IE and registry problems

RLO2007 · 02-09-2008, 01:42 PM

When i search with google i sometimes get redirected to other sites also i sometimes get pop ups with IE7. I also have some registry problems. Here is my DSS log. Any help is appreciated.

Deckard's System Scanner v20071014.68
Run by sejpalk on 2008-02-09 15:32:17
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 2 Restore Point(s) --
2: 2008-02-09 20:32:23 UTC - RP25 - Deckard's System Scanner Restore Point
1: 2008-02-09 20:25:12 UTC - RP24 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 511 MiB (512 MiB recommended).

-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-02-09 15:33:50
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\TpKmpSvc.exe
C:\WINDOWS\system32\alg.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\TpShocks.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Network Associates\VirusScan\shstat.exe
C:\WINDOWS\system32\nycd34xzfb.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\3M\PSNLite\PsnLite.exe
C:\Program Files\3M\PSNLite\PSNGive.exe
C:\Documents and Settings\sejpalk\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.search.msn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nsulaw.nova.edu/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {7F9A8820-0A8F-80B9-BE66-3A1437FA4593} - C:\WINDOWS\urkgsbyc.dll (file missing)
O2 - BHO: (no name) - {DA7EE7B5-3298-4278-9D37-6CA09F9F2B95} - C:\WINDOWS\system32\cardsa.dll
O3 - Toolbar: Search - {933A4C16-2070-7C84-4C09-121E8A304FF9} - C:\WINDOWS\urkgsbyc.dll (file missing)
O3 - Toolbar: (no name) - ID - (no file)
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPKMAPHELPER] "C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMLREF] "C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE"
O4 - HKLM\..\Run: [BMMMONWND] "rundll32.exe" C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [UC_Start] "C:\Program Files\IBM\Updater\\ucstartup.exe"
O4 - HKLM\..\Run: [ibmmessages] "C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe"
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\Scansoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\Scansoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [SetDefPrt] "C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe"
O4 - HKLM\..\Run: [BJCFD] "C:\Program Files\BroadJump\Client Foundation\CFD.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire HomePortal Monitor\2portalmon.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe"
O4 - HKLM\..\Run: [QCWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\bak\QCTray.exe
O4 - HKLM\..\Run: [nycd34xzfb] C:\WINDOWS\system32\nycd34xzfb.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [nycd34xzfb] C:\WINDOWS\system32\nycd34xzfb.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\Program Files\Mozilla Firefox\plugins\GetFlash.exe -p
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe
O9 - Extra 'Tools' menuitem: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options Group: [JAVA_IBM] Java (IBM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - https://www-307.ibm.com/pc/support/a...tent/AcpIR.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by1fd.bay1.hotmail.msn.com/re...s/MsnPUpld.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} () - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1174625079780
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www-307.ibm.com/pc/support/a...t/IbmEgath.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://outlook.rothmanlawoffices.com/Remote/msrdp.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get.../ultrashim.cab
O16 - DPF: {97AFC0D9-660E-4ACE-B025-46FD64AE335A} (EmailImport.EmailImportControl) - http://www.friendster.com/emailimpor...mailimport.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} () - http://v4.windowsupdate.microsoft.co...163.3722106482
O16 - DPF: {BE415DD9-C50D-46AA-9B5D-37F2EEBBBFE6} (acpRunner Class) - https://www-307.ibm.com/pc/support/a...AcpControl.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O17 - HKLM\Software\..\Telephony: DomainName = law.nova.edu
O17 - HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: Domain = law.nova.edu
O17 - HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: Domain = law.nova.edu
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: Domain = law.nova.edu
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: wtwmwhjj - C:\WINDOWS\system32\cardsa.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\system32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSvc.exe

--
End of file - 14288 bytes

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 qjdvrgzd - c:\windows\system32\drivers\kjcyerry.dat
R0 Shockprf - c:\windows\system32\drivers\shockprf.sys <Not Verified; IBM Corporation; IBM Hard Drive Active Protection System>
R1 ANC - c:\windows\system32\drivers\anc.sys <Not Verified; IBM Corp.; IBM Access Connections>
R1 IBMTPCHK - c:\windows\system32\drivers\ibmbldid.sys
R1 ISODrive (ISO CD-ROM Device Driver) - c:\program files\ultraiso\drivers\isodrive.sys <Not Verified; EZB Systems, Inc.; ISODrive>
R1 Smapint - c:\windows\system32\drivers\smapint.sys <Not Verified; Microsoft Corporation; Microsoft(R) Windows NT(TM) Operating System>
R1 TDSMAPI - c:\windows\system32\drivers\tdsmapi.sys
R1 TPHKDRV - c:\windows\system32\drivers\tphkdrv.sys <Not Verified; IBM Corporation; ThinkPad OnScreenDisplay>
R1 TPPWR - c:\windows\system32\drivers\tppwr.sys <Not Verified; IBM Corp.; IBM ThinkPad Utility>
R1 TSMAPIP - c:\windows\system32\drivers\tsmapip.sys
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.2.0.3) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.2.0.3>
R2 ibmfilter - c:\windows\system32\drivers\ibmfilter.sys <Not Verified; IBM; FFE and RRU>
R2 PMEM - c:\windows\system32\drivers\pmemnt.sys <Not Verified; Microsoft Corporation; Microsoft(R) Windows NT(TM) Operating System>
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>
R2 ShockMgr - c:\windows\system32\drivers\shockmgr.sys <Not Verified; IBM Corporation; IBM Hard Drive Active Protection System>

S3 PCAMPR5 (PCAMPR5 NDIS Protocol Driver) - c:\windows\system32\pcampr5.sys (file missing)
S3 PCANDIS5 (PCANDIS5 NDIS Protocol Driver) - c:\windows\system32\pcandis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
S3 psadd (IBM PSA Access Driver) - c:\windows\system32\drivers\psadd.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
S3 QCNDISIF - c:\windows\system32\drivers\qcndisif.sys <Not Verified; IBM Corporation.; IBM ThinkPad Utility>
S3 w22n51 (Intel(R) PRO/Wireless 2200 Adapter Driver) - c:\windows\system32\drivers\w22n51.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 IBM Rapid Restore Ultra Service - c:\program files\ibm\ibm rapid restore ultra\rrpcsb.exe <Not Verified; ; rrpcsb Module>
R2 McAfeeFramework (McAfee Framework Service) - c:\program files\network associates\common framework\frameworkservice.exe /servicestart <Not Verified; Network Associates, Inc.; McAfee Common Framework>
R2 McTaskManager (Network Associates Task Manager) - "c:\program files\network associates\virusscan\vstskmgr.exe" <Not Verified; Network Associates, Inc.; VirusScan Enterprise>
R2 QCONSVC - system32\qconsvc.exe <Not Verified; IBM Corp.; IBM ThinkPad Utility>
R2 RegSrvc - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; RegSrvc Module>
R2 TpKmpSVC (IBM KCU Service) - c:\windows\system32\tpkmpsvc.exe

S3 PsaSrv (IBM PSA Access Driver Control) - c:\windows\system32\psasrv.exe (file missing)

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Scheduled Tasks -------------------------------------------------------------

2008-02-09 14:27:06 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2008-01-25 20:13:02 432 --a------ C:\WINDOWS\Tasks\At1.job
2005-07-11 21:58:46 362 --a------ C:\WINDOWS\Tasks\BMMTask.job

-- Files created between 2008-01-09 and 2008-02-09 -----------------------------

2008-02-08 17:49:16 0 d--hs---- C:\FOUND.014
2008-02-05 18:19:48 0 d--hs---- C:\FOUND.013
2008-02-04 19:12:16 0 d--hs---- C:\FOUND.012
2008-02-04 18:32:06 0 d--hs---- C:\FOUND.011
2008-02-04 18:01:38 0 d--h----- C:\Documents and Settings\TEMP\Templates
2008-02-04 18:01:38 0 dr------- C:\Documents and Settings\TEMP\Start Menu
2008-02-04 18:01:38 0 dr-h----- C:\Documents and Settings\TEMP\SendTo
2008-02-04 18:01:38 0 dr-h----- C:\Documents and Settings\TEMP\Recent
2008-02-04 18:01:38 0 d--h----- C:\Documents and Settings\TEMP\PrintHood
2008-02-04 18:01:38 0 d--h----- C:\Documents and Settings\TEMP\NetHood
2008-02-04 18:01:38 0 dr------- C:\Documents and Settings\TEMP\My Documents
2008-02-04 18:01:38 0 d--h----- C:\Documents and Settings\TEMP\Local Settings
2008-02-04 18:01:38 0 dr------- C:\Documents and Settings\TEMP\Favorites
2008-02-04 18:01:38 0 d-------- C:\Documents and Settings\TEMP\Desktop
2008-02-04 18:01:38 0 d--hs---- C:\Documents and Settings\TEMP\Cookies
2008-02-04 18:01:38 0 dr-h----- C:\Documents and Settings\TEMP\Application Data
2008-02-04 18:01:38 0 d-------- C:\Documents and Settings\TEMP\Application Data\Symantec
2008-02-04 18:01:38 0 d-------- C:\Documents and Settings\TEMP\Application Data\Sonic
2008-02-04 18:01:38 0 d---s---- C:\Documents and Settings\TEMP\Application Data\Microsoft
2008-02-04 18:01:38 0 d-------- C:\Documents and Settings\TEMP\Application Data\Identities
2008-02-04 18:01:37 786432 --ah----- C:\Documents and Settings\TEMP\NTUSER.DAT
2008-02-03 14:40:00 0 d--hs---- C:\FOUND.010
2008-01-14 17:36:56 0 d--hs---- C:\FOUND.009

-- Find3M Report ---------------------------------------------------------------

2008-02-06 18:46:22 120576 --a------ C:\WINDOWS\system32\glpmuoap.dat
2008-02-04 18:39:44 42752 --a------ C:\WINDOWS\system32\ywmbypej.dat
2008-01-31 18:46:58 83968 --a------ C:\WINDOWS\system32\cardsa.dll
2008-01-21 21:22:50 36608 --a------ C:\WINDOWS\system32\lojhyhtq.dat
2007-12-11 17:48:16 35072 --a------ C:\WINDOWS\system32\zhqvhhco.dat
2007-12-11 17:48:16 1188375 --a------ C:\WINDOWS\system32\libeay32.dll <Not Verified; OpenSSL <www.openssl.org>; OpenSSL>
2007-12-11 17:48:14 246545 --a------ C:\WINDOWS\system32\libssl32.dll <Not Verified; OpenSSL <www.openssl.org>; OpenSSL>
2007-12-11 17:48:12 741632 --a------ C:\WINDOWS\system32\lcjpliyp.dat
2007-12-10 18:34:26 0 d-------- C:\Program Files\Windows Defender

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7F9A8820-0A8F-80B9-BE66-3A1437FA4593}]
C:\WINDOWS\urkgsbyc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DA7EE7B5-3298-4278-9D37-6CA09F9F2B95}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"S3TRAY2"="S3Tray2.exe" [10/12/2001 02:32 AM C:\WINDOWS\system32\S3Tray2.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" []
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" []
"ATIModeChange"="Ati2mdxx.exe" [09/04/2001 07:24 PM C:\WINDOWS\system32\Ati2mdxx.exe]
"BluetoothAuthenticationAgent"="rundll32.exe" [08/04/2004 03:56 AM C:\WINDOWS\system32\rundll32.exe]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" []
"TpShocks"="TpShocks.exe" [12/17/2003 02:12 PM C:\WINDOWS\system32\TpShocks.exe]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" []
"BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" []
"BMMMONWND"="rundll32.exe" [08/04/2004 03:56 AM C:\WINDOWS\system32\rundll32.exe]
"TP4EX"="tp4ex.exe" [09/04/2002 04:05 AM C:\WINDOWS\system32\TP4EX.exe]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" []
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" []
"UC_Start"="C:\Program Files\IBM\Updater\\ucstartup.exe" []
"@"="" []
"ibmmessages"="C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe" []
"UpdateManager"="c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" []
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" []
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [12/25/2003 04:36 AM]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [09/29/2003 07:10 AM]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" []
"IBMPRC"="C:\IBMTOOLS\UTILS\ibmprc.exe" []
"PaperPort PTD"="C:\Program Files\Scansoft\PaperPort\pptd40nt.exe" []
"IndexSearch"="C:\Program Files\Scansoft\PaperPort\IndexSearch.exe" []
"SetDefPrt"="C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe" []
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" []
"2wSysTray"="C:\Program Files\2Wire HomePortal Monitor\2portalmon.exe" []
"tgcmd"="C:\Program Files\Support.com\BellSouth\hcenter.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe" []
"QCWLIcon"="C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE" []
"QCTray"="C:\PROGRA~1\ThinkPad\CONNEC~1\bak\QCTray.exe" [05/19/2004 03:21 AM]
"nycd34xzfb"="C:\WINDOWS\system32\nycd34xzfb.exe" [05/29/2001 06:02 PM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spyware Begone"="c:\freescan\freescan.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 AM]
"ibmmessages"="C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" []
"nycd34xzfb"="C:\WINDOWS\system32\nycd34xzfb.exe" [05/29/2001 06:02 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"FlashPlayerUpdate"=C:\Program Files\Mozilla Firefox\plugins\GetFlash.exe -p

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [6/15/2004 1:21:48 PM]
Post-itr Software Notes Lite.lnk - C:\Program Files\3M\PSNLite\PsnLite.exe [10/15/2004 2:26:54 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
QConGina.dll 05/19/2004 03:21 AM 94208 C:\WINDOWS\system32\QConGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wtwmwhjj]
cardsa.dll 01/31/2008 06:46 PM 83968 C:\WINDOWS\system32\cardsa.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli pwdmon

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
yyaswpuu

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{050b41a7-4e63-11db-90be-000e353b04dd}]
AutoRun\command- F:\autorun.exe

-- End of Deckard's System Scanner: finished at 2008-02-09 15:34:37 ------------

RLO2007 · 02-12-2008, 11:50 AM

Bump...

RLO2007 · 02-15-2008, 04:27 PM

Bumping again since it has been another 72 hours.
I have pasted a new main.txt file below from my dss scan since it has been 6 days from my original post. I have also attached my extra.txt file which i realized i had not attached previously. Thanks in advance, any help is appreciated.

Deckard's System Scanner v20071014.68
Run by sejpalk on 2008-02-15 18:16:18
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 511 MiB (512 MiB recommended).

-- HijackThis (run as sejpalk.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:16:20 PM, on 2/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\TpShocks.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINDOWS\system32\nycd34xzfb.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\3M\PSNLite\PsnLite.exe
C:\PROGRA~1\3M\PSNLite\PSNGive.exe
C:\WINDOWS\System32\WISPTIS.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\sejpalk\desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\sejpalk.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nsulaw.nova.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {7F9A8820-0A8F-80B9-BE66-3A1437FA4593} - C:\WINDOWS\urkgsbyc.dll (file missing)
O2 - BHO: (no name) - {DA7EE7B5-3298-4278-9D37-6CA09F9F2B95} - c:\windows\system32\cardsa.dll
O3 - Toolbar: Search - {933A4C16-2070-7C84-4C09-121E8A304FF9} - C:\WINDOWS\urkgsbyc.dll (file missing)
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPKMAPHELPER] "C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMLREF] "C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE"
O4 - HKLM\..\Run: [BMMMONWND] "rundll32.exe" C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [UC_Start] "C:\Program Files\IBM\Updater\\ucstartup.exe"
O4 - HKLM\..\Run: [ibmmessages] "C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe"
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\Scansoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\Scansoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [SetDefPrt] "C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe"
O4 - HKLM\..\Run: [BJCFD] "C:\Program Files\BroadJump\Client Foundation\CFD.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire HomePortal Monitor\2portalmon.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe"
O4 - HKLM\..\Run: [QCWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\bak\QCTray.exe
O4 - HKLM\..\Run: [nycd34xzfb] C:\WINDOWS\system32\nycd34xzfb.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [nycd34xzfb] C:\WINDOWS\system32\nycd34xzfb.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - c:\program files\PartyGaming\PartyCasino\RunCasino.exe
O9 - Extra 'Tools' menuitem: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - c:\program files\PartyGaming\PartyCasino\RunCasino.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - https://www-307.ibm.com/pc/support/a...tent/AcpIR.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by1fd.bay1.hotmail.msn.com/re...s/MsnPUpld.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1174625079780
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www-307.ibm.com/pc/support/a...t/IbmEgath.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://outlook.rothmanlawoffices.com/Remote/msrdp.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {97AFC0D9-660E-4ACE-B025-46FD64AE335A} (EmailImport.EmailImportControl) - http://www.friendster.com/emailimpor...mailimport.cab
O16 - DPF: {BE415DD9-C50D-46AA-9B5D-37F2EEBBBFE6} (acpRunner Class) - https://www-307.ibm.com/pc/support/a...AcpControl.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = law.nova.edu
O17 - HKLM\Software\..\Telephony: DomainName = law.nova.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = law.nova.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = law.nova.edu
O20 - Winlogon Notify: wtwmwhjj - C:\WINDOWS\SYSTEM32\cardsa.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

--
End of file - 12870 bytes

-- Files created between 2008-01-15 and 2008-02-15 -----------------------------

2008-02-15 17:55:32 0 d-------- C:\Program Files\Trend Micro
2008-02-10 18:11:20 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-10 18:10:43 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-08 17:49:16 0 d--hs---- C:\FOUND.014
2008-02-05 18:19:48 0 d--hs---- C:\FOUND.013
2008-02-04 19:12:16 0 d--hs---- C:\FOUND.012
2008-02-04 18:32:06 0 d--hs---- C:\FOUND.011
2008-02-04 18:01:38 0 d--h----- C:\Documents and Settings\TEMP\Templates
2008-02-04 18:01:38 0 dr------- C:\Documents and Settings\TEMP\Start Menu
2008-02-04 18:01:38 0 dr-h----- C:\Documents and Settings\TEMP\SendTo
2008-02-04 18:01:38 0 dr-h----- C:\Documents and Settings\TEMP\Recent
2008-02-04 18:01:38 0 d--h----- C:\Documents and Settings\TEMP\PrintHood
2008-02-04 18:01:38 0 d--h----- C:\Documents and Settings\TEMP\NetHood
2008-02-04 18:01:38 0 dr------- C:\Documents and Settings\TEMP\My Documents
2008-02-04 18:01:38 0 d--h----- C:\Documents and Settings\TEMP\Local Settings
2008-02-04 18:01:38 0 dr------- C:\Documents and Settings\TEMP\Favorites
2008-02-04 18:01:38 0 d-------- C:\Documents and Settings\TEMP\Desktop
2008-02-04 18:01:38 0 d--hs---- C:\Documents and Settings\TEMP\Cookies
2008-02-04 18:01:38 0 dr-h----- C:\Documents and Settings\TEMP\Application Data
2008-02-04 18:01:38 0 d-------- C:\Documents and Settings\TEMP\Application Data\Symantec
2008-02-04 18:01:38 0 d-------- C:\Documents and Settings\TEMP\Application Data\Sonic
2008-02-04 18:01:38 0 d---s---- C:\Documents and Settings\TEMP\Application Data\Microsoft
2008-02-04 18:01:38 0 d-------- C:\Documents and Settings\TEMP\Application Data\Identities
2008-02-04 18:01:37 786432 --ah----- C:\Documents and Settings\TEMP\NTUSER.DAT
2008-02-03 14:40:00 0 d--hs---- C:\FOUND.010

-- Find3M Report ---------------------------------------------------------------

2008-02-14 18:19:16 36608 --a------ C:\WINDOWS\system32\lojhyhtq.dat
2008-02-14 18:19:16 86528 --a------ C:\WINDOWS\system32\cardsa.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-02-06 18:46:22 120576 --a------ C:\WINDOWS\system32\glpmuoap.dat
2008-02-04 18:39:44 42752 --a------ C:\WINDOWS\system32\ywmbypej.dat
2007-12-11 17:48:16 35072 --a------ C:\WINDOWS\system32\zhqvhhco.dat
2007-12-11 17:48:16 1188375 --a------ C:\WINDOWS\system32\libeay32.dll <Not Verified; OpenSSL <www.openssl.org>; OpenSSL>
2007-12-11 17:48:14 246545 --a------ C:\WINDOWS\system32\libssl32.dll <Not Verified; OpenSSL <www.openssl.org>; OpenSSL>
2007-12-11 17:48:12 741632 --a------ C:\WINDOWS\system32\lcjpliyp.dat

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7F9A8820-0A8F-80B9-BE66-3A1437FA4593}]
C:\WINDOWS\urkgsbyc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DA7EE7B5-3298-4278-9D37-6CA09F9F2B95}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"S3TRAY2"="S3Tray2.exe" [10/12/2001 02:32 AM C:\WINDOWS\system32\S3Tray2.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" []
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" []
"ATIModeChange"="Ati2mdxx.exe" [09/04/2001 07:24 PM C:\WINDOWS\system32\Ati2mdxx.exe]
"BluetoothAuthenticationAgent"="rundll32.exe" [08/04/2004 03:56 AM C:\WINDOWS\system32\rundll32.exe]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" []
"TpShocks"="TpShocks.exe" [12/17/2003 02:12 PM C:\WINDOWS\system32\TpShocks.exe]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" []
"BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" []
"BMMMONWND"="rundll32.exe" [08/04/2004 03:56 AM C:\WINDOWS\system32\rundll32.exe]
"TP4EX"="tp4ex.exe" [09/04/2002 04:05 AM C:\WINDOWS\system32\TP4EX.exe]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" []
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" []
"UC_Start"="C:\Program Files\IBM\Updater\\ucstartup.exe" []
"@"="" []
"ibmmessages"="C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe" []
"UpdateManager"="c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" []
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" []
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [12/25/2003 04:36 AM]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [09/29/2003 07:10 AM]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" []
"IBMPRC"="C:\IBMTOOLS\UTILS\ibmprc.exe" []
"PaperPort PTD"="C:\Program Files\Scansoft\PaperPort\pptd40nt.exe" []
"IndexSearch"="C:\Program Files\Scansoft\PaperPort\IndexSearch.exe" []
"SetDefPrt"="C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe" []
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" []
"2wSysTray"="C:\Program Files\2Wire HomePortal Monitor\2portalmon.exe" []
"tgcmd"="C:\Program Files\Support.com\BellSouth\hcenter.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe" []
"QCWLIcon"="C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE" []
"QCTray"="C:\PROGRA~1\ThinkPad\CONNEC~1\bak\QCTray.exe" [05/19/2004 03:21 AM]
"nycd34xzfb"="C:\WINDOWS\system32\nycd34xzfb.exe" [05/29/2001 06:02 PM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spyware Begone"="c:\freescan\freescan.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 AM]
"ibmmessages"="C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" []
"nycd34xzfb"="C:\WINDOWS\system32\nycd34xzfb.exe" [05/29/2001 06:02 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [6/15/2004 1:21:48 PM]
Post-itr Software Notes Lite.lnk - C:\Program Files\3M\PSNLite\PsnLite.exe [10/15/2004 2:26:54 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
QConGina.dll 05/19/2004 03:21 AM 94208 C:\WINDOWS\system32\QConGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wtwmwhjj]
cardsa.dll 02/14/2008 06:19 PM 86528 C:\WINDOWS\system32\cardsa.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli pwdmon

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
yyaswpuu

-- End of Deckard's System Scanner: finished at 2008-02-15 18:16:51 ------------

RLO2007 · 02-18-2008, 03:35 PM

Bumping for the third time... Please let me know if you can help me.

RLO2007 · 02-21-2008, 03:54 PM

Bump.

RLO2007 · 02-25-2008, 08:29 AM

Bumping again. Please can you let me know if you can help me. It has been over 2 weeks since my initial post.

Ried · 02-25-2008, 10:22 AM

Hello RLO2007.

Our apologies for the oversight of your thread, and thank you for your kind patience.

We'll begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool: http://www.bleepingcomputer.com/comb...o-use-combofix

When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

RLO2007 · 02-25-2008, 07:27 PM

Thanks for getting back to me. Here are the logs.

ComboFix 08-02-25.3 - sejpalk 2008-02-25 21:08:43.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.195 [GMT -5:00]
Running from: C:\Documents and Settings\sejpalk\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\WinBudget
C:\WINDOWS\system32\cardsa.dll
C:\WINDOWS\system32\dbmsrpcnt.dll
C:\WINDOWS\system32\drivers\kjcyerry.dat
C:\WINDOWS\Tasks.\At1.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_QJDVRGZD
-------\LEGACY_YYASWPUU
-------\qjdvrgzd
-------\yyaswpuu

((((((((((((((((((((((((( Files Created from 2008-01-26 to 2008-02-26 )))))))))))))))))))))))))))))))
.

2008-02-22 00:16 . 2008-02-22 00:14 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-22 00:16 . 2008-02-22 00:16 2,544 --a------ C:\WINDOWS\unins000.dat
2008-02-15 17:55 . 2008-02-15 17:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-10 18:11 . 2008-02-10 18:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-10 18:10 . 2008-02-10 18:10 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-08 17:55 . 2008-02-08 17:55 <DIR> d-------- C:\Deckard
2008-02-08 17:49 . 2008-02-08 17:49 <DIR> d--hs---- C:\FOUND.014
2008-02-05 18:19 . 2008-02-05 18:19 <DIR> d--hs---- C:\FOUND.013
2008-02-04 19:12 . 2008-02-04 19:12 <DIR> d--hs---- C:\FOUND.012
2008-02-04 18:32 . 2008-02-04 18:32 <DIR> d--hs---- C:\FOUND.011
2008-02-04 18:01 . 2004-06-15 13:27 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\Symantec
2008-02-04 18:01 . 2004-06-15 13:31 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\Sonic
2008-02-03 14:40 . 2008-02-03 14:40 <DIR> d--hs---- C:\FOUND.010

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2004-07-22 20:12 59,900 ----a-w C:\Program Files\setuplog.txt
2004-07-22 20:12 54,337 ----a-w C:\Program Files\uninstal.log
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 90,112 2004-03-19 17:12:10 C:\ibmtools\utils\bak\ibmprc.exe

----a-w 335,872 2004-02-11 05:10:00 C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe

----a-w 110,592 2003-08-19 09:01:00 C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe

----a-w 581,632 2004-01-20 22:28:06 C:\Program Files\IBM\Messages By IBM\bak\ibmmessages.exe

----a-w 36,864 2003-09-30 23:39:00 C:\Program Files\IBM\Updater\bak\ucstartup.exe

----a-w 1,277,952 2004-07-25 19:45:18 C:\Program Files\Support.com\BellSouth\bak\hcenter.exe

----a-w 110,592 2003-11-19 17:56:38 C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe

----a-w 512,000 2003-11-19 17:56:14 C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe

----a-w 688,128 2004-05-19 08:21:00 C:\Program Files\ThinkPad\ConnectUtilities\bak\QCTRAY.EXE

----a-w 53,248 2004-05-19 08:21:00 C:\Program Files\ThinkPad\ConnectUtilities\bak\QCWLICON.EXE

----a-w 94,208 2004-03-10 18:10:40 C:\Program Files\ThinkPad\PkgMgr\HOTKEY\bak\TPHKMGR.exe

----a-w 897,024 2004-02-04 23:39:12 C:\Program Files\ThinkPad\Utilities\bak\TpKmapAp.exe

----a-w 20,480 2003-12-25 09:36:00 C:\Program Files\ThinkPad\Utilities\bak\BMMLREF.EXE

----a-w 208,896 2003-12-25 10:04:00 C:\Program Files\ThinkPad\Utilities\bak\EzEjMnAp.Exe

----a-w 135,251 2003-09-10 08:11:00 C:\Program Files\Network Associates\Common Framework\bak\UpdaterUI.exe

----a-w 98,304 2004-06-28 19:27:44 C:\Program Files\QuickTime\bak\qttask.exe

----a-w 45,108 2002-08-12 14:33:34 C:\Program Files\Scansoft\PaperPort\bak\pptd40nt.exe

----a-w 36,864 2002-08-12 15:07:26 C:\Program Files\Scansoft\PaperPort\bak\IndexSearch.exe

----a-w 45,056 2003-07-03 20:31:52 C:\Program Files\Brother\Brmfl03a\bak\BrStDvPt.exe

----a-w 32,881 2004-09-29 01:26:04 C:\Program Files\Java\j2re1.4.2_06\bin\bak\jusched.exe

----a-w 368,706 2002-09-11 02:26:26 C:\Program Files\BroadJump\Client Foundation\bak\CFD.exe

----a-w 442,368 2003-10-13 12:19:30 C:\Program Files\2Wire HomePortal Monitor\bak\2portalmon.exe

----a-w 15,360 2004-08-04 08:56:48 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 08:56:48 C:\WINDOWS\system32\ctfmon.exe

----a-w 114,741 2003-10-22 09:04:00 C:\WINDOWS\system32\dla\bak\tfswctrl.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7F9A8820-0A8F-80B9-BE66-3A1437FA4593}]
C:\WINDOWS\urkgsbyc.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{933A4C16-2070-7C84-4C09-121E8A304FF9}

[HKEY_CLASSES_ROOT\clsid\{933a4c16-2070-7c84-4c09-121e8a304ff9}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spyware Begone"="c:\freescan\freescan.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"ibmmessages"="C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" [ ]
"nycd34xzfb"="C:\WINDOWS\system32\nycd34xzfb.exe" [2001-05-29 18:02 17408]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"S3TRAY2"="S3Tray2.exe" [2001-10-12 02:32 69632 C:\WINDOWS\system32\S3Tray2.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [ ]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [ ]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 19:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"BluetoothAuthenticationAgent"="rundll32.exe" [2004-08-04 03:56 33280 C:\WINDOWS\system32\rundll32.exe]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [ ]
"TpShocks"="TpShocks.exe" [2003-12-17 14:12 102400 C:\WINDOWS\system32\TpShocks.exe]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [ ]
"BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [ ]
"BMMMONWND"="rundll32.exe" [2004-08-04 03:56 33280 C:\WINDOWS\system32\rundll32.exe]
"TP4EX"="tp4ex.exe" [2002-09-04 04:05 53248 C:\WINDOWS\system32\TP4EX.exe]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [ ]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [ ]
"UC_Start"="C:\Program Files\IBM\Updater\\ucstartup.exe" [ ]
"ibmmessages"="C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe" [ ]
"UpdateManager"="c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [ ]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [ ]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2003-12-25 04:36 106496]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2003-09-29 07:10 81990]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [ ]
"IBMPRC"="C:\IBMTOOLS\UTILS\ibmprc.exe" [ ]
"PaperPort PTD"="C:\Program Files\Scansoft\PaperPort\pptd40nt.exe" [ ]
"IndexSearch"="C:\Program Files\Scansoft\PaperPort\IndexSearch.exe" [ ]
"SetDefPrt"="C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe" [ ]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [ ]
"2wSysTray"="C:\Program Files\2Wire HomePortal Monitor\2portalmon.exe" [ ]
"tgcmd"="C:\Program Files\Support.com\BellSouth\hcenter.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe" [ ]
"QCWLIcon"="C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [ ]
"QCTray"="C:\PROGRA~1\ThinkPad\CONNEC~1\bak\QCTray.exe" [2004-05-19 03:21 688128]
"nycd34xzfb"="C:\WINDOWS\system32\nycd34xzfb.exe" [2001-05-29 18:02 17408]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2004-06-15 13:21:48 24576]
Post-itr Software Notes Lite.lnk - C:\Program Files\3M\PSNLite\PsnLite.exe [2004-10-15 14:26:54 2080768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
QConGina.dll 2004-05-19 03:21 94208 C:\WINDOWS\system32\QConGina.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
appsecdll REG_EXPAND_SZ C:\WINDOWS\system32\AppCert\wsil32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\IBM\\Updater\\jre\\bin\\javaw.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe"=
"C:\\WINDOWS\\system32"=
"C:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6346:TCP"= 6346:TCP:gnutella
"6346:UDP"= 6346:UDP:gnutella

R0 Shockprf;Shockprf;C:\WINDOWS\system32\drivers\Shockprf.sys [2003-12-17 16:50]
R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2004-05-19 03:21]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\drivers\IBMBLDID.SYS [2004-05-19 03:21]
R1 TPPWR;TPPWR;C:\WINDOWS\system32\drivers\Tppwr.sys [2003-12-25 04:36]
R2 ibmfilter;ibmfilter;C:\WINDOWS\System32\drivers\ibmfilter.sys [2004-03-19 12:05]
R2 ShockMgr;ShockMgr;C:\WINDOWS\system32\drivers\ShockMgr.sys [2003-12-15 20:29]
S3 brfilt;Brother MFC Filter Driver;C:\WINDOWS\system32\Drivers\Brfilt.sys [2001-08-17 13:12]
S3 BrSerWDM;Brother Serial driver;C:\WINDOWS\system32\Drivers\BrSerWdm.sys [2003-03-14 00:04]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;C:\WINDOWS\system32\Drivers\BrUsbMdm.sys [2001-08-17 13:12]
S3 BrUsbScn;Brother MFC USB Scanner driver;C:\WINDOWS\system32\Drivers\BrUsbScn.sys [2001-08-17 13:12]
S3 QCNDISIF;QCNDISIF;C:\WINDOWS\system32\drivers\qcndisif.SYS [2004-05-19 03:21]

.
Contents of the 'Scheduled Tasks' folder
"2005-07-12 02:58:46 C:\WINDOWS\Tasks\BMMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\BMMTASK.EXE
"2008-02-26 02:18:00 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-25 21:16:22
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\Ati2evxx.exe
.
**************************************************************************
.
Completion time: 2008-02-25 21:19:27 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-26 02:19:24
.
2008-02-21 22:50:31 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:20, on 2008-02-25
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\TpShocks.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINDOWS\system32\nycd34xzfb.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nsulaw.nova.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {7F9A8820-0A8F-80B9-BE66-3A1437FA4593} - C:\WINDOWS\urkgsbyc.dll (file missing)
O3 - Toolbar: Search - {933A4C16-2070-7C84-4C09-121E8A304FF9} - C:\WINDOWS\urkgsbyc.dll (file missing)
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPKMAPHELPER] "C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMLREF] "C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE"
O4 - HKLM\..\Run: [BMMMONWND] "rundll32.exe" C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [UC_Start] "C:\Program Files\IBM\Updater\\ucstartup.exe"
O4 - HKLM\..\Run: [ibmmessages] "C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe"
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\Scansoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\Scansoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [SetDefPrt] "C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe"
O4 - HKLM\..\Run: [BJCFD] "C:\Program Files\BroadJump\Client Foundation\CFD.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire HomePortal Monitor\2portalmon.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe"
O4 - HKLM\..\Run: [QCWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\bak\QCTray.exe
O4 - HKLM\..\Run: [nycd34xzfb] C:\WINDOWS\system32\nycd34xzfb.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [nycd34xzfb] C:\WINDOWS\system32\nycd34xzfb.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - c:\program files\PartyGaming\PartyCasino\RunCasino.exe
O9 - Extra 'Tools' menuitem: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - c:\program files\PartyGaming\PartyCasino\RunCasino.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - https://www-307.ibm.com/pc/support/a...tent/AcpIR.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by1fd.bay1.hotmail.msn.com/re...s/MsnPUpld.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1174625079780
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www-307.ibm.com/pc/support/a...t/IbmEgath.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://outlook.rothmanlawoffices.com/Remote/msrdp.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {97AFC0D9-660E-4ACE-B025-46FD64AE335A} (EmailImport.EmailImportControl) - http://www.friendster.com/emailimpor...mailimport.cab
O16 - DPF: {BE415DD9-C50D-46AA-9B5D-37F2EEBBBFE6} (acpRunner Class) - https://www-307.ibm.com/pc/support/a...AcpControl.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = law.nova.edu
O17 - HKLM\Software\..\Telephony: DomainName = law.nova.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = law.nova.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = law.nova.edu
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

--
End of file - 12417 bytes

Ried · 02-26-2008, 10:13 AM

Hello RLO2007,

We have quite a bit to do here.

SpywareBeGone is a rogue program. I've included it's removal in the set of fixes below.

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

Also be sure to carry out the instructions in the sequence listed below.

***************************************************

Download: ResetProtocolDefaults.reg and save it to your desktop.

**If you are using FireFox, right click the link and select 'Save File As'

--------------------------------------------------------------------

Please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account. Make sure to close any open browsers.

--------------------------------------------------------------------

Double-click FindAWF.exe to start the tool.

Select option #2 - Restore files from bak folders by typing 2 and press 'Enter'
A text file will open up. Please copy/paste the following bolded text into the text file: ( be sure to include the quote marks around those file paths)

"C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe"
"C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe"
"C:\Program Files\ThinkPad\ConnectUtilities\bak\QCTRAY.EXE"
"C:\Program Files\ThinkPad\ConnectUtilities\bak\QCWLICON.EXE"
"C:\Program Files\ThinkPad\PkgMgr\HOTKEY\bak\TPHKMGR.exe"
"C:\Program Files\ThinkPad\Utilities\bak\TpKmapAp.exe"
"C:\Program Files\ThinkPad\Utilities\bak\BMMLREF.EXE"
"C:\Program Files\ThinkPad\Utilities\bak\EzEjMnAp.Exe"
"C:\Program Files\Network Associates\Common Framework\bak\UpdaterUI.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\Program Files\Scansoft\PaperPort\bak\pptd40nt.exe"
"C:\Program Files\Scansoft\PaperPort\bak\IndexSearch.exe"
"C:\Program Files\Brother\Brmfl03a\bak\BrStDvPt.exe"
"C:\Program Files\BroadJump\Client Foundation\bak\CFD.exe"
"C:\Program Files\2Wire HomePortal Monitor\bak\2portalmon.exe"
"C:\WINDOWS\system32\dla\bak\tfswctrl.exe"
Close the .txt file and click 'Yes' to save the changes.
When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt in your next reply.

--------------------------------------------------------------

Double-click FindAWF.exe to start the tool once again.

Select option #4 - Reset Domain Zones by typing 4 and press 'Enter'
You will be prompted to answer "Reset the domain zones?" Type 1 and press Enter.
After completion, then type E and press 'Enter'

Note: if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

-------------------------------------------------------------------------------------

Locate "ResetProtocolDefaults.reg" on your desktop. Right-click and select Merge (Ok the prompt)

-------------------------------------------------------------------------------------

Reboot back into Normal Mode.

-------------------------------------------------------------------------------------

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

---------------------------------------------------------------------

Open notepad and copy/paste the text in the code box below into it:

Code:

Folder::
C:\FOUND.014
C:\FOUND.013
C:\FOUND.012
C:\FOUND.011
C:\FOUND.010

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7F9A8820-0A8F-80B9-BE66-3A1437FA4593}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{933A4C16-2070-7C84-4C09-121E8A304FF9}=-
[-HKEY_CLASSES_ROOT\clsid\{933a4c16-2070-7c84-4c09-121e8a304ff9}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spyware Begone"=-
"nycd34xzfb"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nycd34xzfb"=-
[-HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]

Save this as CFScript.txt, in the same location as ComboFix.exe

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt

--------------------------------------------------------------------

Your Java is out of date.

Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 6u4.
Scroll down to where it says "The Java SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
In the pull down menu next to Platform select Windows
Check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement"
Click Continue
Click on the link to download Windows Offline Installation and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u4-windowsi586-p.exe to install the newest version.

------------------------------------------------------------

fNow please run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run it's full course:

Using Internet Explorer, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

Answer Yes, when prompted to install an ActiveX component.

The program will then begin downloading the latest definition files.
Once the files have been downloaded click on NEXT
Locate the Scan Settings button & configure to:
- Scan using the following Anti-Virus database:
  - Extended
- Scan Options:
  - Scan Archives
  - Scan Mail Bases
Click OK & have it scan My Computer
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan

--------------------------------------------------------------------

Run a new scan with HijackThis and save the log.

--------------------------------------------------------------------

Please include the following in your next reply:

awf.txt
C:\ComboFix.txt
Kaspersky results
New HijackThis log

RLO2007 · 02-26-2008, 11:05 AM

Do i have to download FindAWF.exe? If so where do i find it? I am currently at work so i will do this tonight.

Ried · 02-26-2008, 11:09 AM

Oh my goodness--sorry about that.

Please download FindAWF to your Desktop.

(Alternate link http://noahdfear.geekstogo.com/FindAWF.exe)

RLO2007 · 02-26-2008, 09:43 PM

Okay i believe i have followed your instructions correctly. I should also let you know that when i start up in normal mode i get this message: QCTray.exe - Unable To Locate Component
This application has failed to start because QCON.dll was not found. Re-installing the application may fix the problem.

I have pasted the logs you requested below.

Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: 2008-02-26
The current time is: 21:18:17.63

bak folders found
~~~~~~~~~~~

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

end of report

ComboFix 08-02-25.3 - sejpalk 2008-02-26 21:29:15.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.158 [GMT -5:00]
Running from: C:\Documents and Settings\sejpalk\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\sejpalk\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\FOUND.010
C:\FOUND.010\FILE0000.CHK
C:\FOUND.010\FILE0001.CHK
C:\FOUND.011
C:\FOUND.011\FILE0000.CHK
C:\FOUND.011\FILE0001.CHK
C:\FOUND.011\FILE0002.CHK
C:\FOUND.011\FILE0003.CHK
C:\FOUND.011\FILE0004.CHK
C:\FOUND.011\FILE0005.CHK
C:\FOUND.011\FILE0006.CHK
C:\FOUND.012
C:\FOUND.012\FILE0000.CHK
C:\FOUND.013
C:\FOUND.013\FILE0000.CHK
C:\FOUND.014
C:\FOUND.014\FILE0000.CHK
C:\FOUND.014\FILE0001.CHK

.
((((((((((((((((((((((((( Files Created from 2008-01-27 to 2008-02-27 )))))))))))))))))))))))))))))))
.

2008-02-22 00:16 . 2008-02-22 00:14 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-22 00:16 . 2008-02-22 00:16 2,544 --a------ C:\WINDOWS\unins000.dat
2008-02-15 17:55 . 2008-02-15 17:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-10 18:11 . 2008-02-10 18:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-10 18:10 . 2008-02-10 18:10 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-08 17:55 . 2008-02-08 17:55 <DIR> d-------- C:\Deckard
2008-02-04 18:01 . 2004-06-15 13:27 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\Symantec
2008-02-04 18:01 . 2004-06-15 13:31 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\Sonic

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-12-19 23:01 347,136 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-12-18 09:51 179,584 ------w C:\WINDOWS\system32\dllcache\mrxdav.sys
2007-12-14 16:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-11 22:48 246,545 ----a-w C:\WINDOWS\system32\libssl32.dll
2007-12-11 22:48 1,188,375 ----a-w C:\WINDOWS\system32\libeay32.dll
2007-12-08 05:21 3,592,192 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-12-06 11:01 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-12-06 11:00 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-12-06 11:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-12-06 04:59 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-12-04 18:38 550,912 ------w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 18:38 550,912 ------w C:\WINDOWS\system32\dllcache\oleaut32.dll
2004-07-22 20:12 59,900 ----a-w C:\Program Files\setuplog.txt
2004-07-22 20:12 54,337 ----a-w C:\Program Files\uninstal.log
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 90,112 2004-03-19 17:12:10 C:\ibmtools\utils\bak\ibmprc.exe

----a-w 335,872 2004-02-11 05:10:00 C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe

----a-w 110,592 2003-08-19 09:01:00 C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe

----a-w 581,632 2004-01-20 22:28:06 C:\Program Files\IBM\Messages By IBM\bak\ibmmessages.exe

----a-w 36,864 2003-09-30 23:39:00 C:\Program Files\IBM\Updater\bak\ucstartup.exe

----a-w 1,277,952 2004-07-25 19:45:18 C:\Program Files\Support.com\BellSouth\bak\hcenter.exe

----a-w 110,592 2003-11-19 17:56:38 C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe
----a-w 110,592 2003-11-19 17:56:38 C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

----a-w 512,000 2003-11-19 17:56:14 C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe
----a-w 512,000 2003-11-19 17:56:14 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

----a-w 688,128 2004-05-19 08:21:00 C:\Program Files\ThinkPad\ConnectUtilities\bak\QCTRAY.EXE
----a-w 688,128 2004-05-19 08:21:00 C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE

----a-w 53,248 2004-05-19 08:21:00 C:\Program Files\ThinkPad\ConnectUtilities\bak\QCWLICON.EXE
----a-w 53,248 2004-05-19 08:21:00 C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE

----a-w 94,208 2004-03-10 18:10:40 C:\Program Files\ThinkPad\PkgMgr\HOTKEY\bak\TPHKMGR.exe
----a-w 94,208 2004-03-10 18:10:40 C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

----a-w 897,024 2004-02-04 23:39:12 C:\Program Files\ThinkPad\Utilities\bak\TpKmapAp.exe
----a-w 897,024 2004-02-04 23:39:12 C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe

----a-w 20,480 2003-12-25 09:36:00 C:\Program Files\ThinkPad\Utilities\bak\BMMLREF.EXE
----a-w 20,480 2003-12-25 09:36:00 C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE

----a-w 208,896 2003-12-25 10:04:00 C:\Program Files\ThinkPad\Utilities\bak\EzEjMnAp.Exe
----a-w 208,896 2003-12-25 10:04:00 C:\Program Files\ThinkPad\Utilities\EzEjMnAp.Exe

----a-w 135,251 2003-09-10 08:11:00 C:\Program Files\Network Associates\Common Framework\bak\UpdaterUI.exe
----a-w 135,251 2003-09-10 08:11:00 C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

----a-w 98,304 2004-06-28 19:27:44 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 98,304 2004-06-28 19:27:44 C:\Program Files\QuickTime\qttask.exe

----a-w 45,108 2002-08-12 14:33:34 C:\Program Files\Scansoft\PaperPort\bak\pptd40nt.exe
----a-w 45,108 2002-08-12 14:33:34 C:\Program Files\Scansoft\PaperPort\pptd40nt.exe

----a-w 36,864 2002-08-12 15:07:26 C:\Program Files\Scansoft\PaperPort\bak\IndexSearch.exe
----a-w 36,864 2002-08-12 15:07:26 C:\Program Files\Scansoft\PaperPort\IndexSearch.exe

----a-w 45,056 2003-07-03 20:31:52 C:\Program Files\Brother\Brmfl03a\bak\BrStDvPt.exe
----a-w 45,056 2003-07-03 20:31:52 C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe

----a-w 32,881 2004-09-29 01:26:04 C:\Program Files\Java\j2re1.4.2_06\bin\bak\jusched.exe

----a-w 368,706 2002-09-11 02:26:26 C:\Program Files\BroadJump\Client Foundation\bak\CFD.exe
----a-w 368,706 2002-09-11 02:26:26 C:\Program Files\BroadJump\Client Foundation\CFD.exe

----a-w 442,368 2003-10-13 12:19:30 C:\Program Files\2Wire HomePortal Monitor\bak\2portalmon.exe
----a-w 442,368 2003-10-13 12:19:30 C:\Program Files\2Wire HomePortal Monitor\2portalmon.exe

----a-w 15,360 2004-08-04 08:56:48 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 08:56:48 C:\WINDOWS\system32\ctfmon.exe

----a-w 114,741 2003-10-22 09:04:00 C:\WINDOWS\system32\dla\bak\tfswctrl.exe
----a-w 114,741 2003-10-22 09:04:00 C:\WINDOWS\system32\dla\tfswctrl.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"ibmmessages"="C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" [ ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"S3TRAY2"="S3Tray2.exe" [2001-10-12 02:32 69632 C:\WINDOWS\system32\S3Tray2.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-11-19 12:56 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-11-19 12:56 512000]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 19:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"BluetoothAuthenticationAgent"="rundll32.exe" [2004-08-04 03:56 33280 C:\WINDOWS\system32\rundll32.exe]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2004-02-04 18:39 897024]
"TpShocks"="TpShocks.exe" [2003-12-17 14:12 102400 C:\WINDOWS\system32\TpShocks.exe]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2004-03-10 13:10 94208]
"BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [2003-12-25 04:36 20480]
"BMMMONWND"="rundll32.exe" [2004-08-04 03:56 33280 C:\WINDOWS\system32\rundll32.exe]
"TP4EX"="tp4ex.exe" [2002-09-04 04:05 53248 C:\WINDOWS\system32\TP4EX.exe]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2003-12-25 05:04 208896]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [ ]
"UC_Start"="C:\Program Files\IBM\Updater\\ucstartup.exe" [ ]
"ibmmessages"="C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe" [ ]
"UpdateManager"="c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [ ]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-10-22 04:04 114741]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2003-12-25 04:36 106496]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2003-09-29 07:10 81990]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2003-09-10 03:11 135251]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-06-28 14:27 98304]
"IBMPRC"="C:\IBMTOOLS\UTILS\ibmprc.exe" [ ]
"PaperPort PTD"="C:\Program Files\Scansoft\PaperPort\pptd40nt.exe" [2002-08-12 09:33 45108]
"IndexSearch"="C:\Program Files\Scansoft\PaperPort\IndexSearch.exe" [2002-08-12 10:07 36864]
"SetDefPrt"="C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe" [2003-07-03 15:31 45056]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 21:26 368706]
"2wSysTray"="C:\Program Files\2Wire HomePortal Monitor\2portalmon.exe" [2003-10-13 07:19 442368]
"tgcmd"="C:\Program Files\Support.com\BellSouth\hcenter.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe" [ ]
"QCWLIcon"="C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2004-05-19 03:21 53248]
"QCTray"="C:\PROGRA~1\ThinkPad\CONNEC~1\bak\QCTray.exe" [2004-05-19 03:21 688128]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2004-06-15 13:21:48 24576]
Post-itr Software Notes Lite.lnk - C:\Program Files\3M\PSNLite\PsnLite.exe [2004-10-15 14:26:54 2080768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
QConGina.dll 2004-05-19 03:21 94208 C:\WINDOWS\system32\QConGina.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\IBM\\Updater\\jre\\bin\\javaw.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe"=
"C:\\WINDOWS\\system32"=
"C:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6346:TCP"= 6346:TCP:gnutella
"6346:UDP"= 6346:UDP:gnutella

R0 Shockprf;Shockprf;C:\WINDOWS\system32\drivers\Shockprf.sys [2003-12-17 16:50]
R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2004-05-19 03:21]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\drivers\IBMBLDID.SYS [2004-05-19 03:21]
R1 TPPWR;TPPWR;C:\WINDOWS\system32\drivers\Tppwr.sys [2003-12-25 04:36]
R2 ibmfilter;ibmfilter;C:\WINDOWS\System32\drivers\ibmfilter.sys [2004-03-19 12:05]
R2 ShockMgr;ShockMgr;C:\WINDOWS\system32\drivers\ShockMgr.sys [2003-12-15 20:29]
S3 brfilt;Brother MFC Filter Driver;C:\WINDOWS\system32\Drivers\Brfilt.sys [2001-08-17 13:12]
S3 BrSerWDM;Brother Serial driver;C:\WINDOWS\system32\Drivers\BrSerWdm.sys [2003-03-14 00:04]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;C:\WINDOWS\system32\Drivers\BrUsbMdm.sys [2001-08-17 13:12]
S3 BrUsbScn;Brother MFC USB Scanner driver;C:\WINDOWS\system32\Drivers\BrUsbScn.sys [2001-08-17 13:12]
S3 QCNDISIF;QCNDISIF;C:\WINDOWS\system32\drivers\qcndisif.SYS [2004-05-19 03:21]

.
Contents of the 'Scheduled Tasks' folder
"2005-07-12 02:58:46 C:\WINDOWS\Tasks\BMMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\BMMTASK.EXE
"2008-02-27 02:25:38 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-26 21:33:07
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-26 21:33:43
ComboFix-quarantined-files.txt 2008-02-27 02:33:42
ComboFix2.txt 2008-02-26 02:19:28
.
2008-02-27 01:22:26 --- E O F ---

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2008-02-26 23:34
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 27/02/2008
Kaspersky Anti-Virus database records: 582651
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 98896
Number of viruses found: 7
Number of infected objects: 38
Number of suspicious objects: 0
Duration of the scan process: 01:20:33

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-12102007-183501.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\OnAccessScanLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\PrdMgr_SEJPALK.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\Agent_SEJPALK.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\sejpalk\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\sejpalk\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\sejpalk\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\sejpalk\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\sejpalk\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\sejpalk\Local Settings\History\History.IE5\MSHist012008022620080227\index.dat Object is locked skipped
C:\Documents and Settings\sejpalk\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\sejpalk\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\sejpalk\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{11F2158F-EFA7-4E1F-AACF-69CCDF29626D} Object is locked skipped
C:\Documents and Settings\sejpalk\Local Settings\Temp\~DFE8CD.tmp Object is locked skipped
C:\Documents and Settings\sejpalk\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\sejpalk\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-7a912fd2-4284c9f5.zip/Beyond.class Infected: Trojan.Java.StartPage.g skipped
C:\Documents and Settings\sejpalk\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-7a912fd2-4284c9f5.zip/A.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\sejpalk\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-7a912fd2-4284c9f5.zip ZIP: infected - 2 skipped
C:\Documents and Settings\sejpalk\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-66caba6e-2f825aa0.zip/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\sejpalk\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-66caba6e-2f825aa0.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\sejpalk\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-66caba6e-2f825aa0.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Documents and Settings\sejpalk\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-66caba6e-2f825aa0.zip ZIP: infected - 3 skipped
C:\Documents and Settings\sejpalk\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d691a6b-7bde3043.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\sejpalk\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d691a6b-7bde3043.zip ZIP: infected - 1 skipped
C:\Documents and Settings\sejpalk\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-79a959e8-223c5275.zip/BnnnnBaa.class Infected: Trojan.Java.ClassLoader.as skipped
C:\Documents and Settings\sejpalk\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-79a959e8-223c5275.zip/VaannnaaBaa.class Infected: Trojan.Java.ClassLoader.as skipped
C:\Documents and Settings\sejpalk\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-79a959e8-223c5275.zip/Bnnnnn.class Infected: Trojan.Java.ClassLoader.as skipped
C:\Documents and Settings\sejpalk\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-79a959e8-223c5275.zip ZIP: infected - 3 skipped
C:\Documents and Settings\sejpalk\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5f2e21cd-6d47f4fe.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\sejpalk\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5f2e21cd-6d47f4fe.zip ZIP: infected - 1 skipped
C:\Documents and Settings\sejpalk\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-3b070a2d-3f7e6805.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\sejpalk\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-3b070a2d-3f7e6805.zip ZIP: infected - 1 skipped
C:\Documents and Settings\sejpalk\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-6ab9389-1967f825.zip/BnnnnBaa.class Infected: Trojan.Java.ClassLoader.as skipped
C:\Documents and Settings\sejpalk\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-6ab9389-1967f825.zip/VaannnaaBaa.class Infected: Trojan.Java.ClassLoader.as skipped
C:\Documents and Settings\sejpalk\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-6ab9389-1967f825.zip/Bnnnnn.class Infected: Trojan.Java.ClassLoader.as skipped
C:\Documents and Settings\sejpalk\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-6ab9389-1967f825.zip ZIP: infected - 3 skipped
C:\Documents and Settings\sejpalk\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b44b06f-2047627a.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\sejpalk\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b44b06f-2047627a.zip ZIP: infected - 1 skipped
C:\Documents and Settings\sejpalk\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-357e5283-78a2b361.zip/BnnnnBaa.class Infected: Trojan.Java.ClassLoader.as skipped
C:\Documents and Settings\sejpalk\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-357e5283-78a2b361.zip/VaannnaaBaa.class Infected: Trojan.Java.ClassLoader.as skipped
C:\Documents and Settings\sejpalk\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-357e5283-78a2b361.zip/Bnnnnn.class Infected: Trojan.Java.ClassLoader.as skipped
C:\Documents and Settings\sejpalk\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-357e5283-78a2b361.zip ZIP: infected - 3 skipped
C:\Documents and Settings\sejpalk\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-bb35ef1-1e3dfa08.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\sejpalk\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-bb35ef1-1e3dfa08.zip ZIP: infected - 1 skipped
C:\Documents and Settings\sejpalk\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-a1d8dd7-2b57aebe.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\sejpalk\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-a1d8dd7-2b57aebe.zip ZIP: infected - 1 skipped
C:\Documents and Settings\sejpalk\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-7b703317-20fee2df.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\sejpalk\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-7b703317-20fee2df.zip ZIP: infected - 1 skipped
C:\Documents and Settings\sejpalk\Application Data\3M\PSNotes\PSNData Object is locked skipped
C:\Program Files\2Wire HomePortal Monitor\HomePortal Monitor_Debug.txt Object is locked skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP11\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\drivers\sptddrv1.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\AppCert\prx93f_.dll Infected: SpamTool.Win32.Agent.et skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\kjcyerry.dat.vir Infected: Rootkit.Win32.Agent.aap skipped
C:\QooBox\Quarantine\catchme2008-02-25_211559.70.zip/kjcyerry.dat Infected: Rootkit.Win32.Agent.aap skipped
C:\QooBox\Quarantine\catchme2008-02-25_211559.70.zip/kjcyerry.dat.1 Infected: Rootkit.Win32.Agent.aap skipped
C:\QooBox\Quarantine\catchme2008-02-25_211559.70.zip ZIP: infected - 2 skipped

Scan process completed.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:36, on 2008-02-26
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\2Wire HomePortal Monitor\2portalmon.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\3M\PSNLite\PsnLite.exe
C:\PROGRA~1\3M\PSNLite\PSNGive.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nsulaw.nova.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O3 - Toolbar: (no name) - {933A4C16-2070-7C84-4C09-121E8A304FF9} - (no file)
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPKMAPHELPER] "C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMLREF] "C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE"
O4 - HKLM\..\Run: [BMMMONWND] "rundll32.exe" C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [UC_Start] "C:\Program Files\IBM\Updater\\ucstartup.exe"
O4 - HKLM\..\Run: [ibmmessages] "C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe"
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\Scansoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\Scansoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [SetDefPrt] "C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe"
O4 - HKLM\..\Run: [BJCFD] "C:\Program Files\BroadJump\Client Foundation\CFD.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire HomePortal Monitor\2portalmon.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [QCWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\bak\QCTray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - c:\program files\PartyGaming\PartyCasino\RunCasino.exe
O9 - Extra 'Tools' menuitem: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - c:\program files\PartyGaming\PartyCasino\RunCasino.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - https://www-307.ibm.com/pc/support/a...tent/AcpIR.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by1fd.bay1.hotmail.msn.com/re...s/MsnPUpld.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1174625079780
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www-307.ibm.com/pc/support/a...t/IbmEgath.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://outlook.rothmanlawoffices.com/Remote/msrdp.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {97AFC0D9-660E-4ACE-B025-46FD64AE335A} (EmailImport.EmailImportControl) - http://www.friendster.com/emailimpor...mailimport.cab
O16 - DPF: {BE415DD9-C50D-46AA-9B5D-37F2EEBBBFE6} (acpRunner Class) - https://www-307.ibm.com/pc/support/a...AcpControl.cab
O16 - DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} (Java Plug-in 1.4.2_06) -
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = law.nova.edu
O17 - HKLM\Software\..\Telephony: DomainName = law.nova.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = law.nova.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = law.nova.edu
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

--
End of file - 12515 bytes

Ried · 02-27-2008, 07:23 AM

Quote:

I should also let you know that when i start up in normal mode i get this message: QCTray.exe - Unable To Locate Component
This application has failed to start because QCON.dll was not found

Simply put, AWF moves legit files running at startup and replaces them with it's own 'imposter' copy of that file. One of your onboard tools detected these imposters, and deleted them, but left the startup entry orphaned. QCTray.exe was replaced in the last round, but I see the startup is still running from the bak folder. Let's try this again, along with the rest that need to be moved back into place.

Double-click FindAWF.exe to start the tool.

Select option #2 - Restore files from bak folders bu typing 2 and press 'Enter'
A text file will open up. Please copy/paste the following bolded text into the text file:

"C:\Program Files\IBM\Messages By IBM\bak\ibmmessages.exe"
"C:\ibmtools\utils\bak\ibmprc.exe"
"C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
"C:\Program Files\IBM\Updater\bak\ucstartup.exe"
"C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe"
"C:\Program Files\Support.com\BellSouth\bak\hcenter.exe"
"C:\PROGRA~1\ThinkPad\CONNEC~1\bak\QCTray.exe"
Close the .txt file and click 'Yes' to save the changes.
When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt here.

-----------------------------------------

Run a new scan with dss.exe and post the main.txt along with the awf.txt

-----------------------------------------

While you're waiting for me to review the new reports, your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update. (this will also take care of the Kaspersky findings)

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 6u4.
Scroll down to where it says "The Java SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
In the pull down menu next to Platform select Windows
Check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement"
Click Continue
Click on the link to download Windows Offline Installation and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u4-windowsi586-p.exe to install the newest version.

RLO2007 · 02-27-2008, 04:58 PM

After i pasted what you told me to in FindAWF.exe and clicked yes i got this message:
16 bit MS-DOS Subsystem (this was the title of the box that popped up)
C:\Documents and Settings\sejpalkDesktop\FindAWF.exe
C:\WINDOWS\SYSTEM32\AUTOEXEC.NT. The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose 'Close' to terminate this program.

Anyway here is the AWF.txt log:

Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: 2008-02-27
The current time is: 18:46:51.76

bak folders found
~~~~~~~~~~~

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

end of report

Here is the DSS main.txt log:

Deckard's System Scanner v20071014.68
Run by sejpalk on 2008-02-27 18:50:29
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 511 MiB (512 MiB recommended).

-- HijackThis (run as sejpalk.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:50, on 2008-02-27
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\2Wire HomePortal Monitor\2portalmon.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\3M\PSNLite\PsnLite.exe
C:\PROGRA~1\3M\PSNLite\PSNGive.exe
C:\Documents and Settings\sejpalk\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\sejpalk.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nsulaw.nova.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O3 - Toolbar: (no name) - {933A4C16-2070-7C84-4C09-121E8A304FF9} - (no file)
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPKMAPHELPER] "C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMLREF] "C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE"
O4 - HKLM\..\Run: [BMMMONWND] "rundll32.exe" C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [UC_Start] "C:\Program Files\IBM\Updater\\ucstartup.exe"
O4 - HKLM\..\Run: [ibmmessages] "C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe"
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\Scansoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\Scansoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [SetDefPrt] "C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe"
O4 - HKLM\..\Run: [BJCFD] "C:\Program Files\BroadJump\Client Foundation\CFD.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire HomePortal Monitor\2portalmon.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [QCWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\bak\QCTray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - c:\program files\PartyGaming\PartyCasino\RunCasino.exe
O9 - Extra 'Tools' menuitem: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - c:\program files\PartyGaming\PartyCasino\RunCasino.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - https://www-307.ibm.com/pc/support/a...tent/AcpIR.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by1fd.bay1.hotmail.msn.com/re...s/MsnPUpld.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1174625079780
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www-307.ibm.com/pc/support/a...t/IbmEgath.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://outlook.rothmanlawoffices.com/Remote/msrdp.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {97AFC0D9-660E-4ACE-B025-46FD64AE335A} (EmailImport.EmailImportControl) - http://www.friendster.com/emailimpor...mailimport.cab
O16 - DPF: {BE415DD9-C50D-46AA-9B5D-37F2EEBBBFE6} (acpRunner Class) - https://www-307.ibm.com/pc/support/a...AcpControl.cab
O16 - DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} (Java Plug-in 1.4.2_06) -
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = law.nova.edu
O17 - HKLM\Software\..\Telephony: DomainName = law.nova.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = law.nova.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = law.nova.edu
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

--
End of file - 12637 bytes

-- Files created between 2008-01-27 and 2008-02-27 -----------------------------

2008-02-26 21:58:41 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-26 21:58:39 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-26 21:54:28 0 d-------- C:\Program Files\Common Files\Java
2008-02-25 21

58 0 d-------- C:\cmdcons
2008-02-25 21:05:40 68096 --a------ C:\WINDOWS\system32\zip.exe
2008-02-25 21:05:40 98816 --a------ C:\WINDOWS\system32\sed.exe
2008-02-25 21:05:40 80412 --a------ C:\WINDOWS\system32\grep.exe
2008-02-25 21:05:40 73728 --a------ C:\WINDOWS\system32\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-02-15 17:55:32 0 d-------- C:\Program Files\Trend Micro
2008-02-10 18:11:20 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-10 18:10:43 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-04 18:01:38 0 d--h----- C:\Documents and Settings\TEMP\Templates
2008-02-04 18:01:38 0 dr------- C:\Documents and Settings\TEMP\Start Menu
2008-02-04 18:01:38 0 dr-h----- C:\Documents and Settings\TEMP\SendTo
2008-02-04 18:01:38 0 dr-h----- C:\Documents and Settings\TEMP\Recent
2008-02-04 18:01:38 0 d--h----- C:\Documents and Settings\TEMP\PrintHood
2008-02-04 18:01:38 0 d--h----- C:\Documents and Settings\TEMP\NetHood
2008-02-04 18:01:38 0 dr------- C:\Documents and Settings\TEMP\My Documents
2008-02-04 18:01:38 0 d--h----- C:\Documents and Settings\TEMP\Local Settings
2008-02-04 18:01:38 0 dr------- C:\Documents and Settings\TEMP\Favorites
2008-02-04 18:01:38 0 d-------- C:\Documents and Settings\TEMP\Desktop
2008-02-04 18:01:38 0 d--hs---- C:\Documents and Settings\TEMP\Cookies
2008-02-04 18:01:38 0 dr-h----- C:\Documents and Settings\TEMP\Application Data
2008-02-04 18:01:38 0 d-------- C:\Documents and Settings\TEMP\Application Data\Symantec
2008-02-04 18:01:38 0 d-------- C:\Documents and Settings\TEMP\Application Data\Sonic
2008-02-04 18:01:38 0 d---s---- C:\Documents and Settings\TEMP\Application Data\Microsoft
2008-02-04 18:01:38 0 d-------- C:\Documents and Settings\TEMP\Application Data\Identities
2008-02-04 18:01:37 786432 --ah----- C:\Documents and Settings\TEMP\NTUSER.DAT

-- Find3M Report ---------------------------------------------------------------

2008-02-19 18:35:26 36608 --a------ C:\WINDOWS\system32\lojhyhtq.dat
2008-02-06 18:46:22 120576 --a------ C:\WINDOWS\system32\glpmuoap.dat
2008-02-04 18:39:44 42752 --a------ C:\WINDOWS\system32\ywmbypej.dat
2007-12-11 17:48:16 35072 --a------ C:\WINDOWS\system32\zhqvhhco.dat
2007-12-11 17:48:16 1188375 --a------ C:\WINDOWS\system32\libeay32.dll <Not Verified; OpenSSL <www.openssl.org>; OpenSSL>
2007-12-11 17:48:14 246545 --a------ C:\WINDOWS\system32\libssl32.dll <Not Verified; OpenSSL <www.openssl.org>; OpenSSL>
2007-12-11 17:48:12 741632 --a------ C:\WINDOWS\system32\lcjpliyp.dat

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"S3TRAY2"="S3Tray2.exe" [2001-10-12 02:32 C:\WINDOWS\system32\S3Tray2.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-11-19 12:56]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-11-19 12:56]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 19:24 C:\WINDOWS\system32\Ati2mdxx.exe]
"BluetoothAuthenticationAgent"="rundll32.exe" [2004-08-04 03:56 C:\WINDOWS\system32\rundll32.exe]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2004-02-04 18:39]
"TpShocks"="TpShocks.exe" [2003-12-17 14:12 C:\WINDOWS\system32\TpShocks.exe]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2004-03-10 13:10]
"BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [2003-12-25 04:36]
"BMMMONWND"="rundll32.exe" [2004-08-04 03:56 C:\WINDOWS\system32\rundll32.exe]
"TP4EX"="tp4ex.exe" [2002-09-04 04:05 C:\WINDOWS\system32\TP4EX.exe]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2003-12-25 05:04]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-02-11 00:10]
"UC_Start"="C:\Program Files\IBM\Updater\\ucstartup.exe" [2003-09-30 18:39]
"ibmmessages"="C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe" [2004-01-20 17:28]
"UpdateManager"="c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 04:01]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-10-22 04:04]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2003-12-25 04:36]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2003-09-29 07:10]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2003-09-10 03:11]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-06-28 14:27]
"IBMPRC"="C:\IBMTOOLS\UTILS\ibmprc.exe" [2004-03-19 12:12]
"PaperPort PTD"="C:\Program Files\Scansoft\PaperPort\pptd40nt.exe" [2002-08-12 09:33]
"IndexSearch"="C:\Program Files\Scansoft\PaperPort\IndexSearch.exe" [2002-08-12 10:07]
"SetDefPrt"="C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe" [2003-07-03 15:31]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 21:26]
"2wSysTray"="C:\Program Files\2Wire HomePortal Monitor\2portalmon.exe" [2003-10-13 07:19]
"tgcmd"="C:\Program Files\Support.com\BellSouth\hcenter.exe" [2004-07-25 14:45]
"QCWLIcon"="C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2004-05-19 03:21]
"QCTray"="C:\PROGRA~1\ThinkPad\CONNEC~1\bak\QCTray.exe" [2004-05-19 03:21]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"ibmmessages"="C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" [2004-01-20 17:28]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2004-06-15 13:21:48]
Post-itr Software Notes Lite.lnk - C:\Program Files\3M\PSNLite\PsnLite.exe [2004-10-15 14:26:54]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
QConGina.dll 2004-05-19 03:21 94208 C:\WINDOWS\system32\QConGina.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

-- End of Deckard's System Scanner: finished at 2008-02-27 18:51:00 ------------

Also i did remove the old java and install the new java as you had instructed as part of the last things you told me to do.

Ried · 02-27-2008, 05:10 PM

Even though you received the error message with FindAWF, it apparently completed the moves as I do see the files now where they belong.

If you look at the Registry Dump portions of the main.txt or the ComboFix.txt, you'll see that all the ones we just moved previously had empty brackets after the file name--which meant they were missing. This lates main.txt shows the file, along with the date. Example:

Before:

Quote:

"ibmmessages"="C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe" []

After:

Quote:

"ibmmessages"="C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe" [2004-01-20 17:28]

Please go to: VirusTotal

On the page you'll find a "Browse" button.
Next to the browse button you'll see a box to enter text.
Please copy/paste the following file path into that box:

C:\WINDOWS\system32\glpmuoap.dat
Then click the "Send File " button just below.
This will scan the file. Please be patient.
Once scanned, copy and paste the results in your next reply.

RLO2007 · 02-27-2008, 05:21 PM

Is it supposed to pop up a log or do i copy directly of the webpage?

RLO2007 · 02-27-2008, 05:26 PM

I figured to just copy and paste from the webpage.

File glpmuoap.dat received on 02.28.2008 01:16:52 (CET)
Current status: finished

Result: 0/32 (0.00%)
Compact Print results
Antivirus Version Last Update Result
AhnLab-V3 2008.2.27.0 2008.02.27 -
AntiVir 7.6.0.67 2008.02.27 -
Authentium 4.93.8 2008.02.27 -
Avast 4.7.1098.0 2008.02.27 -
AVG 7.5.0.516 2008.02.27 -
BitDefender 7.2 2008.02.28 -
CAT-QuickHeal 9.50 2008.02.26 -
ClamAV 0.92.1 2008.02.27 -
DrWeb 4.44.0.09170 2008.02.27 -
eSafe 7.0.15.0 2008.02.26 -
eTrust-Vet 31.3.5569 2008.02.27 -
Ewido 4.0 2008.02.27 -
FileAdvisor 1 2008.02.28 -
Fortinet 3.14.0.0 2008.02.27 -
F-Prot 4.4.2.54 2008.02.27 -
F-Secure 6.70.13260.0 2008.02.27 -
Ikarus T3.1.1.20 2008.02.27 -
Kaspersky 7.0.0.125 2008.02.27 -
McAfee 5239 2008.02.27 -
Microsoft 1.3301 2008.02.27 -
NOD32v2 2906 2008.02.27 -
Norman 5.80.02 2008.02.27 -
Panda 9.0.0.4 2008.02.27 -
Prevx1 V2 2008.02.28 -
Rising 20.33.22.00 2008.02.27 -
Sophos 4.27.0 2008.02.27 -
Sunbelt 3.0.893.0 2008.02.23 -
Symantec 10 2008.02.28 -
TheHacker 6.2.9.229 2008.02.25 -
VBA32 3.12.6.2 2008.02.27 -
VirusBuster 4.3.26:9 2008.02.27 -
Webwasher-Gateway 6.6.2 2008.02.27 -
Additional information
File size: 120576 bytes
MD5: 6784bc76907b41582eb7c0c32c56ec68
SHA1: 92f9d79896b2f391d6feb13bf9bb5855b9fc82c3
PEiD: -

Ried · 02-27-2008, 08:13 PM

Thank you. Your logs are coming up clean. How is the system behaving?

Are you still getting that error message at start up "QCON.dll was not found "

RLO2007 · 02-28-2008, 03:56 PM

I am still recieving the error message at start up. I believe the system is better since i havent experienced any redirection when using google.

Ried · 02-28-2008, 08:32 PM

This entry is still running from the bak folder. Let's see if moving the file to the proper location fixes this error.

Open Notepad and copy/paste the contents in the code box below, into Notepad.

Quote:

@echo off
move "C:\Program Files\ThinkPad\ConnectUtilities\bak\QCTray.exe" "C:\Program Files\ThinkPad\ConnectUtilities"

Save this as move.bat Choose to "Save type as - All Files"
It should look like this:

Double click on move.bat & allow it to run. It will be very quick--this is normal.

------------------------

Reboot your system.

------------------------

Please run a new scan with HijackThis.exe so I can verify the move completed as planned. Also let me know if you are still receiving the error message at boot up.

02-12-2008, 11:50 AM	#2 (permalink)
RLO2007 Registered User Join Date: Feb 2008 Posts: 31 OS: XP pro	Re: IE and registry problems Bump...

02-18-2008, 03:35 PM	#4 (permalink)
RLO2007 Registered User Join Date: Feb 2008 Posts: 31 OS: XP pro	Re: IE and registry problems Bumping for the third time... Please let me know if you can help me.

02-21-2008, 03:54 PM	#5 (permalink)
RLO2007 Registered User Join Date: Feb 2008 Posts: 31 OS: XP pro	Re: IE and registry problems Bump.

02-25-2008, 08:29 AM	#6 (permalink)
RLO2007 Registered User Join Date: Feb 2008 Posts: 31 OS: XP pro	Re: IE and registry problems Bumping again. Please can you let me know if you can help me. It has been over 2 weeks since my initial post.

02-25-2008, 10:22 AM	#7 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,970 OS: WinXP and Vista	Re: IE and registry problems Hello RLO2007. Our apologies for the oversight of your thread, and thank you for your kind patience. We'll begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool: http://www.bleepingcomputer.com/comb...o-use-combofix When the tool is finished, it will produce a report for you. Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

02-26-2008, 10:13 AM	#9 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,970 OS: WinXP and Vista	Re: IE and registry problems Hello RLO2007, We have quite a bit to do here. SpywareBeGone is a rogue program. I've included it's removal in the set of fixes below. Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions. Also be sure to carry out the instructions in the sequence listed below. ************************************************* Download: ResetProtocolDefaults.reg and save it to your desktop. If you are using FireFox, right click the link and select 'Save File As' -------------------------------------------------------------------- Please reboot your computer in Safe Mode by doing the following: 1) Restart your computer 2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8. 3) Instead of Windows loading as normal, a menu should appear 4) Use the up arrow key to highlight Safe Mode and press Enter. 5) Login with your usual account. Make sure to close any open browsers. -------------------------------------------------------------------- Double-click FindAWF.exe to start the tool. Select option #2 - Restore files from bak folders by typing 2 and press 'Enter' A text file will open up. Please copy/paste the following bolded text into the text file: ( be sure to include the quote marks around those file paths) "C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe" "C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe" "C:\Program Files\ThinkPad\ConnectUtilities\bak\QCTRAY.EXE" "C:\Program Files\ThinkPad\ConnectUtilities\bak\QCWLICON.EXE" "C:\Program Files\ThinkPad\PkgMgr\HOTKEY\bak\TPHKMGR.exe" "C:\Program Files\ThinkPad\Utilities\bak\TpKmapAp.exe" "C:\Program Files\ThinkPad\Utilities\bak\BMMLREF.EXE" "C:\Program Files\ThinkPad\Utilities\bak\EzEjMnAp.Exe" "C:\Program Files\Network Associates\Common Framework\bak\UpdaterUI.exe" "C:\Program Files\QuickTime\bak\qttask.exe" "C:\Program Files\Scansoft\PaperPort\bak\pptd40nt.exe" "C:\Program Files\Scansoft\PaperPort\bak\IndexSearch.exe" "C:\Program Files\Brother\Brmfl03a\bak\BrStDvPt.exe" "C:\Program Files\BroadJump\Client Foundation\bak\CFD.exe" "C:\Program Files\2Wire HomePortal Monitor\bak\2portalmon.exe" "C:\WINDOWS\system32\dla\bak\tfswctrl.exe" Close the .txt file and click 'Yes' to save the changes. When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt in your next reply. -------------------------------------------------------------- Double-click FindAWF.exe to start the tool once again. Select option #4 - Reset Domain Zones by typing 4 and press 'Enter' You will be prompted to answer "Reset the domain zones?" Type 1 and press Enter. After completion, then type E and press 'Enter' Note: if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection. ------------------------------------------------------------------------------------- Locate "ResetProtocolDefaults.reg" on your desktop. Right-click and select Merge (Ok the prompt) ------------------------------------------------------------------------------------- Reboot back into Normal Mode. ------------------------------------------------------------------------------------- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. --------------------------------------------------------------------- Open notepad and copy/paste the text in the code box below into it: Code: Folder:: C:\FOUND.014 C:\FOUND.013 C:\FOUND.012 C:\FOUND.011 C:\FOUND.010 Registry:: [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7F9A8820-0A8F-80B9-BE66-3A1437FA4593}] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] {933A4C16-2070-7C84-4C09-121E8A304FF9}=- [-HKEY_CLASSES_ROOT\clsid\{933a4c16-2070-7c84-4c09-121e8a304ff9}] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Spyware Begone"=- "nycd34xzfb"=- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "nycd34xzfb"=- [-HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls] Save this as CFScript.txt, in the same location as ComboFix.exe Refering to the picture above, drag CFScript into ComboFix.exe When finished, it shall produce a log for you at C:\ComboFix.txt -------------------------------------------------------------------- Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update. Updating Java: Download the latest version of Java Runtime Environment (JRE) 6u4. Scroll down to where it says "The Java SE Runtime Environment (JRE) allows end-users to run Java applications". Click the "Download" button to the right. In the pull down menu next to Platform select Windows Check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement" Click Continue Click on the link to download Windows Offline Installation and save to your desktop. Close any programs you may have running - especially your web browser. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java versions. Reboot your computer once all Java components are removed. Then from your desktop double-click on jre-6u4-windowsi586-p.exe to install the newest version. ------------------------------------------------------------ fNow please run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run it's full course: Using Internet Explorer, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html Answer Yes, when prompted to install an ActiveX component. The program will then begin downloading the latest definition files. Once the files have been downloaded click on NEXT Locate the Scan Settings button & configure to: Scan using the following Anti-Virus database: Extended Scan Options: Scan Archives Scan Mail Bases Click OK & have it scan My Computer Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply * Turn off the real time scanner of any existing antivirus program while performing the online scan -------------------------------------------------------------------- Run a new scan with HijackThis and save the log. -------------------------------------------------------------------- Please include the following in your next reply: awf.txt C:\ComboFix.txt Kaspersky results New HijackThis log __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

02-26-2008, 11:05 AM	#10 (permalink)
RLO2007 Registered User Join Date: Feb 2008 Posts: 31 OS: XP pro	Re: IE and registry problems Do i have to download FindAWF.exe? If so where do i find it? I am currently at work so i will do this tonight.

02-26-2008, 11:09 AM	#11 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,970 OS: WinXP and Vista	Re: IE and registry problems Oh my goodness--sorry about that. Please download FindAWF to your Desktop. (Alternate link http://noahdfear.geekstogo.com/FindAWF.exe) __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

02-27-2008, 05:21 PM	#16 (permalink)
RLO2007 Registered User Join Date: Feb 2008 Posts: 31 OS: XP pro	Re: IE and registry problems Is it supposed to pop up a log or do i copy directly of the webpage?

02-27-2008, 05:26 PM	#17 (permalink)
RLO2007 Registered User Join Date: Feb 2008 Posts: 31 OS: XP pro	Re: IE and registry problems I figured to just copy and paste from the webpage. File glpmuoap.dat received on 02.28.2008 01:16:52 (CET) Current status: finished Result: 0/32 (0.00%) Compact Print results Antivirus Version Last Update Result AhnLab-V3 2008.2.27.0 2008.02.27 - AntiVir 7.6.0.67 2008.02.27 - Authentium 4.93.8 2008.02.27 - Avast 4.7.1098.0 2008.02.27 - AVG 7.5.0.516 2008.02.27 - BitDefender 7.2 2008.02.28 - CAT-QuickHeal 9.50 2008.02.26 - ClamAV 0.92.1 2008.02.27 - DrWeb 4.44.0.09170 2008.02.27 - eSafe 7.0.15.0 2008.02.26 - eTrust-Vet 31.3.5569 2008.02.27 - Ewido 4.0 2008.02.27 - FileAdvisor 1 2008.02.28 - Fortinet 3.14.0.0 2008.02.27 - F-Prot 4.4.2.54 2008.02.27 - F-Secure 6.70.13260.0 2008.02.27 - Ikarus T3.1.1.20 2008.02.27 - Kaspersky 7.0.0.125 2008.02.27 - McAfee 5239 2008.02.27 - Microsoft 1.3301 2008.02.27 - NOD32v2 2906 2008.02.27 - Norman 5.80.02 2008.02.27 - Panda 9.0.0.4 2008.02.27 - Prevx1 V2 2008.02.28 - Rising 20.33.22.00 2008.02.27 - Sophos 4.27.0 2008.02.27 - Sunbelt 3.0.893.0 2008.02.23 - Symantec 10 2008.02.28 - TheHacker 6.2.9.229 2008.02.25 - VBA32 3.12.6.2 2008.02.27 - VirusBuster 4.3.26:9 2008.02.27 - Webwasher-Gateway 6.6.2 2008.02.27 - Additional information File size: 120576 bytes MD5: 6784bc76907b41582eb7c0c32c56ec68 SHA1: 92f9d79896b2f391d6feb13bf9bb5855b9fc82c3 PEiD: -

02-27-2008, 08:13 PM	#18 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,970 OS: WinXP and Vista	Re: IE and registry problems Thank you. Your logs are coming up clean. How is the system behaving? Are you still getting that error message at start up "QCON.dll was not found " __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

02-28-2008, 03:56 PM	#19 (permalink)
RLO2007 Registered User Join Date: Feb 2008 Posts: 31 OS: XP pro	Re: IE and registry problems I am still recieving the error message at start up. I believe the system is better since i havent experienced any redirection when using google.