
Inactive Application Hijacking Detected - Should I worry?

Discussion in 'Malware and Virus Removal Archive' started by Catastrophe, 2011/01/06.


    Coming here for assistance because my firewall (Sygate) detected Application Hijacking. The two instances of it were of hpwuSchd2.exe trying to make Chrome connect to www.google.com, and of alg.exe trying to trigger iTunesHelper.exe. It said the severity was critical, so I am coming here to fix it and/or get a clean bill of health.

    I did poke around a little and find two things that seemed suspicious to me, but could be entirely unrelated. On my wireless router (which I accessed with another computer) it said there were several computers connected that I didn't recognize. Also, in my C:\ drive, I ran into 3 suspicious (or at least sneaky) sounding files: CabExtractor.exe, UnattendInstallation.bat, and DeleteContent.bat.

    Aside from the couple of hijacks which didn't really go anywhere I've had no other problems, and my antivirus and all the other tools haven't come up with any obviously alarming results (like viruses or trojans), but I figured it was better safe than sorry. I haven't let my computer on the internet since the first couple of hijacks except to update Malwarebytes' Anti-Malware, so that could be the reason for the lack of activity. All the logs (MBAM, GMER, MBRCheck, and DDS) are below.

    Thanks for your help!


    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5473

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    1/6/2011 2:39:39 PM
    mbam-log-2011-01-06 (14-39-39).txt

    Scan type: Quick scan
    Objects scanned: 147086
    Time elapsed: 3 minute(s), 0 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit scan 2011-01-06 18:06:37
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 TOSHIBA_MK1246GSX rev.LB211A
    Running: r07hv3no.exe; Driver: C:\DOCUME~1\Wyman\LOCALS~1\Temp\uxtdipod.sys


    ---- System - GMER 1.0.15 ----

    SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwAllocateVirtualMemory [0xBA2EAB30]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwClose [0xB4CCACF0]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateKey [0xB4CCABAC]
    SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwCreateThread [0xBA2EA6F0]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDeleteKey [0xB4CCB160]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDeleteValueKey [0xB4CCB08A]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDuplicateObject [0xB4CCA782]
    SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwMapViewOfSection [0xBA2EA470]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenKey [0xB4CCAC86]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenProcess [0xB4CCA6C2]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenThread [0xB4CCA726]
    SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwProtectVirtualMemory [0xBA2EAC50]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwQueryValueKey [0xB4CCADA6]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xB4CCB22E]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRestoreKey [0xB4CCAD66]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwSetValueKey [0xB4CCAEE6]
    SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwShutdownSystem [0xBA2EA990]
    SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwTerminateProcess [0xBA2EA8D0]
    SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwWriteVirtualMemory [0xBA2EAD60]

    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xB4CD7BAE]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0xB4CD79D2]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwLoadDriver [0xB4CD7B0C]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) NtCreateSection
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

    ---- Kernel code sections - GMER 1.0.15 ----

    PAGE ntkrnlpa.exe!ZwLoadDriver 8058413A 7 Bytes JMP B4CD7B10 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
    PAGE ntkrnlpa.exe!NtCreateSection 805AB38E 7 Bytes JMP B4CD79D6 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
    PAGE ntkrnlpa.exe!ObMakeTemporaryObject 805BC502 5 Bytes JMP B4CD35D4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
    PAGE ntkrnlpa.exe!ObInsertObject 805C2F86 5 Bytes JMP B4CD4FFA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
    PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1134 7 Bytes JMP B4CD7BB2 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
    .text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB97B4000, 0x1A4422, 0xE8000020]
    .text tcpip.sys!IPTransmit + 10FC B4E17D3A 6 Bytes CALL B9D3DE50 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
    .text tcpip.sys!IPTransmit + 2A52 B4E19690 6 Bytes CALL B9D3DE50 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
    .text tcpip.sys!IPRegisterProtocol + 930 B4E2F454 6 Bytes CALL B9D3DE50 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
    .text wanarp.sys BA2CD3FD 4 Bytes CALL B9D3DFA0 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
    .text wanarp.sys BA2CD402 2 Bytes [90, 90] {NOP ; NOP }

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1860] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }

    ---- Kernel IAT/EAT - GMER 1.0.15 ----

    IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [B9D3EC70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
    IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [B9D3EBD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
    IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] [B9D3EB10] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
    IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [B9D3E8E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
    IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [B9D3E8E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
    IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [B9D3EBD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
    IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [B9D3EC70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
    IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [B9D3EB10] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
    IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [B9D3EB10] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
    IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [B9D3E8E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
    IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [B9D3EBD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
    IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [B9D3EC70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [B9D3E8E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [B9D3EB10] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [B9D3EC70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [B9D3EBD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
    IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [B9D3EC70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
    IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [B9D3EBD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
    IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [B9D3E8E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
    IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [B9D3EB10] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
    IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [B9D3E8E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
    IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [B9D3EBD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
    IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [B9D3EC70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
    IAT \SystemRoot\system32\DRIVERS\irda.sys[NDIS.SYS!NdisOpenAdapter] [B9D3EBD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
    IAT \SystemRoot\system32\DRIVERS\irda.sys[NDIS.SYS!NdisRegisterProtocol] [B9D3E8E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
    IAT \SystemRoot\system32\DRIVERS\irda.sys[NDIS.SYS!NdisCloseAdapter] [B9D3EC70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
    IAT \SystemRoot\system32\DRIVERS\irda.sys[NDIS.SYS!NdisDeregisterProtocol] [B9D3EB10] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
    IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [B9D3E8E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
    IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [B9D3EB10] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
    IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [B9D3EC70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
    IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [B9D3EBD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\WINDOWS\system32\services.exe[756] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
    IAT C:\WINDOWS\system32\services.exe[756] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

    AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Ip wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

    Device \Driver\aswTdi \Device\AswUdpFilter wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

    AttachedDevice \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

    Device \Driver\aswTdi \Device\ASWTDI wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
    Device \Driver\aswTdi \Device\AswTcpFilter wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

    AttachedDevice \Driver\Tcpip \Device\Udp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
    AttachedDevice \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0016cfe0286f
    Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0016cfe0286f (not active ControlSet)

    ---- EOF - GMER 1.0.15 ----


    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0000000c

    Kernel Drivers (total 143):
    0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
    0x806E4000 \WINDOWS\system32\hal.dll
    0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
    0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
    0xB9F79000 ACPI.sys
    0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xB9F68000 pci.sys
    0xBA0A8000 isapnp.sys
    0xBA4BC000 compbatt.sys
    0xBA4C0000 \WINDOWS\system32\DRIVERS\BATTC.SYS
    0xBA670000 pciide.sys
    0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xB9F4A000 pcmcia.sys
    0xBA0B8000 MountMgr.sys
    0xB9F2B000 ftdisk.sys
    0xBA330000 PartMgr.sys
    0xBA4C4000 ACPIEC.sys
    0xBA671000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
    0xBA0C8000 VolSnap.sys
    0xB9F13000 atapi.sys
    0xB9E55000 iaStor.sys
    0xBA0D8000 disk.sys
    0xBA0E8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xB9E35000 fltMgr.sys
    0xB9E23000 sr.sys
    0xBA0F8000 PxHelp20.sys
    0xB9E0C000 KSecDD.sys
    0xB9D7F000 Ntfs.sys
    0xB9D52000 NDIS.sys
    0xB9D35000 Teefer.sys
    0xB9D1B000 Mup.sys
    0xBA148000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0xB97B3000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
    0xB979F000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xB9777000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0xB9375000 \SystemRoot\system32\DRIVERS\NETw5x32.sys
    0xBA360000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0xB9351000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xBA368000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xBA158000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0xBA378000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xB9319000 \SystemRoot\system32\DRIVERS\SynTP.sys
    0xBA5B0000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xBA388000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xBA390000 \SystemRoot\system32\DRIVERS\nscirda.sys
    0xBA54C000 \SystemRoot\system32\DRIVERS\irenum.sys
    0xBA398000 \SystemRoot\system32\DRIVERS\atmeltpm.sys
    0xBA558000 \SystemRoot\system32\DRIVERS\CmBatt.sys
    0xBA3A8000 \SystemRoot\system32\DRIVERS\ibmpmdrv.sys
    0xBA178000 \SystemRoot\system32\DRIVERS\imapi.sys
    0xBA188000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xBA198000 \SystemRoot\system32\DRIVERS\redbook.sys
    0xB92CE000 \SystemRoot\system32\DRIVERS\ks.sys
    0xBA3C0000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
    0xBA76B000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xBA3D0000 \SystemRoot\system32\DRIVERS\rasirda.sys
    0xBA3E0000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xBA1A8000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xBA574000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xB92B7000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xBA1B8000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xBA1C8000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xB92A6000 \SystemRoot\system32\DRIVERS\psched.sys
    0xBA1D8000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xBA400000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xBA410000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xB9276000 \SystemRoot\system32\DRIVERS\rdpdr.sys
    0xBA1E8000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xBA5B6000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xB9218000 \SystemRoot\system32\DRIVERS\update.sys
    0xBA594000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xBA208000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xB50DF000 \SystemRoot\system32\drivers\ADIHdAud.sys
    0xB50BB000 \SystemRoot\system32\drivers\portcls.sys
    0xBA238000 \SystemRoot\system32\drivers\drmk.sys
    0xB50A1000 \SystemRoot\system32\drivers\AEAudio.sys
    0xB506D000 \SystemRoot\system32\DRIVERS\HSFHWAZL.sys
    0xB4F7B000 \SystemRoot\system32\DRIVERS\HSF_DPV.sys
    0xB4EC8000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
    0xBA438000 \SystemRoot\System32\Drivers\Modem.SYS
    0xBA288000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xBA5C2000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xBA7C1000 \SystemRoot\System32\Drivers\Null.SYS
    0xBA5C6000 \SystemRoot\System32\Drivers\Beep.SYS
    0xBA478000 \SystemRoot\System32\drivers\vga.sys
    0xBA5CA000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xBA5CE000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xBA488000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xBA498000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xB9315000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xB4E6D000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xB4E14000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xBA2C8000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xBA2D8000 \SystemRoot\System32\Drivers\aswTdi.SYS
    0xB4DEE000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xBA2E8000 \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys
    0xB4DC6000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xB4DA4000 \SystemRoot\System32\drivers\afd.sys
    0xBA2F8000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xBA4B0000 \SystemRoot\System32\drivers\TSMAPIP.SYS
    0xBA358000 \SystemRoot\system32\DRIVERS\TPHKDRV.sys
    0xB4D59000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xB4CE9000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xBA5D4000 \??\C:\WINDOWS\system32\Drivers\IBMBLDID.sys
    0xBA308000 \SystemRoot\System32\Drivers\Fips.SYS
    0xB4CC2000 \SystemRoot\System32\Drivers\aswSP.SYS
    0xBA570000 \SystemRoot\System32\drivers\ANC.SYS
    0xBA3A0000 \SystemRoot\System32\Drivers\Aavmker4.SYS
    0xBA168000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xB4BE2000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xBA5D8000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xB4EC0000 \SystemRoot\System32\drivers\Dxapi.sys
    0xBA408000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xBA71F000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF012000 \SystemRoot\System32\ati2dvag.dll
    0xBF062000 \SystemRoot\System32\ati2cqag.dll
    0xBF0EB000 \SystemRoot\System32\atikvmag.dll
    0xBF158000 \SystemRoot\System32\atiok3x2.dll
    0xBF19B000 \SystemRoot\System32\ati3duag.dll
    0xBF55B000 \SystemRoot\System32\ativvaxx.dll
    0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
    0xB29B6000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
    0xBA5F0000 \??\C:\Program Files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys
    0xB274C000 \SystemRoot\system32\DRIVERS\irda.sys
    0xB287E000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xB2876000 \SystemRoot\system32\DRIVERS\s24trans.sys
    0xB2776000 \SystemRoot\SYSTEM32\Drivers\wg3n.sys
    0xB276A000 \SystemRoot\SYSTEM32\Drivers\wg4n.sys
    0xB2762000 \SystemRoot\SYSTEM32\Drivers\wg5n.sys
    0xB2872000 \SystemRoot\SYSTEM32\Drivers\wg6n.sys
    0xB248D000 \SystemRoot\System32\Drivers\aswMon2.SYS
    0xB22A8000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0xB23D1000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
    0xB2070000 \SystemRoot\system32\DRIVERS\srv.sys
    0xBA4A8000 \SystemRoot\System32\Drivers\aswRdr.SYS
    0xB1BAB000 \SystemRoot\system32\drivers\wdmaud.sys
    0xB1C40000 \SystemRoot\system32\drivers\sysaudio.sys
    0xB186C000 \SystemRoot\System32\Drivers\HTTP.sys
    0xB1196000 \??\C:\DOCUME~1\Wyman\LOCALS~1\Temp\uxtdipod.sys
    0xB116B000 \SystemRoot\system32\drivers\kmixer.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 61):
    0 System Idle Process
    4 System
    616 C:\WINDOWS\system32\smss.exe
    680 csrss.exe
    712 C:\WINDOWS\system32\winlogon.exe
    756 C:\WINDOWS\system32\services.exe
    768 C:\WINDOWS\system32\lsass.exe
    924 C:\WINDOWS\system32\ibmpmsvc.exe
    956 C:\WINDOWS\system32\ati2evxx.exe
    976 C:\WINDOWS\system32\svchost.exe
    1104 svchost.exe
    1144 C:\WINDOWS\system32\svchost.exe
    1288 C:\WINDOWS\system32\ati2evxx.exe
    1428 C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
    1492 svchost.exe
    1564 svchost.exe
    1860 C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    560 C:\WINDOWS\system32\spoolsv.exe
    1020 svchost.exe
    1204 C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
    1300 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    1380 C:\Program Files\Bonjour\mDNSResponder.exe
    1060 svchost.exe
    1520 C:\Program Files\Intel\WiFi\bin\EvtEng.exe
    1608 C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    1736 C:\Program Files\Java\jre6\bin\jqs.exe
    1900 C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
    1948 C:\WINDOWS\system32\svchost.exe
    2200 C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
    2480 alg.exe
    2508 wmiprvse.exe
    3116 C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
    2028 C:\WINDOWS\explorer.exe
    3368 C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
    3392 C:\WINDOWS\system32\rundll32.exe
    3400 C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
    3408 C:\Program Files\Analog Devices\Core\smax4pnp.exe
    3420 C:\Program Files\Lenovo\ZOOM\TpScrex.exe
    3444 C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
    2412 C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
    3612 C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
    3704 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    3708 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    3816 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    900 C:\Program Files\Lenovo\NPDIRECT\tpfnf7sp.exe
    3888 C:\PROGRA~1\ThinkPad\UTILIT~1\EZEJMNAP.EXE
    3968 C:\Program Files\Alwil Software\Avast5\AvastUI.exe
    4004 C:\WINDOWS\system32\wbem\unsecapp.exe
    2280 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    2696 wmiprvse.exe
    2656 C:\Program Files\iTunes\iTunesHelper.exe
    1068 C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    2928 C:\WINDOWS\system32\ctfmon.exe
    3896 C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    2812 C:\Program Files\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.5.0.20081031-1700\soffice.exe
    548 C:\Program Files\OpenOffice.org 3\program\soffice.exe
    1732 C:\Program Files\OpenOffice.org 3\program\soffice.bin
    2936 C:\Program Files\iPod\bin\iPodService.exe
    1212 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    1048 C:\Program Files\Sygate\SPF\Smc.exe
    2720 C:\Documents and Settings\Wyman\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00100000 (NTFS)

    PhysicalDrive0 Model Number: TOSHIBAMK1246GSX, Rev: LB211A

    Size Device Name MBR Status
    --------------------------------------------
    111 GB \\.\PhysicalDrive0 Windows 2008 MBR code detected
    SHA1: 8DF43F2BDE2D9451948FA14B5279969C777A7979


    Done!



    DDS (Ver_10-12-12.02) - NTFSx86
    Run by Wyman at 21:59:06.96 on Thu 01/06/2011
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1534.961 [GMT -6:00]

    AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    FW: Sygate Personal Firewall *Enabled*

    ============== Running Processes ===============

    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
    svchost.exe
    svchost.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    svchost.exe
    C:\Program Files\Intel\WiFi\bin\EvtEng.exe
    C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
    C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Lenovo\Zoom\TpScrex.exe
    C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
    C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
    C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    C:\Program Files\Alwil Software\Avast5\avastUI.exe
    C:\WINDOWS\system32\wbem\unsecapp.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.5.0.20081031-1700\soffice.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.bin
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\Documents and Settings\Wyman\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [Google Update] "c:\documents and settings\wyman\local settings\application data\google\update\GoogleUpdate.exe" /c
    uRun: [SODCPreLoad] c:\program files\ibm\lotus\symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.5.0.20081031-1700\preload.exe c:\docume~1\wyman\ibm\lotus\symphony\.sodc\
    mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
    mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
    mRun: [PSQLLauncher] "c:\program files\thinkvantage fingerprint software\launcher.exe" /startup
    mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
    mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe "
    mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
    mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
    mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
    mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [TPFNF7] c:\program files\lenovo\npdirect\TPFNF7SP.exe /r
    mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
    mRun: [SmcService] c:\progra~1\sygate\spf\smc.exe -startgui
    mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
    mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe
    mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe "
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe "
    mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
    StartupFolder: c:\docume~1\wyman\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_01-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    Notify: ACNotify - ACNotify.dll
    Notify: AtiExtEvent - Ati2evxx.dll
    Notify: psfus - c:\program files\thinkvantage fingerprint software\psqlpwd.dll
    Notify: tpfnf2 - c:\program files\lenovo\hotkey\notifyf2.dll
    Notify: tphotkey - c:\program files\lenovo\hotkey\tphklock.dll
    LSA: Notification Packages = scecli c:\program files\thinkvantage fingerprint software\psqlpwd.dll ACGina

    ============= SERVICES / DRIVERS ===============

    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-9-23 165584]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-9-23 17744]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-9-23 40384]
    R2 smihlp;SMI Helper Driver (smihlp);c:\program files\common files\thinkvantage fingerprint software\drivers\smihlp.sys [2008-11-21 12560]
    R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-9-23 40384]
    R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-9-23 40384]
    S4 vsdatant;vsdatant; [x]

    =============== Created Last 30 ================

    2011-01-06 20:33:42 -------- d-----w- c:\docume~1\wyman\applic~1\Malwarebytes
    2011-01-06 20:24:29 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-01-06 20:24:28 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2011-01-06 20:24:25 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-01-06 20:24:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-12-10 14:48:15 -------- d-----w- c:\documents and settings\wyman\trebcache
    2010-12-10 14:48:05 -------- d-----w- c:\program files\Trebuchet Tk

    ==================== Find3M ====================

    2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
    2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
    2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys
    2010-10-21 22:22:42 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-10-21 22:22:41 472808 ----a-w- c:\windows\system32\deployJava1.dll

    ============= FINISH: 21:59:21.40 ===============



    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-12-12.02)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 9/12/2010 12:19:59 PM
    System Uptime: 1/6/2011 1:57:29 PM (8 hours ago)

    Motherboard: LENOVO | | 200746U
    Processor: Genuine Intel(R) CPU T2400 @ 1.83GHz | None | 1828/167mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 108 GiB total, 89.182 GiB free.
    D: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Intel(R) PRO/1000 PL Network Connection
    Device ID: PCI\VEN_8086&DEV_109A&SUBSYS_200117AA&REV_00\4&192AC53F&0&00E0
    Manufacturer: Intel
    Name: Intel(R) PRO/1000 PL Network Connection
    PNP Device ID: PCI\VEN_8086&DEV_109A&SUBSYS_200117AA&REV_00\4&192AC53F&0&00E0
    Service: e1express

    ==== System Restore Points ===================

    RP17: 10/9/2010 12:09:41 AM - System Checkpoint
    RP18: 10/10/2010 11:17:52 PM - System Checkpoint
    RP19: 10/12/2010 12:56:32 AM - System Checkpoint
    RP20: 10/13/2010 2:46:59 AM - System Checkpoint
    RP21: 10/13/2010 3:00:14 AM - Software Distribution Service 3.0
    RP22: 10/14/2010 9:06:00 AM - System Checkpoint
    RP23: 10/16/2010 1:35:13 AM - System Checkpoint
    RP24: 10/17/2010 8:58:24 PM - System Checkpoint
    RP25: 10/18/2010 9:50:58 PM - System Checkpoint
    RP26: 10/19/2010 9:54:07 PM - System Checkpoint
    RP27: 10/21/2010 1:09:38 PM - Installed Java(TM) 6 Update 22
    RP28: 10/21/2010 4:34:21 PM - Removed Java(TM) 6 Update 20
    RP29: 10/21/2010 4:37:31 PM - Installed Java(TM) 6 Update 22
    RP30: 10/21/2010 4:50:55 PM - Removed Java(TM) 6 Update 22
    RP31: 10/21/2010 4:54:38 PM - Installed Java(TM) 6 Update 22
    RP32: 10/21/2010 5:13:28 PM - Removed Java(TM) 6 Update 22
    RP33: 10/21/2010 5:22:33 PM - Installed Java(TM) 6 Update 22
    RP34: 10/22/2010 7:16:51 PM - System Checkpoint
    RP35: 10/24/2010 10:25:01 PM - System Checkpoint
    RP36: 10/25/2010 11:05:08 PM - System Checkpoint
    RP37: 10/26/2010 12:37:17 AM - Installed J2SE Runtime Environment 5.0 Update 1
    RP38: 10/27/2010 12:56:58 AM - System Checkpoint
    RP39: 10/28/2010 3:12:59 AM - System Checkpoint
    RP40: 10/29/2010 3:46:04 AM - System Checkpoint
    RP41: 10/30/2010 4:07:34 PM - System Checkpoint
    RP42: 10/31/2010 4:19:13 PM - System Checkpoint
    RP43: 11/1/2010 9:23:56 PM - System Checkpoint
    RP44: 11/4/2010 12:03:46 AM - System Checkpoint
    RP45: 11/5/2010 12:08:46 AM - System Checkpoint
    RP46: 11/6/2010 12:10:15 AM - System Checkpoint
    RP47: 11/7/2010 6:46:00 PM - System Checkpoint
    RP48: 11/8/2010 2:27:23 AM - Installed iTunes
    RP49: 11/8/2010 5:27:18 AM - Removed iTunes
    RP50: 11/8/2010 5:42:34 AM - Installed iTunes
    RP51: 11/9/2010 8:47:57 PM - System Checkpoint
    RP52: 11/10/2010 3:00:14 AM - Software Distribution Service 3.0
    RP53: 11/11/2010 12:55:05 PM - System Checkpoint
    RP54: 11/12/2010 1:41:04 PM - System Checkpoint
    RP55: 11/14/2010 1:51:18 AM - System Checkpoint
    RP56: 11/15/2010 3:05:30 AM - System Checkpoint
    RP57: 11/16/2010 4:26:13 AM - System Checkpoint
    RP58: 11/17/2010 5:24:33 AM - System Checkpoint
    RP59: 11/18/2010 5:38:13 PM - System Checkpoint
    RP60: 11/19/2010 8:07:36 PM - System Checkpoint
    RP61: 11/20/2010 9:25:36 PM - System Checkpoint
    RP62: 11/21/2010 10:14:51 PM - System Checkpoint
    RP63: 11/22/2010 11:10:54 PM - System Checkpoint
    RP64: 11/24/2010 4:13:54 AM - System Checkpoint
    RP65: 11/25/2010 3:01:50 PM - System Checkpoint
    RP66: 11/26/2010 5:44:08 PM - System Checkpoint
    RP67: 11/27/2010 11:17:57 PM - System Checkpoint
    RP68: 11/28/2010 11:47:59 PM - System Checkpoint
    RP69: 11/30/2010 12:07:30 AM - System Checkpoint
    RP70: 12/1/2010 2:09:48 PM - System Checkpoint
    RP71: 12/2/2010 7:00:10 PM - System Checkpoint
    RP72: 12/3/2010 7:56:48 PM - System Checkpoint
    RP73: 12/5/2010 4:14:51 PM - System Checkpoint
    RP74: 12/6/2010 4:57:54 PM - System Checkpoint
    RP75: 12/7/2010 8:41:46 PM - System Checkpoint
    RP76: 12/8/2010 9:01:27 PM - System Checkpoint
    RP77: 12/9/2010 11:38:48 PM - System Checkpoint
    RP78: 12/11/2010 12:11:06 AM - System Checkpoint
    RP79: 12/12/2010 12:52:54 AM - System Checkpoint
    RP80: 12/13/2010 1:51:53 AM - System Checkpoint
    RP81: 12/14/2010 2:06:01 AM - System Checkpoint
    RP82: 12/14/2010 3:00:13 AM - Software Distribution Service 3.0
    RP83: 12/15/2010 2:21:21 PM - System Checkpoint
    RP84: 12/16/2010 3:00:15 AM - Software Distribution Service 3.0
    RP85: 12/17/2010 1:13:55 PM - System Checkpoint
    RP86: 12/18/2010 1:31:13 PM - System Checkpoint
    RP87: 12/19/2010 3:03:57 PM - System Checkpoint
    RP88: 12/20/2010 5:16:33 PM - System Checkpoint
    RP89: 12/23/2010 2:46:12 AM - System Checkpoint
    RP90: 12/24/2010 3:14:42 AM - System Checkpoint
    RP91: 12/25/2010 5:55:49 AM - System Checkpoint
    RP92: 12/27/2010 3:32:34 AM - System Checkpoint
    RP93: 12/28/2010 4:42:32 AM - System Checkpoint
    RP94: 1/3/2011 9:54:35 PM - System Checkpoint
    RP95: 1/5/2011 5:12:46 PM - System Checkpoint
    RP96: 1/6/2011 6:01:45 PM - System Checkpoint

    ==== Installed Programs ======================


    1600
    1600_Help
    1600Trb
    Adobe Shockwave Player 11.5
    AIM 7
    AiO_Scan
    AiOSoftware
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    ATI - Software Uninstall Utility
    ATI Catalyst Control Center
    ATI Display Driver
    Audacity 1.2.6
    avast! Free Antivirus
    Bonjour
    BufferChm
    Catalyst Control Center - Branding
    Catalyst Control Center Core Implementation
    Catalyst Control Center Graphics Full Existing
    Catalyst Control Center Graphics Full New
    Catalyst Control Center Graphics Light
    Catalyst Control Center Localization Chinese Standard
    Catalyst Control Center Localization Chinese Traditional
    Catalyst Control Center Localization Dutch
    Catalyst Control Center Localization French
    Catalyst Control Center Localization German
    Catalyst Control Center Localization Italian
    Catalyst Control Center Localization Japanese
    Catalyst Control Center Localization Korean
    Catalyst Control Center Localization Portuguese
    Catalyst Control Center Localization Spanish
    Catalyst Control Center Localization Swedish
    ccc-core-preinstall
    ccc-core-static
    ccc-utility
    CCC Help Chinese Standard
    CCC Help Chinese Traditional
    CCC Help Dutch
    CCC Help English
    CCC Help French
    CCC Help German
    CCC Help Italian
    CCC Help Japanese
    CCC Help Korean
    CCC Help Portuguese
    CCC Help Spanish
    CCC Help Swedish
    Compendium 1.5.2
    Destinations
    Director
    Download Updater (AOL LLC)
    Fax
    Foxit Reader
    Google Chrome
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB981793)
    HP Image Zone 4.7
    HP Image Zone Express
    HP Product Assistant
    HP PSC & OfficeJet 4.7
    HP Software Update
    HPSystemDiagnostics
    IBM Lotus Symphony
    Intel PROSet Wireless
    Intel(R) PRO Network Connections Drivers
    Intel(R) PROSet/Wireless WiFi Software
    InterVideo Register Manager
    InterVideo WinDVD
    iTunes
    J2SE Runtime Environment 5.0 Update 1
    Java Auto Updater
    Java(TM) 6 Update 22
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Silverlight
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    On Screen Display
    OpenOffice.org 3.2
    PC-Doctor 5 for Windows
    Presentation Director
    ProductContext
    QFolder
    QuickTime
    Readme
    Scan
    ScannerCopy
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player (KB979402)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2183461)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981349)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    Skins
    Sonic Express Labeler
    Sonic RecordNow!
    Sonic Update Manager
    Sygate Personal Firewall
    ThinkPad EasyEject Utility
    ThinkPad FullScreen Magnifier
    ThinkPad Hotkey Features Setup
    ThinkPad Modem
    ThinkPad Power Management Driver
    ThinkPad UltraNav Driver
    ThinkPad UltraNav Utility
    ThinkVantage Access Connections
    ThinkVantage Fingerprint Software 5.8
    TrayApp
    Unload
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB982664)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    WebFldrs XP
    WebReg
    Winamp
    Windows Genuine Advantage Notifications (KB905474)
    Windows Internet Explorer 8
    WinRAR 4.00 beta 1 (32-bit)
    XML Paper Specification Shared Components Pack 1.0

    ==== Event Viewer Messages From Past Week ========

    1/6/2011 3:12:01 PM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
    1/6/2011 1:50:12 PM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
    1/6/2011 1:50:11 PM, error: Service Control Manager [7031] - The Access Connections Main Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    1/6/2011 1:50:10 PM, error: Service Control Manager [7034] - The Sygate Personal Firewall service terminated unexpectedly. It has done this 1 time(s).
    1/6/2011 1:50:10 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    1/6/2011 1:50:10 PM, error: Service Control Manager [7034] - The IviRegMgr service terminated unexpectedly. It has done this 1 time(s).
    1/6/2011 1:50:10 PM, error: Service Control Manager [7034] - The Intel(R) PROSet/Wireless WiFi Service service terminated unexpectedly. It has done this 1 time(s).
    1/6/2011 1:50:10 PM, error: Service Control Manager [7034] - The Intel(R) PROSet/Wireless Registry Service service terminated unexpectedly. It has done this 1 time(s).
    1/6/2011 1:50:10 PM, error: Service Control Manager [7034] - The Intel(R) PROSet/Wireless Event Log service terminated unexpectedly. It has done this 1 time(s).
    1/6/2011 1:50:10 PM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
    1/6/2011 1:50:10 PM, error: Service Control Manager [7031] - The Ac Profile Manager Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    1/6/2011 1:50:09 PM, error: Service Control Manager [7034] - The ThinkPad PM Service service terminated unexpectedly. It has done this 1 time(s).
    1/6/2011 1:50:09 PM, error: Service Control Manager [7034] - The Ati HotKey Poller service terminated unexpectedly. It has done this 1 time(s).
    1/3/2011 9:22:08 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    1/3/2011 9:21:56 PM, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).
    1/3/2011 9:01:07 PM, error: DCOM [10016] - The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {A4199E55-EBB9-49E5-AF1A-7A5408B2E206} to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission can be modified using the Component Services administrative tool.
    1/3/2011 5:04:00 PM, error: PlugPlayManager [12] - The device 'Intel(R) PRO/1000 PL Network Connection' (PCI\VEN_8086&DEV_109A&SUBSYS_200117AA&REV_00\4&192ac53f&0&00E0) disappeared from the system without first being prepared for removal.
    1/3/2011 4:45:45 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    1/3/2011 3:34:50 PM, error: Dhcp [1002] - The IP address lease 192.168.1.45 for the Network Card with network address 0018DE019C49 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).

    ==== End Of File ===========================
     
  2. 2011/01/06
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Welcome aboard :)

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ============================================================

    I don't see anything suspicious so far, but we can run a couple more checks...

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouse-click combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends that you uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.



    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete the Combofix file, download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     


  4. 2011/01/09
    Catastrophe

    Catastrophe Inactive Thread Starter

    Joined:
    2011/01/05
    Messages:
    3
    Likes Received:
    0
    Here is the log you requested. I have been using the internet again with this computer, and so far the behavior is the same. I had one more instance of critical application hijacking, at least in Sygate's definition. The alert said:

    Application Hijacking has been detected
    The application: C:\Program Files\OpenOffice.org 3\program\quickstart.exe try to launch another application: C:\WINDOWS\system32\NTOSKRNL.EXE

    I've never really noticed problems with Application Hijacking before, but according to Sygate's logs, it appears that a lot of minor application hijacking (mostly Open Office's soffice.exe connecting to update/report addresses at openoffice.org) started after a port scan almost a month ago. Sometimes the firewall will warn me about programs triggering themselves, like "C:/Address/Blah.exe is trying to connect to [x.x.x.x]. Warning, this was triggered by C:/Address/Blah.exe; if you don't recognize the program then don't allow it to connect" (paraphrased).




    Combofix log below:

    ComboFix 11-01-08.05 - Wyman 01/09/2011 18:28:22.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1534.1014 [GMT -6:00]
    Running from: c:\documents and settings\Wyman\Desktop\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    FW: Sygate Personal Firewall *Disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
    .

    ((((((((((((((((((((((((( Files Created from 2010-12-10 to 2011-01-10 )))))))))))))))))))))))))))))))
    .

    2011-01-06 20:33 . 2011-01-06 20:33 -------- d-----w- c:\documents and settings\Wyman\Application Data\Malwarebytes
    2011-01-06 20:24 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-01-06 20:24 . 2011-01-06 20:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-01-06 20:24 . 2011-01-06 20:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-01-06 20:24 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-01-04 02:51 . 2011-01-04 02:51 -------- d-sh--w- c:\documents and settings\NetworkService\IECompatCache

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-11-18 18:12 . 2009-04-28 19:40 81920 ----a-w- c:\windows\system32\isign32.dll
    2010-11-06 00:26 . 2009-04-28 19:31 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-11-06 00:26 . 2009-04-28 19:30 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-11-06 00:26 . 2009-04-28 19:30 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-11-03 12:25 . 2009-04-28 19:30 385024 ----a-w- c:\windows\system32\html.iec
    2010-11-02 15:17 . 2009-04-28 19:30 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
    2010-10-28 13:13 . 2009-04-28 19:30 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-10-26 13:25 . 2009-04-28 19:31 1853312 ----a-w- c:\windows\system32\win32k.sys
    2010-10-21 22:22 . 2010-10-21 22:22 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-10-21 22:22 . 2010-10-05 06:18 472808 ----a-w- c:\windows\system32\deployJava1.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Google Update "= "c:\documents and settings\Wyman\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-11-08 136176]
    "SODCPreLoad "= "c:\program files\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.5.0.20081031-1700\preload.exe" [2009-04-28 40960]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TPHOTKEY "= "c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2008-09-30 68976]
    "BluetoothAuthenticationAgent "= "bthprops.cpl" [2008-04-14 110592]
    "SoundMAXPnP "= "c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-04-24 1036288]
    "PSQLLauncher "= "c:\program files\ThinkVantage Fingerprint Software\launcher.exe" [2008-11-21 49928]
    "ACTray "= "c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2009-01-21 425984]
    "IntelZeroConfig "= "c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2009-02-27 1368064]
    "IntelWireless "= "c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2009-02-27 1202448]
    "StartCCC "= "c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 61440]
    "ISUSPM Startup "= "c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
    "ISUSScheduler "= "c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
    "SynTPEnh "= "c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-10-06 1323008]
    "TPFNF7 "= "c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2009-01-07 60704]
    "EZEJMNAP "= "c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2008-10-08 256576]
    "SmcService "= "c:\progra~1\Sygate\SPF\smc.exe" [2004-10-16 2577632]
    "avast5 "= "c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]
    "HP Software Update "= "c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
    "QuickTime Task "= "c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
    "iTunesHelper "= "c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]

    c:\documents and settings\Wyman\Start Menu\Programs\Startup\
    OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
    2008-11-21 07:35 95496 ----a-w- c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
    2006-09-06 20:37 34344 ----a-w- c:\program files\Lenovo\HOTKEY\notifyf2.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
    2008-08-08 23:14 28672 ----a-w- c:\program files\Lenovo\HOTKEY\tphklock.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages REG_MULTI_SZ scecli c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\WINDOWS\\system32\\dpvsetup.exe "=
    "c:\\Program Files\\AIM\\aim.exe "=
    "c:\\Program Files\\IBM\\Lotus\\Symphony\\framework\\rcp\\eclipse\\plugins\\com.ibm.rcp.base_6.2.0.200810171336\\win32\\x86\\symphony.exe "=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "c:\\Program Files\\iTunes\\iTunes.exe "=
    "c:\\Program Files\\Trebuchet Tk\\tclkit\\tcl-kit.exe "=

    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [9/23/2010 2:49 PM 165584]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/23/2010 2:49 PM 17744]
    R2 smihlp;SMI Helper Driver (smihlp);c:\program files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [11/21/2008 1:11 AM 12560]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-12-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3332162887-2129861479-1533692211-1005Core.job
    - c:\documents and settings\Wyman\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-11-08 10:02]

    2011-01-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3332162887-2129861479-1533692211-1005UA.job
    - c:\documents and settings\Wyman\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-11-08 10:02]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
    Notify-ACNotify - ACNotify.dll



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-01-09 18:33
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
    "ImagePath "=" "
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(712)
    c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
    c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
    c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
    c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
    c:\windows\system32\Ati2evxx.dll
    c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll
    c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
    c:\program files\ThinkVantage Fingerprint Software\infql2.dll
    c:\program files\ThinkVantage Fingerprint Software\homepass.dll
    c:\program files\ThinkVantage Fingerprint Software\bio.dll
    c:\program files\ThinkVantage Fingerprint Software\qlbase.dll
    c:\program files\Lenovo\HOTKEY\tphklock.dll

    - - - - - - - > 'lsass.exe'(768)
    c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll
    c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
    c:\program files\ThinkVantage Fingerprint Software\infql2.dll

    - - - - - - - > 'explorer.exe'(3540)
    c:\windows\system32\WININET.dll
    c:\windows\system32\SSSensor.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\ibmpmsvc.exe
    c:\windows\system32\Ati2evxx.exe
    c:\program files\Sygate\SPF\smc.exe
    c:\windows\system32\Ati2evxx.exe
    c:\program files\Intel\WiFi\bin\S24EvMon.exe
    c:\program files\Alwil Software\Avast5\AvastSvc.exe
    c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Intel\WiFi\bin\EvtEng.exe
    c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
    c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
    c:\windows\system32\rundll32.exe
    c:\program files\Lenovo\HOTKEY\TPONSCR.exe
    c:\program files\Lenovo\Zoom\TpScrex.exe
    c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    c:\program files\Synaptics\SynTP\SynTPLpr.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\program files\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.5.0.20081031-1700\soffice.exe
    c:\program files\OpenOffice.org 3\program\soffice.exe
    c:\program files\OpenOffice.org 3\program\soffice.bin
    c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2011-01-09 18:38:15 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-01-10 00:38

    Pre-Run: 95,301,111,808 bytes free
    Post-Run: 95,264,043,008 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    - - End Of File - - 8DE4D8204D616733F0C0381D25724485
     
  5. 2011/01/10
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Well, if those alerts concern legit applications and files, like in this case:
    there is no reason to be alarmed.
    Your firewall is learning. Once you decide to click on "Allow" or "Deny" (or whatever options Sygate gives you), Sygate won't bother you anymore in that specific case.
    Many firewalls work in the very same way.

    Combofix looks perfectly clean, so I don't see any need to keep looking any further.
     
  6. 2011/01/11
    Catastrophe

    Catastrophe Inactive Thread Starter

    Joined:
    2011/01/05
    Messages:
    3
    Likes Received:
    0
    Well, thank you for your help!
     
  7. 2011/01/11
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    You're welcome :)
     
