurity
2007-11-25 09:33 . 2007-11-25 09:33 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-11-25 09:33 . 2007-12-02 10:54 <DIR> d-------- C:\Documents and Settings\Jason\Application Data\AVG7
2007-11-25 09:32 . 2007-12-04 22:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-11-07 22:43 . 2007-11-07 22:46 511 --a------ C:\hpfr3320.xml
2007-11-07 22:39 . 2007-11-14 03:10 <DIR> d-------- C:\Program Files\Hewlett-Packard
2007-11-07 22:37 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-11-07 22:37 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\dllcache\usbprint.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-02 15:50 --------- d-----w C:\Program Files\Google
2007-11-26 03:53 --------- d-----w C:\Program Files\Windows Defender
2007-11-26 03:53 --------- d-----w C:\Program Files\ThinkVantage Fingerprint Software
2007-11-26 03:51 --------- d-----w C:\Program Files\Picasa2
2007-11-26 03:48 --------- d-----w C:\Program Files\Digital Line Detect
2007-11-26 03:48 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-26 03:47 --------- d-----w C:\Program Files\Common Files\Lenovo
2007-11-18 18:02 --------- d-----w C:\Documents and Settings\Jason\Application Data\BitTorrent
2007-10-14 22:56 --------- d-----w C:\Program Files\BitTorrent
.

((((((((((((((((((((((((((((( snapshot@2007-11-25_20.56.48.29 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-08 21:59:01 136,704 ----a-w C:\WINDOWS\catchme.exe
+ 2007-11-27 08:58:11 140,288 ----a-w C:\WINDOWS\catchme.exe
+ 2007-03-13 15:57:10 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2007-03-29 14:20:50 110,592 ----a-w C:\WINDOWS\system32\ActiveScan\as.dll
+ 2006-10-05 21:15:26 233,472 ----a-w C:\WINDOWS\system32\ActiveScan\ascontrol.dll
+ 2005-06-03 19:03:18 96,256 ----a-w C:\WINDOWS\system32\ActiveScan\asmdat.dll
+ 2003-08-01 16:00:16 36,864 ----a-w C:\WINDOWS\system32\ActiveScan\certdll.dll
+ 2005-05-20 18:42:44 86,016 ----a-w C:\WINDOWS\system32\ActiveScan\instlsp.dll
+ 2006-02-16 23:20:20 4,608 ----a-w C:\WINDOWS\system32\ActiveScan\memvfile.dll
+ 2005-10-25 23:08:32 348,160 ----a-w C:\WINDOWS\system32\ActiveScan\msvcr71.dll
+ 2004-05-04 20:01:02 139,264 ----a-w C:\WINDOWS\system32\ActiveScan\pavaleas.dll
+ 2006-07-14 18:04:10 45,056 ----a-w C:\WINDOWS\system32\ActiveScan\pavdr.exe
+ 2006-04-10 15:50:02 159,832 ----a-w C:\WINDOWS\system32\ActiveScan\pavexcom.dll
+ 2006-02-14 18:05:38 94,208 ----a-w C:\WINDOWS\system32\ActiveScan\pavinas.dll
+ 2006-02-16 23:35:38 180,224 ----a-w C:\WINDOWS\system32\ActiveScan\pavoe.dll
+ 2006-10-05 21:15:38 122,880 ----a-w C:\WINDOWS\system32\ActiveScan\pavpz.dll
+ 2006-06-30 19:13:38 8,704 ----a-w C:\WINDOWS\system32\ActiveScan\pfdnnt.exe
+ 2004-02-04 19:08:42 49,152 ----a-w C:\WINDOWS\system32\ActiveScan\port32.dll
+ 2006-08-01 18:23:10 69,632 ----a-w C:\WINDOWS\system32\ActiveScan\pscpu.dll
+ 2006-08-23 18

08 1,388,544 ----a-w C:\WINDOWS\system32\ActiveScan\pskahk.dll
+ 2006-08-17 16:38:14 10,752 ----a-w C:\WINDOWS\system32\ActiveScan\pskalloc.dll
+ 2006-09-04 16:49:54 61,440 ----a-w C:\WINDOWS\system32\ActiveScan\pskas.dll
+ 2006-08-18 13:46:18 779,264 ----a-w C:\WINDOWS\system32\ActiveScan\pskavs.dll
+ 2007-03-26 19:25:34 417,792 ----a-w C:\WINDOWS\system32\ActiveScan\pskcmp.dll
+ 2006-08-09 15:42:24 90,112 ----a-w C:\WINDOWS\system32\ActiveScan\pskfss.dll
+ 2006-07-19 15:55:58 208,896 ----a-w C:\WINDOWS\system32\ActiveScan\pskhtml.dll
+ 2006-01-20 21:57:00 9,728 ----a-w C:\WINDOWS\system32\ActiveScan\pskmas.dll
+ 2006-05-17 14:50:12 14,336 ----a-w C:\WINDOWS\system32\ActiveScan\pskmdfs.dll
+ 2006-08-16 15:58:12 33,280 ----a-w C:\WINDOWS\system32\ActiveScan\pskpack.dll
+ 2006-06-30 19:42:36 266,240 ----a-w C:\WINDOWS\system32\ActiveScan\pskscs.dll
+ 2006-08-17 19:33:14 62,976 ----a-w C:\WINDOWS\system32\ActiveScan\pskutil.dll
+ 2006-08-08 18:13:10 13,312 ----a-w C:\WINDOWS\system32\ActiveScan\pskvfile.dll
+ 2006-08-18 13:53:08 69,632 ----a-w C:\WINDOWS\system32\ActiveScan\pskvfs.dll
+ 2006-08-18 13:49:50 167,936 ----a-w C:\WINDOWS\system32\ActiveScan\pskvm.dll
+ 2007-04-18 22:16:04 353,840 ----a-w C:\WINDOWS\system32\ActiveScan\psscan.dll
+ 2007-01-22 19:42:48 35,328 ----a-w C:\WINDOWS\system32\ActiveScan\rawvfile.dll
+ 1997-09-18 11:12:32 9,488 ----a-w C:\WINDOWS\system32\ActiveScan\sporder.dll
+ 2006-02-28 22:23:40 69,632 ----a-w C:\WINDOWS\system32\ActiveScan\tcpvfile.dll
+ 2006-08-02 17:39:06 73,728 ----a-w C:\WINDOWS\system32\asuninst.exe
- 2007-11-25 05:00:00 5,427 ----a-w C:\WINDOWS\system32\EGATHDRV.SYS
+ 2007-12-02 15:50:46 5,427 ----a-w C:\WINDOWS\system32\EGATHDRV.SYS
- 2007-03-15 22:19:28 1,476,992 ------w C:\WINDOWS\system32\LegitCheckControl.dll
+ 2007-10-11 19:12:48 1,468,968 ------w C:\WINDOWS\system32\LegitCheckControl.dll
- 2006-12-10 18:10:02 14,640 ------w C:\WINDOWS\system32\spmsg.dll
+ 2007-10-08 19:46:18 14,640 ------w C:\WINDOWS\system32\spmsg.dll
+ 2003-03-25 23:53:50 11,776 ----a-w C:\WINDOWS\system32\ZPORT4AS.dll
+ 2007-12-05 04:09:12 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_15c.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PWRMGRTR"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2006-05-25 11:13]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2006-05-25 11:13]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 00:17]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 00:16]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2006-02-23 12:22]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2006-06-03 01:00]
"TpShocks"="TpShocks.exe" [2006-03-15 22:04 C:\WINDOWS\system32\TpShocks.exe]
"TPHOTKEY"="C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-07-24 20:19]
"TP4EX"="tp4ex.exe" [2005-10-17 04:11 C:\WINDOWS\system32\TP4EX.exe]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-19 19:11]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2005-05-06 18:06]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-07-25 01:21]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-07-25 01:17]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-07-25 01:21]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-07-23 17:32]
"LPManager"="C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe" [2006-07-04 11:11]
"TVT Scheduler Proxy"="C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2006-07-14 21:05]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 02:43]
"AMSG"="C:\Program Files\ThinkVantage\AMSG\Amsg.exe" [2005-11-14 01:23]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2006-02-02 08:20]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 19:50]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 19:50]
"AwaySch"="C:\Program Files\Lenovo\AwayTask\AwaySch.EXE" [2006-08-16 12:07]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 12:21]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe" [2005-08-18 20:22]
"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-05-18 19:24]
"ACTray"="C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe" [2006-08-26 03:22]
"ACWLIcon"="C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2006-08-26 03:17]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2006-03-15 18:07]
"PDService.exe"="C:\Program Files\Lenovo\SafeGuard PrivateDisk\pdservice.exe" [2006-03-13 19:38]
"cssauth"="C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" [2006-07-14 21:13]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 17:20]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 10:09]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-12-07 12:03:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AwayNotify]
C:\Program Files\Lenovo\AwayTask\AwayNotify.dll 2006-08-16 12:07 49152 C:\Program Files\Lenovo\AwayTask\AwayNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
psqlpwd.dll 2006-04-25 22:20 40448 C:\WINDOWS\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
notifyf2.dll 2005-07-05 09:45 28672 C:\WINDOWS\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
tphklock.dll 2005-11-30 06:16 24576 C:\WINDOWS\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

R0 Shockprf;Shockprf;C:\WINDOWS\system32\drivers\Shockprf.sys
R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS
R1 IBMTPCHK;IBMTPCHK;\??\C:\WINDOWS\system32\Drivers\IBMBLDID.sys
R1 ShockMgr;ShockMgr;C:\WINDOWS\system32\drivers\ShockMgr.sys
R1 TPPWRIF;TPPWRIF;C:\WINDOWS\system32\drivers\Tppwrif.sys
R2 PrivateDisk;PrivateDisk;\??\C:\Program Files\Lenovo\SafeGuard PrivateDisk\PrivateDiskM.sys
R2 smi2;smi2;\??\C:\Program Files\SMI2\smi2.sys
R2 smihlp;SMI helper driver;\??\C:\Program Files\ThinkVantage Fingerprint Software\smihlp.sys
R3 AEAudioService;AEAudio Service;C:\WINDOWS\system32\drivers\AEAudio.sys
R3 atmeltpm;atmeltpm;C:\WINDOWS\system32\DRIVERS\atmeltpm.sys
R3 EraserUtilDrvI2;EraserUtilDrvI2;\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI2.sys
R3 TcUsb;TC USB Kernel Driver;C:\WINDOWS\system32\Drivers\tcusb.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-07 20:09:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-05 03:58:04 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-12-05 04:09:59 C:\WINDOWS\Tasks\PMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE
"2007-01-14 10:28:42 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-04 23:10:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-04 23:12:16 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-25 20:57
.
--- E O F ---

12-04-2007, 09:19 PM	#6 (permalink)
ijjit Registered User Join Date: Dec 2007 Posts: 10 OS: Windows XP Service Pack 2	Re: Need help - TrojanDownloader.Win32.Zlob.ci and privacy protection pop ups This is the combofix.exe log ComboFix 07-12-02.7 - Jason 2007-12-04 23:05:21.2 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.472 [GMT -5:00] Running from: C:\Documents and Settings\Jason\Desktop\ComboFix.exe * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\WINDOWS\dat.txt C:\WINDOWS\rs.txt . ((((((((((((((((((((((((( Files Created from 2007-11-05 to 2007-12-05 ))))))))))))))))))))))))))))))) . 2007-12-04 22:48 . 2007-12-04 22:48 6,056 --a------ C:\WINDOWS\system32\tmp.reg 2007-12-02 22:33 . 2007-12-02 22:33 <DIR> d-------- C:\Deckard 2007-11-25 22:34 . 2007-11-25 22:39 <DIR> d-------- C:\ie-spyad_zo 2007-11-25 22:27 . 2007-12-04 22:58 <DIR> d-------- C:\Program Files\SpywareBlaster 2007-11-25 22:27 . 2005-08-25 18:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL 2007-11-25 22:27 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX 2007-11-25 22:12 . 2007-11-25 22:12 <DIR> d-------- C:\Program Files\CCleaner 2007-11-25 21:30 . 2007-11-26 00:54 <DIR> d-------- C:\WINDOWS\system32\ActiveScan 2007-11-25 21:30 . 2007-11-25 21:30 30,590 --a------ C:\WINDOWS\system32\pavas.ico 2007-11-25 21:30 . 2007-11-25 21:30 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico 2007-11-25 21:30 . 2007-11-25 21:30 1,406 --a------ C:\WINDOWS\system32\Help.ico 2007-11-25 21:06 . 2007-11-25 21:06 <DIR> d-------- C:\Program Files\Trend Micro 2007-11-25 20:48 . 2007-11-25 20:48 28,672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys 2007-11-25 20:47 . 2007-11-25 20:47 <DIR> d-------- C:\Documents and Settings\Jason\Application Data\WholeSecurity 2007-11-25 09:33 . 2007-11-25 09:33 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7 2007-11-25 09:33 . 2007-12-02 10:54 <DIR> d-------- C:\Documents and Settings\Jason\Application Data\AVG7 2007-11-25 09:32 . 2007-12-04 22:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7 2007-11-07 22:43 . 2007-11-07 22:46 511 --a------ C:\hpfr3320.xml 2007-11-07 22:39 . 2007-11-14 03:10 <DIR> d-------- C:\Program Files\Hewlett-Packard 2007-11-07 22:37 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys 2007-11-07 22:37 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\dllcache\usbprint.sys . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-12-02 15:50 --------- d-----w C:\Program Files\Google 2007-11-26 03:53 --------- d-----w C:\Program Files\Windows Defender 2007-11-26 03:53 --------- d-----w C:\Program Files\ThinkVantage Fingerprint Software 2007-11-26 03:51 --------- d-----w C:\Program Files\Picasa2 2007-11-26 03:48 --------- d-----w C:\Program Files\Digital Line Detect 2007-11-26 03:48 --------- d-----w C:\Program Files\Common Files\Symantec Shared 2007-11-26 03:47 --------- d-----w C:\Program Files\Common Files\Lenovo 2007-11-18 18:02 --------- d-----w C:\Documents and Settings\Jason\Application Data\BitTorrent 2007-10-14 22:56 --------- d-----w C:\Program Files\BitTorrent . ((((((((((((((((((((((((((((( snapshot@2007-11-25_20.56.48.29 ))))))))))))))))))))))))))))))))))))))))) . - 2007-11-08 21:59:01 136,704 ----a-w C:\WINDOWS\catchme.exe + 2007-11-27 08:58:11 140,288 ----a-w C:\WINDOWS\catchme.exe + 2007-03-13 15:57:10 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE + 2007-03-29 14:20:50 110,592 ----a-w C:\WINDOWS\system32\ActiveScan\as.dll + 2006-10-05 21:15:26 233,472 ----a-w C:\WINDOWS\system32\ActiveScan\ascontrol.dll + 2005-06-03 19:03:18 96,256 ----a-w C:\WINDOWS\system32\ActiveScan\asmdat.dll + 2003-08-01 16:00:16 36,864 ----a-w C:\WINDOWS\system32\ActiveScan\certdll.dll + 2005-05-20 18:42:44 86,016 ----a-w C:\WINDOWS\system32\ActiveScan\instlsp.dll + 2006-02-16 23:20:20 4,608 ----a-w C:\WINDOWS\system32\ActiveScan\memvfile.dll + 2005-10-25 23:08:32 348,160 ----a-w C:\WINDOWS\system32\ActiveScan\msvcr71.dll + 2004-05-04 20:01:02 139,264 ----a-w C:\WINDOWS\system32\ActiveScan\pavaleas.dll + 2006-07-14 18:04:10 45,056 ----a-w C:\WINDOWS\system32\ActiveScan\pavdr.exe + 2006-04-10 15:50:02 159,832 ----a-w C:\WINDOWS\system32\ActiveScan\pavexcom.dll + 2006-02-14 18:05:38 94,208 ----a-w C:\WINDOWS\system32\ActiveScan\pavinas.dll + 2006-02-16 23:35:38 180,224 ----a-w C:\WINDOWS\system32\ActiveScan\pavoe.dll + 2006-10-05 21:15:38 122,880 ----a-w C:\WINDOWS\system32\ActiveScan\pavpz.dll + 2006-06-30 19:13:38 8,704 ----a-w C:\WINDOWS\system32\ActiveScan\pfdnnt.exe + 2004-02-04 19:08:42 49,152 ----a-w C:\WINDOWS\system32\ActiveScan\port32.dll + 2006-08-01 18:23:10 69,632 ----a-w C:\WINDOWS\system32\ActiveScan\pscpu.dll + 2006-08-23 1808 1,388,544 ----a-w C:\WINDOWS\system32\ActiveScan\pskahk.dll + 2006-08-17 16:38:14 10,752 ----a-w C:\WINDOWS\system32\ActiveScan\pskalloc.dll + 2006-09-04 16:49:54 61,440 ----a-w C:\WINDOWS\system32\ActiveScan\pskas.dll + 2006-08-18 13:46:18 779,264 ----a-w C:\WINDOWS\system32\ActiveScan\pskavs.dll + 2007-03-26 19:25:34 417,792 ----a-w C:\WINDOWS\system32\ActiveScan\pskcmp.dll + 2006-08-09 15:42:24 90,112 ----a-w C:\WINDOWS\system32\ActiveScan\pskfss.dll + 2006-07-19 15:55:58 208,896 ----a-w C:\WINDOWS\system32\ActiveScan\pskhtml.dll + 2006-01-20 21:57:00 9,728 ----a-w C:\WINDOWS\system32\ActiveScan\pskmas.dll + 2006-05-17 14:50:12 14,336 ----a-w C:\WINDOWS\system32\ActiveScan\pskmdfs.dll + 2006-08-16 15:58:12 33,280 ----a-w C:\WINDOWS\system32\ActiveScan\pskpack.dll + 2006-06-30 19:42:36 266,240 ----a-w C:\WINDOWS\system32\ActiveScan\pskscs.dll + 2006-08-17 19:33:14 62,976 ----a-w C:\WINDOWS\system32\ActiveScan\pskutil.dll + 2006-08-08 18:13:10 13,312 ----a-w C:\WINDOWS\system32\ActiveScan\pskvfile.dll + 2006-08-18 13:53:08 69,632 ----a-w C:\WINDOWS\system32\ActiveScan\pskvfs.dll + 2006-08-18 13:49:50 167,936 ----a-w C:\WINDOWS\system32\ActiveScan\pskvm.dll + 2007-04-18 22:16:04 353,840 ----a-w C:\WINDOWS\system32\ActiveScan\psscan.dll + 2007-01-22 19:42:48 35,328 ----a-w C:\WINDOWS\system32\ActiveScan\rawvfile.dll + 1997-09-18 11:12:32 9,488 ----a-w C:\WINDOWS\system32\ActiveScan\sporder.dll + 2006-02-28 22:23:40 69,632 ----a-w C:\WINDOWS\system32\ActiveScan\tcpvfile.dll + 2006-08-02 17:39:06 73,728 ----a-w C:\WINDOWS\system32\asuninst.exe - 2007-11-25 05:00:00 5,427 ----a-w C:\WINDOWS\system32\EGATHDRV.SYS + 2007-12-02 15:50:46 5,427 ----a-w C:\WINDOWS\system32\EGATHDRV.SYS - 2007-03-15 22:19:28 1,476,992 ------w C:\WINDOWS\system32\LegitCheckControl.dll + 2007-10-11 19:12:48 1,468,968 ------w C:\WINDOWS\system32\LegitCheckControl.dll - 2006-12-10 18:10:02 14,640 ------w C:\WINDOWS\system32\spmsg.dll + 2007-10-08 19:46:18 14,640 ------w C:\WINDOWS\system32\spmsg.dll + 2003-03-25 23:53:50 11,776 ----a-w C:\WINDOWS\system32\ZPORT4AS.dll + 2007-12-05 04:09:12 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_15c.dat . -- Snapshot reset to current date -- . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "PWRMGRTR"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2006-05-25 11:13] "BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2006-05-25 11:13] "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 00:17] "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 00:16] "EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2006-02-23 12:22] "TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2006-06-03 01:00] "TpShocks"="TpShocks.exe" [2006-03-15 22:04 C:\WINDOWS\system32\TpShocks.exe] "TPHOTKEY"="C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-07-24 20:19] "TP4EX"="tp4ex.exe" [2005-10-17 04:11 C:\WINDOWS\system32\TP4EX.exe] "SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-19 19:11] "SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2005-05-06 18:06] "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-07-25 01:21] "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-07-25 01:17] "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-07-25 01:21] "Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-07-23 17:32] "LPManager"="C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe" [2006-07-04 11:11] "TVT Scheduler Proxy"="C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2006-07-14 21:05] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 02:43] "AMSG"="C:\Program Files\ThinkVantage\AMSG\Amsg.exe" [2005-11-14 01:23] "DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2006-02-02 08:20] "ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 19:50] "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 19:50] "AwaySch"="C:\Program Files\Lenovo\AwayTask\AwaySch.EXE" [2006-08-16 12:07] "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 12:21] "vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe" [2005-08-18 20:22] "DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-05-18 19:24] "ACTray"="C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe" [2006-08-26 03:22] "ACWLIcon"="C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2006-08-26 03:17] "Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2006-03-15 18:07] "PDService.exe"="C:\Program Files\Lenovo\SafeGuard PrivateDisk\pdservice.exe" [2006-03-13 19:38] "cssauth"="C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" [2006-07-14 21:13] "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 17:20] "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 10:09] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-12-07 12:03:00] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify] ACNotify.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AwayNotify] C:\Program Files\Lenovo\AwayTask\AwayNotify.dll 2006-08-16 12:07 49152 C:\Program Files\Lenovo\AwayTask\AwayNotify.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus] psqlpwd.dll 2006-04-25 22:20 40448 C:\WINDOWS\system32\psqlpwd.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2] notifyf2.dll 2005-07-05 09:45 28672 C:\WINDOWS\system32\notifyf2.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey] tphklock.dll 2005-11-30 06:16 24576 C:\WINDOWS\system32\tphklock.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL R0 Shockprf;Shockprf;C:\WINDOWS\system32\drivers\Shockprf.sys R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS R1 IBMTPCHK;IBMTPCHK;\??\C:\WINDOWS\system32\Drivers\IBMBLDID.sys R1 ShockMgr;ShockMgr;C:\WINDOWS\system32\drivers\ShockMgr.sys R1 TPPWRIF;TPPWRIF;C:\WINDOWS\system32\drivers\Tppwrif.sys R2 PrivateDisk;PrivateDisk;\??\C:\Program Files\Lenovo\SafeGuard PrivateDisk\PrivateDiskM.sys R2 smi2;smi2;\??\C:\Program Files\SMI2\smi2.sys R2 smihlp;SMI helper driver;\??\C:\Program Files\ThinkVantage Fingerprint Software\smihlp.sys R3 AEAudioService;AEAudio Service;C:\WINDOWS\system32\drivers\AEAudio.sys R3 atmeltpm;atmeltpm;C:\WINDOWS\system32\DRIVERS\atmeltpm.sys R3 EraserUtilDrvI2;EraserUtilDrvI2;\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI2.sys R3 TcUsb;TC USB Kernel Driver;C:\WINDOWS\system32\Drivers\tcusb.sys . Contents of the 'Scheduled Tasks' folder "2007-11-07 20:09:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe "2007-12-05 03:58:04 C:\WINDOWS\Tasks\MP Scheduled Scan.job" - C:\Program Files\Windows Defender\MpCmdRun.exe "2007-12-05 04:09:59 C:\WINDOWS\Tasks\PMTask.job" - C:\PROGRA~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE "2007-01-14 10:28:42 C:\WINDOWS\Tasks\Symantec NetDetect.job" - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE . ************************************************************************ catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-12-04 23:10:14 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ . Completion time: 2007-12-04 23:12:16 - machine was rebooted C:\ComboFix2.txt ... 2007-11-25 20:57 . --- E O F ---