
Solved Hijacked search results

Discussion in 'Malware and Virus Removal Archive' started by indyhamilton, 2008/10/18.

  1. 2008/10/18
    indyhamilton (Thread Starter)
    [Resolved] Hijacked search results

    Hi All,
    While surfing the web I bumped into VirusRemover 2008, which almost crashed the system. Although I have been able to remove the infection by using different software like Smitfix and Ad-Aware, there is one persistent problem of hijacking/redirection of search engine results. This happens with all the major search engines, i.e. Google, Yahoo, Ask etc. The results and reported URLs are genuine, but clicking on them redirects to some obscure site.
    As mentioned, I have run Smitfix and Ad-Aware, which picked up a few things, but the problem remained. I have tried to find and download RSIT for creating log files for posting but couldn't get it anywhere; I get the same message of "Failed to connect" from all the sites that I tried, which seems strange too, as I can surf otherwise.
    Would really appreciate the help.
     
  2. 2008/10/19
    noahdfear
    Welcome to WindowsBBS indyhamilton :)

    Click here and select Open (or Run) to run a tool that will check your computer for a specific rootkit infection.
    When the tool completes a log will open.
    Please post the contents of that log.

    Note - if you do not have the option to open or run, you may save it and run it from your hard drive
     


  4. 2008/10/19
    indyhamilton (Thread Starter)
    Hi There,
    Thanks for getting back. Here is the log info.

    SteelWerX Registry Console Tool 3.0
    Written by Bobbi Flekman 2006 (C)

    HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_tdssserv
    NextInstance REG_DWORD 1 (0x1)

    HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_tdssserv\0000
    Service REG_SZ TDSSserv
    Legacy REG_DWORD 1 (0x1)
    ConfigFlags REG_DWORD 0 (0x0)
    Class REG_SZ LegacyDriver
    ClassGUID REG_SZ {8ECC055D-047F-11D1-A537-0000F8753ED1}
    DeviceDesc REG_SZ TDSSserv
    Capabilities REG_DWORD 0 (0x0)

    HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_tdssserv\0000\LogConf

    HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_tdssserv\0000\Control
    ActiveService REG_SZ TDSSserv

    Another thing that happened today was that I ran Fixwareout followed by SmitFraudFix, as per instructions that I got from a website. Although now, after that, I don't see the hijacking, the speed of search engines seems low, and the log info that I got after running SmitFraudFix was something like:

    HKLM\System\CCS\Services\Tcpip\..\{1F5A3FA3-74FB-41DD-AD5B-F8C6C8B3D0EC}: NameServer = 85.255.116.86,85.255.112.157

    which indicates that the infection is still there (I guess), as according to those same instructions the log otherwise should be something like:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    "nameserver"="85.255.116.86 85.255.112.157" value cleared

    which I didn't see.
    Would appreciate the advice.
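The two indicators in this post, the LEGACY_TDSSSERV enumeration key in the registry dump and the per-interface NameServer override that SmitFraudFix reported, are the kind of thing worth checking mechanically rather than by eye. The script below is an added example written for this page; it is not code from SmitFraudFix, the SteelWerX tool, or the poster. It parses registry-dump lines of the two shapes shown above, reports every resolver that is not in an expected range, and lists any LEGACY_TDSS* service key. The "expected" and "rogue" resolver ranges are assumptions for illustration (the 85.255.112.0/20 block is chosen because it contains both resolvers seen in the thread), and the second interface in the sample is a hypothetical clean one added for contrast.

```python
"""Triage of the two indicators posted above (added example, not from the
thread or from any of the tools named in it): the LEGACY_TDSSSERV enum key
from the registry dump and the per-interface NameServer override reported by
SmitFraudFix. The sample log below is constructed from lines in this thread
plus one clean interface added for contrast."""
import ipaddress
import re

# Constructed sample input: registry dump lines from the thread, plus a second
# (hypothetical) interface whose resolver is the home router.
SAMPLE_LOG = """\
HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\enum\\root\\legacy_tdssserv
NextInstance REG_DWORD 1 (0x1)
HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\enum\\root\\legacy_tdssserv\\0000
Service REG_SZ TDSSserv
Class REG_SZ LegacyDriver
HKLM\\System\\CCS\\Services\\Tcpip\\..\\{1F5A3FA3-74FB-41DD-AD5B-F8C6C8B3D0EC}: NameServer = 85.255.116.86,85.255.112.157
HKLM\\System\\CCS\\Services\\Tcpip\\..\\{00000000-0000-0000-0000-000000000001}: NameServer = 192.168.1.1
"""

# Assumption: resolver ranges the owner actually expects (a home router or ISP
# resolver); anything else is reported so the analyst can look at it.
EXPECTED_RESOLVERS = [ipaddress.ip_network("192.168.0.0/16"),
                      ipaddress.ip_network("10.0.0.0/8")]
# Assumption for illustration: resolver ranges treated as rogue. 85.255.112.0/20
# is used here because it contains both resolvers seen in the thread.
ROGUE_RESOLVERS = [ipaddress.ip_network("85.255.112.0/20")]

# Per-interface DNS override, as printed in the log: ...\Tcpip\..\{GUID}: NameServer = a,b
NAMESERVER_RE = re.compile(
    r"Tcpip\\.*?\\(\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}):\s*NameServer\s*=\s*([^\r\n]+)")
# Legacy driver enumeration key left behind by a kernel-mode service.
LEGACY_SERVICE_RE = re.compile(r"enum\\root\\legacy_([A-Za-z0-9_]+)", re.IGNORECASE)


def find_nameserver_overrides(log_text):
    """Return [(interface_guid, [ip_str, ...]), ...] for each NameServer line."""
    overrides = []
    for guid, raw in NAMESERVER_RE.findall(log_text):
        ips = []
        for token in raw.replace(",", " ").split():
            try:
                ips.append(str(ipaddress.ip_address(token)))
            except ValueError:
                continue  # not an address; ignore stray tokens
        overrides.append((guid, ips))
    return overrides


def classify_resolver(ip_str):
    """'rogue', 'expected' or 'unknown' for one resolver address."""
    ip = ipaddress.ip_address(ip_str)
    if any(ip in net for net in ROGUE_RESOLVERS):
        return "rogue"
    if any(ip in net for net in EXPECTED_RESOLVERS):
        return "expected"
    return "unknown"


def find_legacy_services(log_text, prefixes=("tdss",)):
    """Service names under Enum\\Root\\LEGACY_* that start with a watched prefix."""
    names = {m.lower() for m in LEGACY_SERVICE_RE.findall(log_text)}
    return sorted(n for n in names if n.startswith(prefixes))


def triage(log_text):
    """One finding per resolver that is not expected, plus any legacy-key hit."""
    findings = []
    for guid, ips in find_nameserver_overrides(log_text):
        for ip in ips:
            verdict = classify_resolver(ip)
            if verdict != "expected":
                findings.append(f"{guid}: NameServer {ip} is {verdict}")
    for svc in find_legacy_services(log_text):
        findings.append(f"Enum\\Root\\LEGACY_{svc.upper()} present: kernel service {svc}")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_LOG):
        print(line)
```

The regexes are tied to the line shapes in this thread; `reg query HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces /s` prints the same values in a different layout, so the NameServer pattern would need adjusting before feeding it that output. The point of the per-interface check is that clearing the global `Tcpip\Parameters\NameServer` value, which is what the instructions the poster followed describe, leaves the `Interfaces\{GUID}` override in place, which is exactly the line the poster saw.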
     
  5. 2008/10/19
    noahdfear
    Download ComboFix by sUBs from here, saving the file to your desktop.


    Please disable realtime protection applications as they sometimes interfere with the tool. Check this link for your applicable programs.

    • Close all open programs and windows
    • Double click ComboFix.exe and follow the prompts.
    • It may reboot your computer and resume running when you logon. Wait for it to complete. When finished, it will open a log for you. Post that log and a new HijackThis log in your next reply.
    Note: Do not mouseclick combofix's window while its running. That may cause it to stall


    If unable to download ComboFix, do you have access to another computer to download it on, and a flash drive to transfer it?
     
  6. 2008/10/19
    indyhamilton (Thread Starter)
    Hi There,

    I tried to download ComboFix from the links given by you but couldn't connect to the site. I tried through Google but again couldn't connect to the site:

    http://download.bleepingcomputer.com/sUBs/ComboFix.exe

    I don't have any other computer at home; I will try to download the file on another computer later on and will get back to you. But thanks for the prompt reply, really appreciate that.
     
  7. 2008/10/19
    noahdfear
    Please check your private messages.
     
  8. 2008/10/19
    indyhamilton (Thread Starter)
    Hi,

    Here is the log file after running ComboFix

    ComboFix 08-10-19.01 - Inder 2008-10-19 15:34:41.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.153 [GMT -6:00]
    Running from: C:\Documents and Settings\Inder\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Application Data\salesmonitor
    C:\Documents and Settings\Inder\Application Data\ShoppingReport
    C:\Documents and Settings\Inder\Application Data\ShoppingReport\cs\Config.xml
    C:\Documents and Settings\Inder\Application Data\ShoppingReport\cs\db\Aliases.dbs
    C:\Documents and Settings\Inder\Application Data\ShoppingReport\cs\db\Sites.dbs
    C:\Documents and Settings\Inder\Application Data\ShoppingReport\cs\dwld\WhiteList.xip
    C:\Documents and Settings\Inder\Application Data\ShoppingReport\cs\report\aggr_storage.xml
    C:\Documents and Settings\Inder\Application Data\ShoppingReport\cs\report\send_storage.xml
    C:\Documents and Settings\Inder\Application Data\ShoppingReport\cs\res2\WhiteList.dbs
    C:\Program Files\Common Files\drivecleaner free
    C:\Program Files\screensavers.com
    C:\Program Files\screensavers.com\Wallpaper\swpstart.exe
    C:\Program Files\ShoppingReport
    C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll
    C:\WINDOWS\BMf7c2f469.txt
    C:\WINDOWS\BMf7c2f469.xml
    C:\WINDOWS\cookies.ini
    C:\WINDOWS\etln.exe
    C:\WINDOWS\pskt.ini
    C:\WINDOWS\system32\aedmmsqr.ini
    C:\WINDOWS\system32\ahvcbuhx.ini
    C:\WINDOWS\system32\ajknnlaf.ini
    C:\WINDOWS\system32\aucrnley.ini
    C:\WINDOWS\system32\bcpkpdkj.ini
    C:\WINDOWS\system32\bfeqhmew.ini
    C:\WINDOWS\system32\bfwspsvk.ini
    C:\WINDOWS\system32\bgascjgh.ini
    C:\WINDOWS\system32\bgnokhpj.ini
    C:\WINDOWS\system32\bnqpehuu.ini
    C:\WINDOWS\system32\bvjjjdsi.ini
    C:\WINDOWS\system32\config\systemprofile\Application Data\ShoppingReport
    C:\WINDOWS\system32\config\systemprofile\Application Data\ShoppingReport\cs\Config.xml
    C:\WINDOWS\system32\config\systemprofile\Application Data\ShoppingReport\cs\db\Aliases.dbs
    C:\WINDOWS\system32\config\systemprofile\Application Data\ShoppingReport\cs\db\Sites.dbs
    C:\WINDOWS\system32\config\systemprofile\Application Data\ShoppingReport\cs\dwld\WhiteList.xip
    C:\WINDOWS\system32\config\systemprofile\Application Data\ShoppingReport\cs\report\aggr_storage.xml
    C:\WINDOWS\system32\config\systemprofile\Application Data\ShoppingReport\cs\report\send_storage.xml
    C:\WINDOWS\system32\config\systemprofile\Application Data\ShoppingReport\cs\res1\WhiteList.dbs
    C:\WINDOWS\system32\cygnubnu.ini
    C:\WINDOWS\system32\cynmosia.ini
    C:\WINDOWS\system32\doxynqgm.ini
    C:\WINDOWS\system32\ejayalix.ini
    C:\WINDOWS\system32\ejixejqs.ini
    C:\WINDOWS\system32\eouusajb.ini
    C:\WINDOWS\system32\eowwnddl.ini
    C:\WINDOWS\system32\fautbjcs.dll
    C:\WINDOWS\system32\fbvowrsl.ini
    C:\WINDOWS\system32\ffmrwxqo.ini
    C:\WINDOWS\system32\fovnjgqf.ini
    C:\WINDOWS\system32\gfrxupaa.ini
    C:\WINDOWS\system32\ghlwbnvu.ini
    C:\WINDOWS\system32\govcoixi.ini
    C:\WINDOWS\system32\gtoutbqk.ini
    C:\WINDOWS\system32\gtvyahwf.ini
    C:\WINDOWS\system32\gxiycvnu.ini
    C:\WINDOWS\system32\gxmckrxd.ini
    C:\WINDOWS\system32\haildryi.ini
    C:\WINDOWS\system32\hduotusb.ini
    C:\WINDOWS\system32\hhkhpcth.ini
    C:\WINDOWS\system32\hmpedrpl.ini
    C:\WINDOWS\system32\hnqaokuc.ini
    C:\WINDOWS\system32\hrdfamcg.ini
    C:\WINDOWS\system32\hretvwti.ini
    C:\WINDOWS\system32\hurtahgo.ini
    C:\WINDOWS\system32\idpfispe.ini
    C:\WINDOWS\system32\ixmnayje.ini
    C:\WINDOWS\system32\jfnawhej.ini
    C:\WINDOWS\system32\jjiRuBeg.ini
    C:\WINDOWS\system32\jjiRuBeg.ini2
    C:\WINDOWS\system32\johrsouy.ini
    C:\WINDOWS\system32\jtijhub_navfx.dat
    C:\WINDOWS\system32\kblhcqrq.ini
    C:\WINDOWS\system32\kerwgebg.ini
    C:\WINDOWS\system32\kigjehka.ini
    C:\WINDOWS\system32\kiqdiray.ini
    C:\WINDOWS\system32\kiycijgx.ini
    C:\WINDOWS\system32\kknpdjdi.ini
    C:\WINDOWS\system32\knblimyp.ini
    C:\WINDOWS\system32\kohcycrc.ini
    C:\WINDOWS\system32\lbnavjas.ini
    C:\WINDOWS\system32\lfldnhmy.ini
    C:\WINDOWS\system32\lnykistq.ini
    C:\WINDOWS\system32\losnksnf.ini
    C:\WINDOWS\system32\lvwgdcsq.ini
    C:\WINDOWS\system32\lymuvdip.ini
    C:\WINDOWS\system32\mahfikik.ini
    C:\WINDOWS\system32\mcrh.tmp
    C:\WINDOWS\system32\mryacrtl.ini
    C:\WINDOWS\system32\nanaerex.ini
    C:\WINDOWS\system32\nfvwwuvf.ini
    C:\WINDOWS\system32\nkikwtdy.ini
    C:\WINDOWS\system32\nlxinxkp.ini
    C:\WINDOWS\system32\nrusivci.ini
    C:\WINDOWS\system32\nysinxxm.ini
    C:\WINDOWS\system32\ocoqeklm.ini
    C:\WINDOWS\system32\pjwwblqh.ini
    C:\WINDOWS\system32\ponpqkpp.ini
    C:\WINDOWS\system32\poyhplhs.ini
    C:\WINDOWS\system32\qdcefgfl.ini
    C:\WINDOWS\system32\qgycbjgw.ini
    C:\WINDOWS\system32\qqkwyvfa.ini
    C:\WINDOWS\system32\qvlbclcq.ini
    C:\WINDOWS\system32\rbklvyml.ini
    C:\WINDOWS\system32\rdlxbmrm.ini
    C:\WINDOWS\system32\rqtwa.bak1
    C:\WINDOWS\system32\rqtwa.bak2
    C:\WINDOWS\system32\rqtwa.ini
    C:\WINDOWS\system32\rqtwa.ini2
    C:\WINDOWS\system32\rqtwa.tmp
    C:\WINDOWS\system32\scjbtuaf.ini
    C:\WINDOWS\system32\TDSSadw.dll
    C:\WINDOWS\system32\TDSSerrors.log
    C:\WINDOWS\system32\tdssinit.dll
    C:\WINDOWS\system32\TDSSl.dll
    C:\WINDOWS\system32\tdsslog.dll
    C:\WINDOWS\system32\tdssmain.dll
    C:\WINDOWS\system32\tdssserf.dll
    C:\WINDOWS\system32\tdssservers.dat
    C:\WINDOWS\system32\tfemuwgu.ini
    C:\WINDOWS\system32\tfkjwtlk.ini
    C:\WINDOWS\system32\thellomw.ini
    C:\WINDOWS\system32\tlrgvnwe.ini
    C:\WINDOWS\system32\tnfaxjic.ini
    C:\WINDOWS\system32\ucercvey.ini
    C:\WINDOWS\system32\uhkabcan.ini
    C:\WINDOWS\system32\uhucecck.ini
    C:\WINDOWS\system32\uqigumlw.ini
    C:\WINDOWS\system32\uqqbcxqv.ini
    C:\WINDOWS\system32\uvyabjoc.ini
    C:\WINDOWS\system32\uxhxqmde.ini
    C:\WINDOWS\system32\vaedoxqv.ini
    C:\WINDOWS\system32\vpxvvjmb.ini
    C:\WINDOWS\system32\vwoxcvji.ini
    C:\WINDOWS\system32\vwpavcsb.ini
    C:\WINDOWS\system32\wtqdpkhy.ini
    C:\WINDOWS\system32\wuwbkfpf.ini
    C:\WINDOWS\system32\xcugrghc.ini
    C:\WINDOWS\system32\xdgufyov.ini
    C:\WINDOWS\system32\xilmpldl.ini
    C:\WINDOWS\system32\xljxafsv.ini
    C:\WINDOWS\system32\xunextch.ini
    C:\WINDOWS\system32\yngwogcl.ini
    C:\WINDOWS\system32\yvgikwsh.ini

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_NPF
    -------\Legacy_TDSSSERV
    -------\Service_TDSSserv


    ((((((((((((((((((((((((( Files Created from 2008-09-19 to 2008-10-19 )))))))))))))))))))))))))))))))
    .

    2008-10-18 19:09 . 2008-10-19 10:54 <DIR> d-------- C:\Program Files\Exterminate It!
    2008-10-18 16:03 . 2008-10-19 14:11 <DIR> d-------- C:\fixwareout
    2008-10-18 13:49 . 2008-10-18 13:49 <DIR> d-------- C:\Program Files\Reference Assemblies
    2008-10-18 13:48 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
    2008-10-18 11:17 . 2008-10-18 11:17 <DIR> d-------- C:\Documents and Settings\Inder\Application Data\SoftInform
    2008-10-18 11:16 . 2008-10-18 11:27 <DIR> d-------- C:\Program Files\iNetFormFiller Trial
    2008-10-18 11:14 . 2008-10-18 11:14 <DIR> d-------- C:\Program Files\SoftInform
    2008-10-18 11:14 . 2008-10-18 11:25 <DIR> d-------- C:\Documents and Settings\Inder\Application Data\AdsCleaner
    2008-10-18 00:41 . 2008-10-19 14:13 716 --a------ C:\WINDOWS\system32\tmp.reg
    2008-10-18 00:27 . 2008-10-18 00:27 <DIR> d-------- C:\Documents and Settings\Inder\SmitfraudFix
    2008-10-17 23:02 . 2008-10-17 23:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\xwxcfkfw
    2008-10-16 12:39 . 2008-10-16 12:39 221 --a------ C:\WINDOWS\NCLogConfig.ini
    2008-10-15 09:58 . 2006-04-10 14:03 38,400 --a------ C:\WINDOWS\system32\hpz3l054.dll
    2008-10-12 20:07 . 2008-10-16 13:49 <DIR> d-------- C:\Program Files\WMR11
    2008-10-12 19:51 . 2008-10-12 19:51 2,560 --a------ C:\WINDOWS\_MSRSTRT.EXE
    2008-10-12 19:15 . 2008-10-12 19:53 <DIR> d-------- C:\Program Files\FlashGet
    2008-10-10 19:48 . 2008-10-16 12:39 <DIR> d-------- C:\Documents and Settings\Inder\Application Data\HP
    2008-10-10 18:50 . 2008-10-10 18:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP
    2008-10-10 18:46 . 2008-10-10 18:46 <DIR> d-------- C:\bin
    2008-10-10 18:44 . 2008-10-10 18:44 <DIR> d-------- C:\Program Files\Common Files\Sonic Shared
    2008-10-10 18:44 . 2008-10-10 18:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sonic
    2008-10-10 18:40 . 2008-10-10 18:43 <DIR> d-------- C:\Program Files\Common Files\HP
    2008-10-10 18:36 . 2008-10-10 18:37 <DIR> d-------- C:\Program Files\Hewlett-Packard
    2008-10-10 18:35 . 2008-10-10 18:35 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
    2008-10-10 18:33 . 2006-03-03 21:03 282,680 --a------ C:\WINDOWS\system32\HPZidr12.dll
    2008-10-10 18:33 . 2006-03-03 21:02 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
    2008-10-10 18:33 . 2006-03-03 21:02 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
    2008-10-10 18:33 . 2007-08-09 01:27 73,728 --a------ C:\WINDOWS\system32\HPZipm12.exe
    2008-10-10 18:33 . 2006-03-03 21:03 65,536 --a------ C:\WINDOWS\system32\HPZinw12.exe
    2008-10-10 18:33 . 2006-03-03 21:02 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
    2008-10-10 18:31 . 2008-10-19 13:00 <DIR> d-------- C:\Program Files\HP
    2008-10-10 18:28 . 2008-10-15 10:01 117,425 --a------ C:\WINDOWS\hpoins11.dat
    2008-10-05 19:04 . 2008-10-05 19:04 <DIR> d-------- C:\Documents and Settings\Inder\Application Data\Elluminate
    2008-10-03 09:12 . 2008-10-03 09:12 <DIR> d-------- C:\Program Files\Common Files\xing shared
    2008-10-02 13:43 . 2008-10-14 19:16 <DIR> d-------- C:\Program Files\Unlocker
    2008-10-02 13:43 . 2008-10-02 13:43 <DIR> d-------- C:\Documents and Settings\Inder\Application Data\Desktopicon
    2008-10-02 11:09 . 2008-10-02 11:09 <DIR> d-------- C:\col1832
    2008-10-01 08:08 . 2008-10-01 08:08 <DIR> d-------- C:\Documents and Settings\Inder\Application Data\InstallShield
    2008-10-01 08:01 . 2008-10-01 08:19 <DIR> d-------- C:\Program Files\SaskTel
    2008-09-29 18:32 . 2008-09-29 18:46 1,480 --a------ C:\WINDOWS\AUTOLNCH.REG
    2008-09-24 09:35 . 2008-10-02 11:02 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-10-19 16:52 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2008-10-19 16:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-10-19 16:21 90,112 ----a-w C:\WINDOWS\DUMP56ab.tmp
    2008-10-16 01:00 30,216 ----a-w C:\Documents and Settings\Inder\Application Data\GDIPFONTCACHEV1.DAT
    2008-10-13 01:53 --------- d-----w C:\Program Files\Google
    2008-10-03 15:12 --------- d-----w C:\Program Files\Common Files\Real
    2008-10-02 19:25 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-10-01 14:15 --------- d-----w C:\Program Files\InstallShield Installation Information
    2008-10-01 14:12 --------- d-----w C:\Documents and Settings\Inder\Application Data\Bell
    2008-10-01 14:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Bell
    2008-09-18 14:49 --------- d-----w C:\Program Files\AL-Software
    2008-08-30 19:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\NOS
    2008-08-30 19:22 --------- d-----w C:\Program Files\NOS
    2008-08-28 10:04 333,056 ----a-w C:\WINDOWS\system32\drivers\srv.sys
    2008-08-26 17:39 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-08-26 17:39 --------- d-----w C:\Documents and Settings\Inder\Application Data\InterTrust
    2008-08-26 01:34 --------- d-----w C:\Program Files\Ahead
    2008-08-26 00:33 --------- d-----w C:\Documents and Settings\Inder\Application Data\skypePM
    2008-08-22 12:44 --------- d-----w C:\Documents and Settings\Inder\Application Data\QcWizard
    2004-03-11 18:27 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ibmmessages "= "C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" [2004-08-06 442368]
    "H/PC Connection Agent "= "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]
    "Zinio DLM "= "C:\Program Files\Zinio\ZinioDeliveryManager.exe" [2005-11-01 1003590]
    "swg "= "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-14 68856]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QCWLIcon "= "C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exe" [2005-06-13 86016]
    "QCTray "= "C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe" [2005-06-13 745472]
    "HP Software Update "= "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting "= "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Alias SketchBook Snapshot.lnk - C:\Program Files\Alias\Alias SketchBook Pro 1.1\AliasSketchSnap.exe [2005-01-17 225280]
    BTTray.lnk - C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe [2005-05-25 565309]
    Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-12-04 24576]
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
    HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 73728]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]
    2004-08-04 06:00 47104 C:\Program Files\Common Files\Microsoft Shared\Ink\LoginKey.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
    2004-11-04 11:51 108636 C:\Program Files\IBM fingerprint software\psfus.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
    2005-06-13 05:07 262144 C:\WINDOWS\system32\QConGina.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]
    2002-08-29 05:41 11776 C:\WINDOWS\system32\tabbtnwl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]
    2004-08-04 06:00 30208 C:\WINDOWS\system32\tpgwlnot.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
    2004-08-12 22:11 24576 C:\WINDOWS\system32\tphklock.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "MSACM.CEGSM "= mobilev.acm

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages REG_MULTI_SZ scecli pwdmon

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    --a------ 2004-08-04 06:00 15360 C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    --a------ 2008-10-03 09:11 185632 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "gusvc "=3 (0x3)
    "ccSetMgr "=2 (0x2)
    "ccEvtMgr "=2 (0x2)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "C:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE "=
    "C:\\Program Files\\Microsoft ActiveSync\\WCESMGR.EXE "=
    "C:\\Program Files\\IBM\\Java142\\jre\\bin\\javaw.exe "=
    "C:\\Program Files\\Messenger\\msmsgs.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "C:\Program Files\Microsoft ActiveSync\rapimgr.exe "= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "C:\\jdk1.5.0_14\\bin\\java.exe "=
    "C:\\Program Files\\Java\\jre1.6.0_06\\bin\\javaw.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "26675:TCP "= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

    R0 GENERICSMB;IBM - Generic SMB Device Controller;C:\WINDOWS\system32\DRIVERS\smbgen.sys [2005-12-04 10240]
    R0 Shockprf;Shockprf;C:\WINDOWS\system32\drivers\Shockprf.sys [2005-01-14 59776]
    R0 TPDiskPM;TPDiskPM;C:\WINDOWS\system32\drivers\TPDiskPM.sys [2004-12-02 14208]
    R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2005-06-13 11520]
    R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\drivers\IBMBLDID.SYS [2005-06-13 2432]
    R1 ShockMgr;ShockMgr;C:\WINDOWS\system32\drivers\ShockMgr.sys [2004-05-14 4608]
    R1 TPPWRIF;TPPWRIF;C:\WINDOWS\system32\drivers\Tppwrif.sys [2005-04-13 4442]
    R2 ibmfilter;ibmfilter;C:\WINDOWS\system32\drivers\ibmfilter.sys [2004-12-16 63616]
    R2 pgsql-8.2;PostgreSQL Database Server 8.2;C:\Program Files\PostgreSQL\8.2\bin\pg_ctl.exe runservice -w -N pgsql-8.2 -D C:\Program Files\PostgreSQL\8.2\data\ [ ]
    R2 smi2;smi2;C:\WINDOWS\system32\drivers\smi2.sys [2005-12-04 3968]
    R3 FVDSCSI;FVDSCSI;C:\WINDOWS\system32\DRIVERS\fvdscsi.sys [2005-04-25 57216]
    R3 SMBusDH;IBM - SMB Hub Controller;C:\WINDOWS\system32\DRIVERS\smbusdh.sys [2005-12-04 11648]
    R3 SMBusHC;SMBus Host Controller;C:\WINDOWS\system32\DRIVERS\smbushc.sys [2005-12-04 29696]
    R3 Tp4Track;IBM PS/2 TrackPoint Driver;C:\WINDOWS\system32\DRIVERS\tp4track.sys [2005-02-18 13872]
    R3 TPInput;TPInput;C:\WINDOWS\system32\DRIVERS\TPInput.sys [2004-12-02 6016]
    R3 WacomPen;Wacom Serial Pen HID Driver;C:\WINDOWS\system32\DRIVERS\wacompen.sys [2004-08-04 13568]
    S1 lusbaudio;Logitech USB Microphone;C:\WINDOWS\system32\drivers\OVSound2.sys [2001-08-17 25216]
    S3 hp4200c;%usbscan.SvcDesc%;C:\WINDOWS\system32\DRIVERS\hp4200c.sys [2001-02-19 9312]
    S3 QCAbsee;Logitech QuickCam Web (0801);C:\WINDOWS\system32\DRIVERS\OVCA.sys [2001-08-17 25088]
    S3 QCNDISIF;QCNDISIF;C:\WINDOWS\system32\drivers\qcndisif.SYS [2005-06-13 12288]
    S3 Tomcat5;Apache Tomcat;c:\tomcat5\bin\tomcat5.exe [2007-08-24 57344]
    .
    Contents of the 'Scheduled Tasks' folder

    2008-10-19 C:\WINDOWS\Tasks\MP Scheduled Scan.job
    - C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 17:20]
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{159229C1-C44F-42D8-AEC6-09FBFB6375FC} - C:\WINDOWS\SYSTEM32\tuvVPJda.dll
    BHO-{3CC896A2-605A-44C1-A2FD-A074B03107C2} - (no file)
    BHO-{767C0551-EAF0-43F9-9BDA-4D3E8E982D28} - C:\WINDOWS\system32\geBuRijj.dll
    BHO-{88944F77-2355-4E0F-835E-4DE2CC9686B2} - C:\WINDOWS\grfxbanobms.dll
    HKCU-Run-Uniblue RegistryBooster 2 - C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
    HKLM-Run-HP Update 4200C - C:\sj655\hpupdate.exe
    ShellExecuteHooks-{159229C1-C44F-42D8-AEC6-09FBFB6375FC} - C:\WINDOWS\SYSTEM32\tuvVPJda.dll
    Notify-awtqr - (no file)
    Notify-iifcbaa - iifcbaa.dll
    Notify-tuvVPJda - tuvVPJda.dll
    MSConfigStartUp-Uniblue RegistryBooster 2 - C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe


    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - C:\Documents and Settings\Inder\Application Data\Mozilla\Firefox\Profiles\45znewuf.default\
    FireFox -: prefs.js - STARTUP.HOMEPAGE - www.tribuneindia.com
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-10-19 15:41:23
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\WINDOWS\system32\tphklock.dll

    PROCESS: C:\WINDOWS\system32\lsass.exe
    -> C:\WINDOWS\system32\pwdmon.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Common Files\Virtual Token\vtserver.exe
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
    C:\Program Files\Common Files\Symantec Shared\CCSETMGR.EXE
    C:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
    C:\Program Files\IBM\Security\uvmserv.exe
    C:\WINDOWS\system32\ibmsmbus.exe
    C:\Program Files\PostgreSQL\8.2\bin\pg_ctl.exe
    C:\Program Files\IBM\Security\TssCore.exe
    C:\WINDOWS\system32\QCONSVC.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\TPHDEXLG.exe
    C:\WINDOWS\system32\TpKmpSvc.exe
    C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
    C:\Program Files\PostgreSQL\8.2\bin\postgres.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\PostgreSQL\8.2\bin\postgres.exe
    C:\Program Files\PostgreSQL\8.2\bin\postgres.exe
    C:\Program Files\PostgreSQL\8.2\bin\postgres.exe
    C:\WINDOWS\system32\acs.exe
    C:\WINDOWS\system32\wisptis.exe
    C:\WINDOWS\system32\tabbtnu.exe
    C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
    C:\PROGRA~1\MICROS~4\rapimgr.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    C:\Program Files\ThinkPad\Bluetooth Software\BTStackServer.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
    .
    **************************************************************************
    .
    Completion time: 2008-10-19 15:50:35 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-10-19 21:50:28

    Pre-Run: 29,129,322,496 bytes free
    Post-Run: 29,419,724,800 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    C:\CMDCONS\BOOTSECT.DAT= "Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS= "Microsoft Windows XP Professional" /fastdetect

    409 --- E O F --- 2008-10-02 18:35:07

    By the way, I noticed before running ComboFix that the problem is back.
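The "ORPHANS REMOVED" section of the ComboFix log above is worth reading structurally rather than line by line: the same DLL, tuvVPJda.dll, is registered as a BHO, as a ShellExecuteHook and as a Winlogon Notify package, so it would have been loaded into Internet Explorer, Explorer and winlogon.exe, and two Notify entries point at DLLs by bare name, which winlogon resolves through the normal search path. The parser below is an added example written for this page, not ComboFix's own code; it reads that section, groups entries by target file so a file hooked through several in-process mechanisms stands out, and lists registrations whose target is already gone. The sample text is constructed from the orphan lines in the posted log, and the set of entry kinds it recognises is limited to the ones that appear there.

```python
"""Parser for the "ORPHANS REMOVED" section of the ComboFix log posted above
(added example; not ComboFix's own code). It groups the removed autostart
entries by target file so that a DLL hooked through several load mechanisms,
as tuvVPJda.dll is here, stands out, and lists entries whose target no longer
exists. The sample text is constructed from the lines in that log."""
import os
from collections import defaultdict

# Constructed sample: the orphan lines from the posted ComboFix log, with the
# section markers that surround them.
SAMPLE_LOG = """\
- - - - ORPHANS REMOVED - - - -

BHO-{159229C1-C44F-42D8-AEC6-09FBFB6375FC} - C:\\WINDOWS\\SYSTEM32\\tuvVPJda.dll
BHO-{3CC896A2-605A-44C1-A2FD-A074B03107C2} - (no file)
BHO-{767C0551-EAF0-43F9-9BDA-4D3E8E982D28} - C:\\WINDOWS\\system32\\geBuRijj.dll
BHO-{88944F77-2355-4E0F-835E-4DE2CC9686B2} - C:\\WINDOWS\\grfxbanobms.dll
HKCU-Run-Uniblue RegistryBooster 2 - C:\\Program Files\\Uniblue\\RegistryBooster 2\\RegistryBooster.exe
HKLM-Run-HP Update 4200C - C:\\sj655\\hpupdate.exe
ShellExecuteHooks-{159229C1-C44F-42D8-AEC6-09FBFB6375FC} - C:\\WINDOWS\\SYSTEM32\\tuvVPJda.dll
Notify-awtqr - (no file)
Notify-iifcbaa - iifcbaa.dll
Notify-tuvVPJda - tuvVPJda.dll
MSConfigStartUp-Uniblue RegistryBooster 2 - C:\\Program Files\\Uniblue\\RegistryBooster 2\\RegistryBooster.exe


.
------- Supplementary Scan -------
"""

# Entry kinds as ComboFix prints them in this log; longer names first so
# "HKCU-Run" is not mistaken for a kind called "HKCU".
KINDS = ("ShellExecuteHooks", "MSConfigStartUp", "HKCU-Run", "HKLM-Run", "Notify", "BHO")
# Mechanisms that load a DLL into another process (IE/Explorer or winlogon).
INPROC_KINDS = ("BHO", "ShellExecuteHooks", "Notify")
NO_FILE = "(no file)"


def parse_orphans(log_text):
    """Return [{'kind', 'name', 'target'}, ...] from the ORPHANS REMOVED section."""
    entries = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("- - - - ORPHANS REMOVED"):
            in_section = True
            continue
        if not in_section:
            continue
        if line == "." or line.startswith("-------"):
            break  # next section of the log
        if " - " not in line:
            continue
        left, target = line.rsplit(" - ", 1)
        kind = next((k for k in KINDS if left.startswith(k + "-")), None)
        if kind is None:
            continue
        entries.append({"kind": kind, "name": left[len(kind) + 1:], "target": target})
    return entries


def target_basename(target):
    """Lower-case file name of a target; bare names pass through unchanged."""
    return os.path.basename(target.replace("\\", "/")).lower()


def multi_hooked(entries, kinds=INPROC_KINDS, minimum=2):
    """Files referenced by at least `minimum` distinct in-process load mechanisms."""
    by_file = defaultdict(set)
    for e in entries:
        if e["kind"] in kinds and e["target"] != NO_FILE:
            by_file[target_basename(e["target"])].add(e["kind"])
    return {f: sorted(k) for f, k in by_file.items() if len(k) >= minimum}


def dangling(entries):
    """Entries whose target file is already gone: leftover registrations to clean."""
    return [(e["kind"], e["name"]) for e in entries if e["target"] == NO_FILE]


def bare_targets(entries):
    """Entries that name a DLL without a path (resolved via the loader's search order)."""
    return sorted({e["target"] for e in entries
                   if e["target"] != NO_FILE and "\\" not in e["target"] and "/" not in e["target"]})


if __name__ == "__main__":
    found = parse_orphans(SAMPLE_LOG)
    print(f"{len(found)} orphan entries")
    for f, kinds in multi_hooked(found).items():
        print(f"{f}: hooked via {', '.join(kinds)}")
    for kind, name in dangling(found):
        print(f"dangling {kind} entry: {name}")
```

`multi_hooked` deliberately counts only BHO, ShellExecuteHooks and Notify: HKCU-Run and MSConfigStartUp both point at RegistryBooster.exe in this log, but MSConfigStartUp is msconfig's record of a disabled startup item, not a second load path, so counting it would produce noise.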
     
  9. 2008/10/19
    noahdfear
    Please download Malwarebytes' Anti-Malware (MBAM) from here or here and save the file to your desktop.

    Double click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select 'Perform full scan', then click Scan.
    • The scan may take some time to finish,so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note below)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


    Then;

    • Download RSIT by random/random and save it to your desktop.
    • Double click RSIT.exe to start the tool.
    • At the disclaimer, please use the drop down box to select 3 months for the file/folder search, then click Continue.
    • When the scan completes it will open a log named log.txt maximized, and a log named info.txt minimized.
    • Please post the contents of log.txt and the MBAM log here in your next reply.
     
  10. 2008/10/19
    indyhamilton (Thread Starter)
    Hi There,

    Here is the Malwarebytes log file:

    Malwarebytes' Anti-Malware 1.29
    Database version: 1292
    Windows 5.1.2600 Service Pack 2

    10/19/2008 7:48:36 PM
    mbam-log-2008-10-19 (19-48-36).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 112445
    Time elapsed: 1 hour(s), 13 minute(s), 5 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 11
    Registry Values Infected: 2
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 10

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\mywebsearch.pseudotransparentplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\mywebsearch.pseudotransparentplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\DomainService (Trojan.Agent) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\ (Adware.Hotbar) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Documents and Settings\Inder\Application Data\Desktopicon\eBayShortcuts.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll.vir (Adware.Shopper) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\etln.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\fautbjcs.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{B6DC2836-A7E6-4F3E-B4D1-C4CCB11A3920}\RP741\A0113412.dll (Adware.Shopper) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{B6DC2836-A7E6-4F3E-B4D1-C4CCB11A3920}\RP741\A0113415.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{B6DC2836-A7E6-4F3E-B4D1-C4CCB11A3920}\RP741\A0113434.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Inder\Favorites\Malware Defender.url (Rogue.Link) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Inder\Favorites\Protect Your Privacy.url (Rogue.Link) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Inder\Favorites\System Error Fixer.url (Rogue.Link) -> Quarantined and deleted successfully.

    Here is log.txt generated by RSIT:

    Logfile of random's system information tool 1.04 (written by random/random)
    Run by Inder at 2008-10-19 19:49:26
    Microsoft Windows XP Professional Service Pack 2
    System drive C: has 28 GB (53%) free of 53 GB
    Total RAM: 502 MB (23% free)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:50:29 PM, on 10/19/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\Program Files\Common Files\Virtual Token\vtserver.exe
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
    C:\Program Files\IBM\Security\uvmserv.exe
    C:\WINDOWS\System32\ibmsmbus.exe
    C:\WINDOWS\System32\QCONSVC.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\TPHDEXLG.EXE
    C:\WINDOWS\system32\TpKmpSVC.exe
    C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
    C:\WINDOWS\system32\acs.exe
    C:\WINDOWS\SYSTEM32\WISPTIS.EXE
    C:\WINDOWS\System32\tabbtnu.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
    C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exe
    C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
    C:\Program Files\Zinio\ZinioDeliveryManager.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\PROGRA~1\MICROS~4\rapimgr.exe
    C:\Program Files\Alias\Alias SketchBook Pro 1.1\AliasSketchSnap.exe
    C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\PROGRA~1\ThinkPad\BLUETO~1\BTSTAC~1.EXE
    C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\Inder\My Documents\Fixing Trojans\RSIT.exe
    C:\Program Files\trend micro\Inder.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
    O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [QCWLIcon] C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exe
    O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\RunOnce: [Uninstall getPlus(R) for Adobe] "C:\Program Files\NOS\bin\getPlus_HelperSvc.exe" /UninstallGet1noarp
    O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
    O4 - HKCU\..\Run: [Zinio DLM] C:\Program Files\Zinio\ZinioDeliveryManager.exe /autostart
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-21-3562811570-1294305256-3266001994-1008\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'postgres')
    O4 - HKUS\S-1-5-21-3562811570-1294305256-3266001994-1008\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe (User 'postgres')
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - Global Startup: Alias SketchBook Snapshot.lnk = C:\Program Files\Alias\Alias SketchBook Pro 1.1\AliasSketchSnap.exe
    O4 - Global Startup: BTTray.lnk = ?
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\ThinkPad\PkgMgr\\PkgMgr.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [JAVA_IBM] Java (IBM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.aajtak.com/wfplayer/tdserver.cab
    O16 - DPF: {6B78B13A-6E99-4588-8EAB-C2399B202022} (iVocalize Web Conference 4 Setup) - http://imgenius.mysynergyroom.com/iv4.cab
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
    O16 - DPF: {E598AC61-4C6F-4F4D-877F-FAC49CA91FA3} (acpRunner Class) - https://www-307.ibm.com/pc/support/access/aslibmain/content/AcpControl.cab
    O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
    O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
    O23 - Service: IBM User Verification Manager - IBM - C:\Program Files\IBM\Security\uvmserv.exe
    O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
    O23 - Service: SMBus Upgrade Service for Windows 2000 and above (ibmsmbus) - International Business Machines Corp. - C:\WINDOWS\System32\ibmsmbus.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: PostgreSQL Database Server 8.2 (pgsql-8.2) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.2\bin\pg_ctl.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - (no file)
    O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Apache Tomcat (Tomcat5) - Apache Software Foundation - c:\tomcat5\bin\tomcat5.exe
    O23 - Service: IBM HDD APS Logging Service (TPHDEXLGSVC) - IBM Corporation - C:\WINDOWS\System32\TPHDEXLG.EXE
    O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
    O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
    O23 - Service: Protector Suite Virtual Token (vtserver) - UPEK Inc. - C:\Program Files\Common Files\Virtual Token\vtserver.exe
    O24 - Desktop Component 0: Ink Desktop - {80E95280-2D38-3CB8-A215-FB5F14C4343E}

    --
    End of file - 10359 bytes

    ======Scheduled tasks folder======

    C:\WINDOWS\tasks\MP Scheduled Scan.job

    ======Registry dump======

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
    Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11 75128]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
    SSVHelper Class - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll [2008-03-25 509328]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
    Google Toolbar Helper - c:\program files\google\googletoolbar2.dll [2007-01-19 2403392]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
    Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll [2008-10-14 737776]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}
    {E0E899AB-F487-11D5-8D29-0050BA6940E3}
    {2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar2.dll [2007-01-19 2403392]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "QCWLIcon"=C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exe [2005-06-13 86016]
    "QCTray"=C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe [2005-06-13 745472]
    "HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [2007-05-08 54840]
    "Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2008-06-12 34672]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "Uninstall getPlus(R) for Adobe"=C:\Program Files\NOS\bin\getPlus_HelperSvc.exe [2008-08-29 33752]
    "Malwarebytes' Anti-Malware"=C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe [2008-10-16 398992]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "ibmmessages"=C:\Program Files\IBM\Messages By IBM\ibmmessages.exe [2004-08-06 442368]
    "H/PC Connection Agent"=C:\Program Files\Microsoft ActiveSync\Wcescomm.exe [2006-11-13 1289000]
    "Zinio DLM"=C:\Program Files\Zinio\ZinioDeliveryManager.exe [2005-11-01 1003590]
    "swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2008-10-14 68856]
    "ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2008-10-03 185632]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "gusvc"=3
    "ccSetMgr"=2
    "ccEvtMgr"=2

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    Alias SketchBook Snapshot.lnk - C:\Program Files\Alias\Alias SketchBook Pro 1.1\AliasSketchSnap.exe
    BTTray.lnk - C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
    Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
    C:\WINDOWS\system32\igfxsrvc.dll [2005-03-10 348160]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\loginkey]
    C:\Program Files\Common Files\Microsoft Shared\Ink\loginkey.dll [2004-08-04 47104]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\psfus]
    C:\Program Files\IBM fingerprint software\psfus.dll [2004-11-04 108636]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\QConGina]
    C:\WINDOWS\system32\QConGina.dll [2005-06-13 262144]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\TabBtnWL]
    C:\WINDOWS\system32\TabBtnWL.dll [2002-08-29 11776]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tpgwlnotify]
    C:\WINDOWS\system32\tpgwlnot.dll [2004-08-04 30208]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tphotkey]
    C:\WINDOWS\system32\tphklock.dll [2004-08-12 24576]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
    C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"=C:\PROGRA~1\WIFD1F~1\MpShHook.dll [2006-11-03 83224]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "notification packages"=scecli
    pwdmon

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WinDefend]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "dontdisplaylastusername"=0
    "legalnoticecaption"=
    "legalnoticetext"=
    "shutdownwithoutlogon"=1
    "undockwithoutlogon"=1

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "NoDrives"=0

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "NoDriveTypeAutoRun"=
    "NoDrives"=
    "NoDriveAutoRun"=

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE:*:Enabled:ActiveSync Connection Manager"
    "C:\Program Files\Microsoft ActiveSync\WCESMGR.EXE"="C:\Program Files\Microsoft ActiveSync\WCESMGR.EXE:*:Enabled:ActiveSync Application"
    "C:\Program Files\IBM\Java142\jre\bin\javaw.exe"="C:\Program Files\IBM\Java142\jre\bin\javaw.exe:*:Enabled:ThinkVantage System Update"
    "C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
    "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "C:\Program Files\Microsoft ActiveSync\rapimgr.exe"="C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
    "C:\jdk1.5.0_14\bin\java.exe"="C:\jdk1.5.0_14\bin\java.exe:*:Enabled:Java(TM) 2 Platform Standard Edition binary"
    "C:\Program Files\Java\jre1.6.0_06\bin\javaw.exe"="C:\Program Files\Java\jre1.6.0_06\bin\javaw.exe:*:Enabled:Java(TM) Platform SE binary"
    "C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:*:Enabled:hpqtra08.exe"
    "C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe"
    "C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe"
    "C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe"="C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe"
    "C:\Program Files\HP\Digital Imaging\bin\hposid01.exe"="C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe"
    "C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
    "C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
    "C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe:*:Enabled:hpqcopy.exe"
    "C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe"="C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe:*:Enabled:hpfccopy.exe"
    "C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe"="C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
    "C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe"="C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
    "C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe"="C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe:*:Enabled:hpqdia.exe"
    "C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe"="C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe"
    "C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\Program Files\IBM\Updater\jre\bin\java.exe"="C:\Program Files\IBM\Updater\jre\bin\java.exe:*:Enabled:IBM Update Connector"
    "C:\Program Files\IBM\Updater\jre\bin\javaw.exe"="C:\Program Files\IBM\Updater\jre\bin\javaw.exe:*:Enabled:IBM Update Connector"
    "C:\Program Files\IBM\Updater\ucsmb.exe"="C:\Program Files\IBM\Updater\ucsmb.exe:*:Enabled:IBM Update Connector"
    "C:\Program Files\IBM\Java142\jre\bin\javaw.exe"="C:\Program Files\IBM\Java142\jre\bin\javaw.exe:*:Enabled:ThinkVantage System Update"
    "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "C:\Program Files\Microsoft ActiveSync\rapimgr.exe"="C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
    "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
    "C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"="C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

    ======List of files/folders created in the last 3 months======

    2008-10-19 19:49:27 ----D---- C:\Program Files\trend micro
    2008-10-19 19:49:26 ----D---- C:\rsit
    2008-10-19 18:21:39 ----D---- C:\Documents and Settings\Inder\Application Data\Malwarebytes
    2008-10-19 18:21:33 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
    2008-10-19 18:21:33 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-10-19 18:10:55 ----D---- C:\Program Files\Adobe
    2008-10-19 16:44:03 ----SHD---- C:\RECYCLER
    2008-10-19 15:50:36 ----A---- C:\ComboFix.txt
    2008-10-19 15:33:42 ----A---- C:\Boot.bak
    2008-10-19 15:33:36 ----RASHD---- C:\cmdcons
    2008-10-19 15:29:51 ----A---- C:\WINDOWS\zip.exe
    2008-10-19 15:29:51 ----A---- C:\WINDOWS\VFIND.exe
    2008-10-19 15:29:51 ----A---- C:\WINDOWS\SWXCACLS.exe
    2008-10-19 15:29:51 ----A---- C:\WINDOWS\SWSC.exe
    2008-10-19 15:29:51 ----A---- C:\WINDOWS\SWREG.exe
    2008-10-19 15:29:51 ----A---- C:\WINDOWS\sed.exe
    2008-10-19 15:29:51 ----A---- C:\WINDOWS\NIRCMD.exe
    2008-10-19 15:29:51 ----A---- C:\WINDOWS\grep.exe
    2008-10-19 15:29:51 ----A---- C:\WINDOWS\fdsv.exe
    2008-10-19 15:29:46 ----D---- C:\WINDOWS\ERDNT
    2008-10-19 15:29:46 ----D---- C:\Qoobox
    2008-10-19 10:20:40 ----A---- C:\WINDOWS\ntbtlog.txt
    2008-10-18 19:09:42 ----D---- C:\Program Files\Exterminate It!
    2008-10-18 16:03:26 ----D---- C:\fixwareout
    2008-10-18 13:49:36 ----D---- C:\Program Files\Reference Assemblies
    2008-10-18 13:48:53 ----N---- C:\WINDOWS\system32\spmsg2.dll
    2008-10-18 13:48:31 ----HDC---- C:\WINDOWS\$NtUninstallWIC$
    2008-10-18 11:17:29 ----D---- C:\Documents and Settings\Inder\Application Data\SoftInform
    2008-10-18 11:16:50 ----D---- C:\Program Files\iNetFormFiller Trial
    2008-10-18 11:14:23 ----D---- C:\Documents and Settings\Inder\Application Data\AdsCleaner
    2008-10-18 11:14:20 ----D---- C:\Program Files\SoftInform
    2008-10-18 02:28:36 ----D---- C:\WINDOWS\pss
    2008-10-18 00:41:22 ----A---- C:\WINDOWS\system32\tmp.txt
    2008-10-18 00:40:24 ----A---- C:\rapport.txt
    2008-10-17 23:17:08 ----A---- C:\WINDOWS\system32\ffd2038b-.txt
    2008-10-17 23:02:14 ----D---- C:\Documents and Settings\All Users\Application Data\xwxcfkfw
    2008-10-16 22:49:19 ----HDC---- C:\WINDOWS\$NtUninstallKB954211$
    2008-10-16 12:39:46 ----A---- C:\WINDOWS\NCLogConfig.ini
    2008-10-15 21:47:12 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
    2008-10-15 21:47:04 ----HDC---- C:\WINDOWS\$NtUninstallKB956391$
    2008-10-15 21:46:55 ----HDC---- C:\WINDOWS\$NtUninstallKB957095$
    2008-10-15 21:46:37 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$
    2008-10-15 21:44:25 ----HDC---- C:\WINDOWS\$NtUninstallKB956390$
    2008-10-15 09:58:29 ----A---- C:\WINDOWS\system32\hpz3l054.dll
    2008-10-12 20:07:35 ----D---- C:\Program Files\WMR11
    2008-10-12 19:51:03 ----A---- C:\WINDOWS\_MSRSTRT.EXE
    2008-10-12 19:15:57 ----D---- C:\Program Files\FlashGet
    2008-10-10 19:48:11 ----D---- C:\Documents and Settings\Inder\Application Data\HP
    2008-10-10 18:50:12 ----D---- C:\Documents and Settings\All Users\Application Data\HP
    2008-10-10 18:46:47 ----D---- C:\bin
    2008-10-10 18:44:37 ----D---- C:\Documents and Settings\All Users\Application Data\Sonic
    2008-10-10 18:44:35 ----D---- C:\Program Files\Common Files\Sonic Shared
    2008-10-10 18:40:47 ----D---- C:\Program Files\Common Files\HP
    2008-10-10 18:36:35 ----D---- C:\Program Files\Hewlett-Packard
    2008-10-10 18:35:40 ----D---- C:\Program Files\Common Files\Hewlett-Packard
    2008-10-10 18:33:54 ----A---- C:\WINDOWS\system32\HPZisn12.dll
    2008-10-10 18:33:54 ----A---- C:\WINDOWS\system32\HPZipt12.dll
    2008-10-10 18:33:54 ----A---- C:\WINDOWS\system32\HPZipr12.dll
    2008-10-10 18:33:54 ----A---- C:\WINDOWS\system32\HPZipm12.exe
    2008-10-10 18:33:54 ----A---- C:\WINDOWS\system32\HPZinw12.exe
    2008-10-10 18:33:54 ----A---- C:\WINDOWS\system32\HPZidr12.dll
    2008-10-10 18:31:29 ----D---- C:\Program Files\HP
    2008-10-05 19:04:22 ----D---- C:\Documents and Settings\Inder\Application Data\Elluminate
    2008-10-03 09:12:15 ----D---- C:\Program Files\Common Files\xing shared
    2008-10-03 09:12:03 ----A---- C:\WINDOWS\system32\rmoc3260.dll
    2008-10-03 09:11:50 ----A---- C:\WINDOWS\system32\pndx5032.dll
    2008-10-03 09:11:50 ----A---- C:\WINDOWS\system32\pndx5016.dll
    2008-10-03 09:11:48 ----A---- C:\WINDOWS\system32\pncrt.dll
    2008-10-02 13:43:03 ----D---- C:\Documents and Settings\Inder\Application Data\Desktopicon
    2008-10-02 13:43:00 ----D---- C:\Program Files\Unlocker
    2008-10-02 11:09:56 ----D---- C:\col1832
    2008-10-01 08:08:06 ----D---- C:\Documents and Settings\Inder\Application Data\InstallShield
    2008-10-01 08:01:16 ----D---- C:\Program Files\SaskTel
    2008-09-24 09:35:05 ----D---- C:\WINDOWS\system32\CatRoot_bak
    2008-09-18 08:49:49 ----D---- C:\Program Files\AL-Software
    2008-09-15 11:50:43 ----HDC---- C:\WINDOWS\$NtUninstallKB938464$
    2008-09-06 23:51:05 ----HDC---- C:\WINDOWS\$NtUninstallKB953838$
    2008-08-30 13:22:11 ----D---- C:\Program Files\NOS
    2008-08-30 13:22:11 ----D---- C:\Documents and Settings\All Users\Application Data\NOS
    2008-08-26 11:39:12 ----D---- C:\WINDOWS\Profiles
    2008-08-26 11:39:07 ----D---- C:\Documents and Settings\Inder\Application Data\InterTrust
    2008-08-25 20:20:27 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
    2008-08-25 20:20:11 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
    2008-08-24 16:54:12 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
    2008-08-24 16:54:04 ----HDC---- C:\WINDOWS\$NtUninstallKB953839$
    2008-08-24 16:52:11 ----HDC---- C:\WINDOWS\$NtUninstallKB951072-v2$
    2008-08-24 16:51:57 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
    2008-08-23 20:08:39 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
    2008-08-22 06:44:40 ----D---- C:\Documents and Settings\Inder\Application Data\QcWizard
    2008-08-20 20:21:23 ----A---- C:\WINDOWS\system32\qgeku.exe
    2008-08-20 18:16:38 ----A---- C:\WINDOWS\ModemLog_IBM Integrated 56K Modem.txt
    2008-08-09 22:27:56 ----D---- C:\Program Files\Arkon
    2008-07-20 10:31:00 ----A---- C:\WINDOWS\system32\OVUI2RC.dll
    2008-07-20 10:31:00 ----A---- C:\WINDOWS\system32\OVUI2.dll
    2008-07-20 10:31:00 ----A---- C:\WINDOWS\system32\OVComS.exe
    2008-07-20 10:31:00 ----A---- C:\WINDOWS\system32\OVComC.dll
    2008-07-20 10:31:00 ----A---- C:\WINDOWS\system32\OVCodec2.dll
    2008-07-20 10:30:31 ----A---- C:\WINDOWS\system32\vfwwdm32.dll
    2008-07-20 03:08:36 ----D---- C:\Documents and Settings\Inder\Application Data\skypePM
    2008-07-20 03:03:27 ----D---- C:\Documents and Settings\All Users\Application Data\Skype

    ======List of files/folders modified in the last 3 months======

    2008-10-19 19:49:27 ----RD---- C:\Program Files
    2008-10-19 19:05:07 ----D---- C:\WINDOWS\Temp
    2008-10-19 18:59:29 ----D---- C:\Program Files\Mozilla Firefox
    2008-10-19 18:54:00 ----D---- C:\WINDOWS\Help
    2008-10-19 18:21:36 ----D---- C:\WINDOWS\system32\drivers
    2008-10-19 18:14:10 ----SHD---- C:\WINDOWS\Installer
    2008-10-19 18:13:25 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
    2008-10-19 18:12:41 ----D---- C:\Program Files\Common Files\Adobe
    2008-10-19 18:10:30 ----AD---- C:\WINDOWS\system32
    2008-10-19 17:27:56 ----SD---- C:\WINDOWS\Downloaded Program Files
    2008-10-19 17:27:54 ----D---- C:\WINDOWS\system32\CatRoot2
    2008-10-19 17:22:04 ----SD---- C:\WINDOWS\Tasks
    2008-10-19 17:19:18 ----AD---- C:\WINDOWS
    2008-10-19 17:17:30 ----A---- C:\WINDOWS\SchedLgU.Txt
    2008-10-19 17:15:15 ----D---- C:\WINDOWS\WinSxS
    2008-10-19 15:41:15 ----A---- C:\WINDOWS\system.ini
    2008-10-19 15:38:17 ----D---- C:\WINDOWS\system32\config
    2008-10-19 15:35:49 ----D---- C:\WINDOWS\AppPatch
    2008-10-19 15:35:49 ----D---- C:\Program Files\Common Files
    2008-10-19 15:33:42 ----RASH---- C:\BOOT.INI
    2008-10-19 15:29:46 ----D---- C:\WINDOWS\Prefetch
    2008-10-19 10:52:22 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
    2008-10-19 10:52:18 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-10-19 10:23:25 ----D---- C:\WINDOWS\Minidump
    2008-10-19 10:21:34 ----A---- C:\WINDOWS\DUMP56ab.tmp
    2008-10-18 19:29:05 ----D---- C:\WINDOWS\network diagnostic
    2008-10-18 16:46:01 ----D---- C:\WINDOWS\Microsoft.Net
    2008-10-18 14:47:16 ----RSD---- C:\WINDOWS\assembly
    2008-10-18 14:46:59 ----RSD---- C:\WINDOWS\Fonts
    2008-10-18 14:46:59 ----D---- C:\WINDOWS\system32\en-US
    2008-10-18 13:56:18 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
    2008-10-18 13:49:19 ----HD---- C:\WINDOWS\inf
    2008-10-18 13:49:07 ----D---- C:\WINDOWS\system32\spool
    2008-10-18 13:48:55 ----RSHD---- C:\WINDOWS\system32\dllcache
    2008-10-18 13:17:41 ----D---- C:\Documents and Settings\Inder\Application Data\Mozilla
    2008-10-18 12:56:33 ----A---- C:\WINDOWS\win.ini
    2008-10-18 03:21:17 ----SHD---- C:\WINDOWS\CSC
    2008-10-17 23:46:03 ----D---- C:\IBMSHARE
    2008-10-17 22:38:44 ----D---- C:\Program Files\Internet Explorer
    2008-10-16 22:49:28 ----A---- C:\WINDOWS\imsins.BAK
    2008-10-16 22:48:36 ----HD---- C:\WINDOWS\$hf_mig$
    2008-10-15 19:33:20 ----A---- C:\WINDOWS\NeroDigital.ini
    2008-10-15 09:58:13 ----D---- C:\WINDOWS\twain_32
    2008-10-12 19:53:28 ----D---- C:\Program Files\Google
    2008-10-06 15:57:35 ----A---- C:\WINDOWS\cdplayer.ini
    2008-10-03 09:13:54 ----D---- C:\Documents and Settings\Inder\Application Data\Real
    2008-10-03 09:12:10 ----D---- C:\Program Files\Common Files\Real
    2008-10-02 13:33:09 ----D---- C:\WINDOWS\system32\CatRoot
    2008-10-02 13:25:59 ----D---- C:\Program Files\Common Files\Symantec Shared
    2008-10-01 08:15:34 ----D---- C:\Program Files\InstallShield Installation Information
    2008-10-01 08:12:49 ----D---- C:\Documents and Settings\Inder\Application Data\Bell
    2008-10-01 08:12:49 ----D---- C:\Documents and Settings\All Users\Application Data\Bell
    2008-09-29 18:32:33 ----A---- C:\WINDOWS\HPSETUP.INI
    2008-09-24 09:35:05 ----D---- C:\WINDOWS\Debug
    2008-08-25 20:20:30 ----D---- C:\Program Files\Messenger
    2008-08-25 19:41:17 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
    2008-08-25 19:34:19 ----D---- C:\Program Files\Ahead
    2008-08-25 19:33:17 ----D---- C:\Documents and Settings\All Users\Application Data\Google
    2008-08-25 19:28:00 ----D---- C:\Documents and Settings\Inder\Application Data\Adobe
    2008-08-19 23:33:20 ----A---- C:\WINDOWS\system32\mshtml.dll
    2008-08-19 23:33:19 ----A---- C:\WINDOWS\system32\wininet.dll
    2008-08-19 23:33:19 ----A---- C:\WINDOWS\system32\urlmon.dll
    2008-08-19 23:33:19 ----A---- C:\WINDOWS\system32\shlwapi.dll
    2008-08-19 23:33:19 ----A---- C:\WINDOWS\system32\shdocvw.dll
    2008-08-19 23:33:19 ----A---- C:\WINDOWS\system32\mshtmled.dll
    2008-08-19 23:33:19 ----A---- C:\WINDOWS\system32\jsproxy.dll
    2008-08-19 23:33:19 ----A---- C:\WINDOWS\system32\browseui.dll
    2008-08-19 23:33:18 ----A---- C:\WINDOWS\system32\pngfilt.dll
    2008-08-19 23:33:18 ----A---- C:\WINDOWS\system32\mstime.dll
    2008-08-19 23:33:18 ----A---- C:\WINDOWS\system32\msrating.dll
    2008-08-19 23:33:18 ----A---- C:\WINDOWS\system32\inseng.dll
    2008-08-19 23:33:18 ----A---- C:\WINDOWS\system32\iepeers.dll
    2008-08-19 23:33:18 ----A---- C:\WINDOWS\system32\extmgr.dll
    2008-08-19 23:33:18 ----A---- C:\WINDOWS\system32\dxtrans.dll
    2008-08-19 23:33:18 ----A---- C:\WINDOWS\system32\dxtmsft.dll
    2008-08-19 23:33:18 ----A---- C:\WINDOWS\system32\danim.dll
    2008-08-19 23:33:17 ----A---- C:\WINDOWS\system32\cdfview.dll
    2008-08-19 03:20:32 ----A---- C:\WINDOWS\system32\xpsp3res.dll
    2008-08-14 03:57:20 ----A---- C:\WINDOWS\system32\ntoskrnl.exe
    2008-08-14 03:18:44 ----A---- C:\WINDOWS\system32\ntkrnlpa.exe
    2008-07-25 07:52:50 ----D---- C:\WINDOWS\Registration
    2008-07-25 07:52:23 ----D---- C:\Program Files\ComPlus Applications

    ======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

    R1 ANC;ANC; C:\WINDOWS\System32\drivers\ANC.SYS [2005-06-13 11520]
    R1 IBMTPCHK;IBMTPCHK; C:\WINDOWS\System32\drivers\IBMBLDID.SYS [2005-06-13 2432]
    R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-04 36096]
    R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-04 14848]
    R1 ShockMgr;ShockMgr; C:\WINDOWS\system32\drivers\ShockMgr.sys [2004-05-14 4608]
    R1 Smapint;Smapint; C:\WINDOWS\System32\drivers\Smapint.sys [2005-01-21 14848]
    R1 TDSMAPI;TDSMAPI; C:\WINDOWS\System32\drivers\TDSMAPI.SYS [2005-01-21 9340]
    R1 TPHKDRV;TPHKDRV; C:\WINDOWS\system32\drivers\TPHKDRV.sys [2004-09-06 16370]
    R1 TPPWRIF;TPPWRIF; C:\WINDOWS\System32\drivers\Tppwrif.sys [2005-04-13 4442]
    R1 TSMAPIP;TSMAPIP; C:\WINDOWS\System32\drivers\TSMAPIP.SYS [2005-04-01 7168]
    R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.2.0.3; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2005-12-04 17801]
    R2 EGATHDRV;IBM Access Support; \??\C:\WINDOWS\SYSTEM32\EGATHDRV.SYS []
    R2 ibmfilter;ibmfilter; \??\C:\WINDOWS\system32\drivers\ibmfilter.sys []
    R2 irda;IrDA Protocol; C:\WINDOWS\system32\DRIVERS\irda.sys [2004-08-04 87424]
    R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2004-03-17 13059]
    R2 PMEM;PMEM; \??\C:\WINDOWS\SYSTEM32\Drivers\PMEMNT.SYS []
    R2 smi2;smi2; \??\C:\WINDOWS\system32\drivers\smi2.sys []
    R2 symlcbrd;symlcbrd; \??\C:\WINDOWS\system32\drivers\symlcbrd.sys []
    R3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys [2004-05-17 133200]
    R3 AR5211;Dual-band Wi-Fi Wireless Mini PCI Adapter; C:\WINDOWS\system32\DRIVERS\ar5211.sys [2004-12-28 449856]
    R3 AtmelTpm;AtmelTpm; C:\WINDOWS\system32\DRIVERS\AtmelTpm.sys [2005-01-26 15360]
    R3 btaudio;Bluetooth Audio Device; C:\WINDOWS\system32\drivers\btaudio.sys [2005-05-25 17408]
    R3 BTDriver;Bluetooth Virtual Communications Driver; C:\WINDOWS\system32\DRIVERS\btport.sys [2005-05-25 30299]
    R3 BTWDNDIS;Bluetooth LAN Access Server; C:\WINDOWS\system32\DRIVERS\btwdndis.sys [2005-05-25 148040]
    R3 BTWUSB;WIDCOMM USB Bluetooth Driver; C:\WINDOWS\System32\Drivers\btwusb.sys [2005-05-25 55288]
    R3 CmBatt;Microsoft AC Adapter Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2004-08-04 14080]
    R3 fcdabus;fcdabus; C:\WINDOWS\system32\DRIVERS\fcdabus.sys [2005-05-12 11136]
    R3 FVDSCSI;FVDSCSI; C:\WINDOWS\system32\DRIVERS\fvdscsi.sys [2005-04-25 57216]
    R3 HBtnKey;IBM Tablet PC Keyboard Buttons HID Driver; C:\WINDOWS\system32\DRIVERS\tkbtnpn.sys [2005-02-01 7475]
    R3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSF_DP.sys [2004-11-10 1041664]
    R3 HSFHWICH;HSFHWICH; C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys [2004-11-10 200448]
    R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2005-03-10 827100]
    R3 IBMPMDRV;IBMPMDRV; C:\WINDOWS\system32\DRIVERS\ibmpmdrv.sys [2004-11-05 12944]
    R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
    R3 NSCIRDA;NSC Infrared Device Driver; C:\WINDOWS\system32\DRIVERS\nscirda.sys [2004-08-04 28672]
    R3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2003-12-05 10368]
    R3 Rasirda;WAN Miniport (IrDA); C:\WINDOWS\system32\DRIVERS\rasirda.sys [2001-08-17 19584]
    R3 sdbus;sdbus; C:\WINDOWS\system32\DRIVERS\sdbus.sys [2004-08-04 67584]
    R3 SMBusDH;IBM - SMB Hub Controller; C:\WINDOWS\system32\DRIVERS\smbusdh.sys [2005-12-04 11648]
    R3 SMBusHC;SMBus Host Controller; C:\WINDOWS\system32\DRIVERS\smbushc.sys [2005-12-04 29696]
    R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2005-02-10 260224]
    R3 StillCam;Still Serial Digital Camera Driver; C:\WINDOWS\system32\DRIVERS\serscan.sys [2001-08-17 6784]
    R3 TcUsb;TC USB Kernel Driver; C:\WINDOWS\System32\Drivers\tcusb.sys [2004-11-04 24832]
    R3 Tp4Track;IBM PS/2 TrackPoint Driver; C:\WINDOWS\system32\DRIVERS\tp4track.sys [2005-02-18 13872]
    R3 TPInput;TPInput; C:\WINDOWS\System32\DRIVERS\TPInput.sys [2004-12-02 6016]
    R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-04 26624]
    R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-09-16 57856]
    R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-04 20480]
    R3 WacomPen;Wacom Serial Pen HID Driver; C:\WINDOWS\system32\DRIVERS\wacompen.sys [2004-08-04 13568]
    R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2004-11-10 685184]
    S1 eeCtrl;Symantec Eraser Control driver; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys []
    S1 lusbaudio;Logitech USB Microphone; C:\WINDOWS\system32\drivers\OVSound2.sys [2001-08-17 25216]
    S3 ac97intc;Intel(r) 82801 Audio Driver Install Service (WDM); C:\WINDOWS\system32\drivers\ac97intc.sys [2001-08-17 96256]
    S3 b57w2k;Broadcom NetXtreme Gigabit Ethernet; C:\WINDOWS\system32\DRIVERS\b57xp32.sys [2004-12-06 126720]
    S3 Bridge;MAC Bridge; C:\WINDOWS\system32\DRIVERS\bridge.sys [2004-08-04 71552]
    S3 BridgeMP;MAC Bridge Miniport; C:\WINDOWS\system32\DRIVERS\bridge.sys [2004-08-04 71552]
    S3 BthEnum;Bluetooth Request Block Driver; C:\WINDOWS\system32\DRIVERS\BthEnum.sys [2004-08-03 17024]
    S3 BthPan;Bluetooth Device (Personal Area Network); C:\WINDOWS\system32\DRIVERS\bthpan.sys [2004-08-03 100992]
    S3 BTHPORT;Bluetooth Port Driver; C:\WINDOWS\System32\Drivers\BTHport.sys [2008-06-13 272128]
    S3 BTHUSB;Bluetooth Radio USB Driver; C:\WINDOWS\System32\Drivers\BTHUSB.sys [2004-08-03 18944]
    S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2004-08-03 17024]
    S3 E100B;Intel(R) PRO Adapter Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2001-08-17 117760]
    S3 hp4200c;%usbscan.SvcDesc%; C:\WINDOWS\system32\DRIVERS\hp4200c.sys [2001-02-19 9312]
    S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2006-04-12 49664]
    S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2006-04-12 16496]
    S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2006-04-12 21568]
    S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2004-08-03 5504]
    S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2004-08-03 85376]
    S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2004-08-03 10880]
    S3 nm;Network Monitor Driver; C:\WINDOWS\system32\DRIVERS\NMnt.sys [2004-08-04 40320]
    S3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-04 1897408]
    S3 PcdrNdisuio;PCDRNDISUIO Usermode I/O Protocol; C:\WINDOWS\system32\DRIVERS\pcdrndisuio.sys [2005-02-01 12416]
    S3 psadd;IBM PSA Access Driver; \??\C:\WINDOWS\system32\Drivers\psadd.sys []
    S3 QCAbsee;Logitech QuickCam Web (0801); C:\WINDOWS\system32\DRIVERS\OVCA.sys [2001-08-17 25088]
    S3 QCNDISIF;QCNDISIF; C:\WINDOWS\System32\drivers\qcndisif.SYS [2005-06-13 12288]
    S3 RFCOMM;Bluetooth Device (RFCOMM Protocol TDI); C:\WINDOWS\system32\DRIVERS\rfcomm.sys [2004-08-03 59648]
    S3 sffdisk;SFF Storage Class Driver; C:\WINDOWS\system32\DRIVERS\sffdisk.sys [2004-08-04 11136]
    S3 sffp_sd;SFF Storage Protocol Driver for SDBus; C:\WINDOWS\system32\DRIVERS\sffp_sd.sys [2004-08-04 10240]
    S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2004-08-03 11136]
    S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2004-08-03 15360]
    S3 SymIM;Symantec Network Security Intermediate Filter Service; C:\WINDOWS\system32\DRIVERS\SymIM.sys []
    S3 SymIMMP;SymIMMP; C:\WINDOWS\system32\DRIVERS\SymIM.sys []
    S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 31616]
    S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
    S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
    S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
    S3 wceusbsh;Windows CE USB Serial Host Driver; C:\WINDOWS\system32\DRIVERS\wceusbsh.sys [2006-11-06 28672]
    S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2004-08-03 19328]
    S4 agp440;Intel AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agp440.sys [2004-08-04 42368]
    S4 agpCPQ;Compaq AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agpCPQ.sys [2004-08-04 44928]
    S4 alim1541;ALI AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\alim1541.sys [2004-08-04 42752]
    S4 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\system32\DRIVERS\amdagp.sys [2004-08-04 43008]
    S4 cbidf;cbidf; C:\WINDOWS\system32\DRIVERS\cbidf2k.sys [2001-08-17 13952]
    S4 IntelIde;IntelIde; C:\WINDOWS\system32\DRIVERS\intelide.sys [2004-08-04 5504]
    S4 sisagp;SIS AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\sisagp.sys [2004-08-04 41088]
    S4 viaagp;VIA AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\viaagp.sys [2004-08-04 42240]

    ======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

    R2 BthServ;Bluetooth Support Service; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
    R2 btwdins;Bluetooth Service; C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe [2005-05-25 163840]
    R2 ccEvtMgr;Symantec Event Manager; C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe [2007-01-22 192104]
    R2 ccSetMgr;Symantec Settings Manager; C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe [2007-01-22 169576]
    R2 IBM Rapid Restore Ultra Service;IBM Rapid Restore Ultra Service; C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe [2004-12-16 385024]
    R2 IBM User Verification Manager;IBM User Verification Manager; C:\Program Files\IBM\Security\uvmserv.exe [2005-03-24 614400]
    R2 IBMPMSVC;IBM PM Service; C:\WINDOWS\system32\ibmpmsvc.exe [2004-11-05 57344]
    R2 ibmsmbus;SMBus Upgrade Service for Windows 2000 and above; C:\WINDOWS\System32\ibmsmbus.exe [2004-07-06 28160]
    R2 Irmon;Infrared Monitor; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
    R2 pgsql-8.2;PostgreSQL Database Server 8.2; C:\Program Files\PostgreSQL\8.2\bin\pg_ctl.exe [2007-09-17 79948]
    R2 QCONSVC;QCONSVC; C:\WINDOWS\System32\QCONSVC.EXE [2005-06-13 77824]
    R2 SoundMAX Agent Service (default);SoundMAX Agent Service; C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe [2002-09-20 45056]
    R2 Symantec Core LC;Symantec Core LC; C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe [2007-07-17 1174152]
    R2 TPHDEXLGSVC;IBM HDD APS Logging Service; C:\WINDOWS\System32\TPHDEXLG.EXE [2004-05-24 77824]
    R2 TpKmpSVC;IBM KCU Service; C:\WINDOWS\system32\TpKmpSVC.exe [2003-07-11 32768]
    R2 UCLauncherService;ThinkVantage System Update; C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe [2005-08-04 40960]
    R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2004-08-11 38912]
    R2 vtserver;Protector Suite Virtual Token; C:\Program Files\Common Files\Virtual Token\vtserver.exe [2004-11-04 40547]
    R2 WinDefend;Windows Defender; C:\Program Files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
    R3 ACS;ACU Configuration Service; C:\WINDOWS\system32\acs.exe [2005-01-24 36864]
    S2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2007-08-09 73728]
    S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
    S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
    S3 getPlus(R) Helper;getPlus(R) Helper; C:\Program Files\NOS\bin\getPlus_HelperSvc.exe [2008-08-29 33752]
    S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
    S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
    S3 Tomcat5;Apache Tomcat; c:\tomcat5\bin\tomcat5.exe [2007-08-24 57344]
    S4 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-10-12 138168]

    -----------------EOF-----------------

    Thanks
  11. 2008/10/19
    noahdfear
    Please upload the following file to my submission channel for analysis. Leave a link back to this topic.

    C:\WINDOWS\system32\qgeku.exe

    Thanks!
  12. 2008/10/19
    indyhamilton
    Hi There,
    I have submitted the file for analysis and a link to the topic.

    thanks
  13. 2008/10/19
    noahdfear
    Scan with HijackThis and place a check next to the following entries.

    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
    O24 - Desktop Component 0: Ink Desktop - {80E95280-2D38-3CB8-A215-FB5F14C4343E}

    Click Fix Checked and close when done.


    I cannot confirm the file you submitted is bad, so let's just rename it for now. Right click the file C:\WINDOWS\system32\qgeku.exe and select Rename then add .old to its name.


    Download ATF Cleaner by Atribune and save it to your Desktop.
    • Double click ATF-Cleaner.exe to run the program.
    • Check the boxes to the left of:

      • Windows Temp
      • Current User Temp
      • All Users Temp
      • Temporary Internet Files
      • Prefetch
      • Java Cache
      • Recycle bin

    • The rest are optional - if you want it to remove everything check "Select All".
    • Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK then exit.
    Reboot


    Please do an online scan with Kaspersky Online Scanner

    Click Accept, when prompted to download and install the program files and database of malware definitions.
    • Click Run at the Security prompt.
    • The program will then begin downloading and installing and will also update the database.
    • Please be patient as this can take several minutes.
    • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Click View scan report at the bottom.
    • Click the Save Report As... button.
    • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
    **Note**

    To optimize scanning time and produce a more sensible report for review:
    • Close any open programs.
    • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
    Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.


    Post the Kaspersky log and one more fresh RSIT log.
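A small triage helper, added here as an example and not part of HijackThis, RSIT or any post in this thread: it parses O2 (BHO) and O3 (Toolbar) lines in the HijackThis format used above and returns the entries whose CLSID resolves to "(no file)", the orphaned registry entries of the kind ticked for Fix Checked. The sample lines are copied from the HijackThis log posted later in this thread; the `Entry` class and function names are this example's own.

```python
"""Triage helper for HijackThis-style O2/O3 log lines.

Example code written for this thread, not part of HijackThis or RSIT.
It extracts BHO (O2) and Toolbar (O3) entries and flags the ones whose
CLSID no longer points at a file on disk, which HijackThis prints as
"(no file)". Such orphaned entries are what a helper ticks for "Fix
Checked"; they are leftovers, not evidence of an active infection.
"""
import re
from dataclasses import dataclass
from typing import List

# Sample entries copied from the HijackThis log posted in this thread.
# The O4 line is included to show that non-O2/O3 lines are ignored.
SAMPLE_LOG = """\
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelperShim.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\\program files\\google\\googletoolbar2.dll
O4 - HKLM\\..\\Run: [QCTray] C:\\PROGRA~1\\ThinkPad\\CONNEC~1\\QCTray.exe
"""

# "O<n> - <kind>: <name> - {<CLSID>} - <target>", where target is a path
# or the literal "(no file)". The name is matched lazily because it may
# itself contain " - " or parentheses, e.g. "(no name)".
ENTRY_RE = re.compile(
    r"^O(?P<section>\d+) - (?P<kind>BHO|Toolbar): (?P<name>.*?) - "
    r"\{(?P<clsid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\} - "
    r"(?P<target>.+)$"
)


@dataclass
class Entry:
    section: int   # HijackThis section number (2 = BHO, 3 = Toolbar)
    kind: str      # "BHO" or "Toolbar"
    name: str      # display name, "(no name)" when the registry has none
    clsid: str     # CLSID in upper case, without braces
    target: str    # file path, or "(no file)"

    @property
    def orphaned(self) -> bool:
        """True when the CLSID's server DLL is missing from disk."""
        return self.target.strip().lower() == "(no file)"


def parse_entries(log: str) -> List[Entry]:
    """Return all O2/O3 entries found in a HijackThis log text."""
    entries: List[Entry] = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m is None:
            continue  # not an O2/O3 line (e.g. O4 Run entries)
        entries.append(Entry(
            section=int(m["section"]),
            kind=m["kind"],
            name=m["name"],
            clsid=m["clsid"].upper(),
            target=m["target"],
        ))
    return entries


def orphaned_entries(log: str) -> List[Entry]:
    """Return only the entries HijackThis reports as "(no file)"."""
    return [e for e in parse_entries(log) if e.orphaned]


def summarize(log: str) -> List[str]:
    """One human-readable line per orphaned entry, for a reply post."""
    return [
        f"O{e.section} - {e.kind}: {e.name} - {{{e.clsid}}} - (no file)"
        for e in orphaned_entries(log)
    ]


if __name__ == "__main__":
    for line in summarize(SAMPLE_LOG):
        print(line)
```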
  14. 2008/10/20
    indyhamilton
    Hi There,

    Here is the Kaspersky log:

    KASPERSKY ONLINE SCANNER 7 REPORT
    Monday, October 20, 2008
    Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Monday, October 20, 2008 03:44:11
    Records in database: 1324048
    --------------------------------------------------------------------------------

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - My Computer:
    C:\
    D:\

    Scan statistics:
    Files scanned: 72871
    Threat name: 13
    Infected objects: 18
    Suspicious objects: 9
    Duration of the scan: 02:48:57


    File name / Threat name / Threats count
    C:\Documents and Settings\Inder\Local Settings\Application Data\Identities\{3FE8F3F5-EB38-469A-AA2F-FE46A54F6234}\Microsoft\Outlook Express\Deleted Items.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 5
    C:\Documents and Settings\Inder\Local Settings\Application Data\Identities\{3FE8F3F5-EB38-469A-AA2F-FE46A54F6234}\Microsoft\Outlook Express\Hotmail - Inbox.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1
    C:\Documents and Settings\Inder\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Suspicious: Exploit.HTML.Iframe.FileDownload 2
    C:\Documents and Settings\Inder\My Documents\Outlook Backup\Hotmail - Inbox.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1
    C:\Documents and Settings\Inder\My Documents\Setup.exe Infected: not-a-virus:WebToolbar.Win32.Zango.bm 1
    C:\Documents and Settings\Inder\My Documents\Stream Recorders\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
    C:\Documents and Settings\Inder\My Documents\Stream Recorders\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
    C:\Documents and Settings\Inder\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
    C:\My Downloads\yeh sama tune.wm Infected: Trojan-Downloader.WMA.Wimad.m 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\tdssadw.dll.vir Infected: Rootkit.Win32.Clbd.ky 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSl.dll.vir Infected: Backdoor.Win32.TDSS.zj 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\tdsslog.dll.vir Infected: Backdoor.Win32.Agent.rfv 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\tdssmain.dll.vir Infected: Backdoor.Win32.Agent.tcb 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\tdssserf.dll.vir Infected: Trojan-Downloader.Win32.FraudLoad.vbxt 1
    C:\System Volume Information\_restore{B6DC2836-A7E6-4F3E-B4D1-C4CCB11A3920}\RP737\A0112375.dll Infected: not-a-virus:AdWare.Win32.HotBar.ck 1
    C:\System Volume Information\_restore{B6DC2836-A7E6-4F3E-B4D1-C4CCB11A3920}\RP737\A0112378.dll Infected: not-a-virus:WebToolbar.Win32.Zango.bd 1
    C:\System Volume Information\_restore{B6DC2836-A7E6-4F3E-B4D1-C4CCB11A3920}\RP741\A0113409.sys Infected: Rootkit.Win32.Agent.eeq 1
    C:\System Volume Information\_restore{B6DC2836-A7E6-4F3E-B4D1-C4CCB11A3920}\RP741\A0113517.dll Infected: Rootkit.Win32.Clbd.ky 1
    C:\System Volume Information\_restore{B6DC2836-A7E6-4F3E-B4D1-C4CCB11A3920}\RP741\A0113519.dll Infected: Backdoor.Win32.TDSS.zj 1
    C:\System Volume Information\_restore{B6DC2836-A7E6-4F3E-B4D1-C4CCB11A3920}\RP741\A0113520.dll Infected: Backdoor.Win32.Agent.rfv 1
    C:\System Volume Information\_restore{B6DC2836-A7E6-4F3E-B4D1-C4CCB11A3920}\RP741\A0113521.dll Infected: Backdoor.Win32.Agent.tcb 1
    C:\System Volume Information\_restore{B6DC2836-A7E6-4F3E-B4D1-C4CCB11A3920}\RP741\A0113522.dll Infected: Trojan-Downloader.Win32.FraudLoad.vbxt 1

    The selected area was scanned.

    RSIT Log:


    Logfile of random's system information tool 1.04 (written by random/random)
    Run by Inder at 2008-10-20 04:08:07
    Microsoft Windows XP Professional Service Pack 2
    System drive C: has 28 GB (52%) free of 53 GB
    Total RAM: 502 MB (28% free)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:08:08 AM, on 10/20/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\Program Files\Common Files\Virtual Token\vtserver.exe
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
    C:\Program Files\IBM\Security\uvmserv.exe
    C:\WINDOWS\System32\ibmsmbus.exe
    C:\WINDOWS\System32\QCONSVC.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\TPHDEXLG.EXE
    C:\WINDOWS\system32\TpKmpSVC.exe
    C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
    C:\WINDOWS\SYSTEM32\WISPTIS.EXE
    C:\WINDOWS\System32\tabbtnu.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\acs.exe
    C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
    C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exe
    C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
    C:\Program Files\Zinio\ZinioDeliveryManager.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\MICROS~4\rapimgr.exe
    C:\Program Files\Alias\Alias SketchBook Pro 1.1\AliasSketchSnap.exe
    C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\PROGRA~1\ThinkPad\BLUETO~1\BTSTAC~1.EXE
    C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Inder\Local Settings\Temp\jkos-Inder\binaries\ScanningProcess.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Inder\My Documents\Fixing Trojans\RSIT.exe
    C:\Program Files\Trend Micro\HijackThis\Inder.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
    O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [QCWLIcon] C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exe
    O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe "
    O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe "
    O4 - HKCU\..\Run: [Zinio DLM] C:\Program Files\Zinio\ZinioDeliveryManager.exe /autostart
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-21-3562811570-1294305256-3266001994-1008\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'postgres')
    O4 - HKUS\S-1-5-21-3562811570-1294305256-3266001994-1008\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe (User 'postgres')
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - Global Startup: Alias SketchBook Snapshot.lnk = C:\Program Files\Alias\Alias SketchBook Pro 1.1\AliasSketchSnap.exe
    O4 - Global Startup: BTTray.lnk = ?
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\ThinkPad\PkgMgr\\PkgMgr.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [JAVA_IBM] Java (IBM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.aajtak.com/wfplayer/tdserver.cab
    O16 - DPF: {6B78B13A-6E99-4588-8EAB-C2399B202022} (iVocalize Web Conference 4 Setup) - http://imgenius.mysynergyroom.com/iv4.cab
    O16 - DPF: {E598AC61-4C6F-4F4D-877F-FAC49CA91FA3} (acpRunner Class) - https://www-307.ibm.com/pc/support/access/aslibmain/content/AcpControl.cab
    O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
    O23 - Service: IBM User Verification Manager - IBM - C:\Program Files\IBM\Security\uvmserv.exe
    O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
    O23 - Service: SMBus Upgrade Service for Windows 2000 and above (ibmsmbus) - International Business Machines Corp. - C:\WINDOWS\System32\ibmsmbus.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: PostgreSQL Database Server 8.2 (pgsql-8.2) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.2\bin\pg_ctl.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - (no file)
    O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Apache Tomcat (Tomcat5) - Apache Software Foundation - c:\tomcat5\bin\tomcat5.exe
    O23 - Service: IBM HDD APS Logging Service (TPHDEXLGSVC) - IBM Corporation - C:\WINDOWS\System32\TPHDEXLG.EXE
    O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
    O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
    O23 - Service: Protector Suite Virtual Token (vtserver) - UPEK Inc. - C:\Program Files\Common Files\Virtual Token\vtserver.exe

    --
    End of file - 9724 bytes

    ======Scheduled tasks folder======

    C:\WINDOWS\tasks\MP Scheduled Scan.job

    ======Registry dump======

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
    Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11 75128]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
    SSVHelper Class - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll [2008-03-25 509328]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
    Google Toolbar Helper - c:\program files\google\googletoolbar2.dll [2007-01-19 2403392]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
    Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll [2008-10-14 737776]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}
    {2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar2.dll [2007-01-19 2403392]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "QCWLIcon"=C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exe [2005-06-13 86016]
    "QCTray"=C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe [2005-06-13 745472]
    "HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [2007-05-08 54840]
    "Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2008-06-12 34672]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "ibmmessages"=C:\Program Files\IBM\Messages By IBM\ibmmessages.exe [2004-08-06 442368]
    "H/PC Connection Agent"=C:\Program Files\Microsoft ActiveSync\Wcescomm.exe [2006-11-13 1289000]
    "Zinio DLM"=C:\Program Files\Zinio\ZinioDeliveryManager.exe [2005-11-01 1003590]
    "swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2008-10-14 68856]
    "ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2008-10-03 185632]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "gusvc"=3
    "ccSetMgr"=2
    "ccEvtMgr"=2

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    Alias SketchBook Snapshot.lnk - C:\Program Files\Alias\Alias SketchBook Pro 1.1\AliasSketchSnap.exe
    BTTray.lnk - C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
    Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
    C:\WINDOWS\system32\igfxsrvc.dll [2005-03-10 348160]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\loginkey]
    C:\Program Files\Common Files\Microsoft Shared\Ink\loginkey.dll [2004-08-04 47104]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\psfus]
    C:\Program Files\IBM fingerprint software\psfus.dll [2004-11-04 108636]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\QConGina]
    C:\WINDOWS\system32\QConGina.dll [2005-06-13 262144]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\TabBtnWL]
    C:\WINDOWS\system32\TabBtnWL.dll [2002-08-29 11776]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tpgwlnotify]
    C:\WINDOWS\system32\tpgwlnot.dll [2004-08-04 30208]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tphotkey]
    C:\WINDOWS\system32\tphklock.dll [2004-08-12 24576]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
    C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"=C:\PROGRA~1\WIFD1F~1\MpShHook.dll [2006-11-03 83224]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "notification packages"=scecli
    pwdmon

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WinDefend]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "dontdisplaylastusername"=0
    "legalnoticecaption"=
    "legalnoticetext"=
    "shutdownwithoutlogon"=1
    "undockwithoutlogon"=1

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "NoDrives"=0

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "NoDriveTypeAutoRun"=
    "NoDrives"=
    "NoDriveAutoRun"=

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE:*:Enabled:ActiveSync Connection Manager"
    "C:\Program Files\Microsoft ActiveSync\WCESMGR.EXE"="C:\Program Files\Microsoft ActiveSync\WCESMGR.EXE:*:Enabled:ActiveSync Application"
    "C:\Program Files\IBM\Java142\jre\bin\javaw.exe"="C:\Program Files\IBM\Java142\jre\bin\javaw.exe:*:Enabled:ThinkVantage System Update"
    "C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
    "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "C:\Program Files\Microsoft ActiveSync\rapimgr.exe"="C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
    "C:\jdk1.5.0_14\bin\java.exe"="C:\jdk1.5.0_14\bin\java.exe:*:Enabled:Java(TM) 2 Platform Standard Edition binary"
    "C:\Program Files\Java\jre1.6.0_06\bin\javaw.exe"="C:\Program Files\Java\jre1.6.0_06\bin\javaw.exe:*:Enabled:Java(TM) Platform SE binary"
    "C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:*:Enabled:hpqtra08.exe"
    "C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe"
    "C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe"
    "C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe"="C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe"
    "C:\Program Files\HP\Digital Imaging\bin\hposid01.exe"="C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe"
    "C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
    "C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
    "C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe:*:Enabled:hpqcopy.exe"
    "C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe"="C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe:*:Enabled:hpfccopy.exe"
    "C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe"="C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
    "C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe"="C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
    "C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe"="C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe:*:Enabled:hpqdia.exe"
    "C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe"="C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe"
    "C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\Program Files\IBM\Updater\jre\bin\java.exe"="C:\Program Files\IBM\Updater\jre\bin\java.exe:*:Enabled:IBM Update Connector"
    "C:\Program Files\IBM\Updater\jre\bin\javaw.exe"="C:\Program Files\IBM\Updater\jre\bin\javaw.exe:*:Enabled:IBM Update Connector"
    "C:\Program Files\IBM\Updater\ucsmb.exe"="C:\Program Files\IBM\Updater\ucsmb.exe:*:Enabled:IBM Update Connector"
    "C:\Program Files\IBM\Java142\jre\bin\javaw.exe"="C:\Program Files\IBM\Java142\jre\bin\javaw.exe:*:Enabled:ThinkVantage System Update"
    "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "C:\Program Files\Microsoft ActiveSync\rapimgr.exe"="C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
    "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
    "C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"="C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

    ======List of files/folders created in the last 3 months======

    2008-10-20 03:03:46 ----D---- C:\WINDOWS\LastGood
    2008-10-20 03:03:32 ----D---- C:\Program Files\MSXML 6.0
    2008-10-19 19:49:27 ----D---- C:\Program Files\trend micro
    2008-10-19 19:49:26 ----D---- C:\rsit
    2008-10-19 18:21:39 ----D---- C:\Documents and Settings\Inder\Application Data\Malwarebytes
    2008-10-19 18:21:33 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
    2008-10-19 18:21:33 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-10-19 18:10:55 ----D---- C:\Program Files\Adobe
    2008-10-19 16:44:03 ----SHD---- C:\RECYCLER
    2008-10-19 15:50:36 ----A---- C:\ComboFix.txt
    2008-10-19 15:33:42 ----A---- C:\Boot.bak
    2008-10-19 15:33:36 ----RASHD---- C:\cmdcons
    2008-10-19 15:29:51 ----A---- C:\WINDOWS\zip.exe
    2008-10-19 15:29:51 ----A---- C:\WINDOWS\VFIND.exe
    2008-10-19 15:29:51 ----A---- C:\WINDOWS\SWXCACLS.exe
    2008-10-19 15:29:51 ----A---- C:\WINDOWS\SWSC.exe
    2008-10-19 15:29:51 ----A---- C:\WINDOWS\SWREG.exe
    2008-10-19 15:29:51 ----A---- C:\WINDOWS\sed.exe
    2008-10-19 15:29:51 ----A---- C:\WINDOWS\NIRCMD.exe
    2008-10-19 15:29:51 ----A---- C:\WINDOWS\grep.exe
    2008-10-19 15:29:51 ----A---- C:\WINDOWS\fdsv.exe
    2008-10-19 15:29:46 ----D---- C:\WINDOWS\ERDNT
    2008-10-19 15:29:46 ----D---- C:\Qoobox
    2008-10-19 10:20:40 ----A---- C:\WINDOWS\ntbtlog.txt
    2008-10-18 19:09:42 ----D---- C:\Program Files\Exterminate It!
    2008-10-18 16:03:26 ----D---- C:\fixwareout
    2008-10-18 13:49:36 ----D---- C:\Program Files\Reference Assemblies
    2008-10-18 13:48:53 ----N---- C:\WINDOWS\system32\spmsg2.dll
    2008-10-18 13:48:31 ----HDC---- C:\WINDOWS\$NtUninstallWIC$
    2008-10-18 11:17:29 ----D---- C:\Documents and Settings\Inder\Application Data\SoftInform
    2008-10-18 11:16:50 ----D---- C:\Program Files\iNetFormFiller Trial
    2008-10-18 11:14:23 ----D---- C:\Documents and Settings\Inder\Application Data\AdsCleaner
    2008-10-18 11:14:20 ----D---- C:\Program Files\SoftInform
    2008-10-18 02:28:36 ----D---- C:\WINDOWS\pss
    2008-10-18 00:41:22 ----A---- C:\WINDOWS\system32\tmp.txt
    2008-10-18 00:40:24 ----A---- C:\rapport.txt
    2008-10-17 23:17:08 ----A---- C:\WINDOWS\system32\ffd2038b-.txt
    2008-10-17 23:02:14 ----D---- C:\Documents and Settings\All Users\Application Data\xwxcfkfw
    2008-10-16 22:49:19 ----HDC---- C:\WINDOWS\$NtUninstallKB954211$
    2008-10-16 12:39:46 ----A---- C:\WINDOWS\NCLogConfig.ini
    2008-10-15 21:47:12 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
    2008-10-15 21:47:04 ----HDC---- C:\WINDOWS\$NtUninstallKB956391$
    2008-10-15 21:46:55 ----HDC---- C:\WINDOWS\$NtUninstallKB957095$
    2008-10-15 21:46:37 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$
    2008-10-15 21:44:25 ----HDC---- C:\WINDOWS\$NtUninstallKB956390$
    2008-10-15 09:58:29 ----A---- C:\WINDOWS\system32\hpz3l054.dll
    2008-10-12 20:07:35 ----D---- C:\Program Files\WMR11
    2008-10-12 19:51:03 ----A---- C:\WINDOWS\_MSRSTRT.EXE
    2008-10-12 19:15:57 ----D---- C:\Program Files\FlashGet
    2008-10-10 19:48:11 ----D---- C:\Documents and Settings\Inder\Application Data\HP
    2008-10-10 18:50:12 ----D---- C:\Documents and Settings\All Users\Application Data\HP
    2008-10-10 18:46:47 ----D---- C:\bin
    2008-10-10 18:44:37 ----D---- C:\Documents and Settings\All Users\Application Data\Sonic
    2008-10-10 18:44:35 ----D---- C:\Program Files\Common Files\Sonic Shared
    2008-10-10 18:40:47 ----D---- C:\Program Files\Common Files\HP
    2008-10-10 18:36:35 ----D---- C:\Program Files\Hewlett-Packard
    2008-10-10 18:35:40 ----D---- C:\Program Files\Common Files\Hewlett-Packard
    2008-10-10 18:33:54 ----A---- C:\WINDOWS\system32\HPZisn12.dll
    2008-10-10 18:33:54 ----A---- C:\WINDOWS\system32\HPZipt12.dll
    2008-10-10 18:33:54 ----A---- C:\WINDOWS\system32\HPZipr12.dll
    2008-10-10 18:33:54 ----A---- C:\WINDOWS\system32\HPZipm12.exe
    2008-10-10 18:33:54 ----A---- C:\WINDOWS\system32\HPZinw12.exe
    2008-10-10 18:33:54 ----A---- C:\WINDOWS\system32\HPZidr12.dll
    2008-10-10 18:31:29 ----D---- C:\Program Files\HP
    2008-10-05 19:04:22 ----D---- C:\Documents and Settings\Inder\Application Data\Elluminate
    2008-10-03 09:12:15 ----D---- C:\Program Files\Common Files\xing shared
    2008-10-03 09:12:03 ----A---- C:\WINDOWS\system32\rmoc3260.dll
    2008-10-03 09:11:50 ----A---- C:\WINDOWS\system32\pndx5032.dll
    2008-10-03 09:11:50 ----A---- C:\WINDOWS\system32\pndx5016.dll
    2008-10-03 09:11:48 ----A---- C:\WINDOWS\system32\pncrt.dll
    2008-10-02 13:43:03 ----D---- C:\Documents and Settings\Inder\Application Data\Desktopicon
    2008-10-02 13:43:00 ----D---- C:\Program Files\Unlocker
    2008-10-02 11:09:56 ----D---- C:\col1832
    2008-10-01 08:08:06 ----D---- C:\Documents and Settings\Inder\Application Data\InstallShield
    2008-10-01 08:01:16 ----D---- C:\Program Files\SaskTel
    2008-09-24 09:35:05 ----D---- C:\WINDOWS\system32\CatRoot_bak
    2008-09-18 08:49:49 ----D---- C:\Program Files\AL-Software
    2008-09-15 11:50:43 ----HDC---- C:\WINDOWS\$NtUninstallKB938464$
    2008-09-06 23:51:05 ----HDC---- C:\WINDOWS\$NtUninstallKB953838$
    2008-08-30 13:22:11 ----D---- C:\Program Files\NOS
    2008-08-30 13:22:11 ----D---- C:\Documents and Settings\All Users\Application Data\NOS
    2008-08-26 11:39:12 ----D---- C:\WINDOWS\Profiles
    2008-08-26 11:39:07 ----D---- C:\Documents and Settings\Inder\Application Data\InterTrust
    2008-08-25 20:20:27 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
    2008-08-25 20:20:11 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
    2008-08-24 16:54:12 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
    2008-08-24 16:54:04 ----HDC---- C:\WINDOWS\$NtUninstallKB953839$
    2008-08-24 16:52:11 ----HDC---- C:\WINDOWS\$NtUninstallKB951072-v2$
    2008-08-24 16:51:57 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
    2008-08-23 20:08:39 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
    2008-08-22 06:44:40 ----D---- C:\Documents and Settings\Inder\Application Data\QcWizard
    2008-08-20 20:21:23 ----A---- C:\WINDOWS\system32\qgeku.exe.old
    2008-08-20 18:16:38 ----A---- C:\WINDOWS\ModemLog_IBM Integrated 56K Modem.txt
    2008-08-09 22:27:56 ----D---- C:\Program Files\Arkon

    ======List of files/folders modified in the last 3 months======

    2008-10-20 04:04:48 ----D---- C:\WINDOWS\Prefetch
    2008-10-20 03:04:41 ----HD---- C:\WINDOWS\inf
    2008-10-20 03:04:39 ----D---- C:\WINDOWS\system32\CatRoot
    2008-10-20 03:04:39 ----AD---- C:\WINDOWS\system32
    2008-10-20 03:04:39 ----AD---- C:\WINDOWS
    2008-10-20 03:03:45 ----D---- C:\WINDOWS\system32\CatRoot2
    2008-10-20 03:03:36 ----SHD---- C:\WINDOWS\Installer
    2008-10-20 03:03:35 ----D---- C:\WINDOWS\Temp
    2008-10-20 03:03:32 ----RD---- C:\Program Files
    2008-10-19 21:33:16 ----D---- C:\Program Files\Mozilla Firefox
    2008-10-19 21:28:48 ----SD---- C:\WINDOWS\Tasks
    2008-10-19 21:26:26 ----SD---- C:\WINDOWS\Downloaded Program Files
    2008-10-19 21:24:17 ----A---- C:\WINDOWS\SchedLgU.Txt
    2008-10-19 18:54:00 ----D---- C:\WINDOWS\Help
    2008-10-19 18:21:36 ----D---- C:\WINDOWS\system32\drivers
    2008-10-19 18:13:25 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
    2008-10-19 18:12:41 ----D---- C:\Program Files\Common Files\Adobe
    2008-10-19 17:15:15 ----D---- C:\WINDOWS\WinSxS
    2008-10-19 15:41:15 ----A---- C:\WINDOWS\system.ini
    2008-10-19 15:38:17 ----D---- C:\WINDOWS\system32\config
    2008-10-19 15:35:49 ----D---- C:\WINDOWS\AppPatch
    2008-10-19 15:35:49 ----D---- C:\Program Files\Common Files
    2008-10-19 15:33:42 ----RASH---- C:\BOOT.INI
    2008-10-19 10:52:22 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
    2008-10-19 10:52:18 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-10-19 10:23:25 ----D---- C:\WINDOWS\Minidump
    2008-10-19 10:21:34 ----A---- C:\WINDOWS\DUMP56ab.tmp
    2008-10-18 19:29:05 ----D---- C:\WINDOWS\network diagnostic
    2008-10-18 16:46:01 ----D---- C:\WINDOWS\Microsoft.Net
    2008-10-18 14:47:16 ----RSD---- C:\WINDOWS\assembly
    2008-10-18 14:46:59 ----RSD---- C:\WINDOWS\Fonts
    2008-10-18 14:46:59 ----D---- C:\WINDOWS\system32\en-US
    2008-10-18 13:56:18 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
    2008-10-18 13:49:07 ----D---- C:\WINDOWS\system32\spool
    2008-10-18 13:48:55 ----RSHD---- C:\WINDOWS\system32\dllcache
    2008-10-18 13:17:41 ----D---- C:\Documents and Settings\Inder\Application Data\Mozilla
    2008-10-18 12:56:33 ----A---- C:\WINDOWS\win.ini
    2008-10-18 03:21:17 ----SHD---- C:\WINDOWS\CSC
    2008-10-17 23:46:03 ----D---- C:\IBMSHARE
    2008-10-17 22:38:44 ----D---- C:\Program Files\Internet Explorer
    2008-10-16 22:49:28 ----A---- C:\WINDOWS\imsins.BAK
    2008-10-16 22:48:36 ----HD---- C:\WINDOWS\$hf_mig$
    2008-10-15 19:33:20 ----A---- C:\WINDOWS\NeroDigital.ini
    2008-10-15 09:58:13 ----D---- C:\WINDOWS\twain_32
    2008-10-12 19:53:28 ----D---- C:\Program Files\Google
    2008-10-07 12:19:42 ----A---- C:\WINDOWS\system32\MRT.exe
    2008-10-06 15:57:35 ----A---- C:\WINDOWS\cdplayer.ini
    2008-10-03 09:13:54 ----D---- C:\Documents and Settings\Inder\Application Data\Real
    2008-10-03 09:12:10 ----D---- C:\Program Files\Common Files\Real
    2008-10-02 13:25:59 ----D---- C:\Program Files\Common Files\Symantec Shared
    2008-10-01 08:15:34 ----D---- C:\Program Files\InstallShield Installation Information
    2008-10-01 08:12:49 ----D---- C:\Documents and Settings\Inder\Application Data\Bell
    2008-10-01 08:12:49 ----D---- C:\Documents and Settings\All Users\Application Data\Bell
    2008-09-29 18:32:33 ----A---- C:\WINDOWS\HPSETUP.INI
    2008-09-24 09:35:05 ----D---- C:\WINDOWS\Debug
    2008-08-25 20:20:30 ----D---- C:\Program Files\Messenger
    2008-08-25 19:41:17 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
    2008-08-25 19:34:19 ----D---- C:\Program Files\Ahead
    2008-08-25 19:33:17 ----D---- C:\Documents and Settings\All Users\Application Data\Google
    2008-08-25 19:28:00 ----D---- C:\Documents and Settings\Inder\Application Data\Adobe
    2008-08-25 18:33:46 ----D---- C:\Documents and Settings\Inder\Application Data\skypePM
    2008-08-19 23:33:20 ----A---- C:\WINDOWS\system32\mshtml.dll
    2008-08-19 23:33:19 ----A---- C:\WINDOWS\system32\wininet.dll
    2008-08-19 23:33:19 ----A---- C:\WINDOWS\system32\urlmon.dll
    2008-08-19 23:33:19 ----A---- C:\WINDOWS\system32\shlwapi.dll
    2008-08-19 23:33:19 ----A---- C:\WINDOWS\system32\shdocvw.dll
    2008-08-19 23:33:19 ----A---- C:\WINDOWS\system32\mshtmled.dll
    2008-08-19 23:33:19 ----A---- C:\WINDOWS\system32\jsproxy.dll
    2008-08-19 23:33:19 ----A---- C:\WINDOWS\system32\browseui.dll
    2008-08-19 23:33:18 ----A---- C:\WINDOWS\system32\pngfilt.dll
    2008-08-19 23:33:18 ----A---- C:\WINDOWS\system32\mstime.dll
    2008-08-19 23:33:18 ----A---- C:\WINDOWS\system32\msrating.dll
    2008-08-19 23:33:18 ----A---- C:\WINDOWS\system32\inseng.dll
    2008-08-19 23:33:18 ----A---- C:\WINDOWS\system32\iepeers.dll
    2008-08-19 23:33:18 ----A---- C:\WINDOWS\system32\extmgr.dll
    2008-08-19 23:33:18 ----A---- C:\WINDOWS\system32\dxtrans.dll
    2008-08-19 23:33:18 ----A---- C:\WINDOWS\system32\dxtmsft.dll
    2008-08-19 23:33:18 ----A---- C:\WINDOWS\system32\danim.dll
    2008-08-19 23:33:17 ----A---- C:\WINDOWS\system32\cdfview.dll
    2008-08-19 03:20:32 ----A---- C:\WINDOWS\system32\xpsp3res.dll
    2008-08-14 03:57:20 ----A---- C:\WINDOWS\system32\ntoskrnl.exe
    2008-08-14 03:18:44 ----A---- C:\WINDOWS\system32\ntkrnlpa.exe
    2008-07-25 07:52:50 ----D---- C:\WINDOWS\Registration
    2008-07-25 07:52:23 ----D---- C:\Program Files\ComPlus Applications

    ======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

    R1 ANC;ANC; C:\WINDOWS\System32\drivers\ANC.SYS [2005-06-13 11520]
    R1 IBMTPCHK;IBMTPCHK; C:\WINDOWS\System32\drivers\IBMBLDID.SYS [2005-06-13 2432]
    R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-04 36096]
    R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-04 14848]
    R1 ShockMgr;ShockMgr; C:\WINDOWS\system32\drivers\ShockMgr.sys [2004-05-14 4608]
    R1 Smapint;Smapint; C:\WINDOWS\System32\drivers\Smapint.sys [2005-01-21 14848]
    R1 TDSMAPI;TDSMAPI; C:\WINDOWS\System32\drivers\TDSMAPI.SYS [2005-01-21 9340]
    R1 TPHKDRV;TPHKDRV; C:\WINDOWS\system32\drivers\TPHKDRV.sys [2004-09-06 16370]
    R1 TPPWRIF;TPPWRIF; C:\WINDOWS\System32\drivers\Tppwrif.sys [2005-04-13 4442]
    R1 TSMAPIP;TSMAPIP; C:\WINDOWS\System32\drivers\TSMAPIP.SYS [2005-04-01 7168]
    R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.2.0.3; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2005-12-04 17801]
    R2 EGATHDRV;IBM Access Support; \??\C:\WINDOWS\SYSTEM32\EGATHDRV.SYS []
    R2 ibmfilter;ibmfilter; \??\C:\WINDOWS\system32\drivers\ibmfilter.sys []
    R2 irda;IrDA Protocol; C:\WINDOWS\system32\DRIVERS\irda.sys [2004-08-04 87424]
    R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2004-03-17 13059]
    R2 PMEM;PMEM; \??\C:\WINDOWS\SYSTEM32\Drivers\PMEMNT.SYS []
    R2 smi2;smi2; \??\C:\WINDOWS\system32\drivers\smi2.sys []
    R2 symlcbrd;symlcbrd; \??\C:\WINDOWS\system32\drivers\symlcbrd.sys []
    R3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys [2004-05-17 133200]
    R3 AR5211;Dual-band Wi-Fi Wireless Mini PCI Adapter; C:\WINDOWS\system32\DRIVERS\ar5211.sys [2004-12-28 449856]
    R3 AtmelTpm;AtmelTpm; C:\WINDOWS\system32\DRIVERS\AtmelTpm.sys [2005-01-26 15360]
    R3 btaudio;Bluetooth Audio Device; C:\WINDOWS\system32\drivers\btaudio.sys [2005-05-25 17408]
    R3 BTDriver;Bluetooth Virtual Communications Driver; C:\WINDOWS\system32\DRIVERS\btport.sys [2005-05-25 30299]
    R3 BTWDNDIS;Bluetooth LAN Access Server; C:\WINDOWS\system32\DRIVERS\btwdndis.sys [2005-05-25 148040]
    R3 BTWUSB;WIDCOMM USB Bluetooth Driver; C:\WINDOWS\System32\Drivers\btwusb.sys [2005-05-25 55288]
    R3 CmBatt;Microsoft AC Adapter Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2004-08-04 14080]
    R3 fcdabus;fcdabus; C:\WINDOWS\system32\DRIVERS\fcdabus.sys [2005-05-12 11136]
    R3 FVDSCSI;FVDSCSI; C:\WINDOWS\system32\DRIVERS\fvdscsi.sys [2005-04-25 57216]
    R3 HBtnKey;IBM Tablet PC Keyboard Buttons HID Driver; C:\WINDOWS\system32\DRIVERS\tkbtnpn.sys [2005-02-01 7475]
    R3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSF_DP.sys [2004-11-10 1041664]
    R3 HSFHWICH;HSFHWICH; C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys [2004-11-10 200448]
    R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2005-03-10 827100]
    R3 IBMPMDRV;IBMPMDRV; C:\WINDOWS\system32\DRIVERS\ibmpmdrv.sys [2004-11-05 12944]
    R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
    R3 NSCIRDA;NSC Infrared Device Driver; C:\WINDOWS\system32\DRIVERS\nscirda.sys [2004-08-04 28672]
    R3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2003-12-05 10368]
    R3 Rasirda;WAN Miniport (IrDA); C:\WINDOWS\system32\DRIVERS\rasirda.sys [2001-08-17 19584]
    R3 sdbus;sdbus; C:\WINDOWS\system32\DRIVERS\sdbus.sys [2004-08-04 67584]
    R3 SMBusDH;IBM - SMB Hub Controller; C:\WINDOWS\system32\DRIVERS\smbusdh.sys [2005-12-04 11648]
    R3 SMBusHC;SMBus Host Controller; C:\WINDOWS\system32\DRIVERS\smbushc.sys [2005-12-04 29696]
    R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2005-02-10 260224]
    R3 StillCam;Still Serial Digital Camera Driver; C:\WINDOWS\system32\DRIVERS\serscan.sys [2001-08-17 6784]
    R3 TcUsb;TC USB Kernel Driver; C:\WINDOWS\System32\Drivers\tcusb.sys [2004-11-04 24832]
    R3 Tp4Track;IBM PS/2 TrackPoint Driver; C:\WINDOWS\system32\DRIVERS\tp4track.sys [2005-02-18 13872]
    R3 TPInput;TPInput; C:\WINDOWS\System32\DRIVERS\TPInput.sys [2004-12-02 6016]
    R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-04 26624]
    R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-09-16 57856]
    R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-04 20480]
    R3 WacomPen;Wacom Serial Pen HID Driver; C:\WINDOWS\system32\DRIVERS\wacompen.sys [2004-08-04 13568]
    R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2004-11-10 685184]
    S1 eeCtrl;Symantec Eraser Control driver; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys []
    S1 lusbaudio;Logitech USB Microphone; C:\WINDOWS\system32\drivers\OVSound2.sys [2001-08-17 25216]
    S3 ac97intc;Intel(r) 82801 Audio Driver Install Service (WDM); C:\WINDOWS\system32\drivers\ac97intc.sys [2001-08-17 96256]
    S3 b57w2k;Broadcom NetXtreme Gigabit Ethernet; C:\WINDOWS\system32\DRIVERS\b57xp32.sys [2004-12-06 126720]
    S3 Bridge;MAC Bridge; C:\WINDOWS\system32\DRIVERS\bridge.sys [2004-08-04 71552]
    S3 BridgeMP;MAC Bridge Miniport; C:\WINDOWS\system32\DRIVERS\bridge.sys [2004-08-04 71552]
    S3 BthEnum;Bluetooth Request Block Driver; C:\WINDOWS\system32\DRIVERS\BthEnum.sys [2004-08-03 17024]
    S3 BthPan;Bluetooth Device (Personal Area Network); C:\WINDOWS\system32\DRIVERS\bthpan.sys [2004-08-03 100992]
    S3 BTHPORT;Bluetooth Port Driver; C:\WINDOWS\System32\Drivers\BTHport.sys [2008-06-13 272128]
    S3 BTHUSB;Bluetooth Radio USB Driver; C:\WINDOWS\System32\Drivers\BTHUSB.sys [2004-08-03 18944]
    S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2004-08-03 17024]
    S3 E100B;Intel(R) PRO Adapter Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2001-08-17 117760]
    S3 hp4200c;%usbscan.SvcDesc%; C:\WINDOWS\system32\DRIVERS\hp4200c.sys [2001-02-19 9312]
    S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2006-04-12 49664]
    S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2006-04-12 16496]
    S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2006-04-12 21568]
    S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2004-08-03 5504]
    S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2004-08-03 85376]
    S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2004-08-03 10880]
    S3 nm;Network Monitor Driver; C:\WINDOWS\system32\DRIVERS\NMnt.sys [2004-08-04 40320]
    S3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-04 1897408]
    S3 PcdrNdisuio;PCDRNDISUIO Usermode I/O Protocol; C:\WINDOWS\system32\DRIVERS\pcdrndisuio.sys [2005-02-01 12416]
    S3 psadd;IBM PSA Access Driver; \??\C:\WINDOWS\system32\Drivers\psadd.sys []
    S3 QCAbsee;Logitech QuickCam Web (0801); C:\WINDOWS\system32\DRIVERS\OVCA.sys [2001-08-17 25088]
    S3 QCNDISIF;QCNDISIF; C:\WINDOWS\System32\drivers\qcndisif.SYS [2005-06-13 12288]
    S3 RFCOMM;Bluetooth Device (RFCOMM Protocol TDI); C:\WINDOWS\system32\DRIVERS\rfcomm.sys [2004-08-03 59648]
    S3 sffdisk;SFF Storage Class Driver; C:\WINDOWS\system32\DRIVERS\sffdisk.sys [2004-08-04 11136]
    S3 sffp_sd;SFF Storage Protocol Driver for SDBus; C:\WINDOWS\system32\DRIVERS\sffp_sd.sys [2004-08-04 10240]
    S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2004-08-03 11136]
    S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2004-08-03 15360]
    S3 SymIM;Symantec Network Security Intermediate Filter Service; C:\WINDOWS\system32\DRIVERS\SymIM.sys []
    S3 SymIMMP;SymIMMP; C:\WINDOWS\system32\DRIVERS\SymIM.sys []
    S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 31616]
    S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
    S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
    S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
    S3 wceusbsh;Windows CE USB Serial Host Driver; C:\WINDOWS\system32\DRIVERS\wceusbsh.sys [2006-11-06 28672]
    S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2004-08-03 19328]
    S4 agp440;Intel AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agp440.sys [2004-08-04 42368]
    S4 agpCPQ;Compaq AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agpCPQ.sys [2004-08-04 44928]
    S4 alim1541;ALI AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\alim1541.sys [2004-08-04 42752]
    S4 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\system32\DRIVERS\amdagp.sys [2004-08-04 43008]
    S4 cbidf;cbidf; C:\WINDOWS\system32\DRIVERS\cbidf2k.sys [2001-08-17 13952]
    S4 IntelIde;IntelIde; C:\WINDOWS\system32\DRIVERS\intelide.sys [2004-08-04 5504]
    S4 sisagp;SIS AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\sisagp.sys [2004-08-04 41088]
    S4 viaagp;VIA AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\viaagp.sys [2004-08-04 42240]

    ======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

    R2 BthServ;Bluetooth Support Service; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
    R2 btwdins;Bluetooth Service; C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe [2005-05-25 163840]
    R2 ccEvtMgr;Symantec Event Manager; C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe [2007-01-22 192104]
    R2 ccSetMgr;Symantec Settings Manager; C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe [2007-01-22 169576]
    R2 IBM Rapid Restore Ultra Service;IBM Rapid Restore Ultra Service; C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe [2004-12-16 385024]
    R2 IBM User Verification Manager;IBM User Verification Manager; C:\Program Files\IBM\Security\uvmserv.exe [2005-03-24 614400]
    R2 IBMPMSVC;IBM PM Service; C:\WINDOWS\system32\ibmpmsvc.exe [2004-11-05 57344]
    R2 ibmsmbus;SMBus Upgrade Service for Windows 2000 and above; C:\WINDOWS\System32\ibmsmbus.exe [2004-07-06 28160]
    R2 Irmon;Infrared Monitor; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
    R2 pgsql-8.2;PostgreSQL Database Server 8.2; C:\Program Files\PostgreSQL\8.2\bin\pg_ctl.exe [2007-09-17 79948]
    R2 QCONSVC;QCONSVC; C:\WINDOWS\System32\QCONSVC.EXE [2005-06-13 77824]
    R2 SoundMAX Agent Service (default);SoundMAX Agent Service; C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe [2002-09-20 45056]
    R2 Symantec Core LC;Symantec Core LC; C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe [2007-07-17 1174152]
    R2 TPHDEXLGSVC;IBM HDD APS Logging Service; C:\WINDOWS\System32\TPHDEXLG.EXE [2004-05-24 77824]
    R2 TpKmpSVC;IBM KCU Service; C:\WINDOWS\system32\TpKmpSVC.exe [2003-07-11 32768]
    R2 UCLauncherService;ThinkVantage System Update; C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe [2005-08-04 40960]
    R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2004-08-11 38912]
    R2 vtserver;Protector Suite Virtual Token; C:\Program Files\Common Files\Virtual Token\vtserver.exe [2004-11-04 40547]
    R2 WinDefend;Windows Defender; C:\Program Files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
    R3 ACS;ACU Configuration Service; C:\WINDOWS\system32\acs.exe [2005-01-24 36864]
    S2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2007-08-09 73728]
    S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
    S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
    S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
    S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
    S3 Tomcat5;Apache Tomcat; c:\tomcat5\bin\tomcat5.exe [2007-08-24 57344]
    S4 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-10-12 138168]

    -----------------EOF-----------------
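The driver and service listing above has a regular shape: a state letter (R/S), a start type (0-4), the service name, the display name, the image path, and in brackets the file's modification date and size. The following parser is an added example for this thread (it is not part of RSIT or of any post here) that turns those lines into records and raises triage notes a responder would want: entries where the tool printed empty brackets (assumed here to mean it could not find or read the image on disk), entries whose image lives outside the Windows or Program Files directories, and the combination of a running entry with no file metadata. The sample input mixes lines copied from the log above with one clearly labelled constructed line; the "expected roots" list is a heuristic, not a verdict (Tomcat in this log is legitimate and still gets a note).

```python
"""Parse RSIT-style driver/service lines and flag entries worth a second look.

Added example for this thread; not part of RSIT or the original posts.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Line shape as printed in the log above:
#   <R|S><0-4> <name>;<display name>; <image path> [<yyyy-mm-dd> <size>]
# The bracketed part is empty ("[]") when the tool printed no date/size.
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4]) "
    r"(?P<name>[^;]+);(?P<display>[^;]*); "
    r"(?P<path>.+?) \[(?:(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+))?\]$"
)

STATE = {"R": "Running", "S": "Stopped"}
START = {"0": "Boot", "1": "System", "2": "Auto", "3": "Demand", "4": "Disabled"}

# Directories a driver or service image is normally loaded from on XP.
# Heuristic only (assumption): legitimate software such as Tomcat lives elsewhere too.
EXPECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")

NO_METADATA = "no file metadata (image missing or inaccessible)"
ODD_LOCATION = "image outside Windows/Program Files"
RUNNING_NO_FILE = "running but image metadata missing: verify immediately"


@dataclass
class Entry:
    state: str
    start: str
    name: str
    display: str
    path: str
    date: Optional[str]
    size: Optional[int]


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a service/driver line, or None for headers and noise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    if path.startswith("\\??\\"):  # NT object-manager prefix; drop it for comparisons
        path = path[4:]
    return Entry(
        state=STATE[m.group("state")],
        start=START[m.group("start")],
        name=m.group("name"),
        display=m.group("display"),
        path=path,
        date=m.group("date"),
        size=int(m.group("size")) if m.group("size") else None,
    )


def findings(entry: Entry) -> list:
    """Triage notes for one entry; an empty list means nothing notable."""
    notes = []
    if entry.size is None:
        # Empty brackets: assumed to mean the image was not found on disk.
        notes.append(NO_METADATA)
    if not entry.path.lower().startswith(EXPECTED_ROOTS):
        notes.append(ODD_LOCATION)
    if entry.state == "Running" and entry.size is None:
        notes.append(RUNNING_NO_FILE)
    return notes


def triage(log_text: str) -> dict:
    """Map service/driver name -> notes, for every entry that produced a note."""
    result = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # section headers, blank lines, the EOF marker
        notes = findings(entry)
        if notes:
            result[entry.name] = notes
    return result


# Sample input: four lines copied from the log above plus one constructed line.
SAMPLE_LOG = """\
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R3 Tp4Track;IBM PS/2 TrackPoint Driver; C:\\WINDOWS\\system32\\DRIVERS\\tp4track.sys [2005-02-18 13872]
S1 eeCtrl;Symantec Eraser Control driver; \\??\\C:\\Program Files\\Common Files\\Symantec Shared\\EENGINE\\eeCtrl.sys []
S3 psadd;IBM PSA Access Driver; \\??\\C:\\WINDOWS\\system32\\Drivers\\psadd.sys []
S3 Tomcat5;Apache Tomcat; c:\\tomcat5\\bin\\tomcat5.exe [2007-08-24 57344]
R3 constructed_svc;Constructed sample (not from the log); C:\\Documents and Settings\\User\\sample.sys []
-----------------EOF-----------------
"""

if __name__ == "__main__":
    for name, notes in triage(SAMPLE_LOG).items():
        print(f"{name}: {'; '.join(notes)}")
```

Run against a saved RSIT log by passing the file's text to `triage()`. The notes are prompts for a human to check the file with Explorer or a scanner, as noahdfear does in the thread; a note alone is not evidence of infection.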
     
  15. 2008/10/20
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Please delete the following files and folders.

    C:\Documents and Settings\Inder\My Documents\Setup.exe
    C:\Documents and Settings\Inder\My Documents\Stream Recorders\SmitfraudFixvirus
    C:\Documents and Settings\Inder\My Documents\Stream Recorders\SmitfraudFix.exe
    C:\Documents and Settings\Inder\SmitfraudFix
    C:\My Downloads\yeh sama tune.wm

    Empty your Outlook Express Deleted items folder.
    There is an infected email in your Outlook Express Hotmail Inbox and the Inbox backup located at C:\Documents and Settings\Inder\My Documents\Outlook Backup\Hotmail - Inbox.dbx
    There is also at least one infected email in your Outlook email program as well.
    Unfortunately, the Kaspersky scan did not reveal which emails they are, so you will have to try to identify which they might be. You could also try installing the free trial of Kaspersky Internet Security Suite and do a full system scan to see if it picks up on them and will remove them.

    If you've not noticed any problems created by renaming the C:\WINDOWS\system32\qgeku.exe file, I recommend you delete it.

    Looks good otherwise, so let's clean up.

    Open MBAM and remove any items quarantined. Do the same with your resident antivirus.

    Click Start>Run and type ComboFix /u then hit Enter to uninstall ComboFix and remove the files it has quarantined. This action will also reset the System Restore points, removing any infected files there as well.
    Verify the C:\Qoobox and C:\ComboFix folders were removed, as well as the C:\ComboFix.txt file.
    You can delete any other logs that were created/saved too.

    Download OTMoveIt2 by OldTimer and save it to your desktop.
    • Double-click OTMoveIt2.exe to run it.
    • Now click CleanUp
    • If prompted to download a file, please allow it.
    • When you receive a message that the file download is complete, click Yes.
    • It should run briefly, then prompt you to reboot.
    • Allow it to reboot and OTMoveIt2.exe should be gone upon logon.


    Run ATF Cleaner again as previously described and reboot when done. Let me know how your computer is running and if any issues remain.
     
  16. 2008/10/21
    indyhamilton

    indyhamilton Inactive Thread Starter

    Joined:
    2008/10/18
    Messages:
    23
    Likes Received:
    0
    Hi There,

    Thanks for the help. Everything looks OK; I have done as advised, but there are a couple of questions in my mind. I still have some of the software that we used during all these steps: MBAM, RSIT, ATF-Cleaner, HJTInstall. Should I delete these too, or can I keep them, as I feel that I can use some of them, like MBAM and ATF-Cleaner, for general cleaning up too? In fact I was actually thinking that maybe I should keep ComboFix too, because that seemed to be the one which removed the infection, but I deleted it as advised by you. I would like to know about the ones listed above.

    Secondly, I noticed that many times when I open the browser there is a flickering (as if something else just opened and vanished) after the requested page comes up, making me think that it may be some kind of bug that gets activated, or what? The rest seems to be fine, and I am really thankful to you for all the help extended. Just wondering how I can get this knowledge so that I can check the log files and see what needs to be done next?
     
  17. 2008/10/21
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    MBAM and ATF Cleaner are keepers, RSIT and HJT optional (your option) and the other 2 dump. ComboFix is not a keeper because it is regularly updated, and generally prescribed to be used under supervision of someone trained with its use.

    See if the behavior you describe with IE is with specific sites, or any site at any time.

    The knowledge? Lots and lots of study. Lots of Googling. And if interested in learning to the point of helping others, as we do here, ping me privately and I will point you to a training facility. ;)

    I'll mark this resolved now. Geri has posted some very helpful information and recommendations regarding future protection in the following link.

    http://www.windowsbbs.com/showthread.php?t=67958

    Surf safe! :)
     
