WindowsBBS > Security > Malware and Virus Removal
19th July 2008, #1, sovapid (Member)

Another Infostealer.Gampass infection

I've searched on the site and tried using previous threads to no avail.

System is Windows XP Service Pack 2.

As soon as I open Firefox, Symantec Auto-Protect pops up and begins listing Infostealer.Gampass files that it has deleted. These files are usually shown as .gif files, but I have seen .dlls listed.

Since most of the threads have shown running ComboFix to be one of the first steps, I downloaded it and ran it. After the system reboots, it comes up and says it is preparing log files. It never finishes though. I have let it sit for over an hour and nothing happens. I did (or at least I think I did) disable all of the applications that would interfere with it.

I was not able to figure out how to get the Symantec icon out of the system tray, but I'm pretty sure it was not running anything. I disabled all of the Symantec services in the control panel and shut off everything I could find in the start up config.

Anyways, here is the log from the dss/hijackThis tool:

Deckard's System Scanner v20071014.68
Run by steve.smith on 2008-07-18 18:47:43
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as steve.smith.exe) ------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:47, on 2008-07-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Novell\XTAgent.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\WINDOWS\system32\svchost.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\VMware\VMware Server\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\VMware\VMware Server\vmserverdWin32.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\steve.smith\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\SEANNE~1.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://myportal.perficient.com:10038/wps/portal
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: DebugBar BHO - {69FC0024-10EB-480A-BBF2-3BF4E78E17B1} - C:\Program Files\Core Services\DebugBar\DebugInfoBar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: IE Developer Toolbar BHO - {CC7E636D-39AA-49b6-B511-65413DA137A1} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O3 - Toolbar: DebugBar - {3E1201F4-1707-409F-BB45-A5F192381DA0} - C:\Program Files\Core Services\DebugBar\DebugToolBar.dll
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
O4 - Global Startup: HP Image Zone Fast Start.lnk.disabled
O4 - Global Startup: VPN Client.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra button: IE Developer Toolbar - {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O9 - Extra button: IEWatch Professional - {78E5BB46-9A20-402F-BA66-B5634D177D77} - C:\Program Files\IEWatch\IEWatch.dll
O9 - Extra 'Tools' menuitem: IEWatch - {78E5BB46-9A20-402F-BA66-B5634D177D77} - C:\Program Files\IEWatch\IEWatch.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://quickplace.perficient.com/qp2.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://inotes.perficient.com/iNotes6W.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1167765449254
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1167765444223
O16 - DPF: {8BF7B588-F4AC-4A6E-AF63-F664449EED2E} (PDM Plugin2) - http://135.100.200.124:10038/wps/PA_...s/DMPlugin.cab
O16 - DPF: {983A9C21-8207-4B58-BBB8-0EBC3D7C5505} (Domino Web Access 8 Control) - http://inotes.perficient.com/dwa8W.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - http://inotes.perficient.com/dwa7W.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = perficient.com
O17 - HKLM\Software\..\Telephony: DomainName = perficient.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = perficient.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = perficient.com
O21 - SSODL: DesktopWin - {DA191DE0-AA86-4ED0-4B87-292A3D48BE99} - C:\WINDOWS\AppPatch\DesktopWin.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apache2.2 - Apache Software Foundation - C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: System Update (SUService) - - c:\program files\lenovo\system update\suservice.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware Registration Service (vmserverdWin32) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmserverdWin32.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: Novell XTier Agent Services (XTAgent) - Novell, Inc. - C:\WINDOWS\System32\Novell\XTAgent.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/SEAN~1.NEW/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 12012 bytes

-- Files created between 2008-06-18 and 2008-07-18 -----------------------------

2008-07-18 15:33:58 18048 --a------ C:\WINDOWS\system32\drivers\eth8023.sys
2008-07-18 15:33:23 36 --a------ C:\WINDOWS\system32\qbhxaklo.sys
2008-07-18 15:14:09 53248 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-07-18 15:10:12 68096 --a------ C:\WINDOWS\zip.exe
2008-07-18 15:10:12 49152 --a------ C:\WINDOWS\VFind.exe
2008-07-18 15:10:12 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-18 15:10:12 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-18 15:10:12 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-18 15:10:12 98816 --a------ C:\WINDOWS\sed.exe
2008-07-18 15:10:12 80412 --a------ C:\WINDOWS\grep.exe
2008-07-18 15:10:12 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-18 14:30:26 0 d-------- C:\Program Files\Trend Micro
2008-07-18 14:08:13 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-18 12:44:19 0 d-------- C:\Program Files\Lavasoft
2008-07-18 12:04:58 0 d-------- C:\Program Files\Enigma Software Group
2008-07-17 18:46:04 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-07-17 18:45:57 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-07-12 16:07:43 0 d-------- C:\Program Files\iPod
2008-07-04 21:39:52 0 d-------- C:\TSO
2008-06-22 12:27:41 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-06-18 19:21:23 0 d-------- C:\Documents and Settings\steve.smith\Application Data\ICAClient


-- Find3M Report ---------------------------------------------------------------

2008-07-18 18:34:38 0 d-------- C:\Program Files\Symantec AntiVirus
2008-07-18 13:38:40 0 d-------- C:\Program Files\Common Files
2008-07-18 13:35:29 0 d-------- C:\Program Files\MySpace
2008-07-18 13:34:44 0 d-------- C:\Program Files\PokerStars
2008-07-18 12:43:39 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-17 18:57:10 0 d-------- C:\Documents and Settings\steve.smith\Application Data\skypePM
2008-07-12 16:08:10 0 d-------- C:\Program Files\iTunes
2008-07-12 15:57:39 0 d-------- C:\Program Files\Apple Software Update
2008-07-04 21:41:48 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-30 14:32:55 0 d-------- C:\Documents and Settings\steve.smith\Application Data\AdobeUM
2008-06-22 12:27:29 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-18 19:19:39 0 d-------- C:\Program Files\Citrix
2008-06-15 10:22:28 0 d-------- C:\Program Files\Bonjour
2008-06-15 10:22:07 0 d-------- C:\Program Files\QuickTime
2008-06-15 10:18:47 0 d-------- C:\Program Files\Common Files\Apple
2008-06-12 11:26:59 0 d-------- C:\Program Files\IEWatch
2008-05-28 17:22:56 0 d-------- C:\Program Files\JXplorer


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{69FC0024-10EB-480A-BBF2-3BF4E78E17B1}]
2008-03-11 06:04 946176 --a------ C:\Program Files\Core Services\DebugBar\DebugInfoBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TpShocks"="TpShocks.exe" [2006-03-15 21:04 C:\WINDOWS\system32\TpShocks.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 16:17]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 16:16]
"TVT Scheduler Proxy"="C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2006-03-28 06:01]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 22:33]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-19 05:33]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk.disabled [2008-06-22 12:27:55]
HP Digital Imaging Monitor.lnk.disabled [2007-05-04 18:14:39]
HP Image Zone Fast Start.lnk.disabled [2007-05-04 18:16:20]
VPN Client.lnk.disabled [2008-07-18 15:50:28]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{7914E0AA-ECCB-4311-B584-C49538227824}"= C:\WINDOWS\system32\jhfrxz.dll [ ]
"{73AE86E6-7F03-4C3B-8980-FB1DA157D3C7}"= C:\WINDOWS\system32\fmcvxy.dll [ ]
"{53D44DB6-E22B-4B17-97D3-572C96CCA6E1}"= C:\WINDOWS\system32\zsdgff.dll [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"DesktopWin"= {DA191DE0-AA86-4ED0-4B87-292A3D48BE99} - C:\WINDOWS\AppPatch\DesktopWin.dll [2008-07-17 18:40 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
ckpNotify.dll 2004-12-16 15:33 24672 C:\WINDOWS\system32\ckpNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NetIdentity Notification]
C:\WINDOWS\system32\Novell\XtNotify.dll 2005-09-08 16:14 24576 C:\WINDOWS\system32\Novell\xtnotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
C:\WINDOWS\system32\psqlpwd.dll 2006-12-08 20:44 89600 C:\WINDOWS\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
"RssReader"=C:\Program Files\RssReader\RssReader.exe
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"AppleSyncNotifier"=C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"Perficient IT Collect"=c:\program files\Perficient IT\Collect\collect.exe
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
"HP Software Update"="c:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
"ISUSPM Startup"=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c9d2fd47-5567-11dc-9ec3-00197de7b1ad}]
AutoRun\command- F:\JDLightning\Windows\JDLightning.exe




-- End of Deckard's System Scanner: finished at 2008-07-18 18:48:12 ------------


Last edited by sovapid; 19th July 2008 at 06:52. Reason: removed real name

19th July 2008, #2, sovapid (Member)

My hosts file was modified at the same time the notices first appeared:



Rest omitted because I'm not sure how helpful it is.

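The poster's hosts file had been rewritten by the infection, which is the part of this thread a defender should check first on any machine with these symptoms: entries that sink security or update domains to a local address stop the antivirus and browser plugins from updating, entries that point those domains elsewhere redirect them. What follows is an added example, not code from the poster or from WindowsBBS: a small Python checker that parses a hosts file and flags update/security domains that are blackholed or redirected, names that are not valid DNS hostnames at all, and clusters of unrelated names pinned to one foreign address. The hosts text inside it is constructed for the example, and the protected-domain list is an assumption to adapt to the products installed.

```python
"""Flag tampered entries in a Windows hosts file.

Added example for this thread, not the poster's or the forum's code. The
patterns a defender looks for are (1) update/security domains sunk to
127.0.0.1 or 0.0.0.0 so AV and plugin updates silently fail, (2) the same
domains pointed at a foreign address, (3) names that are not valid DNS
hostnames, and (4) many unrelated names pinned to one non-local address.
SAMPLE_HOSTS is constructed; PROTECTED_* lists are an assumption, not a
vendor-maintained list.
"""
import ipaddress
import re
from collections import Counter

# Assumption: a short list of domains whose presence in hosts is almost
# never legitimate. Extend it with the update hosts of the products you run.
PROTECTED_DOMAINS = {
    "download.macromedia.com",
    "fpdownload.macromedia.com",
    "update.microsoft.com",
    "windowsupdate.microsoft.com",
}
PROTECTED_SUFFIXES = ("symantec.com", "kaspersky.com", "eset.com", "microsoft.com")

# RFC 1123 hostname: ASCII letters, digits and hyphens, labels up to 63 chars.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
    r"(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$",
    re.IGNORECASE | re.ASCII,
)

# Constructed sample; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# --- constructed tampered entries below ---
127.0.0.1 download.macromedia.com
0.0.0.0 fpdownload.macromedia.com
203.0.113.10 liveupdate.symantec.com
203.0.113.10 www.example-bank.com
198.51.100.7 \u00be\u00a2\u00ce\u00e8\u00cd\u00c5
198.51.100.7 a.example.net
198.51.100.7 b.example.net
198.51.100.7 c.example.net
"""


def parse_hosts(text):
    """Return [(line_no, ip, hostname)] for every mapping; '#' starts a comment."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        entries.extend((line_no, ip, name) for name in names)
    return entries


def is_sink(ip):
    """True for loopback (127/8, ::1) and unspecified (0.0.0.0) addresses."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def is_protected(host):
    h = host.lower()
    return h in PROTECTED_DOMAINS or any(
        h == s or h.endswith("." + s) for s in PROTECTED_SUFFIXES
    )


def classify(entries, cluster_threshold=3):
    """Return [(line_no, ip, host, reason)] for entries worth a look."""
    findings = []
    per_ip = Counter(ip for _, ip, _ in entries if not is_sink(ip))
    for line_no, ip, host in entries:
        if host.lower() == "localhost" and is_sink(ip):
            continue  # the one mapping every hosts file legitimately carries
        if not HOSTNAME_RE.match(host):
            reason = "invalid hostname (garbage or mojibake)"
        elif is_protected(host) and is_sink(ip):
            reason = "update/security domain blackholed"
        elif is_protected(host):
            reason = "update/security domain redirected"
        elif not is_sink(ip) and per_ip[ip] >= cluster_threshold:
            reason = "%d names pinned to one address" % per_ip[ip]
        else:
            continue
        findings.append((line_no, ip, host, reason))
    return findings


def scan_file(path, encoding="cp1252"):
    """Scan a hosts file on disk (XP writes it in the ANSI code page, hence cp1252)."""
    with open(path, encoding=encoding, errors="replace") as fh:
        return classify(parse_hosts(fh.read()))


if __name__ == "__main__":
    for line_no, ip, host, reason in classify(parse_hosts(SAMPLE_HOSTS)):
        print("line %3d  %-15s %-30s %s" % (line_no, ip, host, reason))
```

On the sample the checker reports seven lines and leaves `localhost` and the lone bank entry alone; on a real machine run `scan_file(r"C:\WINDOWS\system32\drivers\etc\hosts")` and review each finding against what was installed on purpose.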
19th July 2008, #3, sovapid (Member)
Running a full Symantec scan did not turn up anything.

I ran KASPERSKY ONLINE SCANNER 7 and it discovered this:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, July 19, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, July 19, 2008 01:07:12
Records in database: 970595
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - Critical Areas:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\sean.newby\Start Menu\Programs\Startup
C:\Program Files
C:\WINDOWS

Scan statistics:
Files scanned: 71247
Threat name: 3
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 01:38:56


File name / Threat name / Threats count
C:\WINDOWS\AppPatch\AclLayer.dll Infected: Trojan-Downloader.Win32.Small.yhf 1
C:\WINDOWS\AppPatch\DesktopWin.dll Infected: Trojan-Downloader.Win32.Small.xwr 1
C:\WINDOWS\system32\nhmxejkl.dll Infected: Trojan-GameThief.Win32.OnLineGames.satg 1

The selected area was scanned.

20th July 2008, #4, noahdfear (Staff)
Welcome to WindowsBBS sovapid

Please delete the ComboFix you currently have and download a fresh copy from here. Save it to your desktop then reboot to safe mode and run it.

The log should be created at C:\ComboFix.txt

If still no log, have a look in C:\Qoobox for any log with ComboFix in its name (will not be in any subfolders of qoobox) and post any found.

20th July 2008, #5, sovapid (Member)
Ran it in safe mode; it took a long time to run. Left it running overnight.

Here is the log:

ComboFix 08-07-19.1 - steve.smith 2008-07-20 1:03:17.4 - NTFSx86 MINIMAL
Running from: C:\Documents and Settings\steve.smith\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\steve.smith\Application Data\macromedia\Flash Player\#SharedObjects\ZTRAC8FL\Broadcaster.com | Home | Viral Video Clips, Live Community, News, Software, Movies, Music, Games, Mobile Media & More
C:\Documents and Settings\steve.smith\Application Data\macromedia\Flash Player\#SharedObjects\ZTRAC8FL\www.broadcaster.com\played_list.sol
C:\Documents and Settings\steve.smith\Application Data\macromedia\Flash Player\#SharedObjects\ZTRAC8FL\www.broadcaster.com\video_queue.sol
C:\Documents and Settings\steve.smith\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#Broadcaster.com | Home | Viral Video Clips, Live Community, News, Software, Movies, Music, Games, Mobile Media & More
C:\Documents and Settings\steve.smith\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Documents and Settings\steve.smith\g2mdlhlpx.exe
C:\WINDOWS\system32\aitlasys.exe
C:\WINDOWS\system32\fstlbsys.sys
C:\WINDOWS\system32\jkhxaklo.dll
C:\WINDOWS\system32\lpmxajkl.exe
C:\WINDOWS\system32\mdm.exe
C:\WINDOWS\system32\rnmxajkl.sys
C:\WINDOWS\system32\wymxajkl.sys
C:\WINDOWS\system32\zptldsys.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-20 to 2008-07-20 )))))))))))))))))))))))))))))))
.

2008-07-19 15:19 . 2008-07-19 15:19 <DIR> d-------- C:\Program Files\COMODO
2008-07-19 15:19 . 2008-07-19 15:19 <DIR> d-------- C:\Documents and Settings\steve.smith\Application Data\Comodo
2008-07-19 15:19 . 2008-07-20 00:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
2008-07-19 15:19 . 2008-07-19 15:19 143,104 --a------ C:\WINDOWS\system32\guard32.dll
2008-07-19 15:19 . 2008-07-19 15:19 87,056 --a------ C:\WINDOWS\system32\drivers\cmdguard.sys
2008-07-19 15:19 . 2008-07-19 15:19 24,208 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
2008-07-18 18:19 . 2008-07-18 18:19 <DIR> d-------- C:\Deckard
2008-07-18 15:33 . 2008-07-18 15:33 18,048 --a------ C:\WINDOWS\system32\drivers\eth8023.sys
2008-07-18 15:33 . 2008-07-18 16:19 36 --a------ C:\WINDOWS\system32\qbhxaklo.sys
2008-07-18 14:30 . 2008-07-18 14:30 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-18 14:08 . 2008-07-18 14:08 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-18 14:08 . 2008-07-18 14:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-18 12:44 . 2008-07-18 12:44 <DIR> d-------- C:\Program Files\Lavasoft
2008-07-18 12:04 . 2008-07-18 14:27 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-07-15 13:04 . 2008-07-15 13:04 268 --ah----- C:\sqmdata12.sqm
2008-07-15 13:04 . 2008-07-15 13:04 244 --ah----- C:\sqmnoopt12.sqm
2008-07-12 16:07 . 2008-07-12 16:07 <DIR> d-------- C:\Program Files\iPod
2008-07-04 21:41 . 1998-09-24 14:03 171,967 --a------ C:\WINDOWS\system32\Odbcjet.hlp
2008-07-04 21:41 . 1998-06-18 01:00 89,360 --a------ C:\WINDOWS\system32\VB5DB.DLL
2008-07-04 21:41 . 1998-09-24 14:03 7,348 --a------ C:\WINDOWS\system32\Odbcjet.cnt
2008-07-04 21:39 . 2008-07-04 21:42 <DIR> d-------- C:\TSO

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-20 04:58 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-07-20 04:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\VMware
2008-07-18 17:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-07-18 17:35 --------- d-----w C:\Program Files\MySpace
2008-07-18 17:34 --------- d-----w C:\Program Files\PokerStars
2008-07-18 16:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-18 16:43 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-17 22:57 --------- d-----w C:\Documents and Settings\steve.smith\Application Data\skypePM
2008-07-12 20:08 --------- d-----w C:\Program Files\iTunes
2008-07-12 19:57 --------- d-----w C:\Program Files\Apple Software Update
2008-07-10 13:35 32,000 ----a-w C:\WINDOWS\system32\drivers\usbaapl.sys
2008-07-05 01:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-30 18:32 --------- d-----w C:\Documents and Settings\steve.smith\Application Data\AdobeUM
2008-06-22 16:27 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-18 23:21 --------- d-----w C:\Documents and Settings\steve.smith\Application Data\ICAClient
2008-06-18 23:19 --------- d-----w C:\Program Files\Citrix
2008-06-15 14:22 --------- d-----w C:\Program Files\QuickTime
2008-06-15 14:22 --------- d-----w C:\Program Files\Bonjour
2008-06-15 14:18 --------- d-----w C:\Program Files\Common Files\Apple
2008-06-12 15:26 --------- d-----w C:\Program Files\IEWatch
2008-05-28 21:22 --------- d-----w C:\Program Files\JXplorer
2008-05-16 15:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-11-27 20:44 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-12-19 14:19 80 --sh--r C:\WINDOWS\system32\BBB2CAA0A2.dll
2004-08-08 19:33 520 --sh--w C:\WINDOWS\system32\vlhxaklo.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 16:17 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 16:16 512000]
"TVT Scheduler Proxy"="C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2006-03-28 06:01 503808]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 22:33 125168]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-19 05:33 127037]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2008-07-19 15:19 1655552]
"TpShocks"="TpShocks.exe" [2006-03-15 21:04 106496 C:\WINDOWS\system32\TpShocks.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk.disabled [2008-06-22 12:27:55 1757]
HP Digital Imaging Monitor.lnk.disabled [2007-05-04 18:14:39 1808]
HP Image Zone Fast Start.lnk.disabled [2007-05-04 18:16:20 798]
VPN Client.lnk.disabled [2008-07-18 15:50:28 2447]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NetIdentity Notification]
2005-09-08 16:14 24576 C:\WINDOWS\system32\Novell\xtnotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-12-08 20:44 89600 C:\WINDOWS\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
2004-12-16 15:33 24672 C:\WINDOWS\system32\ckpNotify.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
"RssReader"=C:\Program Files\RssReader\RssReader.exe
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"AppleSyncNotifier"=C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"acme IT Collect"=c:\program files\acme IT\Collect\collect.exe
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
"HP Software Update"="c:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
"ISUSPM Startup"=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\RAD7\\runtimes\\base_v61\\java\\bin\\java.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\WebSphere\\AppServer\\java\\bin\\java.exe"=
"C:\\RAD7\\jdk\\jre\\bin\\javaw.exe"=
"C:\\IBMOmniFindYahoo\\_jvm\\jre\\bin\\java.exe"=
"C:\\WebSphere\\Documentation\\WebSphere_Help_System\\eclipse\\jre\\bin\\javaw.exe"=
"C:\\Program Files\\Borland\\StarTeam Toolbar\\SBToolbar.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Service.exe"=
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"=
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\scc.exe"=
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SDS.exe"=
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Diagnostics.exe"=
"C:\\WINDOWS\\system32\\java.exe"=
"C:\\Program Files\\IBM\\ISA and ESA\\IBM Support Assistant\\jre\\bin\\javaw.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\lotus\\notes\\framework\\rcp\\eclipse\\plugins\\com.ibm.rcp.j2se.win32.x86_1.5.0.SR6-200802211037\\jre\\bin\\notes2w.exe"=
"C:\\Program Files\\Apache Software Foundation\\Apache2.2\\bin\\httpd.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R0 Shockprf;Shockprf;C:\WINDOWS\system32\drivers\Shockprf.sys [2006-03-15 19:08]
S1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-07-19 15:19]
S1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-07-19 15:19]
S1 ShockMgr;ShockMgr;C:\WINDOWS\system32\drivers\ShockMgr.sys [2005-06-20 14:18]
S2 cdralw;NVIDIA Compatible Windows Miniport Driver;C:\WINDOWS\system32\DRIVERS\nvmini.sys []
S2 Scap;SecureClient Application Policy Module;C:\WINDOWS\system32\DRIVERS\Scap.sys [2004-12-16 15:33]
S2 smihlp;SMI Helper Driver (smihlp);C:\Program Files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [2006-12-08 20:37]
S2 vmserverdWin32;VMware Registration Service;C:\Program Files\VMware\VMware Server\vmserverdWin32.exe [2006-08-09 17:40]
S2 VPN-1;VPN-1 Module;C:\WINDOWS\system32\drivers\vpn.sys [2004-12-16 15:33]
S2 XTAgent;Novell XTier Agent Services;C:\WINDOWS\System32\Novell\XTAgent.exe [2005-09-08 16:14]
S3 Apache2.2;Apache2.2;C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe [2007-09-05 08:59]
S3 eth8023;eth8023;C:\WINDOWS\system32\drivers\eth8023.sys [2008-07-18 15:33]
S3 FW1;SecuRemote Miniport;C:\WINDOWS\system32\DRIVERS\fw.sys [2004-12-16 15:33]
S3 OMVA;VPN-1 SecureClient Adapter;C:\WINDOWS\system32\DRIVERS\OMVA.sys [2004-12-16 15:33]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c9d2fd47-5567-11dc-9ec3-00197de7b1ad}]
\Shell\AutoRun\command - F:\JDLightning\Windows\JDLightning.exe

*Newly Created Service* - MDMXSDK
.
Contents of the 'Scheduled Tasks' folder
"2008-07-17 02:32:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-20 05:04:12 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{7914E0AA-ECCB-4311-B584-C49538227824} - C:\WINDOWS\system32\jhfrxz.dll
ShellExecuteHooks-{73AE86E6-7F03-4C3B-8980-FB1DA157D3C7} - C:\WINDOWS\system32\fmcvxy.dll
ShellExecuteHooks-{53D44DB6-E22B-4B17-97D3-572C96CCA6E1} - C:\WINDOWS\system32\zsdgff.dll
SSODL-DesktopWin-{DA191DE0-AA86-4ED0-4B87-292A3D48BE99} - C:\WINDOWS\AppPatch\DesktopWin.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-20 01:08:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-20 3:04:26
ComboFix-quarantined-files.txt 2008-07-20 07:04:18

Pre-Run: 55,661,797,376 bytes free
Post-Run: 55,645,433,856 bytes free

189 --- E O F --- 2008-06-11 14:31:22


Last edited by sovapid; 21st July 2008 at 03:35. Reason: name

Old 20th July 2008   #6
noahdfear
Staff
Join Date: Apr 2003
Location: New Bremen, Ohio U.S.A.
Posts: 10,975
Computer Experience: ~@<*+

Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:

Filename: CFScript.txt
Save As Type: All Files (*.*)

Code:
http://www.windowsbbs.com/removing-spyware-viruses/75252-another-infostealer-gampass-infection.html

KillAll::
Suspect::
C:\WINDOWS\system32\drivers\eth8023.sys
C:\WINDOWS\system32\qbhxaklo.sys
C:\WINDOWS\system32\BBB2CAA0A2.dll
C:\WINDOWS\system32\vlhxaklo.sys
File::
C:\WINDOWS\AppPatch\AclLayer.dll
C:\WINDOWS\AppPatch\DesktopWin.dll
C:\WINDOWS\system32\nhmxejkl.dll

Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and a fresh HijackThis log.

Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.


Please note that I have instructed CFScript to collect some files for analysis. This means that when ComboFix finishes, you will be prompted to allow ComboFix to upload a zip file that was created on your desktop. The zip contains the aforementioned files. Please copy the path shown in the prompt and paste it into the box, then click Send. Thanks!
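As an added triage example, not code from this thread, from ComboFix or from noahdfear, the Python below parses the two file-listing formats that appear in the ComboFix logs posted here ('Files Created' and 'Find3M Report') and applies a few heuristics to pick out the entries a helper would put under Suspect::. The sample input is constructed from lines of the log above. The heuristics (hidden/system attributes under the Windows directory, .sys/.dll/.exe files under 1 KiB, random-looking names, any newly created .sys) and the assumption that the system drive is C: are this example's own, not criteria stated anywhere in the thread.

```python
"""Triage ComboFix file listings (added example; not ComboFix's or the thread helper's code).
Parses the 'Files Created' and 'Find3M Report' line formats seen in the logs above and applies
crude heuristics, which are this example's assumptions, to surface entries worth submitting."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: file lines copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2008-06-20 to 2008-07-20 )))))))))))))))))))))))))))))))
2008-07-18 15:33 . 2008-07-18 15:33 18,048 --a------ C:\WINDOWS\system32\drivers\eth8023.sys
2008-07-18 15:33 . 2008-07-18 16:19 36 --a------ C:\WINDOWS\system32\qbhxaklo.sys
2008-07-18 14:30 . 2008-07-18 14:30 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-15 13:04 . 2008-07-15 13:04 268 --ah----- C:\sqmdata12.sqm
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2008-07-10 13:35 32,000 ----a-w C:\WINDOWS\system32\drivers\usbaapl.sys
2008-05-16 15:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-19 14:19 80 --sh--r C:\WINDOWS\system32\BBB2CAA0A2.dll
2004-08-08 19:33 520 --sh--w C:\WINDOWS\system32\vlhxaklo.sys
"""

STAMP = r"\d{4}-\d\d-\d\d \d\d:\d\d"
# 'Files Created' lines: <created> . <modified> <size|<DIR>> <attrs> <path>
CREATED_RE = re.compile(rf"^(?P<created>{STAMP}) \. (?P<modified>{STAMP}) "
                        r"(?P<size><DIR>|[\d,]+) (?P<attrs>\S+) (?P<path>.+)$")
# 'Find3M' lines: <modified> <size|---------> <attrs> <path>
FIND3M_RE = re.compile(rf"^(?P<modified>{STAMP}) (?P<size>-+|[\d,]+) (?P<attrs>\S+) (?P<path>.+)$")

@dataclass
class Entry:
    path: str
    attrs: str                # ComboFix attribute string, e.g. '--sh--r'; 'd' first for directories
    size: Optional[int]       # None for directories
    section: str              # 'created' or 'find3m'
    modified: Optional[str]

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

def _size(text: str) -> Optional[int]:
    return None if text == "<DIR>" or text.startswith("-") else int(text.replace(",", ""))

def parse_combofix(text: str) -> list:
    """Extract file entries from both listing sections of a ComboFix log."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if m := CREATED_RE.match(line):
            entries.append(Entry(m["path"], m["attrs"], _size(m["size"]), "created", m["modified"]))
        elif m := FIND3M_RE.match(line):
            entries.append(Entry(m["path"], m["attrs"], _size(m["size"]), "find3m", m["modified"]))
    return entries

RANDOM_LOWER = re.compile(r"^[a-z]{8}$")   # eight lowercase letters, e.g. qbhxaklo
HEX_UPPER = re.compile(r"^[0-9A-F]{8,}$")  # uppercase hex blob, e.g. BBB2CAA0A2
BINARY_EXT = (".sys", ".dll", ".exe")
TINY_BYTES = 1024             # assumption: no genuine driver or DLL is this small
SYSTEM_ROOT = "C:\\WINDOWS\\"  # assumption: system drive is C:, as in the logs above

def looks_random(stem: str) -> bool:
    """Assumption: generated names are hex blobs or vowel-poor eight-letter runs."""
    if HEX_UPPER.match(stem):
        return True
    return bool(RANDOM_LOWER.match(stem)) and sum(c in "aeiou" for c in stem) <= 2

def flag(entries) -> dict:
    """Return {path: [reasons]} for every non-directory entry that trips a heuristic."""
    findings = {}
    for e in entries:
        if e.attrs.startswith("d"):
            continue
        in_windows = e.path.upper().startswith(SYSTEM_ROOT)
        stem, _, ext = e.name.rpartition(".")
        ext = "." + ext.lower()
        reasons = []
        if in_windows and ("h" in e.attrs or "s" in e.attrs):
            reasons.append("hidden/system attribute under %WINDIR%")
        if in_windows and ext in BINARY_EXT and e.size is not None and e.size < TINY_BYTES:
            reasons.append(f"{e.size}-byte {ext} in a system directory")
        if ext in BINARY_EXT and looks_random(stem):
            reasons.append("random-looking file name")
        if e.section == "created" and ext == ".sys":
            reasons.append("new kernel driver; confirm vendor")
        if reasons:
            findings[e.path] = reasons
    return findings

if __name__ == "__main__":
    for path, reasons in flag(parse_combofix(SAMPLE_LOG)).items():
        print(path, "->", "; ".join(reasons))
```

On the excerpt above the rules pick out the same four files noahdfear listed under Suspect:: (eth8023.sys, qbhxaklo.sys, BBB2CAA0A2.dll, vlhxaklo.sys). eth8023.sys trips only the weakest rule, and on a full log that rule also catches legitimate drivers (the second log further down shows COMODO's cmdguard.sys and cmdhlp.sys created on 2008-07-19), so treat a single weak hit as a reason to check the vendor or submit a sample, not as a verdict.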


Old 21st July 2008   #7
sovapid
Member
Join Date: Jul 2008
Posts: 6
Computer Experience: experienced

ComboFix log:

ComboFix 08-07-19.1 - steve.smith 2008-07-21 0:28:36.7 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1707 [GMT -4:00]
Running from: C:\Documents and Settings\steve.smith\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\steve.smith\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\AppPatch\AclLayer.dll
C:\WINDOWS\AppPatch\DesktopWin.dll
C:\WINDOWS\system32\nhmxejkl.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\AppPatch\AclLayer.dll
C:\WINDOWS\AppPatch\DesktopWin.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-21 to 2008-07-21 )))))))))))))))))))))))))))))))
.

2008-07-19 15:19 . 2008-07-19 15:19 <DIR> d-------- C:\Program Files\COMODO
2008-07-19 15:19 . 2008-07-19 15:19 <DIR> d-------- C:\Documents and Settings\steve.smith\Application Data\Comodo
2008-07-19 15:19 . 2008-07-20 00:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
2008-07-19 15:19 . 2008-07-19 15:19 143,104 --a------ C:\WINDOWS\system32\guard32.dll
2008-07-19 15:19 . 2008-07-19 15:19 87,056 --a------ C:\WINDOWS\system32\drivers\cmdguard.sys
2008-07-19 15:19 . 2008-07-19 15:19 24,208 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
2008-07-18 18:19 . 2008-07-18 18:19 <DIR> d-------- C:\Deckard
2008-07-18 15:33 . 2008-07-18 15:33 18,048 --a------ C:\WINDOWS\system32\drivers\eth8023.sys
2008-07-18 15:33 . 2008-07-18 16:19 36 --a------ C:\WINDOWS\system32\qbhxaklo.sys
2008-07-18 14:30 . 2008-07-18 14:30 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-18 14:08 . 2008-07-18 14:08 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-18 14:08 . 2008-07-18 14:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-18 12:44 . 2008-07-18 12:44 <DIR> d-------- C:\Program Files\Lavasoft
2008-07-18 12:04 . 2008-07-18 14:27 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-07-15 13:04 . 2008-07-15 13:04 268 --ah----- C:\sqmdata12.sqm
2008-07-15 13:04 . 2008-07-15 13:04 244 --ah----- C:\sqmnoopt12.sqm
2008-07-12 16:07 . 2008-07-12 16:07 <DIR> d-------- C:\Program Files\iPod
2008-07-04 21:41 . 1998-09-24 14:03 171,967 --a------ C:\WINDOWS\system32\Odbcjet.hlp
2008-07-04 21:41 . 1998-06-18 01:00 89,360 --a------ C:\WINDOWS\system32\VB5DB.DLL
2008-07-04 21:41 . 1998-09-24 14:03 7,348 --a------ C:\WINDOWS\system32\Odbcjet.cnt
2008-07-04 21:39 . 2008-07-04 21:42 <DIR> d-------- C:\TSO

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-21 04:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\VMware
2008-07-21 04:23 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-07-18 17:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-07-18 17:35 --------- d-----w C:\Program Files\MySpace
2008-07-18 17:34 --------- d-----w C:\Program Files\PokerStars
2008-07-18 16:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-18 16:43 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-17 22:57 --------- d-----w C:\Documents and Settings\steve.smith\Application Data\skypePM
2008-07-12 20:08 --------- d-----w C:\Program Files\iTunes
2008-07-12 19:57 --------- d-----w C:\Program Files\Apple Software Update
2008-07-10 13:35 32,000 ----a-w C:\WINDOWS\system32\drivers\usbaapl.sys
2008-07-05 01:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-30 18:32 --------- d-----w C:\Documents and Settings\steve.smith\Application Data\AdobeUM
2008-06-22 16:27 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-18 23:21 --------- d-----w C:\Documents and Settings\steve.smith\Application Data\ICAClient
2008-06-18 23:19 --------- d-----w C:\Program Files\Citrix
2008-06-15 14:22 --------- d-----w C:\Program Files\QuickTime
2008-06-15 14:22 --------- d-----w C:\Program Files\Bonjour
2008-06-15 14:18 --------- d-----w C:\Program Files\Common Files\Apple
2008-06-12 15:26 --------- d-----w C:\Program Files\IEWatch
2008-05-28 21:22 --------- d-----w C:\Program Files\JXplorer
2008-05-16 15:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-11-27 20:44 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-12-19 14:19 80 --sh--r C:\WINDOWS\system32\BBB2CAA0A2.dll
2004-08-08 19:33 520 --sh--w C:\WINDOWS\system32\vlhxaklo.sys
.

((((((((((((((((((((((((((((( snapshot@2008-07-20_ 3.03.55.82 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-20 04:58:01 70,688 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-07-21 04:30:46 70,286 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-07-20 04:58:01 438,590 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-07-21 04:30:46 438,022 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-07-21 04:34:59 16,384 ----atw C:\WINDOWS\temp\Perflib_Perfdata_d4c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 16:17 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 16:16 512000]
"TVT Scheduler Proxy"="C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2006-03-28 06:01 503808]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 22:33 125168]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-19 05:33 127037]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2008-07-19 15:19 1655552]
"TpShocks"="TpShocks.exe" [2006-03-15 21:04 106496 C:\WINDOWS\system32\TpShocks.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk.disabled [2008-06-22 12:27:55 1757]
HP Digital Imaging Monitor.lnk.disabled [2007-05-04 18:14:39 1808]
HP Image Zone Fast Start.lnk.disabled [2007-05-04 18:16:20 798]
VPN Client.lnk.disabled [2008-07-18 15:50:28 2447]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NetIdentity Notification]
2005-09-08 16:14 24576 C:\WINDOWS\system32\Novell\xtnotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-12-08 20:44 89600 C:\WINDOWS\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
2004-12-16 15:33 24672 C:\WINDOWS\system32\ckpNotify.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
"RssReader"=C:\Program Files\RssReader\RssReader.exe
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"AppleSyncNotifier"=C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"acme IT Collect"=c:\program files\acme IT\Collect\collect.exe
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
"HP Software Update"="c:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
"ISUSPM Startup"=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\RAD7\\runtimes\\base_v61\\java\\bin\\java.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\WebSphere\\AppServer\\java\\bin\\java.exe"=
"C:\\RAD7\\jdk\\jre\\bin\\javaw.exe"=
"C:\\IBMOmniFindYahoo\\_jvm\\jre\\bin\\java.exe"=
"C:\\WebSphere\\Documentation\\WebSphere_Help_System\\eclipse\\jre\\bin\\javaw.exe"=
"C:\\Program Files\\Borland\\StarTeam Toolbar\\SBToolbar.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Service.exe"=
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"=
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\scc.exe"=
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SDS.exe"=
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Diagnostics.exe"=
"C:\\WINDOWS\\system32\\java.exe"=
"C:\\Program Files\\IBM\\ISA and ESA\\IBM Support Assistant\\jre\\bin\\javaw.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\lotus\\notes\\framework\\rcp\\eclipse\\plugins\\com.ibm.rcp.j2se.win32.x86_1.5.0.SR6-200802211037\\jre\\bin\\notes2w.exe"=
"C:\\Program Files\\Apache Software Foundation\\Apache2.2\\bin\\httpd.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R0 Shockprf;Shockprf;C:\WINDOWS\system32\drivers\Shockprf.sys [2006-03-15 19:08]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-07-19 15:19]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-07-19 15:19]
R1 ShockMgr;ShockMgr;C:\WINDOWS\system32\drivers\ShockMgr.sys [2005-06-20 14:18]
R2 Scap;SecureClient Application Policy Module;C:\WINDOWS\system32\DRIVERS\Scap.sys [2004-12-16 15:33]
R2 smihlp;SMI Helper Driver (smihlp);C:\Program Files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [2006-12-08 20:37]
R2 VPN-1;VPN-1 Module;C:\WINDOWS\system32\drivers\vpn.sys [2004-12-16 15:33]
R2 XTAgent;Novell XTier Agent Services;C:\WINDOWS\System32\Novell\XTAgent.exe [2005-09-08 16:14]
R3 FW1;SecuRemote Miniport;C:\WINDOWS\system32\DRIVERS\fw.sys [2004-12-16 15:33]
S2 cdralw;NVIDIA Compatible Windows Miniport Driver;C:\WINDOWS\system32\DRIVERS\nvmini.sys []
S2 vmserverdWin32;VMware Registration Service;C:\Program Files\VMware\VMware Server\vmserverdWin32.exe [2006-08-09 17:40]
S3 Apache2.2;Apache2.2;C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe [2007-09-05 08:59]
S3 eth8023;eth8023;C:\WINDOWS\system32\drivers\eth8023.sys [2008-07-18 15:33]
S3 OMVA;VPN-1 SecureClient Adapter;C:\WINDOWS\system32\DRIVERS\OMVA.sys [2004-12-16 15:33]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c9d2fd47-5567-11dc-9ec3-00197de7b1ad}]
\Shell\AutoRun\command - F:\JDLightning\Windows\JDLightning.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-07-17 02:32:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-21 04:36:43 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-21 00:34:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\DOCUME~1\SEAN~1.NEW\LOCALS~1\Temp\tzk7.tmp 836 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\Lenovo\System Update\SUService.exe
C:\WINDOWS\system32\TPHDEXLG.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\VMware\VMware Server\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\system32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2008-07-21 2:10:49 - machine was rebooted [steve.smith]
ComboFix-quarantined-files.txt 2008-07-21 06:10:34
ComboFix2.txt 2008-07-20 15:21:25

Pre-Run: 55,642,689,536 bytes free
Post-Run: 55,684,849,664 bytes free

211 --- E O F --- 2008-06-11 14:31:22


Old 21st July 2008   #8
sovapid
Member
Join Date: Jul 2008
Posts: 6
Computer Experience: experienced

dss/hjt log after running combofix:

Deckard's System Scanner v20071014.68
Run by steve.smith on 2008-07-21 08:52:52
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as steve.smith.exe) ------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:53:12 AM, on 7/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Novell\XTAgent.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\WINDOWS\system32\svchost.exe
c:\program files\lenovo\system update\suservice.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\VMware\VMware Server\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\TextPad 5\TextPad.exe
C:\Documents and Settings\steve.smith\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\SEANNE~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =