WindowsBBS.com

Solved IE 6.0 Home Page Hijacked to 345dh.cn?tg=7

Discussion in 'Malware and Virus Removal Archive' started by DianeR, 2008/11/04.

  1. 2008/11/04
    DianeR

    DianeR Inactive Thread Starter

    [Resolved] IE 6.0 Home Page Hijacked to 345dh.cn?tg=7

    Hi. This is my first time posting but I've finally given up on trying to solve this problem by myself. The first machine that I worked on that had this issue I wound up reimaging. I'd prefer not to have to do that again.

    Details on this machine:
    IE v. 6.0.2900.2180.xpsp_sp2_qfe.070227-2300
    WinXP - Volume license - SP2
    Symantec Anti Virus (corp.) v. 10.1.5.5000, scan engine up to date (81.8.0.25)

    Details on what's happening and what I've tried:
    When the user opens IE, the home page http://345dh.cn?tg=7 comes up (or at least tries to).
    I've tried to change the home page via multiple methods, including registry entries but to no avail.
    I've scanned w/ Symantec (found and quarantined a number of "baddies") but the home page still can't be changed so that it sticks.
    I've tried running Sophos Root Kit and that didn't solve the problem either.
    Nor did Malwarebytes Anti-Malware software, Trend Micro's on-line Housecall scanner, nor SUPERAntiSpyware (although this app now tells me every time the home page is hijacked, about 2 seconds after I tell it to ignore the hijacking).

    I can re-run any of these again and give you logs, if necessary.


    Results of the RSIT scan(s)...


    LOG.TXT contents:

    Logfile of random's system information tool 1.04 (written by random/random)
    Run by joannek at 2008-11-04 18:13:18
    Microsoft Windows XP Professional Service Pack 2
    System drive C: has 6 GB (25%) free of 26 GB
    Total RAM: 767 MB (42% free)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 18:13, on 2008-11-04
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\S24EvMon.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\LogMeIn\x86\RaMaint.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
    C:\WINDOWS\system32\RegSrvc.exe
    C:\Program Files\SalesLogix\SLXServer.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\SalesLogix\SLXLoggingServer.exe
    C:\Program Files\SalesLogix\SpeedSearch\Bin\SLXSearchService.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\Program Files\SalesLogix\SLXSystem.exe
    C:\WINDOWS\System32\svchost.exe
    c:\program files\lenovo\system update\suservice.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
    c:\program files\verizon wireless\venturi\Client\ventc.exe
    C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
    C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
    C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
    C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    C:\WINDOWS\system32\RunDll32.exe
    C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Downloads\RSIT.exe
    C:\Program Files\trend micro\joannek.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.345dh.cn?tg=7
    O1 - Hosts: 72.164.41.74 ftp.uniteddrugs.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
    O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
    O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
    O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
    O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
    O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
    O4 - HKLM\..\RunOnce: [Setup] MSIEXEC.EXE /i "\\SambaServ\public\IT\Network\end_user_apps\SalesLogix\1 Sales Logix Client\SalesLogix Client\SalesLogix Client.msi" /qf CLIENT_TYPE=2 BROWSER=Yes SETUPEXEDIR= "\\SambaServ\public\IT\Network\end_user_apps\SalesLogix\1 Sales Logix Client\SalesLogix Client" AFTERREBOOT=1
    O4 - HKLM\..\RunOnce: [FdsT] %systemroot%\system32\rundll32.exe %systemroot%\system32\knlzem.dll,DllRegisterServer
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1172079149573
    O16 - DPF: {6D868B99-8B01-4B25-9BD1-ED37AFDF5E29} (Ontrack Data Recovery Verifile Data Reports) - http://www.ontrackdatarecovery.com/verifile/npvfasp.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=23100
    O16 - DPF: {F3E70CEA-956E-49CC-B444-73AFE593AD7F} - http://down.sandai.net/kankan/KanKanPlayer.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = phoenix02.uniteddrugs.com
    O17 - HKLM\Software\..\Telephony: DomainName = phoenix02.uniteddrugs.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = phoenix02.uniteddrugs.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = phoenix02.uniteddrugs.com
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
    O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
    O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
    O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
    O23 - Service: SalesLogix Server (SalesLogix Server Service) - Best Software, Inc. - C:\Program Files\SalesLogix\SLXServer.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: SalesLogix SpeedSearch (SlxSearch) - Best Software, Inc. - C:\Program Files\SalesLogix\SpeedSearch\Bin\SLXSearchService.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
    O23 - Service: Venturi Client (Venturi2) - Venturi Wireless - c:\program files\verizon wireless\venturi\Client\ventc.exe

    --
    End of file - 12049 bytes

    ======Scheduled tasks folder======

    C:\WINDOWS\tasks\BMMTask.job

    ======Registry dump======

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
    AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 63136]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
    SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
    Google Toolbar Helper - c:\program files\google\googletoolbar2.dll [2008-10-08 2403392]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
    AcroIEToolbarHelper Class - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2004-12-14 225280]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    {47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2004-12-14 225280]
    {2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar2.dll [2008-10-08 2403392]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "SynTPLpr"=C:\Program Files\Synaptics\SynTP\SynTPLpr.exe [2003-06-24 126976]
    "SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2003-06-24 561152]
    "Synchronization Manager"=C:\WINDOWS\system32\mobsync.exe [2004-08-04 143360]
    "Acrobat Assistant 7.0"=C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe [2004-12-14 483328]
    "ccApp"=C:\Program Files\Common Files\Symantec Shared\ccApp.exe [2006-07-19 52896]
    "vptray"=C:\PROGRA~1\SYMANT~1\VPTray.exe [2006-09-27 125168]
    "TVT Scheduler Proxy"=C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe [2006-12-10 536576]
    "ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2007-02-06 344064]
    "ACTray"=C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe [2007-05-17 413696]
    "ACWLIcon"=C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe [2007-05-17 126976]
    "SoundMAXPnP"=C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe [2004-10-14 1388544]
    "BMMGAG"=RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll []
    "BMMLREF"=C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE [2005-04-20 20480]
    "BMMMONWND"=C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll [2005-04-20 396288]
    "BLOG"=C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL [2005-04-20 208896]
    "LogMeIn GUI"=C:\Program Files\LogMeIn\x86\LogMeInSystray.exe [2007-08-03 63048]
    "HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [2005-05-11 49152]
    "MSConfig"=C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE [2005-09-26 169984]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "Setup"=MSIEXEC.EXE /i \\SambaServ\public\IT\Network\end_user_apps\SalesLogix\1 Sales Logix Client\SalesLogix Client\SalesLogix Client.msi /qf CLIENT_TYPE=2 BROWSER=Yes SETUPEXEDIR=\\SambaServ\public\IT\Network\end_user_apps\SalesLogix\1 Sales Logix Client\SalesLogix Client AFTERREBOOT=1 []
    "FdsT"=C:\WINDOWS\system32\knlzem.dll []

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]
    "SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2008-09-03 1576176]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
    C:\WINDOWS\AGRSMMSG.exe [2003-06-27 88363]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "wycl"=2
    "nbs"=2
    "imbs"=2
    "iWs"=2
    "exm"=2
    "52ting"=2
    "ngf"=2

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-07-23 352256]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ACNotify]
    C:\Program Files\ThinkPad\ConnectUtilities\ACNotify.dll [2007-05-17 32768]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
    C:\WINDOWS\system32\Ati2evxx.dll [2007-02-06 46080]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LMIinit]
    C:\WINDOWS\system32\LMIinit.dll [2008-10-17 87352]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
    C:\WINDOWS\system32\NavLogon.dll [2006-09-27 43760]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "notification packages"=scecli
    ACGina

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "dontdisplaylastusername"=0
    "legalnoticecaption"=
    "legalnoticetext"=
    "shutdownwithoutlogon"=1
    "undockwithoutlogon"=1

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "NoWelcomeScreen"=1
    "NoDrives"=0

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "NoDriveTypeAutoRun"=
    "NoDrives"=
    "NoDriveAutoRun"=

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    shell\AutoRun\command - E:\LaunchU3.exe -a


    ======List of files/folders created in the last 3 months======

    2008-11-04 18:13:19 ----D---- C:\Program Files\trend micro
    2008-11-04 18:13:18 ----D---- C:\rsit
    2008-11-04 12:56:20 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-11-04 12:55:56 ----D---- C:\Program Files\SUPERAntiSpyware
    2008-11-04 12:55:56 ----D---- C:\Documents and Settings\JOannek\Application Data\SUPERAntiSpyware.com
    2008-11-03 17:31:03 ----D---- C:\Program Files\outlook express
    2008-11-03 17:31:03 ----D---- C:\Program Files\msn gaming zone
    2008-11-03 16:25:51 ----SH---- C:\bot.txt
    2008-11-03 10:16:56 ----D---- C:\WINDOWS\pss
    2008-10-31 15:43:57 ----D---- C:\Documents and Settings\JOannek\Application Data\HouseCall 6.6
    2008-10-31 12:55:17 ----D---- C:\Program Files\Sophos
    2008-10-31 12:27:44 ----D---- C:\WINDOWS\ERUNT
    2008-10-31 12:23:01 ----D---- C:\SDFix
    2008-10-31 10:55:38 ----D---- C:\Documents and Settings\JOannek\Application Data\Malwarebytes
    2008-10-31 10:55:21 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-10-31 10:55:20 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
    2008-10-30 17:07:56 ----SHD---- C:\RECYCLER
    2008-10-30 17:03:56 ----D---- C:\fixwareout
    2008-10-30 17:03:40 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
    2008-10-30 17:00:30 ----D---- C:\WINDOWS\temp
    2008-10-30 17:00:26 ----A---- C:\ComboFix.txt
    2008-10-30 16:10:08 ----A---- C:\WINDOWS\zip.exe
    2008-10-30 16:10:08 ----A---- C:\WINDOWS\VFIND.exe
    2008-10-30 16:10:08 ----A---- C:\WINDOWS\SWXCACLS.exe
    2008-10-30 16:10:08 ----A---- C:\WINDOWS\SWSC.exe
    2008-10-30 16:10:08 ----A---- C:\WINDOWS\SWREG.exe
    2008-10-30 16:10:08 ----A---- C:\WINDOWS\sed.exe
    2008-10-30 16:10:08 ----A---- C:\WINDOWS\NIRCMD.exe
    2008-10-30 16:10:08 ----A---- C:\WINDOWS\grep.exe
    2008-10-30 16:10:08 ----A---- C:\WINDOWS\fdsv.exe
    2008-10-30 16:10:07 ----D---- C:\WINDOWS\ERDNT
    2008-10-30 15:56:19 ----A---- C:\WINDOWS\ntbtlog.txt
    2008-10-27 08:25:07 ----A---- C:\sssb.exe
    2008-10-22 16:37:00 ----A---- C:\WINDOWS\system32\tmpacj1.exe
    2008-10-22 16:33:28 ----D---- C:\WINDOWS\Window Med1a
    2008-10-22 14:04:11 ----D---- C:\WINDOWS\system32\Patch
    2008-10-22 14:04:08 ----D---- C:\WINDOWS\system32\inf
    2008-10-22 14:03:47 ----D---- C:\WINDOWS\system32\Studio
    2008-10-22 14:03:45 ----A---- C:\WINDOWS\system32\Slxc.exe
    2008-10-22 14:03:45 ----A---- C:\WINDOWS\system32\Sltc.exe
    2008-10-14 11:03:27 ----A---- C:\WINDOWS\system32\wmpns.dll
    2008-10-08 08:54:13 ----D---- C:\Documents and Settings\JOannek\Application Data\Google
    2008-10-08 08:51:16 ----D---- C:\WINDOWS\Sun
    2008-10-08 08:51:16 ----D---- C:\Documents and Settings\JOannek\Application Data\Sun
    2008-10-08 08:45:50 ----D---- C:\Documents and Settings\All Users\Application Data\Google
    2008-10-08 08:45:48 ----D---- C:\Program Files\Google
    2008-10-08 08:45:30 ----A---- C:\WINDOWS\system32\javaws.exe
    2008-10-08 08:45:30 ----A---- C:\WINDOWS\system32\javaw.exe
    2008-10-08 08:45:30 ----A---- C:\WINDOWS\system32\java.exe
    2008-10-08 08:44:42 ----D---- C:\Program Files\Java
    2008-10-08 08:43:37 ----D---- C:\Program Files\Common Files\Java
    2008-09-02 10:41:20 ----A---- C:\WINDOWS\ModemLog_Kyocera CDMA Wireless Modem #3.txt
    2008-09-02 10:18:20 ----D---- C:\OldArchivedOutlook
    2008-09-02 08:08:20 ----D---- C:\Restore
    2008-08-29 16:51:12 ----D---- C:\HD_Recovery
    2008-08-21 10:37:38 ----HD---- C:\WINDOWS\PIF
    2008-08-21 08:06:32 ----D---- C:\Program Files\Ontrack Data Recovery
    2008-08-20 20:04:55 ----D---- C:\Documents and Settings\JOannek\Application Data\CoreFTP
    2008-08-20 20:04:19 ----D---- C:\Program Files\CoreFTP
    2008-08-15 11:22:00 ----D---- C:\Program Files\Citrix
    2008-08-06 12:27:22 ----D---- C:\Back 10-20-08

    ======List of files/folders modified in the last 3 months======

    2008-11-04 18:13:19 ----RD---- C:\Program Files
    2008-11-04 18:12:53 ----D---- C:\Downloads
    2008-11-04 16:28:56 ----D---- C:\WINDOWS\Prefetch
    2008-11-04 16:12:06 ----RASH---- C:\boot.ini
    2008-11-04 16:12:06 ----A---- C:\WINDOWS\win.ini
    2008-11-04 16:12:06 ----A---- C:\WINDOWS\system.ini
    2008-11-04 16:04:37 ----D---- C:\WINDOWS\system32\CatRoot2
    2008-11-04 16:03:11 ----D---- C:\Program Files\Symantec AntiVirus
    2008-11-04 16:02:25 ----D---- C:\WINDOWS
    2008-11-04 16:02:12 ----A---- C:\WINDOWS\SchedLgU.Txt
    2008-11-04 14:00:14 ----D---- C:\WINDOWS\system32
    2008-11-04 12:56:06 ----SHD---- C:\WINDOWS\Installer
    2008-11-04 12:56:06 ----HD---- C:\Config.Msi
    2008-11-04 12:49:19 ----D---- C:\Program Files\LogMeIn
    2008-11-03 16:47:15 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
    2008-11-03 15:55:32 ----SHD---- C:\WINDOWS\CSC
    2008-11-03 14:03:40 ----D---- C:\WINDOWS\Help
    2008-10-31 15:49:26 ----D---- C:\WINDOWS\system32\drivers
    2008-10-31 13:15:41 ----D---- C:\Program Files\Internet Explorer
    2008-10-31 12:54:33 ----D---- C:\Temp
    2008-10-31 12:22:31 ----D---- C:\Program Files\ZipCentral
    2008-10-31 11:49:31 ----SHD---- C:\System Volume Information
    2008-10-31 11:49:31 ----D---- C:\WINDOWS\system32\Restore
    2008-10-30 16:49:01 ----D---- C:\WINDOWS\system32\config
    2008-10-30 16:47:15 ----D---- C:\WINDOWS\AppPatch
    2008-10-30 16:47:15 ----D---- C:\Program Files\Common Files
    2008-10-30 16:17:59 ----D---- C:\WINDOWS\security
    2008-10-30 16:06:46 ----D---- C:\Documents and Settings\JOannek\Application Data\U3
    2008-10-29 10:17:15 ----D---- C:\Program Files\SalesLogix
    2008-10-29 08:08:06 ----A---- C:\WINDOWS\system32\gvc_trace.txt
    2008-10-27 09:37:25 ----RSHDC---- C:\WINDOWS\system32\dllcache
    2008-10-27 09:35:43 ----D---- C:\WINDOWS\system
    2008-10-23 10:50:27 ----A---- C:\WINDOWS\ModemLog_Kyocera CDMA Wireless Modem #2.txt
    2008-10-22 16:34:59 ----D---- C:\Program Files\Microsoft Office
    2008-10-17 15:34:33 ----A---- C:\WINDOWS\ModemLog_Agere Systems AC'97 Modem.txt
    2008-10-17 15:30:23 ----D---- C:\WINDOWS\network diagnostic
    2008-10-17 08:07:02 ----A---- C:\WINDOWS\system32\LMIRfsClientNP.dll
    2008-10-17 08:07:00 ----A---- C:\WINDOWS\system32\LMIport.dll
    2008-10-17 08:07:00 ----A---- C:\WINDOWS\system32\lmimirr2.dll
    2008-10-17 08:06:59 ----A---- C:\WINDOWS\system32\lmimirr.dll
    2008-10-17 08:06:59 ----A---- C:\WINDOWS\system32\LMIinit.dll
    2008-10-15 13:43:28 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
    2008-10-14 11:04:35 ----SD---- C:\Documents and Settings\JOannek\Application Data\Microsoft
    2008-10-08 08:51:13 ----SD---- C:\WINDOWS\Downloaded Program Files
    2008-08-20 23:02:21 ----D---- C:\SalesLogixLoad
    2008-08-20 23:02:15 ----D---- C:\Documents and Settings\All Users\Application Data\SalesLogix

    ======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

    R1 ANC;ANC; C:\WINDOWS\System32\drivers\ANC.SYS [2005-11-08 11520]
    R1 eeCtrl;Symantec Eraser Control driver; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys []
    R1 IBMTPCHK;IBMTPCHK; \??\C:\WINDOWS\system32\Drivers\IBMBLDID.sys []
    R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2004-08-03 36096]
    R1 RCFOX;SonicWALL IPsec Driver; \??\C:\WINDOWS\system32\Drivers\RCFOX.sys []
    R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
    R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
    R1 SAVRT;SAVRT; \??\C:\Program Files\Symantec AntiVirus\savrt.sys []
    R1 SAVRTPEL;SAVRTPEL; \??\C:\Program Files\Symantec AntiVirus\Savrtpel.sys []
    R1 Smapint;Smapint; C:\WINDOWS\System32\drivers\Smapint.sys [2006-10-02 14848]
    R1 SPBBCDrv;SPBBCDrv; \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys []
    R1 SYMTDI;SYMTDI; C:\WINDOWS\System32\Drivers\SYMTDI.SYS [2006-08-07 195776]
    R1 TDSMAPI;TDSMAPI; C:\WINDOWS\System32\drivers\TDSMAPI.SYS [2006-10-02 9343]
    R1 TPPWR;TPPWR; C:\WINDOWS\System32\drivers\Tppwr.sys [2005-04-20 16384]
    R1 TSMAPIP;TSMAPIP; C:\WINDOWS\System32\drivers\TSMAPIP.SYS [2007-03-09 7168]
    R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2001-08-23 12032]
    R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.2.0.3; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2007-06-25 17801]
    R2 irda;IrDA Protocol; C:\WINDOWS\System32\DRIVERS\irda.sys [2004-08-03 87424]
    R2 LMIInfo;LogMeIn Kernel Information Provider; \??\C:\Program Files\LogMeIn\x86\RaInfo.sys []
    R2 LMIRfsDriver;LogMeIn Remote File System Driver; \??\C:\WINDOWS\system32\drivers\LMIRfsDriver.sys []
    R2 mdmxsdk;mdmxsdk; C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys [2004-03-17 13059]
    R2 rspndr;Link-Layer Topology Discovery Responder; C:\WINDOWS\system32\DRIVERS\rspndr.sys [2006-11-08 62336]
    R2 s24trans;WLAN Transport; C:\WINDOWS\system32\DRIVERS\s24trans.sys [2006-06-16 10970]
    R2 tmcomm;tmcomm; \??\C:\WINDOWS\system32\drivers\tmcomm.sys []
    R2 vnccom;vnccom; C:\WINDOWS\System32\Drivers\vnccom.SYS [2004-06-26 6016]
    R3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys [2005-03-04 127872]
    R3 AgereSoftModem;Agere Systems Soft Modem; C:\WINDOWS\system32\DRIVERS\AGRSM.sys [2003-06-27 1196352]
    R3 ati2mtag;ati2mtag; C:\WINDOWS\System32\DRIVERS\ati2mtag.sys [2007-02-06 1133568]
    R3 CmBatt;Microsoft AC Adapter Driver; C:\WINDOWS\System32\DRIVERS\CmBatt.sys [2004-08-03 14080]
    R3 DNE;Deterministic Network Enhancer Miniport; C:\WINDOWS\system32\DRIVERS\dne2000.sys [2007-07-09 128144]
    R3 E100B;Intel(R) PRO Network Connection Driver; C:\WINDOWS\System32\DRIVERS\e100b325.sys [2006-01-12 163328]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys []
    R3 IBMPMDRV;IBMPMDRV; C:\WINDOWS\System32\DRIVERS\ibmpmdrv.sys [2007-02-27 21040]
    R3 lmimirr;lmimirr; C:\WINDOWS\system32\DRIVERS\lmimirr.sys [2007-08-03 10144]
    R3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20081104.003\naveng.sys []
    R3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20081104.003\navex15.sys []
    R3 NSCIRDA;NSC Infrared Device Driver; C:\WINDOWS\System32\DRIVERS\nscirda.sys [2004-08-03 28672]
    R3 psadd;Lenovo Parties Service Access Device Driver; C:\WINDOWS\system32\DRIVERS\psadd.sys [2006-09-12 28224]
    R3 Rasirda;WAN Miniport (IrDA); C:\WINDOWS\System32\DRIVERS\rasirda.sys [2001-08-17 19584]
    R3 rcvpn;SonicWALL VPN Adapter; C:\WINDOWS\system32\DRIVERS\rcvpn.sys [2005-11-08 24876]
    R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
    R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2005-03-28 220992]
    R3 SymEvent;SymEvent; \??\C:\Program Files\Symantec\SYMEVENT.SYS []
    R3 SYMREDRV;SYMREDRV; C:\WINDOWS\System32\Drivers\SYMREDRV.SYS [2006-08-07 24768]
    R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\System32\DRIVERS\SynTP.sys [2003-06-24 265744]
    R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2006-10-23 30208]
    R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2006-10-23 59264]
    R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2006-10-23 20608]
    R3 vncdrv;vncdrv; C:\WINDOWS\system32\DRIVERS\vncdrv.sys [2004-06-26 4736]
    R3 w70n51;Intel(R) PRO/Wireless 7100 Adapter Driver for Windows XP; C:\WINDOWS\system32\DRIVERS\w70n51.sys [2006-07-13 674560]
    S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-03 14848]
    S3 catchme;catchme; \??\C:\DOCUME~1\JOannek\LOCALS~1\Temp\catchme.sys []
    S3 CVirtA;Cisco Systems VPN Adapter; C:\WINDOWS\system32\DRIVERS\CVirtA.sys [2005-05-17 5315]
    S3 E1000;Intel(R) PRO/1000 Network Connection Driver; C:\WINDOWS\System32\DRIVERS\e1000325.sys [2006-04-27 164352]
    S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
    S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2005-12-16 51120]
    S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2005-12-16 16496]
    S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2005-12-16 21744]
    S3 HSF_DPV;HSF_DPV; C:\WINDOWS\System32\DRIVERS\HSF_DPV.sys [2005-01-25 1038208]
    S3 HSFHWICH;HSFHWICH; C:\WINDOWS\System32\DRIVERS\HSFHWICH.sys [2005-01-25 207616]
    S3 kwkxusb;Kyocera CDMA Wireless Modem Driver; C:\WINDOWS\system32\DRIVERS\kwusb2k.sys [2004-11-29 29952]
    S3 MEMSWEEP2;MEMSWEEP2; \??\C:\WINDOWS\system32\9.tmp []
    S3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
    S3 NAL;Nal Service ; \??\C:\WINDOWS\system32\Drivers\iqvw32.sys []
    S3 SMNDIS5;SMNDIS5 NDIS Protocol Driver; \??\C:\PROGRA~1\VERIZO~1\VZACCE~1\SMNDIS5.SYS []
    S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 31616]
    S3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2006-10-23 17152]
    S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
    S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
    S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
    S3 vsdatant;vsdatant; \??\C:\WINDOWS\system32\vsdatant.sys []
    S3 w29n51;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows XP; C:\WINDOWS\system32\DRIVERS\w29n51.sys [2007-04-04 2208768]
    S3 winachsf;winachsf; C:\WINDOWS\System32\DRIVERS\HSF_CNXT.sys [2005-01-25 703616]
    S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
    S4 LMIRfsClientNP;LMIRfsClientNP; C:\WINDOWS\system32\drivers\LMIRfsClientNP.sys []
    S4 sr;System Restore Filter Driver; C:\WINDOWS\System32\DRIVERS\sr.sys [2004-08-03 73472]

    ======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

    R2 AcPrfMgrSvc;Ac Profile Manager Service; C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe [2007-05-17 65536]
    R2 AcSvc;Access Connections Main Service; C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe [2007-05-17 184320]
    R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2007-02-06 364544]
    R2 ccEvtMgr;Symantec Event Manager; C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe [2006-07-19 192160]
    R2 ccSetMgr;Symantec Settings Manager; C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe [2006-07-19 169632]
    R2 DefWatch;Symantec AntiVirus Definition Watcher; C:\Program Files\Symantec AntiVirus\DefWatch.exe [2006-09-27 31472]
    R2 IBMPMSVC;ThinkPad PM Service; C:\WINDOWS\system32\ibmpmsvc.exe [2007-02-27 36400]
    R2 Irmon;Infrared Monitor; C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
    R2 LMIMaint;LogMeIn Maintenance Service; C:\Program Files\LogMeIn\x86\RaMaint.exe [2008-10-17 116032]
    R2 LogMeIn;LogMeIn; C:\Program Files\LogMeIn\x86\LogMeIn.exe [2007-08-03 63040]
    R2 MSSQLSERVER;MSSQLSERVER; C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe [2002-12-17 7520337]
    R2 RegSrvc;RegSrvc; C:\WINDOWS\system32\RegSrvc.exe [2006-06-16 122880]
    R2 S24EventMonitor;Spectrum24 Event Monitor; C:\WINDOWS\system32\S24EvMon.exe [2006-06-16 426051]
    R2 SalesLogix Server Service;SalesLogix Server; C:\Program Files\SalesLogix\SLXServer.exe [2006-10-16 536576]
    R2 SavRoam;SAVRoam; C:\Program Files\Symantec AntiVirus\SavRoam.exe [2006-09-27 116464]
    R2 SlxSearch;SalesLogix SpeedSearch; C:\Program Files\SalesLogix\SpeedSearch\Bin\SLXSearchService.exe [2007-01-05 940544]
    R2 SoundMAX Agent Service (default);SoundMAX Agent Service; C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe [2002-09-20 45056]
    R2 SPBBCSvc;Symantec SPBBCSvc; C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe [2006-04-11 1160848]
    R2 SUService;System Update; c:\program files\lenovo\system update\suservice.exe [2007-02-12 13312]
    R2 Symantec AntiVirus;Symantec AntiVirus; C:\Program Files\Symantec AntiVirus\Rtvscan.exe [2006-09-27 1813232]
    R2 TVT Scheduler;TVT Scheduler; C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe [2006-12-10 1118208]
    R2 Venturi2;Venturi Client; c:\program files\verizon wireless\venturi\Client\ventc.exe [2005-01-24 1204306]
    S2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2004-09-29 69632]
    S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
    S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
    S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-10-08 138168]
    S3 LiveUpdate;LiveUpdate; C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE [2006-09-02 2528960]
    S3 MSSQLServerADHelper;MSSQLServerADHelper; C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe [2002-12-17 66112]
    S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
    S3 RampartSvc;SonicWall VPN Client Service; C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe [2007-09-27 230672]
    S3 SNDSrvc;Symantec Network Drivers Service; C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe [2006-08-07 214720]
    S3 SQLSERVERAGENT;SQLSERVERAGENT; C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlagent.EXE [2002-12-17 311872]
    S4 nbs;nbs; C:\WINDOWS\system32\nbs.exe []

    -----------------EOF-----------------

    INFO.TXT text in next post...
     
  2. 2008/11/04
    DianeR

    DianeR Inactive Thread Starter

    Joined:
    2008/11/04
    Messages:
    17
    Likes Received:
    0
    Here's the text from INFO.TXT:

    info.txt logfile of random's system information tool 1.04 2008-11-04 18:13:33

    ======Uninstall list======

    -->MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}
    -->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
    Adobe Acrobat 7.0 Standard-->msiexec /I {AC76BA86-1033-0000-BA7E-100000000002}
    Adobe Flash Player 9 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
    Adobe Reader 8-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A80000000002}
    Agere Systems AC'97 Modem-->agrsmdel
    ATI - Software Uninstall Utility-->C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
    ATI Control Panel-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
    ATI Display Driver-->rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
    Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
    Core FTP LE 2.1-->C:\PROGRA~1\CoreFTP\UNWISE.EXE C:\PROGRA~1\CoreFTP\INSTALL.LOG
    Google Toolbar for Internet Explorer-->MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
    Google Toolbar for Internet Explorer-->regsvr32 /u /s "c:\program files\google\googletoolbar2.dll "
    HighMAT Extension to Microsoft Windows XP CD Writing Wizard-->MsiExec.exe /X{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}
    HijackThis 2.0.2--> "C:\Program Files\trend micro\HijackThis.exe" /uninstall
    Hotfix for MSXML 2 (KB887606)--> "C:\WINDOWS\$SQLUninstallMSXML2SP6-KB887606-x86-ENU$\spuninst\spuninst.exe "
    Hotfix for Windows XP (KB319740)--> "C:\WINDOWS\$NtUninstallKB319740$\spuninst\spuninst.exe "
    Hotfix for Windows XP (KB889527)--> "C:\WINDOWS\$NtUninstallKB889527$\spuninst\spuninst.exe "
    Hotfix for Windows XP (KB896344)--> "C:\WINDOWS\$NtUninstallKB896344$\spuninst\spuninst.exe "
    Hotfix for Windows XP (KB897338)--> "C:\WINDOWS\$NtUninstallKB897338$\spuninst\spuninst.exe "
    Hotfix for Windows XP (KB898900)--> "C:\WINDOWS\$NtUninstallKB898900$\spuninst\spuninst.exe "
    Hotfix for Windows XP (KB903234)--> "C:\WINDOWS\$NtUninstallKB903234$\spuninst\spuninst.exe "
    Hotfix for Windows XP (KB904412)--> "C:\WINDOWS\$NtUninstallKB904412$\spuninst\spuninst.exe "
    Hotfix for Windows XP (KB906569)--> "C:\WINDOWS\$NtUninstallKB906569$\spuninst\spuninst.exe "
    Hotfix for Windows XP (KB907865)--> "C:\WINDOWS\$NtUninstallKB907865$\spuninst\spuninst.exe "
    Hotfix for Windows XP (KB909095)--> "C:\WINDOWS\$NtUninstallKB909095$\spuninst\spuninst.exe "
    Hotfix for Windows XP (KB910728)--> "C:\WINDOWS\$NtUninstallKB910728$\spuninst\spuninst.exe "
    Hotfix for Windows XP (KB912461)--> "C:\WINDOWS\$NtUninstallKB912461$\spuninst\spuninst.exe "
    Hotfix for Windows XP (KB912817)--> "C:\WINDOWS\$NtUninstallKB912817$\spuninst\spuninst.exe "
    Hotfix for Windows XP (KB913538)--> "C:\WINDOWS\$NtUninstallKB913538$\spuninst\spuninst.exe "
    Hotfix for Windows XP (KB914440)--> "C:\WINDOWS\$NtUninstallKB914440$\spuninst\spuninst.exe "
    Hotfix for Windows XP (KB917021)--> "C:\WINDOWS\$NtUninstallKB917021$\spuninst\spuninst.exe "
    Hotfix for Windows XP (KB918005)--> "C:\WINDOWS\$NtUninstallKB918005$\spuninst\spuninst.exe "
    Hotfix for Windows XP (KB918093)--> "C:\WINDOWS\$NtUninstallKB918093$\spuninst\spuninst.exe "
    Hotfix for Windows XP (KB918766)--> "C:\WINDOWS\$NtUninstallKB918766$\spuninst\spuninst.exe "
    Hotfix for Windows XP (KB919071)--> "C:\WINDOWS\$NtUninstallKB919071$\spuninst\spuninst.exe "
    Hotfix for Windows XP (KB924867)--> "C:\WINDOWS\$NtUninstallKB924867$\spuninst\spuninst.exe "
    Hotfix for Windows XP (KB924941)--> "C:\WINDOWS\$NtUninstallKB924941$\spuninst\spuninst.exe "
    HouseCall 6.6--> "C:\Documents and Settings\JOannek\Application Data\HouseCall 6.6\uninstaller.exe "
    HP Image Zone Express-->MsiExec.exe /X{FE64AE29-0883-4C70-8388-DC026019C900}
    HP Imaging Device Functions 5.3-->C:\Program Files\HP\Digital Imaging\DigitalImagingMonitor\hpzscr01.exe -datfile hpqbud01.dat
    HP PSC & OfficeJet 5.3.B--> "C:\Program Files\HP\Digital Imaging\{5B79CFD1-6845-4158-9D7D-6BE89DF2C135}\setup\hpzscr01.exe" -datfile hposcr07.dat
    HP Software Update-->MsiExec.exe /X{15EE79F4-4ED1-4267-9B0F-351009325D7D}
    HP Solution Center & Imaging Support Tools 5.3-->C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
    IBM ThinkPad Battery MaxiMiser and Power Management Features-->C:\WINDOWS\IsUninst.exe -f "C:\Program Files\ThinkPad\Utilities\Unbmm.isu" -c "C:\Program Files\ThinkPad\Utilities\Tpinsbmm.dll "
    IBM ThinkPad UltraNav Driver-->rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll ",standAloneUninstall
    Intel(R) PRO Network Connections-->MsiExec.exe /I{205C26CB-6D52-458C-A87F-1EE77F9625C6}
    Intel(R) Sebring API -->MsiExec.exe /I{67D7BC74-E8DF-4811-9B41-6023A8C9BB3F}
    Java(TM) 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
    LiveUpdate 3.1 (Symantec Corporation)--> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
    LogMeIn-->MsiExec.exe /I{7E7658A2-CD3F-48A7-93EA-0882BCA4FD2A}
    Lotus Notes 5.0 Connector (remove only)-->C:\Program Files\Common Files\PUMATECH Shared\Connectors\SDK27\Lotus Notes 5.0 Connector\LN5Uninstall
    Malwarebytes' Anti-Malware--> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe "
    Microsoft .NET Framework 1.1 Hotfix (KB886903)--> "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M886903\M886903Uninstall.msp "
    Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
    Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
    Microsoft .NET Framework 2.0-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
    Microsoft Base Smart Card Cryptographic Service Provider Package--> "C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe "
    Microsoft Office Publisher 2003-->MsiExec.exe /I{90190409-6000-11D3-8CFE-0150048383C9}
    Microsoft Office Standard Edition 2003-->MsiExec.exe /I{90120409-6000-11D3-8CFE-0150048383C9}
    Microsoft SQL Server Desktop Engine-->MsiExec.exe /X{E09B48B5-E141-427A-AB0C-D3605127224A}
    Microsoft Streets and Trips 2005-->MsiExec.exe /I{67E4EE98-59F4-4210-89A6-A20AF5BEC689}
    Microsoft Windows Journal Viewer-->MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA8}
    MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
    MSXML 6.0 Parser (KB927977)-->MsiExec.exe /I{5A710547-B58E-488B-828D-CA9A25A0533C}
    Ontrack Data Recovery Verifile Data Reports-->RunDll32.exe C:\WINDOWS\DOWNLO~1\npVfAsp.dll,DllUninstallServer
    Redistributable_MM-->MsiExec.exe /I{9D4B411F-42F9-4566-9621-13D3A969F871}
    SalesLogix Client-->MsiExec.exe /I{0102F1E3-EEE6-4AC3-9CFC-0B39B2A7851C}
    Security Update for Microsoft .NET Framework 2.0 (KB917283)-->C:\WINDOWS\system32\msiexec.exe /promptrestart /uninstall {967B098A-042D-4367-BAC9-8BC11684174F} /package {7131646D-CD3C-40F4-97B9-CD9E4E6262EF}
    Security Update for Microsoft .NET Framework 2.0 (KB922770)-->C:\WINDOWS\system32\msiexec.exe /promptrestart /uninstall {0E92DD42-76F5-4EF2-B381-F9C1D72BE23D} /package {7131646D-CD3C-40F4-97B9-CD9E4E6262EF}
    Security Update for Step By Step Interactive Training (KB898458)--> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe "
    Security Update for Windows Media Player (KB911564)--> "C:\WINDOWS\$NtUninstallKB911564$\spuninst\spuninst.exe "
    Security Update for Windows Media Player 9 (KB911565)--> "C:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe "
    Security Update for Windows XP (KB893756)--> "C:\WINDOWS\$NtUninstallKB893756$\spuninst\spuninst.exe "
    Security Update for Windows XP (KB896358)--> "C:\WINDOWS\$NtUninstallKB896358$\spuninst\spuninst.exe "
    Security Update for Windows XP (KB896422)--> "C:\WINDOWS\$NtUninstallKB896422$\spuninst\spuninst.exe "
    Security Update for Windows XP (KB896423)--> "C:\WINDOWS\$NtUninstallKB896423$\spuninst\spuninst.exe "
    Security Update for Windows XP (KB896424)--> "C:\WINDOWS\$NtUninstallKB896424$\spuninst\spuninst.exe "
    Security Update for Windows XP (KB896428)--> "C:\WINDOWS\$NtUninstallKB896428$\spuninst\spuninst.exe "
    Security Update for Windows XP (KB899587)--> "C:\WINDOWS\$NtUninstallKB899587$\spuninst\spuninst.exe "
    Security Update for Windows XP (KB899589)--> "C:\WINDOWS\$NtUninstallKB899589$\spuninst\spuninst.exe "
    Security Update for Windows XP (KB899591)--> "C:\WINDOWS\$NtUninstallKB899591$\spuninst\spuninst.exe "
    Security Update for Windows XP (KB900725)--> "C:\WINDOWS\$NtUninstallKB900725$\spuninst\spuninst.exe "
    Security Update for Windows XP (KB901017)--> "C:\WINDOWS\$NtUninstallKB901017$\spuninst\spuninst.exe "
    Security Update for Windows XP (KB901190)--> "C:\WINDOWS\$NtUninstallKB901190$\spuninst\spuninst.exe "
    Security Update for Windows XP (KB901214)--> "C:\WINDOWS\$NtUninstallKB901214$\spuninst\spuninst.exe "
    Security Update for Windows XP (KB902400)--> "C:\WINDOWS\$NtUninstallKB902400$\spuninst\spuninst.exe "
    Security Update for Windows XP (KB904706)--> "C:\WINDOWS\$NtUninstallKB904706$\spuninst\spuninst.exe "
    Security Update for Windows XP (KB905414)--> "C:\WINDOWS\$NtUninstallKB905414$\spuninst\spuninst.exe "
    Security Update for Windows XP (KB905749)--> "C:\WINDOWS\$NtUninstallKB905749$\spuninst\spuninst.exe "
    Security Update for Windows XP (KB908519)--> "C:\WINDOWS\$NtUninstallKB908519$\spuninst\spuninst.exe "
    Security Update for Windows XP (KB911562)--> "C:\WINDOWS\$NtUninstallKB911562$\spuninst\spuninst.exe "
    Security Update for Windows XP (KB911567)--> "C:\WINDOWS\$NtUninstallKB911567$\spuninst\spuninst.exe "
    Security Update for Windows XP (KB911927)--> "C:\WINDOWS\$NtUninstallKB911927$\spuninst\spuninst.exe "
    Security Update for Windows XP (KB912919)--> "C:\WINDOWS\$NtUninstallKB912919$\spuninst\spuninst.exe "
    Security Update for Windows XP (KB913580)--> "C:\WINDOWS\$NtUninstallKB913580$\spuninst\spuninst.exe "
    Security Update for Windows XP (KB914388)--> "C:\WINDOWS\$NtUninstallKB914388$\spuninst\spuninst.exe "
    Security Update for Windows XP (KB914389)--> "C:\WINDOWS\$NtUninstallKB914389$\spuninst\spuninst.exe "
    Security Update for Windows XP (KB917344)--> "C:\WINDOWS\$NtUninstallKB917344$\spuninst\spuninst.exe "
    Security Update for Windows XP (KB917422)--> "C:\WINDOWS\$NtUninstallKB917422$\spuninst\spuninst.exe "
    Security Update for Windows XP (KB917537)--> "C:\WINDOWS\$NtUninstallKB917537$\spuninst\spuninst.exe "
    Security Update for Windows XP (KB917953)--> "C:\WINDOWS\$NtUninstallKB917953$\spuninst\spuninst.exe "
    Security Update for Windows XP (KB918118)--> "C:\WINDOWS\$NtUninstallKB918118$\spuninst\spuninst.exe "
    Security Update for Windows XP (KB918439)--> "C:\WINDOWS\$NtUninstallKB918439$\spuninst\spuninst.exe "
    Security Update for Windows XP (KB919007)--> "C:\WINDOWS\$NtUninstallKB919007$\spuninst\spuninst.exe "
    Security Update for Windows XP (KB920213)--> "C:\WINDOWS\$NtUninstallKB920213$\spuninst\spuninst.exe "
    Security Update for Windows XP (KB920214)--> "C:\WINDOWS\$NtUninstallKB920214$\spuninst\spuninst.exe "
    Security Update for Windows XP (KB920670)--> "C:\WINDOWS\$NtUninstallKB920670$\spuninst\spuninst.exe "
    Security Update for Windows XP (KB920683)--> "C:\WINDOWS\$NtUninstallKB920683$\spuninst\spuninst.exe "
    Security Update for Windows XP (KB920685)--> "C:\WINDOWS\$NtUninstallKB920685$\spuninst\spuninst.exe "
    Security Update for Windows XP (KB921398)--> "C:\WINDOWS\$NtUninstallKB921398$\spuninst\spuninst.exe "
    Security Update for Windows XP (KB922616)--> "C:\WINDOWS\$NtUninstallKB922616$\spuninst\spuninst.exe "
    Security Update for Windows XP (KB922760)--> "C:\WINDOWS\$NtUninstallKB922760$\spuninst\spuninst.exe "
    Security Update for Windows XP (KB922819)--> "C:\WINDOWS\$NtUninstallKB922819$\spuninst\spuninst.exe "
    Security Update for Windows XP (KB923191)--> "C:\WINDOWS\$NtUninstallKB923191$\spuninst\spuninst.exe "
    Security Update for Windows XP (KB923414)--> "C:\WINDOWS\$NtUninstallKB923414$\spuninst\spuninst.exe "
    Security Update for Windows XP (KB923689)--> "C:\WINDOWS\$NtUninstallKB923689$\spuninst\spuninst.exe "
    Security Update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
    Security Update for Windows XP (KB923980)--> "C:\WINDOWS\$NtUninstallKB923980$\spuninst\spuninst.exe "
    Security Update for Windows XP (KB924191)--> "C:\WINDOWS\$NtUninstallKB924191$\spuninst\spuninst.exe "
    Security Update for Windows XP (KB924270)--> "C:\WINDOWS\$NtUninstallKB924270$\spuninst\spuninst.exe "
    Security Update for Windows XP (KB924496)--> "C:\WINDOWS\$NtUninstallKB924496$\spuninst\spuninst.exe "
    Security Update for Windows XP (KB924667)--> "C:\WINDOWS\$NtUninstallKB924667$\spuninst\spuninst.exe "
    Security Update for Windows XP (KB925486)--> "C:\WINDOWS\$NtUninstallKB925486$\spuninst\spuninst.exe "
    Security Update for Windows XP (KB925902)--> "C:\WINDOWS\$NtUninstallKB925902$\spuninst\spuninst.exe "
    Security Update for Windows XP (KB926255)--> "C:\WINDOWS\$NtUninstallKB926255$\spuninst\spuninst.exe "
    Security Update for Windows XP (KB926436)--> "C:\WINDOWS\$NtUninstallKB926436$\spuninst\spuninst.exe "
    Security Update for Windows XP (KB927779)--> "C:\WINDOWS\$NtUninstallKB927779$\spuninst\spuninst.exe "
    Security Update for Windows XP (KB927802)--> "C:\WINDOWS\$NtUninstallKB927802$\spuninst\spuninst.exe "
    Security Update for Windows XP (KB928090)--> "C:\WINDOWS\$NtUninstallKB928090$\spuninst\spuninst.exe "
    Security Update for Windows XP (KB928255)--> "C:\WINDOWS\$NtUninstallKB928255$\spuninst\spuninst.exe "
    Security Update for Windows XP (KB928843)--> "C:\WINDOWS\$NtUninstallKB928843$\spuninst\spuninst.exe "
    Security Update for Windows XP (KB929969)--> "C:\WINDOWS\$NtUninstallKB929969$\spuninst\spuninst.exe "
    Security Update for Windows XP (KB930178)--> "C:\WINDOWS\$NtUninstallKB930178$\spuninst\spuninst.exe "
    Security Update for Windows XP (KB931261)--> "C:\WINDOWS\$NtUninstallKB931261$\spuninst\spuninst.exe "
    Security Update for Windows XP (KB931768)--> "C:\WINDOWS\$NtUninstallKB931768$\spuninst\spuninst.exe "
    Security Update for Windows XP (KB931784)--> "C:\WINDOWS\$NtUninstallKB931784$\spuninst\spuninst.exe "
    Security Update for Windows XP (KB932168)--> "C:\WINDOWS\$NtUninstallKB932168$\spuninst\spuninst.exe "
    SonicWALL Global VPN Client 4.0.0.830-->C:\Program Files\InstallShield Installation Information\{53648F92-1CC5-22D2-A6DF-00A0C9A23BCD}\setup.exe -runfromtemp -l0x0009 -FromCPL -removeonly
    Sophos Anti-Rootkit 1.3.1-->C:\Program Files\Sophos\Sophos Anti-Rootkit\helper.exe remove
    SoundMAX-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe" -l0x9 -removeonly
    SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
    Symantec AntiVirus-->MsiExec.exe /I{33CFCF98-F8D6-4549-B469-6F4295676D83}
    System Update-->MsiExec.exe /X{8675339C-128C-44DD-83BF-0A5D6ABD8297}
    ThinkPad Configuration-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FC081D4D-DF1B-4CF1-B530-027E4118D846}\setup.exe" -l0x9 -AddRemove
    ThinkPad Integrated 56K Modem-->C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_8086&DEV_24C6&SUBSYS_05591014\HXFSETUP.EXE -U -ITkp0559K.INF
    ThinkPad Power Management Driver-->RunDll32.exe tpinspm.dll,Uninstall
    ThinkPad Presentation Director-->C:\WINDOWS\IsUninst.exe -fC:\PROGRA~1\ThinkPad\UTILIT~1\UNNPDR.isu -c "C:\Program Files\ThinkPad\Utilities\Tpinsnpd.dll "
    ThinkVantage Access Connections-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7EB114D8-207F-45AE-BABD-1669715F2630}\setup.exe" -l0x9 anything
    UltraVNC v1.0.2--> "C:\Program Files\UltraVNC\unins000.exe "
    Update for Windows XP (KB894391)--> "C:\WINDOWS\$NtUninstallKB894391$\spuninst\spuninst.exe "
    Update for Windows XP (KB897663)--> "C:\WINDOWS\$NtUninstallKB897663$\spuninst\spuninst.exe "
    Update for Windows XP (KB898461)--> "C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe "
    Update for Windows XP (KB900485)--> "C:\WINDOWS\$NtUninstallKB900485$\spuninst\spuninst.exe "
    Update for Windows XP (KB904942)--> "C:\WINDOWS\$NtUninstallKB904942$\spuninst\spuninst.exe "
    Update for Windows XP (KB907265)--> "C:\WINDOWS\$NtUninstallKB907265$\spuninst\spuninst.exe "
    Update for Windows XP (KB908521)--> "C:\WINDOWS\$NtUninstallKB908521$\spuninst\spuninst.exe "
    Update for Windows XP (KB908531)--> "C:\WINDOWS\$NtUninstallKB908531$\spuninst\spuninst.exe "
    Update for Windows XP (KB910437)--> "C:\WINDOWS\$NtUninstallKB910437$\spuninst\spuninst.exe "
    Update for Windows XP (KB911280)--> "C:\WINDOWS\$NtUninstallKB911280$\spuninst\spuninst.exe "
    Update for Windows XP (KB916595)--> "C:\WINDOWS\$NtUninstallKB916595$\spuninst\spuninst.exe "
    Update for Windows XP (KB916846)--> "C:\WINDOWS\$NtUninstallKB916846$\spuninst\spuninst.exe "
    Update for Windows XP (KB920342)--> "C:\WINDOWS\$NtUninstallKB920342$\spuninst\spuninst.exe "
    Update for Windows XP (KB920872)--> "C:\WINDOWS\$NtUninstallKB920872$\spuninst\spuninst.exe "
    Update for Windows XP (KB922120)--> "C:\WINDOWS\$NtUninstallKB922120$\spuninst\spuninst.exe "
    Update for Windows XP (KB922582)--> "C:\WINDOWS\$NtUninstallKB922582$\spuninst\spuninst.exe "
    Update for Windows XP (KB925876)--> "C:\WINDOWS\$NtUninstallKB925876$\spuninst\spuninst.exe "
    Update for Windows XP (KB927891)--> "C:\WINDOWS\$NtUninstallKB927891$\spuninst\spuninst.exe "
    Update for Windows XP (KB929338)--> "C:\WINDOWS\$NtUninstallKB929338$\spuninst\spuninst.exe "
    Update for Windows XP (KB930916)--> "C:\WINDOWS\$NtUninstallKB930916$\spuninst\spuninst.exe "
    Update for Windows XP (KB931836)--> "C:\WINDOWS\$NtUninstallKB931836$\spuninst\spuninst.exe "
    Venturi Client 3.1.4-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9C59FA2E-EEDA-41FA-90AC-F8FCBD032E85}\Setup.exe" -l0x9 -vuninstall
    VZAccess Manager-->C:\PROGRA~1\VERIZO~1\VZACCE~1\UNWISE.EXE C:\PROGRA~1\VERIZO~1\VZACCE~1\INSTALL.LOG
    Windows Installer 3.1 (KB893803)--> "C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe "
    Windows XP Hotfix - KB873339-->C:\WINDOWS\$NtUninstallKB873339$\spuninst\spuninst.exe
    Windows XP Hotfix - KB884020-->C:\WINDOWS\$NtUninstallKB884020$\spuninst\spuninst.exe
    Windows XP Hotfix - KB884883--> "C:\WINDOWS\$NtUninstallKB884883$\spuninst\spuninst.exe "
    Windows XP Hotfix - KB885222--> "C:\WINDOWS\$NtUninstallKB885222$\spuninst\spuninst.exe "
    Windows XP Hotfix - KB885835-->C:\WINDOWS\$NtUninstallKB885835$\spuninst\spuninst.exe
    Windows XP Hotfix - KB885836-->C:\WINDOWS\$NtUninstallKB885836$\spuninst\spuninst.exe
    Windows XP Hotfix - KB886185-->C:\WINDOWS\$NtUninstallKB886185$\spuninst\spuninst.exe
    Windows XP Hotfix - KB886677-->C:\WINDOWS\$NtUninstallKB886677$\spuninst\spuninst.exe
    Windows XP Hotfix - KB886716--> "C:\WINDOWS\$NtUninstallKB886716$\spuninst\spuninst.exe "
    Windows XP Hotfix - KB887472-->C:\WINDOWS\$NtUninstallKB887472$\spuninst\spuninst.exe
    Windows XP Hotfix - KB887742-->C:\WINDOWS\$NtUninstallKB887742$\spuninst\spuninst.exe
    Windows XP Hotfix - KB888302-->C:\WINDOWS\$NtUninstallKB888302$\spuninst\spuninst.exe
    Windows XP Hotfix - KB889673-->C:\WINDOWS\$NtUninstallKB889673$\spuninst\spuninst.exe
    Windows XP Hotfix - KB890859--> "C:\WINDOWS\$NtUninstallKB890859$\spuninst\spuninst.exe "
    Windows XP Hotfix - KB891781-->C:\WINDOWS\$NtUninstallKB891781$\spuninst\spuninst.exe
    Windows XP Hotfix - KB894395--> "C:\WINDOWS\$NtUninstallKB894395$\spuninst\spuninst.exe "
    Windows XP Hotfix - KB896613--> "C:\WINDOWS\$NtUninstallKB896613$\spuninst\spuninst.exe "
    Windows XP Hotfix - KB896626--> "C:\WINDOWS\$NtUninstallKB896626$\spuninst\spuninst.exe "
    Windows XP Service Pack 2-->C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe
    ZipCentral 4.01--> "C:\Program Files\ZipCentral\unins000.exe "

    ======Hosts File======

    192.168.20.61 phlox.phoenix02.uniteddrugs.com
    192.168.20.12 sambaserv.phoenix02.uniteddrugs.com
    72.164.41.74 ftp.uniteddrugs.com

    ======Security center information======

    AV: Symantec AntiVirus Corporate Edition

    ======Environment variables======

    "ComSpec"=%SystemRoot%\system32\cmd.exe
    "FP_NO_HOST_CHECK"=NO
    "NUMBER_OF_PROCESSORS"=1
    "OS"=Windows_NT
    "Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\Program Files\ThinkPad\Utilities;c:\Program Files\Intel\DMIX;C:\Program Files\Microsoft SQL Server\80\Tools\Binn;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\ThinkPad\ConnectUtilities
    "PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    "PROCESSOR_ARCHITECTURE"=x86
    "PROCESSOR_IDENTIFIER"=x86 Family 6 Model 9 Stepping 5, GenuineIntel
    "PROCESSOR_LEVEL"=6
    "PROCESSOR_REVISION"=0905
    "TEMP"=%SystemRoot%\TEMP
    "TMP"=%SystemRoot%\TEMP
    "windir"=%SystemRoot%

    -----------------EOF-----------------
     

  4. 2008/11/05
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Welcome to WindowsBBS DianeR :)

    Since you already have ComboFix, please start by first posting the C:\ComboFix log and the SDFix log in the C:\SDFix folder.

    Then, run ComboFix again after closing all other programs and disabling realtime protection apps, allowing it to update and restart the computer if needed. Do not click on the ComboFix window whilst it runs. After restart ComboFix will continue to run and open a log when it completes. Post that log here please.
     
  5. 2008/11/05
    DianeR

    DianeR Inactive Thread Starter

    Joined:
    2008/11/04
    Messages:
    17
    Likes Received:
    0
    Hi. I've been working on this machine in the interim so should I run a new ComboFix and SDFix as well as a new RSIT?

    Thanks for looking into this for me.
     
  6. 2008/11/05
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Run only ComboFix followed by RSIT, and post the original ComboFix and SDFix logs.
     
  7. 2008/11/05
    DianeR

    DianeR Inactive Thread Starter

    Joined:
    2008/11/04
    Messages:
    17
    Likes Received:
    0
    Okey Dokey. On their way in a minute. Thanks. :)
     
  8. 2008/11/05
    DianeR

    DianeR Inactive Thread Starter

    Joined:
    2008/11/04
    Messages:
    17
    Likes Received:
    0
    ORIGINAL COMBOFIX LOG

    ComboFix 08-10-30.04 - joannek 2008-10-30 16:45:31.2 - NTFSx86 NETWORK
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.622 [GMT -7:00]
    Running from: C:\Documents and Settings\JOannek\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2008-09-28 to 2008-10-30 )))))))))))))))))))))))))))))))
    .

    2008-10-30 16:13 . 2001-08-23 05:00 4,224 --a------ C:\WINDOWS\system32\drivers\beep.sys
    2008-10-29 15:19 . 2008-10-29 15:19 <DIR> d---s---- C:\Documents and Settings\LocalService\UserData
    2008-10-29 10:35 . 2008-10-29 10:34 61,440 -rahs---- C:\WINDOWS\EXVPL81K7.exe
    2008-10-29 10:35 . 2008-10-29 10:35 28,672 --a------ C:\WINDOWS\0UFC90.exe
    2008-10-29 09:02 . 2008-10-29 09:02 20,992 ---hs---- C:\WINDOWS\system32\wycl.exe
    2008-10-29 08:32 . 2008-10-29 08:32 20,992 ---hs---- C:\WINDOWS\system32\nbss.exe
    2008-10-27 10:16 . 2008-10-27 10:16 20,992 ---hs---- C:\WINDOWS\system32\exm.exe
    2008-10-27 08:25 . 2008-10-27 08:25 1,308 --a------ C:\sssb.exe
    2008-10-27 08:24 . 2008-10-27 08:24 20,992 --a------ C:\sssd.exe
    2008-10-22 16:37 . 2004-08-04 00:56 388,608 --a------ C:\WINDOWS\system32\tmpacj1.exe
    2008-10-22 16:33 . 2008-10-27 09:40 <DIR> d-------- C:\WINDOWS\Window Med1a
    2008-10-22 14:04 . 2008-10-22 15:56 <DIR> d-------- C:\WINDOWS\system32\Patch
    2008-10-22 14:04 . 2008-10-30 16:12 <DIR> d-------- C:\WINDOWS\system32\inf
    2008-10-22 14:04 . 2008-10-22 14:04 20,992 ---hs---- C:\WINDOWS\system32\wat.exe
    2008-10-22 14:04 . 2008-10-22 14:03 20,992 ---hs---- C:\WINDOWS\system32\iWs.exe
    2008-10-22 14:03 . 2008-10-27 09:39 <DIR> d-------- C:\WINDOWS\system32\Studio
    2008-10-22 14:03 . 2004-08-04 00:56 388,608 --a------ C:\WINDOWS\system32\Sltc.exe
    2008-10-22 14:03 . 2008-10-22 14:03 65,536 --a------ C:\WINDOWS\system32\SysSetup.xml
    2008-10-22 14:03 . 2004-08-04 00:56 42,496 --a------ C:\WINDOWS\system32\Slxc.exe
    2008-10-20 10:03 . 2008-10-20 10:03 60,744 --a------ C:\Documents and Settings\JOannek\g2mdlhlpx.exe
    2008-10-14 11:03 . 2004-08-04 00:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
    2008-10-08 08:51 . 2008-10-08 08:51 <DIR> d-------- C:\WINDOWS\Sun
    2008-10-08 08:45 . 2008-10-14 07:17 <DIR> d-------- C:\Program Files\Google
    2008-10-08 08:45 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
    2008-10-08 08:44 . 2008-10-08 08:45 <DIR> d-------- C:\Program Files\Java
    2008-10-08 08:43 . 2008-10-08 08:43 <DIR> d-------- C:\Program Files\Common Files\Java
    2008-09-02 10:18 . 2008-09-02 10:18 <DIR> d-------- C:\OldArchivedOutlook
    2008-09-02 08:08 . 2008-09-02 09:54 <DIR> d-------- C:\Restore

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-10-30 23:06 --------- d-----w C:\Documents and Settings\JOannek\Application Data\U3
    2008-10-30 22:46 --------- d-----w C:\Program Files\Symantec AntiVirus
    2008-10-30 22:42 --------- d-----w C:\Program Files\LogMeIn
    2008-10-29 17:17 --------- d-----w C:\Program Files\SalesLogix
    2008-10-17 15:07 47,640 ----a-w C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
    2008-10-15 15:13 --------- d-----w C:\Program Files\ZipCentral
    2004-08-04 07:56 461,085 --sh--w C:\WINDOWS\system32\agent.exe
    .

    ((((((((((((((((((((((((((((( snapshot@2008-10-30_16.27.07.68 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-07-17 07:55:32 70,934 ----a-w C:\WINDOWS\system32\perfc009.dat
    + 2008-10-30 23:23:23 70,532 ----a-w C:\WINDOWS\system32\perfc009.dat
    - 2008-07-17 07:55:32 422,366 ----a-w C:\WINDOWS\system32\perfh009.dat
    + 2008-10-30 23:23:23 421,798 ----a-w C:\WINDOWS\system32\perfh009.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-06-24 126976]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-06-24 561152]
    "Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 143360]
    "Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
    "vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 125168]
    "TVT Scheduler Proxy"="C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2006-12-10 536576]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2007-02-06 344064]
    "ACTray"="C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe" [2007-05-17 413696]
    "ACWLIcon"="C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-05-17 126976]
    "SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
    "BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2005-04-20 110592]
    "BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [2005-04-20 20480]
    "BMMMONWND"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2005-04-20 396288]
    "BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-04-20 208896]
    "LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 63048]
    "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 C:\WINDOWS\AGRSMMSG.exe]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "GrpConv"="grpconv -o" [X]
    "FdsT"="%systemroot%\system32\knlzem.dll" [BU]
    "Setup"="MSIEXEC.EXE" [2005-05-04 C:\WINDOWS\system32\msiexec.exe]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]
    Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoWelcomeScreen"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
    2007-05-17 11:41 32768 C:\Program Files\ThinkPad\ConnectUtilities\ACNotify.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    2008-10-17 08:06 87352 C:\WINDOWS\system32\LMIinit.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages REG_MULTI_SZ scecli ACGina

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-286463997-3611086172-1349692979-1181\Scripts\Logon\0\0]
    "Script"=login.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-286463997-3611086172-1349692979-1181\Scripts\Logon\1\0]
    "Script"=inventory.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-286463997-3611086172-1349692979-1181\Scripts\Logon\2\0]
    "Script"=mapdrv.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-286463997-3611086172-1349692979-1187\Scripts\Logon\0\0]
    "Script"=login.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-286463997-3611086172-1349692979-1187\Scripts\Logon\1\0]
    "Script"=inventory.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-286463997-3611086172-1349692979-1187\Scripts\Logon\2\0]
    "Script"=mapdrv.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-286463997-3611086172-1349692979-1319\Scripts\Logon\0\0]
    "Script"=login.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-286463997-3611086172-1349692979-1319\Scripts\Logon\1\0]
    "Script"=mapdrv.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    R0 zntbv;zntbv;C:\WINDOWS\system32\drivers\zntbv.sys [2004-08-04 25312]
    R1 RCFOX;SonicWALL IPsec Driver;C:\WINDOWS\system32\Drivers\RCFOX.sys [2007-09-27 101528]
    R3 rcvpn;SonicWALL VPN Adapter;C:\WINDOWS\system32\DRIVERS\rcvpn.sys [2005-11-08 24876]
    S1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2005-11-08 11520]
    S1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\Drivers\IBMBLDID.sys [2007-04-02 4224]
    S1 TPPWR;TPPWR;C:\WINDOWS\system32\drivers\Tppwr.sys [2005-04-20 16384]
    S2 52ting;52ting;C:\WINDOWS\system32\wat.exe [2008-10-22 20992]
    S2 agent;agent;C:\WINDOWS\System32\agent.exe [2004-08-04 461085]
    S2 exm;exm;C:\WINDOWS\system32\exm.exe [2008-10-27 20992]
    S2 iWs;iWs;C:\WINDOWS\system32\iWs.exe [2008-10-22 20992]
    S2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2008-02-28 12856]
    S2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2008-10-17 47640]
    S2 nbss;nbss;C:\WINDOWS\system32\nbss.exe [2008-10-29 20992]
    S2 SalesLogix Server Service;SalesLogix Server;C:\Program Files\SalesLogix\SLXServer.exe [2006-10-16 536576]
    S2 SlxSearch;SalesLogix SpeedSearch;C:\Program Files\SalesLogix\SpeedSearch\Bin\SLXSearchService.exe [2007-01-05 940544]
    S2 vnccom;vnccom;C:\WINDOWS\system32\Drivers\vnccom.SYS [2004-06-26 6016]
    S2 wycl;wycl;C:\WINDOWS\system32\wycl.exe [2008-10-29 20992]
    S3 0ZV5JYXOJE13;M5BP29AYUB;C:\WINDOWS\Z6ZKRP8PKT6.txt [2008-10-29 3045]
    S3 kwkxusb;Kyocera CDMA Wireless Modem Driver;C:\WINDOWS\system32\DRIVERS\kwusb2k.sys [2004-11-29 29952]
    S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2005-12-13 20480]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    \Shell\AutoRun\command - E:\LaunchU3.exe -a
    .
    Contents of the 'Scheduled Tasks' folder

    2008-07-17 C:\WINDOWS\Tasks\BMMTask.job
    - C:\PROGRA~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2005-04-20 01:38]
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-RunOnce-<NO NAME> - (no file)


    .
    ------- Supplementary Scan -------
    .
    R0 -: HKCU-Main,Start Page = www.345dh.cn?tg=7
    O8 -: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 -: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 -: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 -: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 -: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 -: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 -: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 -: Convert to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O18 -: Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - C:\Program Files\CoreFTP\pftpns.dll

    O16 -: {6D868B99-8B01-4B25-9BD1-ED37AFDF5E29} - hxxp://www.ontrackdatarecovery.com/verifile/npvfasp.cab
    C:\WINDOWS\Downloaded Program Files\npVfAsp.inf
    C:\WINDOWS\system32\npVfAspFrench.dll
    C:\WINDOWS\system32\npVfAspGerman.dll
    C:\WINDOWS\system32\npVfAspItalian.dll
    C:\WINDOWS\system32\npVfAspJapanese.dll
    C:\WINDOWS\system32\npVfAspSpanish.dll
    C:\WINDOWS\system32\npVfAspPolish.dll
    C:\WINDOWS\system32\npVfAspRussian.dll
    C:\WINDOWS\Downloaded Program Files\npVfAsp.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-10-30 16:52:45
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\0ZV5JYXOJE13]
    "ImagePath"="\??\C:\WINDOWS\Z6ZKRP8PKT6.txt"
    .
    Completion time: 2008-10-30 17:00:25 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-10-31 00:00:21
    ComboFix2.txt 2008-10-30 23:27:35

    Pre-Run: 4,877,205,504 bytes free
    Post-Run: 4,863,451,136 bytes free

    191 --- E O F --- 2007-06-13 00:02:09


    ORIGINAL SDFIX LOG



    SDFix: Version 1.238
    Run by joannek on 2008-11-03 at 15:50

    Microsoft Windows XP [Version 5.1.2600]
    Running From: C:\SDFix

    Checking Services :


    Restoring Default Security Values
    Restoring Default Hosts File

    Rebooting


    Checking Files :

    Trojan Files Found:

    C:\WINDOWS\system32\1.tmp - Deleted
    C:\WINDOWS\system32\1.tmp - Deleted





    Removing Temp Files

    ADS Check :



    Final Check :

    catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-11-03 16:01:01
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden services & system hive ...

    scanning hidden registry entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0


    Remaining Services :




    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

    Remaining Files :


    File Backups: - C:\SDFix\backups\backups.zip

    Files with Hidden Attributes :

    Wed 29 Oct 2008 61,440 A.SHR --- "C:\WINDOWS\EXVPL81K7.exe"
    Wed 4 Aug 2004 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
    Wed 4 Aug 2004 461,085 ..SH. --- "C:\WINDOWS\system32\agent.exe"
    Mon 27 Oct 2008 20,992 ..SH. --- "C:\WINDOWS\system32\exm.exe"
    Fri 31 Oct 2008 22,016 ..SH. --- "C:\WINDOWS\system32\imbs.exe"
    Wed 22 Oct 2008 20,992 ..SH. --- "C:\WINDOWS\system32\iWs.exe"
    Wed 29 Oct 2008 20,992 ..SH. --- "C:\WINDOWS\system32\nbss.exe"
    Wed 22 Oct 2008 20,992 ..SH. --- "C:\WINDOWS\system32\wat.exe"
    Wed 29 Oct 2008 20,992 ..SH. --- "C:\WINDOWS\system32\wycl.exe"
    Wed 29 Oct 2008 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"

    Finished!


    Running new ComboFix and RSIT. Post to follow...
     
  9. 2008/11/05
    DianeR

    DianeR Inactive Thread Starter

    Joined:
    2008/11/04
    Messages:
    17
    Likes Received:
    0
    NEW COMBOFIX LOG (FYI - I realized after it had started running that I'd forgotten to turn off Symantec AV's Auto Protect. Please let me know if you need me to run it again.)

    Also, as it launched, I got the RUNDLL error that I get when I log into the machine. I have a screen shot (.jpg) of it that I can send along... just not sure how to attach such things.


    ComboFix 08-11-05.02 - joannek 2008-11-05 22:29:54.3 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.221 [GMT -7:00]
    Running from: c:\documents and settings\JOannek\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2008-10-06 to 2008-11-06 )))))))))))))))))))))))))))))))
    .

    2008-11-05 21:06 . 2008-11-05 21:06 <DIR> d-------- c:\documents and settings\Administrator\Application Data\U3
    2008-11-05 21:05 . 2008-11-05 21:05 0 --a------ c:\windows\nsreg.dat
    2008-11-05 18:59 . 2008-11-05 20:12 <DIR> d-------- c:\documents and settings\Administrator\.housecall6.6
    2008-11-05 17:54 . 2008-11-05 18:04 <DIR> d-------- c:\documents and settings\Administrator\Application Data\CoreFTP
    2008-11-05 16:50 . 2008-11-05 17:43 <DIR> d-------- c:\program files\EsetOnlineScanner
    2008-11-05 15:37 . 2008-11-05 15:37 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
    2008-11-05 14:52 . 2008-11-05 14:56 4,274 --a------ c:\windows\system32\tmp.reg
    2008-11-04 18:13 . 2008-11-04 19:18 <DIR> d-------- C:\rsit
    2008-11-04 18:13 . 2008-11-05 22:04 <DIR> d-------- c:\program files\trend micro
    2008-11-04 12:56 . 2008-11-04 12:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-11-04 12:55 . 2008-11-04 12:55 <DIR> d-------- c:\program files\SUPERAntiSpyware
    2008-11-04 12:55 . 2008-11-04 12:55 <DIR> d-------- c:\documents and settings\JOannek\Application Data\SUPERAntiSpyware.com
    2008-10-31 15:43 . 2008-10-31 17:01 <DIR> d-------- c:\documents and settings\JOannek\Application Data\HouseCall 6.6
    2008-10-31 13:14 . 2008-11-03 09:10 <DIR> d-------- c:\documents and settings\JOannek\.housecall6.6
    2008-10-31 12:55 . 2008-10-31 12:55 <DIR> d-------- c:\program files\Sophos
    2008-10-31 12:49 . 2008-10-31 12:49 1,181,383 --a------ c:\temp\SophosAntiRootKit_sarsfx.exe
    2008-10-31 12:49 . 2008-10-31 12:49 1,181,383 --a------ c:\documents and settings\JOannek\SophosAntiRootKit_sarsfx.exe
    2008-10-31 12:27 . 2008-10-31 12:27 <DIR> d-------- c:\windows\ERUNT
    2008-10-31 12:23 . 2008-11-03 16:03 <DIR> d-------- C:\SDFix
    2008-10-31 10:55 . 2008-10-31 10:55 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2008-10-31 10:55 . 2008-10-31 10:55 <DIR> d-------- c:\documents and settings\JOannek\Application Data\Malwarebytes
    2008-10-31 10:55 . 2008-10-31 10:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2008-10-31 10:55 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2008-10-31 10:55 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2008-10-30 17:03 . 2008-11-04 09:42 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
    2008-10-30 17:03 . 2008-10-30 17:08 <DIR> d-------- C:\fixwareout
    2008-10-30 16:13 . 2001-08-23 05:00 4,224 --a------ c:\windows\system32\drivers\beep.sys
    2008-10-29 15:19 . 2008-10-29 15:19 <DIR> d---s---- c:\documents and settings\LocalService\UserData
    2008-10-22 16:37 . 2004-08-04 00:56 388,608 --a------ c:\windows\system32\tmpacj1.exe
    2008-10-22 16:33 . 2008-10-27 09:40 <DIR> d-------- c:\windows\Window Med1a
    2008-10-22 14:04 . 2008-10-22 15:56 <DIR> d-------- c:\windows\system32\Patch
    2008-10-22 14:04 . 2008-10-30 16:12 <DIR> d-------- c:\windows\system32\inf
    2008-10-22 14:03 . 2004-08-04 00:56 388,608 --a------ c:\windows\system32\Sltc.exe
    2008-10-22 14:03 . 2008-10-22 14:03 65,536 --a------ c:\windows\system32\SysSetup.xml
    2008-10-22 14:03 . 2004-08-04 00:56 42,496 --a------ c:\windows\system32\Slxc.exe
    2008-10-20 10:03 . 2008-10-20 10:03 60,744 --a------ c:\documents and settings\JOannek\g2mdlhlpx.exe
    2008-10-14 11:03 . 2004-08-04 00:56 221,184 --a------ c:\windows\system32\wmpns.dll
    2008-10-08 08:51 . 2008-10-08 08:51 <DIR> d-------- c:\windows\Sun
    2008-10-08 08:45 . 2008-10-14 07:17 <DIR> d-------- c:\program files\Google
    2008-10-08 08:45 . 2008-06-10 02:32 73,728 --a------ c:\windows\system32\javacpl.cpl
    2008-10-08 08:44 . 2008-10-08 08:45 <DIR> d-------- c:\program files\Java
    2008-10-08 08:43 . 2008-10-08 08:43 <DIR> d-------- c:\program files\Common Files\Java

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-11-06 05:37 --------- d-----w c:\program files\Symantec AntiVirus
    2008-11-05 21:52 --------- d-----w c:\documents and settings\JOannek\Application Data\CoreFTP
    2008-11-05 16:03 --------- d-----w c:\program files\LogMeIn
    2008-10-31 19:22 --------- d-----w c:\program files\ZipCentral
    2008-10-30 23:06 --------- d-----w c:\documents and settings\JOannek\Application Data\U3
    2008-10-29 17:17 --------- d-----w c:\program files\SalesLogix
    2008-10-17 15:07 47,640 ----a-w c:\windows\system32\drivers\LMIRfsDriver.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-06-24 126976]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-06-24 561152]
    "Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]
    "Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
    "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-27 125168]
    "TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2006-12-10 536576]
    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2007-02-06 344064]
    "ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2007-05-17 413696]
    "ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-05-17 126976]
    "SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
    "BMMGAG"="c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2005-04-20 110592]
    "BMMLREF"="c:\program files\ThinkPad\Utilities\BMMLREF.EXE" [2005-04-20 20480]
    "BMMMONWND"="c:\progra~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2005-04-20 396288]
    "BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-04-20 208896]
    "LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 63048]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
    "MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2005-09-26 169984]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "Setup"="MSIEXEC.EXE" [2005-05-04 c:\windows\system32\msiexec.exe]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]
    Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoWelcomeScreen"= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-07-23 16:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
    2007-05-17 11:41 32768 c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    2008-10-17 08:06 87352 c:\windows\system32\LMIinit.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages REG_MULTI_SZ scecli ACGina

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-286463997-3611086172-1349692979-1181\Scripts\Logon\0\0]
    "Script"=login.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-286463997-3611086172-1349692979-1181\Scripts\Logon\1\0]
    "Script"=inventory.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-286463997-3611086172-1349692979-1181\Scripts\Logon\2\0]
    "Script"=mapdrv.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-286463997-3611086172-1349692979-1187\Scripts\Logon\0\0]
    "Script"=login.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-286463997-3611086172-1349692979-1187\Scripts\Logon\1\0]
    "Script"=inventory.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-286463997-3611086172-1349692979-1187\Scripts\Logon\2\0]
    "Script"=mapdrv.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-286463997-3611086172-1349692979-1319\Scripts\Logon\0\0]
    "Script"=login.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-286463997-3611086172-1349692979-1319\Scripts\Logon\1\0]
    "Script"=mapdrv.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
    --a------ 2003-06-27 08:53 88363 c:\windows\AGRSMMSG.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "wycl"=2 (0x2)
    "nbs"=2 (0x2)
    "imbs"=2 (0x2)
    "iWs"=2 (0x2)
    "exm"=2 (0x2)
    "52ting"=2 (0x2)
    "ngf"=2 (0x2)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"="0x00000000"
    "UpdatesDisableNotify"="0x00000000"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    R0 zntbv;zntb;c:\windows\system32\drivers\zntbv.sys [2004-08-04 25312]
    R1 ANC;ANC;c:\windows\system32\drivers\ANC.SYS [2005-11-08 11520]
    R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\Drivers\IBMBLDID.sys [2007-04-02 4224]
    R1 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\Drivers\RCFOX.sys [2007-09-27 101528]
    R1 TPPWR;TPPWR;c:\windows\system32\drivers\Tppwr.sys [2005-04-20 16384]
    R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2008-02-28 12856]
    R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-10-17 47640]
    R2 SalesLogix Server Service;SalesLogix Server;c:\program files\SalesLogix\SLXServer.exe [2006-10-16 536576]
    R2 SlxSearch;SalesLogix SpeedSearch;c:\program files\SalesLogix\SpeedSearch\Bin\SLXSearchService.exe [2007-01-05 940544]
    R2 vnccom;vnccom;c:\windows\system32\Drivers\vnccom.SYS [2004-06-26 6016]
    R3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\DRIVERS\rcvpn.sys [2005-11-08 24876]
    S3 kwkxusb;Kyocera CDMA Wireless Modem Driver;c:\windows\system32\DRIVERS\kwusb2k.sys [2004-11-29 29952]
    S3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\9.tmp [ ]
    S3 NAL;Nal Service ;c:\windows\system32\Drivers\iqvw32.sys [2005-12-13 20480]
    S4 nbs;nbs;c:\windows\system32\nbs.exe [ ]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    \Shell\AutoRun\command - E:\LaunchU3.exe -a
    .
    Contents of the 'Scheduled Tasks' folder

    2008-07-17 c:\windows\Tasks\BMMTask.job
    - c:\progra~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2005-04-20 01:38]
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-RunOnce-FdsT - %systemroot%\system32\knlzem.dll


    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - c:\documents and settings\JOannek\Application Data\Mozilla\Firefox\Profiles\u2711s2p.default\
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-11-05 22:39:31
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
    "ImagePath"="\??\c:\windows\system32\9.tmp"
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\ibmpmsvc.exe
    c:\windows\system32\ati2evxx.exe
    c:\windows\system32\S24EvMon.exe
    c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
    c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
    c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
    c:\program files\Symantec AntiVirus\DefWatch.exe
    c:\program files\LogMeIn\x86\ramaint.exe
    c:\program files\LogMeIn\x86\LogMeIn.exe
    c:\program files\LogMeIn\x86\LMIGuardian.exe
    c:\program files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
    c:\windows\system32\RegSrvc.exe
    c:\program files\Symantec AntiVirus\SavRoam.exe
    c:\program files\SalesLogix\SLXLoggingServer.exe
    c:\program files\Analog Devices\SoundMAX\SMAgent.exe
    c:\program files\SalesLogix\SLXSystem.exe
    c:\program files\Lenovo\System Update\SUService.exe
    c:\program files\Symantec AntiVirus\Rtvscan.exe
    c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
    c:\program files\Verizon Wireless\venturi\Client\VentC.exe
    c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
    c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
    c:\windows\system32\ati2evxx.exe
    c:\windows\system32\rundll32.exe
    c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    c:\program files\LogMeIn\x86\LMIGuardian.exe
    c:\program files\HP\Digital Imaging\bin\hpqste08.exe
    c:\program files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
    c:\windows\system32\imapi.exe
    .
    **************************************************************************
    .
    Completion time: 2008-11-05 22:48:52 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-11-06 05:48:46
    ComboFix2.txt 2008-10-31 00:00:26

    Pre-Run: 6,385,012,736 bytes free
    Post-Run: 6,389,608,448 bytes free

    220 --- E O F --- 2007-06-13 00:02:09



    Running RSIT and will post that next.
     
  10. 2008/11/06
    DianeR

    DianeR Inactive Thread Starter

    Joined:
    2008/11/04
    Messages:
    17
    Likes Received:
    0
    NEW RSIT LOG (um, I only got the log.txt file, but no info.txt... Should I have gotten both?)


    Logfile of random's system information tool 1.04 (written by random/random)
    Run by joannek at 2008-11-05 23:00:14
    Microsoft Windows XP Professional Service Pack 2
    System drive C: has 6 GB (24%) free of 26 GB
    Total RAM: 767 MB (39% free)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 23:00, on 2008-11-05
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\S24EvMon.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\LogMeIn\x86\RaMaint.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
    C:\WINDOWS\system32\RegSrvc.exe
    C:\Program Files\SalesLogix\SLXServer.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\SalesLogix\SLXLoggingServer.exe
    C:\Program Files\SalesLogix\SpeedSearch\Bin\SLXSearchService.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\Program Files\SalesLogix\SLXSystem.exe
    C:\WINDOWS\System32\svchost.exe
    c:\program files\lenovo\system update\suservice.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
    c:\program files\verizon wireless\venturi\Client\ventc.exe
    C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
    C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
    C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
    C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    C:\WINDOWS\system32\RunDll32.exe
    C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\JOannek\Desktop\RSIT.exe
    C:\Program Files\trend micro\joannek.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.345dh.cn?tg=7
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O1 - Hosts: 72.164.41.74 ftp.uniteddrugs.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
    O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
    O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
    O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
    O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
    O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
    O4 - HKLM\..\RunOnce: [Setup] MSIEXEC.EXE /i "\\SambaServ\public\IT\Network\end_user_apps\SalesLogix\1 Sales Logix Client\SalesLogix Client\SalesLogix Client.msi" /qf CLIENT_TYPE=2 BROWSER=Yes SETUPEXEDIR="\\SambaServ\public\IT\Network\end_user_apps\SalesLogix\1 Sales Logix Client\SalesLogix Client" AFTERREBOOT=1
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
    O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1172079149573
    O16 - DPF: {6D868B99-8B01-4B25-9BD1-ED37AFDF5E29} (Ontrack Data Recovery Verifile Data Reports) - http://www.ontrackdatarecovery.com/verifile/npvfasp.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=23100
    O16 - DPF: {F3E70CEA-956E-49CC-B444-73AFE593AD7F} - http://down.sandai.net/kankan/KanKanPlayer.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = phoenix02.uniteddrugs.com
    O17 - HKLM\Software\..\Telephony: DomainName = phoenix02.uniteddrugs.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = phoenix02.uniteddrugs.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = phoenix02.uniteddrugs.com
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
    O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
    O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
    O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
    O23 - Service: SalesLogix Server (SalesLogix Server Service) - Best Software, Inc. - C:\Program Files\SalesLogix\SLXServer.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: SalesLogix SpeedSearch (SlxSearch) - Best Software, Inc. - C:\Program Files\SalesLogix\SpeedSearch\Bin\SLXSearchService.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
    O23 - Service: Venturi Client (Venturi2) - Venturi Wireless - c:\program files\verizon wireless\venturi\Client\ventc.exe

    --
    End of file - 12237 bytes

    ======Scheduled tasks folder======

    C:\WINDOWS\tasks\BMMTask.job

    ======Registry dump======

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
    AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 63136]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
    SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
    Google Toolbar Helper - c:\program files\google\googletoolbar2.dll [2008-10-08 2403392]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
    AcroIEToolbarHelper Class - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2004-12-14 225280]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    {47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2004-12-14 225280]
    {2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar2.dll [2008-10-08 2403392]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "SynTPLpr"=C:\Program Files\Synaptics\SynTP\SynTPLpr.exe [2003-06-24 126976]
    "SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2003-06-24 561152]
    "Synchronization Manager"=C:\WINDOWS\system32\mobsync.exe [2004-08-04 143360]
    "Acrobat Assistant 7.0"=C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe [2004-12-14 483328]
    "ccApp"=C:\Program Files\Common Files\Symantec Shared\ccApp.exe [2006-07-19 52896]
    "vptray"=C:\PROGRA~1\SYMANT~1\VPTray.exe [2006-09-27 125168]
    "TVT Scheduler Proxy"=C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe [2006-12-10 536576]
    "ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2007-02-06 344064]
    "ACTray"=C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe [2007-05-17 413696]
    "ACWLIcon"=C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe [2007-05-17 126976]
    "SoundMAXPnP"=C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe [2004-10-14 1388544]
    "BMMGAG"=RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll []
    "BMMLREF"=C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE [2005-04-20 20480]
    "BMMMONWND"=C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll [2005-04-20 396288]
    "BLOG"=C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL [2005-04-20 208896]
    "LogMeIn GUI"=C:\Program Files\LogMeIn\x86\LogMeInSystray.exe [2007-08-03 63048]
    "HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [2005-05-11 49152]
    "MSConfig"=C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE [2005-09-26 169984]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "Setup"=MSIEXEC.EXE /i \\SambaServ\public\IT\Network\end_user_apps\SalesLogix\1 Sales Logix Client\SalesLogix Client\SalesLogix Client.msi /qf CLIENT_TYPE=2 BROWSER=Yes SETUPEXEDIR=\\SambaServ\public\IT\Network\end_user_apps\SalesLogix\1 Sales Logix Client\SalesLogix Client AFTERREBOOT=1 []

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
    C:\WINDOWS\AGRSMMSG.exe [2003-06-27 88363]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "wycl"=2
    "nbs"=2
    "imbs"=2
    "iWs"=2
    "exm"=2
    "52ting"=2
    "ngf"=2

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-07-23 352256]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ACNotify]
    C:\Program Files\ThinkPad\ConnectUtilities\ACNotify.dll [2007-05-17 32768]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
    C:\WINDOWS\system32\Ati2evxx.dll [2007-02-06 46080]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LMIinit]
    C:\WINDOWS\system32\LMIinit.dll [2008-10-17 87352]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
    C:\WINDOWS\system32\NavLogon.dll [2006-09-27 43760]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "notification packages"=scecli
    ACGina

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "dontdisplaylastusername"=0
    "legalnoticecaption"=
    "legalnoticetext"=
    "shutdownwithoutlogon"=1
    "undockwithoutlogon"=1

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "NoWelcomeScreen"=1
    "NoDrives"=0

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "NoDriveTypeAutoRun"=
    "NoDrives"=
    "NoDriveAutoRun"=

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    shell\AutoRun\command - E:\LaunchU3.exe -a


    ======List of files/folders created in the last 3 months======

    2008-11-05 22:59:07 ----A---- C:\ComboFix2.txt
    2008-11-05 22:48:53 ----A---- C:\ComboFix.txt
    2008-11-05 22:27:41 ----D---- C:\Qoobox
    2008-11-05 22:18:44 ----D---- C:\Documents and Settings\JOannek\Application Data\Mozilla
    2008-11-05 21:04:51 ----D---- C:\Program Files\Mozilla Firefox
    2008-11-05 16:50:48 ----D---- C:\Program Files\EsetOnlineScanner
    2008-11-05 14:52:43 ----A---- C:\WINDOWS\system32\tmp.txt
    2008-11-05 14:52:39 ----A---- C:\rapport.txt
    2008-11-04 18:13:19 ----D---- C:\Program Files\trend micro
    2008-11-04 18:13:18 ----D---- C:\rsit
    2008-11-04 12:56:20 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-11-04 12:55:56 ----D---- C:\Program Files\SUPERAntiSpyware
    2008-11-04 12:55:56 ----D---- C:\Documents and Settings\JOannek\Application Data\SUPERAntiSpyware.com
    2008-11-03 17:31:03 ----D---- C:\Program Files\outlook express
    2008-11-03 17:31:03 ----D---- C:\Program Files\msn gaming zone
    2008-11-03 10:16:56 ----D---- C:\WINDOWS\pss
    2008-10-31 15:43:57 ----D---- C:\Documents and Settings\JOannek\Application Data\HouseCall 6.6
    2008-10-31 12:55:17 ----D---- C:\Program Files\Sophos
    2008-10-31 12:27:44 ----D---- C:\WINDOWS\ERUNT
    2008-10-31 12:23:01 ----D---- C:\SDFix
    2008-10-31 10:55:38 ----D---- C:\Documents and Settings\JOannek\Application Data\Malwarebytes
    2008-10-31 10:55:21 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-10-31 10:55:20 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
    2008-10-30 17:03:56 ----D---- C:\fixwareout
    2008-10-30 17:03:40 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
    2008-10-30 17:00:30 ----D---- C:\WINDOWS\temp
    2008-10-30 16:10:08 ----A---- C:\WINDOWS\zip.exe
    2008-10-30 16:10:08 ----A---- C:\WINDOWS\VFIND.exe
    2008-10-30 16:10:08 ----A---- C:\WINDOWS\SWXCACLS.exe
    2008-10-30 16:10:08 ----A---- C:\WINDOWS\SWSC.exe
    2008-10-30 16:10:08 ----A---- C:\WINDOWS\SWREG.exe
    2008-10-30 16:10:08 ----A---- C:\WINDOWS\sed.exe
    2008-10-30 16:10:08 ----A---- C:\WINDOWS\NIRCMD.exe
    2008-10-30 16:10:08 ----A---- C:\WINDOWS\grep.exe
    2008-10-30 16:10:08 ----A---- C:\WINDOWS\fdsv.exe
    2008-10-30 16:10:07 ----D---- C:\WINDOWS\ERDNT
    2008-10-30 15:56:19 ----A---- C:\WINDOWS\ntbtlog.txt
    2008-10-22 16:37:00 ----A---- C:\WINDOWS\system32\tmpacj1.exe
    2008-10-22 16:33:28 ----D---- C:\WINDOWS\Window Med1a
    2008-10-22 14:04:11 ----D---- C:\WINDOWS\system32\Patch
    2008-10-22 14:04:08 ----D---- C:\WINDOWS\system32\inf
    2008-10-22 14:03:45 ----A---- C:\WINDOWS\system32\Slxc.exe
    2008-10-22 14:03:45 ----A---- C:\WINDOWS\system32\Sltc.exe
    2008-10-14 11:03:27 ----A---- C:\WINDOWS\system32\wmpns.dll
    2008-10-08 08:54:13 ----D---- C:\Documents and Settings\JOannek\Application Data\Google
    2008-10-08 08:51:16 ----D---- C:\WINDOWS\Sun
    2008-10-08 08:51:16 ----D---- C:\Documents and Settings\JOannek\Application Data\Sun
    2008-10-08 08:45:50 ----D---- C:\Documents and Settings\All Users\Application Data\Google
    2008-10-08 08:45:48 ----D---- C:\Program Files\Google
    2008-10-08 08:45:30 ----A---- C:\WINDOWS\system32\javaws.exe
    2008-10-08 08:45:30 ----A---- C:\WINDOWS\system32\javaw.exe
    2008-10-08 08:45:30 ----A---- C:\WINDOWS\system32\java.exe
    2008-10-08 08:44:42 ----D---- C:\Program Files\Java
    2008-10-08 08:43:37 ----D---- C:\Program Files\Common Files\Java
    2008-09-02 10:41:20 ----A---- C:\WINDOWS\ModemLog_Kyocera CDMA Wireless Modem #3.txt
    2008-09-02 10:18:20 ----D---- C:\OldArchivedOutlook
    2008-09-02 08:08:20 ----D---- C:\Restore
    2008-08-29 16:51:12 ----D---- C:\HD_Recovery
    2008-08-21 10:37:38 ----HD---- C:\WINDOWS\PIF
    2008-08-21 08:06:32 ----D---- C:\Program Files\Ontrack Data Recovery
    2008-08-20 20:04:55 ----D---- C:\Documents and Settings\JOannek\Application Data\CoreFTP
    2008-08-20 20:04:19 ----D---- C:\Program Files\CoreFTP
    2008-08-15 11:22:00 ----D---- C:\Program Files\Citrix
    2008-08-06 12:27:22 ----D---- C:\Back 10-20-08

    ======List of files/folders modified in the last 3 months======

    2008-11-05 22:59:57 ----D---- C:\Downloads
    2008-11-05 22:51:23 ----D---- C:\Program Files\Symantec AntiVirus
    2008-11-05 22:48:59 ----D---- C:\WINDOWS\system32
    2008-11-05 22:48:57 ----D---- C:\WINDOWS
    2008-11-05 22:48:47 ----D---- C:\WINDOWS\Prefetch
    2008-11-05 22:39:07 ----A---- C:\WINDOWS\system.ini
    2008-11-05 22:38:29 ----D---- C:\WINDOWS\system32\CatRoot2
    2008-11-05 22:36:16 ----D---- C:\WINDOWS\system32\drivers
    2008-11-05 22:34:49 ----D---- C:\WINDOWS\system32\config
    2008-11-05 22:32:09 ----D---- C:\WINDOWS\AppPatch
    2008-11-05 22:32:09 ----D---- C:\Program Files\Common Files
    2008-11-05 22:29:09 ----A---- C:\WINDOWS\SchedLgU.Txt
    2008-11-05 22:28:31 ----SHD---- C:\System Volume Information
    2008-11-05 22:28:31 ----D---- C:\WINDOWS\system32\Restore
    2008-11-05 22:17:29 ----D---- C:\WINDOWS\security
    2008-11-05 21:10:55 ----RSHDC---- C:\WINDOWS\system32\dllcache
    2008-11-05 21:04:51 ----RD---- C:\Program Files
    2008-11-05 20:22:04 ----D---- C:\Program Files\Internet Explorer
    2008-11-05 16:49:25 ----SD---- C:\WINDOWS\Downloaded Program Files
    2008-11-05 09:03:21 ----D---- C:\Program Files\LogMeIn
    2008-11-04 16:12:06 ----RASH---- C:\boot.ini
    2008-11-04 16:12:06 ----A---- C:\WINDOWS\win.ini
    2008-11-04 12:56:06 ----SHD---- C:\WINDOWS\Installer
    2008-11-04 12:56:06 ----HD---- C:\Config.Msi
    2008-11-03 16:47:15 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
    2008-11-03 15:55:32 ----SHD---- C:\WINDOWS\CSC
    2008-11-03 14:03:40 ----D---- C:\WINDOWS\Help
    2008-10-31 12:54:33 ----D---- C:\Temp
    2008-10-31 12:22:31 ----D---- C:\Program Files\ZipCentral
    2008-10-30 16:06:46 ----D---- C:\Documents and Settings\JOannek\Application Data\U3
    2008-10-29 10:17:15 ----D---- C:\Program Files\SalesLogix
    2008-10-29 08:08:06 ----A---- C:\WINDOWS\system32\gvc_trace.txt
    2008-10-27 09:35:43 ----D---- C:\WINDOWS\system
    2008-10-23 10:50:27 ----A---- C:\WINDOWS\ModemLog_Kyocera CDMA Wireless Modem #2.txt
    2008-10-22 16:34:59 ----D---- C:\Program Files\Microsoft Office
    2008-10-17 15:34:33 ----A---- C:\WINDOWS\ModemLog_Agere Systems AC'97 Modem.txt
    2008-10-17 15:30:23 ----D---- C:\WINDOWS\network diagnostic
    2008-10-17 08:07:02 ----A---- C:\WINDOWS\system32\LMIRfsClientNP.dll
    2008-10-17 08:07:00 ----A---- C:\WINDOWS\system32\LMIport.dll
    2008-10-17 08:07:00 ----A---- C:\WINDOWS\system32\lmimirr2.dll
    2008-10-17 08:06:59 ----A---- C:\WINDOWS\system32\lmimirr.dll
    2008-10-17 08:06:59 ----A---- C:\WINDOWS\system32\LMIinit.dll
    2008-10-15 13:43:28 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
    2008-10-14 11:04:35 ----SD---- C:\Documents and Settings\JOannek\Application Data\Microsoft
    2008-08-20 23:02:21 ----D---- C:\SalesLogixLoad
    2008-08-20 23:02:15 ----D---- C:\Documents and Settings\All Users\Application Data\SalesLogix

    ======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

    R1 ANC;ANC; C:\WINDOWS\System32\drivers\ANC.SYS [2005-11-08 11520]
    R1 eeCtrl;Symantec Eraser Control driver; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys []
    R1 IBMTPCHK;IBMTPCHK; \??\C:\WINDOWS\system32\Drivers\IBMBLDID.sys []
    R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2004-08-03 36096]
    R1 RCFOX;SonicWALL IPsec Driver; \??\C:\WINDOWS\system32\Drivers\RCFOX.sys []
    R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
    R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
    R1 SAVRT;SAVRT; \??\C:\Program Files\Symantec AntiVirus\savrt.sys []
    R1 SAVRTPEL;SAVRTPEL; \??\C:\Program Files\Symantec AntiVirus\Savrtpel.sys []
    R1 Smapint;Smapint; C:\WINDOWS\System32\drivers\Smapint.sys [2006-10-02 14848]
    R1 SPBBCDrv;SPBBCDrv; \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys []
    R1 SYMTDI;SYMTDI; C:\WINDOWS\System32\Drivers\SYMTDI.SYS [2006-08-07 195776]
    R1 TDSMAPI;TDSMAPI; C:\WINDOWS\System32\drivers\TDSMAPI.SYS [2006-10-02 9343]
    R1 TPPWR;TPPWR; C:\WINDOWS\System32\drivers\Tppwr.sys [2005-04-20 16384]
    R1 TSMAPIP;TSMAPIP; C:\WINDOWS\System32\drivers\TSMAPIP.SYS [2007-03-09 7168]
    R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2001-08-23 12032]
    R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.2.0.3; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2007-06-25 17801]
    R2 irda;IrDA Protocol; C:\WINDOWS\System32\DRIVERS\irda.sys [2004-08-03 87424]
    R2 LMIInfo;LogMeIn Kernel Information Provider; \??\C:\Program Files\LogMeIn\x86\RaInfo.sys []
    R2 LMIRfsDriver;LogMeIn Remote File System Driver; \??\C:\WINDOWS\system32\drivers\LMIRfsDriver.sys []
    R2 mdmxsdk;mdmxsdk; C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys [2004-03-17 13059]
    R2 rspndr;Link-Layer Topology Discovery Responder; C:\WINDOWS\system32\DRIVERS\rspndr.sys [2006-11-08 62336]
    R2 s24trans;WLAN Transport; C:\WINDOWS\system32\DRIVERS\s24trans.sys [2006-06-16 10970]
    R2 vnccom;vnccom; C:\WINDOWS\System32\Drivers\vnccom.SYS [2004-06-26 6016]
    R3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys [2005-03-04 127872]
    R3 AgereSoftModem;Agere Systems Soft Modem; C:\WINDOWS\system32\DRIVERS\AGRSM.sys [2003-06-27 1196352]
    R3 ati2mtag;ati2mtag; C:\WINDOWS\System32\DRIVERS\ati2mtag.sys [2007-02-06 1133568]
    R3 CmBatt;Microsoft AC Adapter Driver; C:\WINDOWS\System32\DRIVERS\CmBatt.sys [2004-08-03 14080]
    R3 DNE;Deterministic Network Enhancer Miniport; C:\WINDOWS\system32\DRIVERS\dne2000.sys [2007-07-09 128144]
    R3 E100B;Intel(R) PRO Network Connection Driver; C:\WINDOWS\System32\DRIVERS\e100b325.sys [2006-01-12 163328]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys []
    R3 IBMPMDRV;IBMPMDRV; C:\WINDOWS\System32\DRIVERS\ibmpmdrv.sys [2007-02-27 21040]
    R3 lmimirr;lmimirr; C:\WINDOWS\system32\DRIVERS\lmimirr.sys [2007-08-03 10144]
    R3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20081105.004\naveng.sys []
    R3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20081105.004\navex15.sys []
    R3 NSCIRDA;NSC Infrared Device Driver; C:\WINDOWS\System32\DRIVERS\nscirda.sys [2004-08-03 28672]
    R3 psadd;Lenovo Parties Service Access Device Driver; C:\WINDOWS\system32\DRIVERS\psadd.sys [2006-09-12 28224]
    R3 Rasirda;WAN Miniport (IrDA); C:\WINDOWS\System32\DRIVERS\rasirda.sys [2001-08-17 19584]
    R3 rcvpn;SonicWALL VPN Adapter; C:\WINDOWS\system32\DRIVERS\rcvpn.sys [2005-11-08 24876]
    R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
    R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2005-03-28 220992]
    R3 SymEvent;SymEvent; \??\C:\Program Files\Symantec\SYMEVENT.SYS []
    R3 SYMREDRV;SYMREDRV; C:\WINDOWS\System32\Drivers\SYMREDRV.SYS [2006-08-07 24768]
    R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\System32\DRIVERS\SynTP.sys [2003-06-24 265744]
    R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2006-10-23 30208]
    R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2006-10-23 59264]
    R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2006-10-23 20608]
    R3 vncdrv;vncdrv; C:\WINDOWS\system32\DRIVERS\vncdrv.sys [2004-06-26 4736]
    R3 w70n51;Intel(R) PRO/Wireless 7100 Adapter Driver for Windows XP; C:\WINDOWS\system32\DRIVERS\w70n51.sys [2006-07-13 674560]
    S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-03 14848]
    S3 CVirtA;Cisco Systems VPN Adapter; C:\WINDOWS\system32\DRIVERS\CVirtA.sys [2005-05-17 5315]
    S3 E1000;Intel(R) PRO/1000 Network Connection Driver; C:\WINDOWS\System32\DRIVERS\e1000325.sys [2006-04-27 164352]
    S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
    S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2005-12-16 51120]
    S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2005-12-16 16496]
    S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2005-12-16 21744]
    S3 HSF_DPV;HSF_DPV; C:\WINDOWS\System32\DRIVERS\HSF_DPV.sys [2005-01-25 1038208]
    S3 HSFHWICH;HSFHWICH; C:\WINDOWS\System32\DRIVERS\HSFHWICH.sys [2005-01-25 207616]
    S3 kwkxusb;Kyocera CDMA Wireless Modem Driver; C:\WINDOWS\system32\DRIVERS\kwusb2k.sys [2004-11-29 29952]
    S3 MEMSWEEP2;MEMSWEEP2; \??\C:\WINDOWS\system32\9.tmp []
    S3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
    S3 NAL;Nal Service ; \??\C:\WINDOWS\system32\Drivers\iqvw32.sys []
    S3 SMNDIS5;SMNDIS5 NDIS Protocol Driver; \??\C:\PROGRA~1\VERIZO~1\VZACCE~1\SMNDIS5.SYS []
    S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 31616]
    S3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2006-10-23 17152]
    S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
    S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
    S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
    S3 vsdatant;vsdatant; \??\C:\WINDOWS\system32\vsdatant.sys []
    S3 w29n51;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows XP; C:\WINDOWS\system32\DRIVERS\w29n51.sys [2007-04-04 2208768]
    S3 winachsf;winachsf; C:\WINDOWS\System32\DRIVERS\HSF_CNXT.sys [2005-01-25 703616]
    S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
    S4 LMIRfsClientNP;LMIRfsClientNP; C:\WINDOWS\system32\drivers\LMIRfsClientNP.sys []

    ======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

    R2 AcPrfMgrSvc;Ac Profile Manager Service; C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe [2007-05-17 65536]
    R2 AcSvc;Access Connections Main Service; C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe [2007-05-17 184320]
    R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2007-02-06 364544]
    R2 ccEvtMgr;Symantec Event Manager; C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe [2006-07-19 192160]
    R2 ccSetMgr;Symantec Settings Manager; C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe [2006-07-19 169632]
    R2 DefWatch;Symantec AntiVirus Definition Watcher; C:\Program Files\Symantec AntiVirus\DefWatch.exe [2006-09-27 31472]
    R2 IBMPMSVC;ThinkPad PM Service; C:\WINDOWS\system32\ibmpmsvc.exe [2007-02-27 36400]
    R2 Irmon;Infrared Monitor; C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
    R2 LMIMaint;LogMeIn Maintenance Service; C:\Program Files\LogMeIn\x86\RaMaint.exe [2008-10-17 116032]
    R2 LogMeIn;LogMeIn; C:\Program Files\LogMeIn\x86\LogMeIn.exe [2007-08-03 63040]
    R2 MSSQLSERVER;MSSQLSERVER; C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe [2002-12-17 7520337]
    R2 RegSrvc;RegSrvc; C:\WINDOWS\system32\RegSrvc.exe [2006-06-16 122880]
    R2 S24EventMonitor;Spectrum24 Event Monitor; C:\WINDOWS\system32\S24EvMon.exe [2006-06-16 426051]
    R2 SalesLogix Server Service;SalesLogix Server; C:\Program Files\SalesLogix\SLXServer.exe [2006-10-16 536576]
    R2 SavRoam;SAVRoam; C:\Program Files\Symantec AntiVirus\SavRoam.exe [2006-09-27 116464]
    R2 SlxSearch;SalesLogix SpeedSearch; C:\Program Files\SalesLogix\SpeedSearch\Bin\SLXSearchService.exe [2007-01-05 940544]
    R2 SoundMAX Agent Service (default);SoundMAX Agent Service; C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe [2002-09-20 45056]
    R2 SPBBCSvc;Symantec SPBBCSvc; C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe [2006-04-11 1160848]
    R2 SUService;System Update; c:\program files\lenovo\system update\suservice.exe [2007-02-12 13312]
    R2 Symantec AntiVirus;Symantec AntiVirus; C:\Program Files\Symantec AntiVirus\Rtvscan.exe [2006-09-27 1813232]
    R2 TVT Scheduler;TVT Scheduler; C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe [2006-12-10 1118208]
    R2 Venturi2;Venturi Client; c:\program files\verizon wireless\venturi\Client\ventc.exe [2005-01-24 1204306]
    S2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2004-09-29 69632]
    S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
    S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
    S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-10-08 138168]
    S3 LiveUpdate;LiveUpdate; C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE [2006-09-02 2528960]
    S3 MSSQLServerADHelper;MSSQLServerADHelper; C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe [2002-12-17 66112]
    S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
    S3 RampartSvc;SonicWall VPN Client Service; C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe [2007-09-27 230672]
    S3 SNDSrvc;Symantec Network Drivers Service; C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe [2006-08-07 214720]
    S3 SQLSERVERAGENT;SQLSERVERAGENT; C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlagent.EXE [2002-12-17 311872]
    S4 nbs;nbs; C:\WINDOWS\system32\nbs.exe []

    -----------------EOF-----------------
     
  11. 2008/11/06
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I will look over these logs the evening after work. In the meantime, please post the contents of C:\Qoobox\ComboFix.txt

    The info.txt file will only be created the first time RSIT is run.
     
  12. 2008/11/10
    DianeR

    DianeR Inactive Thread Starter

    Joined:
    2008/11/04
    Messages:
    17
    Likes Received:
    0
    Here is the combofix file from 10/30. (was also posted as part of #7, I thought)

    ComboFix 08-10-30.04 - joannek 2008-10-30 16:45:31.2 - NTFSx86 NETWORK
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.622 [GMT -7:00]
    Running from: C:\Documents and Settings\JOannek\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2008-09-28 to 2008-10-30 )))))))))))))))))))))))))))))))
    .

    2008-10-30 16:13 . 2001-08-23 05:00 4,224 --a------ C:\WINDOWS\system32\drivers\beep.sys
    2008-10-29 15:19 . 2008-10-29 15:19 <DIR> d---s---- C:\Documents and Settings\LocalService\UserData
    2008-10-29 10:35 . 2008-10-29 10:34 61,440 -rahs---- C:\WINDOWS\EXVPL81K7.exe
    2008-10-29 10:35 . 2008-10-29 10:35 28,672 --a------ C:\WINDOWS\0UFC90.exe
    2008-10-29 09:02 . 2008-10-29 09:02 20,992 ---hs---- C:\WINDOWS\system32\wycl.exe
    2008-10-29 08:32 . 2008-10-29 08:32 20,992 ---hs---- C:\WINDOWS\system32\nbss.exe
    2008-10-27 10:16 . 2008-10-27 10:16 20,992 ---hs---- C:\WINDOWS\system32\exm.exe
    2008-10-27 08:25 . 2008-10-27 08:25 1,308 --a------ C:\sssb.exe
    2008-10-27 08:24 . 2008-10-27 08:24 20,992 --a------ C:\sssd.exe
    2008-10-22 16:37 . 2004-08-04 00:56 388,608 --a------ C:\WINDOWS\system32\tmpacj1.exe
    2008-10-22 16:33 . 2008-10-27 09:40 <DIR> d-------- C:\WINDOWS\Window Med1a
    2008-10-22 14:04 . 2008-10-22 15:56 <DIR> d-------- C:\WINDOWS\system32\Patch
    2008-10-22 14:04 . 2008-10-30 16:12 <DIR> d-------- C:\WINDOWS\system32\inf
    2008-10-22 14:04 . 2008-10-22 14:04 20,992 ---hs---- C:\WINDOWS\system32\wat.exe
    2008-10-22 14:04 . 2008-10-22 14:03 20,992 ---hs---- C:\WINDOWS\system32\iWs.exe
    2008-10-22 14:03 . 2008-10-27 09:39 <DIR> d-------- C:\WINDOWS\system32\Studio
    2008-10-22 14:03 . 2004-08-04 00:56 388,608 --a------ C:\WINDOWS\system32\Sltc.exe
    2008-10-22 14:03 . 2008-10-22 14:03 65,536 --a------ C:\WINDOWS\system32\SysSetup.xml
    2008-10-22 14:03 . 2004-08-04 00:56 42,496 --a------ C:\WINDOWS\system32\Slxc.exe
    2008-10-20 10:03 . 2008-10-20 10:03 60,744 --a------ C:\Documents and Settings\JOannek\g2mdlhlpx.exe
    2008-10-14 11:03 . 2004-08-04 00:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
    2008-10-08 08:51 . 2008-10-08 08:51 <DIR> d-------- C:\WINDOWS\Sun
    2008-10-08 08:45 . 2008-10-14 07:17 <DIR> d-------- C:\Program Files\Google
    2008-10-08 08:45 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
    2008-10-08 08:44 . 2008-10-08 08:45 <DIR> d-------- C:\Program Files\Java
    2008-10-08 08:43 . 2008-10-08 08:43 <DIR> d-------- C:\Program Files\Common Files\Java
    2008-09-02 10:18 . 2008-09-02 10:18 <DIR> d-------- C:\OldArchivedOutlook
    2008-09-02 08:08 . 2008-09-02 09:54 <DIR> d-------- C:\Restore

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-10-30 23:06 --------- d-----w C:\Documents and Settings\JOannek\Application Data\U3
    2008-10-30 22:46 --------- d-----w C:\Program Files\Symantec AntiVirus
    2008-10-30 22:42 --------- d-----w C:\Program Files\LogMeIn
    2008-10-29 17:17 --------- d-----w C:\Program Files\SalesLogix
    2008-10-17 15:07 47,640 ----a-w C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
    2008-10-15 15:13 --------- d-----w C:\Program Files\ZipCentral
    2004-08-04 07:56 461,085 --sh--w C:\WINDOWS\system32\agent.exe
    .

    ((((((((((((((((((((((((((((( snapshot@2008-10-30_16.27.07.68 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-07-17 07:55:32 70,934 ----a-w C:\WINDOWS\system32\perfc009.dat
    + 2008-10-30 23:23:23 70,532 ----a-w C:\WINDOWS\system32\perfc009.dat
    - 2008-07-17 07:55:32 422,366 ----a-w C:\WINDOWS\system32\perfh009.dat
    + 2008-10-30 23:23:23 421,798 ----a-w C:\WINDOWS\system32\perfh009.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-06-24 126976]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-06-24 561152]
    "Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 143360]
    "Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
    "vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 125168]
    "TVT Scheduler Proxy"="C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2006-12-10 536576]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2007-02-06 344064]
    "ACTray"="C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe" [2007-05-17 413696]
    "ACWLIcon"="C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-05-17 126976]
    "SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
    "BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2005-04-20 110592]
    "BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [2005-04-20 20480]
    "BMMMONWND"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2005-04-20 396288]
    "BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-04-20 208896]
    "LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 63048]
    "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 C:\WINDOWS\AGRSMMSG.exe]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "GrpConv"="grpconv -o" [X]
    "FdsT"="%systemroot%\system32\knlzem.dll" [BU]
    "Setup"="MSIEXEC.EXE" [2005-05-04 C:\WINDOWS\system32\msiexec.exe]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]
    Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoWelcomeScreen"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
    2007-05-17 11:41 32768 C:\Program Files\ThinkPad\ConnectUtilities\ACNotify.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    2008-10-17 08:06 87352 C:\WINDOWS\system32\LMIinit.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages REG_MULTI_SZ scecli ACGina

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-286463997-3611086172-1349692979-1181\Scripts\Logon\0\0]
    "Script"=login.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-286463997-3611086172-1349692979-1181\Scripts\Logon\1\0]
    "Script"=inventory.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-286463997-3611086172-1349692979-1181\Scripts\Logon\2\0]
    "Script"=mapdrv.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-286463997-3611086172-1349692979-1187\Scripts\Logon\0\0]
    "Script"=login.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-286463997-3611086172-1349692979-1187\Scripts\Logon\1\0]
    "Script"=inventory.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-286463997-3611086172-1349692979-1187\Scripts\Logon\2\0]
    "Script"=mapdrv.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-286463997-3611086172-1349692979-1319\Scripts\Logon\0\0]
    "Script"=login.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-286463997-3611086172-1349692979-1319\Scripts\Logon\1\0]
    "Script"=mapdrv.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    R0 zntbv;zntbv;C:\WINDOWS\system32\drivers\zntbv.sys [2004-08-04 25312]
    R1 RCFOX;SonicWALL IPsec Driver;C:\WINDOWS\system32\Drivers\RCFOX.sys [2007-09-27 101528]
    R3 rcvpn;SonicWALL VPN Adapter;C:\WINDOWS\system32\DRIVERS\rcvpn.sys [2005-11-08 24876]
    S1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2005-11-08 11520]
    S1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\Drivers\IBMBLDID.sys [2007-04-02 4224]
    S1 TPPWR;TPPWR;C:\WINDOWS\system32\drivers\Tppwr.sys [2005-04-20 16384]
    S2 52ting;52ting;C:\WINDOWS\system32\wat.exe [2008-10-22 20992]
    S2 agent;agent;C:\WINDOWS\System32\agent.exe [2004-08-04 461085]
    S2 exm;exm;C:\WINDOWS\system32\exm.exe [2008-10-27 20992]
    S2 iWs;iWs;C:\WINDOWS\system32\iWs.exe [2008-10-22 20992]
    S2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2008-02-28 12856]
    S2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2008-10-17 47640]
    S2 nbss;nbss;C:\WINDOWS\system32\nbss.exe [2008-10-29 20992]
    S2 SalesLogix Server Service;SalesLogix Server;C:\Program Files\SalesLogix\SLXServer.exe [2006-10-16 536576]
    S2 SlxSearch;SalesLogix SpeedSearch;C:\Program Files\SalesLogix\SpeedSearch\Bin\SLXSearchService.exe [2007-01-05 940544]
    S2 vnccom;vnccom;C:\WINDOWS\system32\Drivers\vnccom.SYS [2004-06-26 6016]
    S2 wycl;wycl;C:\WINDOWS\system32\wycl.exe [2008-10-29 20992]
    S3 0ZV5JYXOJE13;M5BP29AYUB;C:\WINDOWS\Z6ZKRP8PKT6.txt [2008-10-29 3045]
    S3 kwkxusb;Kyocera CDMA Wireless Modem Driver;C:\WINDOWS\system32\DRIVERS\kwusb2k.sys [2004-11-29 29952]
    S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2005-12-13 20480]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    \Shell\AutoRun\command - E:\LaunchU3.exe -a
    .
    Contents of the 'Scheduled Tasks' folder

    2008-07-17 C:\WINDOWS\Tasks\BMMTask.job
    - C:\PROGRA~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2005-04-20 01:38]
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-RunOnce-<NO NAME> - (no file)


    .
    ------- Supplementary Scan -------
    .
    R0 -: HKCU-Main,Start Page = www.345dh.cn?tg=7
    O8 -: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 -: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 -: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 -: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 -: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 -: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 -: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 -: Convert to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O18 -: Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - C:\Program Files\CoreFTP\pftpns.dll

    O16 -: {6D868B99-8B01-4B25-9BD1-ED37AFDF5E29} - hxxp://www.ontrackdatarecovery.com/verifile/npvfasp.cab
    C:\WINDOWS\Downloaded Program Files\npVfAsp.inf
    C:\WINDOWS\system32\npVfAspFrench.dll
    C:\WINDOWS\system32\npVfAspGerman.dll
    C:\WINDOWS\system32\npVfAspItalian.dll
    C:\WINDOWS\system32\npVfAspJapanese.dll
    C:\WINDOWS\system32\npVfAspSpanish.dll
    C:\WINDOWS\system32\npVfAspPolish.dll
    C:\WINDOWS\system32\npVfAspRussian.dll
    C:\WINDOWS\Downloaded Program Files\npVfAsp.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-10-30 16:52:45
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\0ZV5JYXOJE13]
    "ImagePath"="\??\C:\WINDOWS\Z6ZKRP8PKT6.txt"
    .
    Completion time: 2008-10-30 17:00:25 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-10-31 00:00:21
    ComboFix2.txt 2008-10-30 23:27:35

    Pre-Run: 4,877,205,504 bytes free
    Post-Run: 4,863,451,136 bytes free

    191 --- E O F --- 2007-06-13 00:02:09
     
  13. 2008/11/10
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    That is the same log, and not the one I was looking for. I was hoping to see what was in the first ComboFix report. Its header would show a 1 where I have bolded red below (and a different time of course).

    ComboFix 08-10-30.04 - joannek 2008-10-30 16:45:31.2

    It's been long enough since we saw a report though that I feel a new RSIT log is in order, to see what, if anything, has changed. Please include details of the machine's current behavior.
     
  14. 2008/11/10
    DianeR

    DianeR Inactive Thread Starter

    Joined:
    2008/11/04
    Messages:
    17
    Likes Received:
    0
    Sorry... I don't see that one. :-(

    Here's the latest though...

    Logfile of random's system information tool 1.04 (written by random/random)
    Run by joannek at 2008-11-10 17:32:51
    Microsoft Windows XP Professional Service Pack 2
    System drive C: has 6 GB (23%) free of 26 GB
    Total RAM: 767 MB (36% free)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 17:33, on 2008-11-10
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\S24EvMon.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\LogMeIn\x86\RaMaint.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
    C:\WINDOWS\system32\RegSrvc.exe
    C:\Program Files\SalesLogix\SLXServer.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\SalesLogix\SLXLoggingServer.exe
    C:\Program Files\SalesLogix\SpeedSearch\Bin\SLXSearchService.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\Program Files\SalesLogix\SLXSystem.exe
    C:\WINDOWS\System32\svchost.exe
    c:\program files\lenovo\system update\suservice.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
    c:\program files\verizon wireless\venturi\Client\ventc.exe
    C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
    C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
    C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
    C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    C:\WINDOWS\system32\RunDll32.exe
    C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\JOannek\Desktop\RSIT.exe
    C:\Program Files\trend micro\joannek.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.345dh.cn?tg=7
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O1 - Hosts: 72.164.41.74 ftp.uniteddrugs.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
    O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
    O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
    O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
    O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
    O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
    O4 - HKLM\..\RunOnce: [Setup] MSIEXEC.EXE /i "\\SambaServ\public\IT\Network\end_user_apps\SalesLogix\1 Sales Logix Client\SalesLogix Client\SalesLogix Client.msi" /qf CLIENT_TYPE=2 BROWSER=Yes SETUPEXEDIR= "\\SambaServ\public\IT\Network\end_user_apps\SalesLogix\1 Sales Logix Client\SalesLogix Client" AFTERREBOOT=1
    O4 - HKLM\..\RunOnce: [FdsT] %systemroot%\system32\rundll32.exe %systemroot%\system32\knlzem.dll,DllRegisterServer
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
    O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1172079149573
    O16 - DPF: {6D868B99-8B01-4B25-9BD1-ED37AFDF5E29} (Ontrack Data Recovery Verifile Data Reports) - http://www.ontrackdatarecovery.com/verifile/npvfasp.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=23100
    O16 - DPF: {F3E70CEA-956E-49CC-B444-73AFE593AD7F} - http://down.sandai.net/kankan/KanKanPlayer.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = phoenix02.uniteddrugs.com
    O17 - HKLM\Software\..\Telephony: DomainName = phoenix02.uniteddrugs.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = phoenix02.uniteddrugs.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = phoenix02.uniteddrugs.com
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
    O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
    O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
    O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
    O23 - Service: SalesLogix Server (SalesLogix Server Service) - Best Software, Inc. - C:\Program Files\SalesLogix\SLXServer.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: SalesLogix SpeedSearch (SlxSearch) - Best Software, Inc. - C:\Program Files\SalesLogix\SpeedSearch\Bin\SLXSearchService.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
    O23 - Service: Venturi Client (Venturi2) - Venturi Wireless - c:\program files\verizon wireless\venturi\Client\ventc.exe

    --
    End of file - 12386 bytes

    ======Scheduled tasks folder======

    C:\WINDOWS\tasks\BMMTask.job

    ======Registry dump======

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
    AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 63136]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
    SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
    Google Toolbar Helper - c:\program files\google\googletoolbar2.dll [2008-10-08 2403392]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
    AcroIEToolbarHelper Class - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2004-12-14 225280]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    {47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2004-12-14 225280]
    {2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar2.dll [2008-10-08 2403392]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "SynTPLpr"=C:\Program Files\Synaptics\SynTP\SynTPLpr.exe [2003-06-24 126976]
    "SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2003-06-24 561152]
    "Synchronization Manager"=C:\WINDOWS\system32\mobsync.exe [2004-08-04 143360]
    "Acrobat Assistant 7.0"=C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe [2004-12-14 483328]
    "ccApp"=C:\Program Files\Common Files\Symantec Shared\ccApp.exe [2006-07-19 52896]
    "vptray"=C:\PROGRA~1\SYMANT~1\VPTray.exe [2006-09-27 125168]
    "TVT Scheduler Proxy"=C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe [2006-12-10 536576]
    "ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2007-02-06 344064]
    "ACTray"=C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe [2007-05-17 413696]
    "ACWLIcon"=C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe [2007-05-17 126976]
    "SoundMAXPnP"=C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe [2004-10-14 1388544]
    "BMMGAG"=RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll []
    "BMMLREF"=C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE [2005-04-20 20480]
    "BMMMONWND"=C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll [2005-04-20 396288]
    "BLOG"=C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL [2005-04-20 208896]
    "LogMeIn GUI"=C:\Program Files\LogMeIn\x86\LogMeInSystray.exe [2007-08-03 63048]
    "HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [2005-05-11 49152]
    "MSConfig"=C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE [2005-09-26 169984]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "Setup"=MSIEXEC.EXE /i \\SambaServ\public\IT\Network\end_user_apps\SalesLogix\1 Sales Logix Client\SalesLogix Client\SalesLogix Client.msi /qf CLIENT_TYPE=2 BROWSER=Yes SETUPEXEDIR=\\SambaServ\public\IT\Network\end_user_apps\SalesLogix\1 Sales Logix Client\SalesLogix Client AFTERREBOOT=1 []
    "FdsT"=C:\WINDOWS\system32\knlzem.dll []

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
    C:\WINDOWS\AGRSMMSG.exe [2003-06-27 88363]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "wycl"=2
    "nbs"=2
    "imbs"=2
    "iWs"=2
    "exm"=2
    "52ting"=2
    "ngf"=2

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-07-23 352256]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ACNotify]
    C:\Program Files\ThinkPad\ConnectUtilities\ACNotify.dll [2007-05-17 32768]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
    C:\WINDOWS\system32\Ati2evxx.dll [2007-02-06 46080]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LMIinit]
    C:\WINDOWS\system32\LMIinit.dll [2008-10-17 87352]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
    C:\WINDOWS\system32\NavLogon.dll [2006-09-27 43760]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "notification packages"=scecli
    ACGina

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "dontdisplaylastusername"=0
    "legalnoticecaption"=
    "legalnoticetext"=
    "shutdownwithoutlogon"=1
    "undockwithoutlogon"=1

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "NoWelcomeScreen"=1
    "NoDrives"=0

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "NoDriveTypeAutoRun"=
    "NoDrives"=
    "NoDriveAutoRun"=

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    shell\AutoRun\command - E:\LaunchU3.exe -a


    ======List of files/folders created in the last 3 months======

    2008-11-05 22:59:07 ----A---- C:\ComboFix2.txt
    2008-11-05 22:48:53 ----A---- C:\ComboFix.txt
    2008-11-05 22:27:41 ----D---- C:\Qoobox
    2008-11-05 22:18:44 ----D---- C:\Documents and Settings\JOannek\Application Data\Mozilla
    2008-11-05 21:04:51 ----D---- C:\Program Files\Mozilla Firefox
    2008-11-05 16:50:48 ----D---- C:\Program Files\EsetOnlineScanner
    2008-11-05 14:52:43 ----A---- C:\WINDOWS\system32\tmp.txt
    2008-11-05 14:52:39 ----A---- C:\rapport.txt
    2008-11-04 18:13:19 ----D---- C:\Program Files\trend micro
    2008-11-04 18:13:18 ----D---- C:\rsit
    2008-11-04 12:56:20 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-11-04 12:55:56 ----D---- C:\Program Files\SUPERAntiSpyware
    2008-11-04 12:55:56 ----D---- C:\Documents and Settings\JOannek\Application Data\SUPERAntiSpyware.com
    2008-11-03 17:31:03 ----D---- C:\Program Files\outlook express
    2008-11-03 17:31:03 ----D---- C:\Program Files\msn gaming zone
    2008-11-03 10:16:56 ----D---- C:\WINDOWS\pss
    2008-10-31 15:43:57 ----D---- C:\Documents and Settings\JOannek\Application Data\HouseCall 6.6
    2008-10-31 12:55:17 ----D---- C:\Program Files\Sophos
    2008-10-31 12:27:44 ----D---- C:\WINDOWS\ERUNT
    2008-10-31 12:23:01 ----D---- C:\SDFix
    2008-10-31 10:55:38 ----D---- C:\Documents and Settings\JOannek\Application Data\Malwarebytes
    2008-10-31 10:55:21 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-10-31 10:55:20 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
    2008-10-30 17:03:56 ----D---- C:\fixwareout
    2008-10-30 17:03:40 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
    2008-10-30 17:00:30 ----D---- C:\WINDOWS\temp
    2008-10-30 16:10:08 ----A---- C:\WINDOWS\zip.exe
    2008-10-30 16:10:08 ----A---- C:\WINDOWS\VFIND.exe
    2008-10-30 16:10:08 ----A---- C:\WINDOWS\SWXCACLS.exe
    2008-10-30 16:10:08 ----A---- C:\WINDOWS\SWSC.exe
    2008-10-30 16:10:08 ----A---- C:\WINDOWS\SWREG.exe
    2008-10-30 16:10:08 ----A---- C:\WINDOWS\sed.exe
    2008-10-30 16:10:08 ----A---- C:\WINDOWS\NIRCMD.exe
    2008-10-30 16:10:08 ----A---- C:\WINDOWS\grep.exe
    2008-10-30 16:10:08 ----A---- C:\WINDOWS\fdsv.exe
    2008-10-30 16:10:07 ----D---- C:\WINDOWS\ERDNT
    2008-10-30 15:56:19 ----A---- C:\WINDOWS\ntbtlog.txt
    2008-10-22 16:37:00 ----A---- C:\WINDOWS\system32\tmpacj1.exe
    2008-10-22 16:33:28 ----D---- C:\WINDOWS\Window Med1a
    2008-10-22 14:04:11 ----D---- C:\WINDOWS\system32\Patch
    2008-10-22 14:04:08 ----D---- C:\WINDOWS\system32\inf
    2008-10-22 14:03:45 ----A---- C:\WINDOWS\system32\Slxc.exe
    2008-10-22 14:03:45 ----A---- C:\WINDOWS\system32\Sltc.exe
    2008-10-14 11:03:27 ----A---- C:\WINDOWS\system32\wmpns.dll
    2008-10-08 08:54:13 ----D---- C:\Documents and Settings\JOannek\Application Data\Google
    2008-10-08 08:51:16 ----D---- C:\WINDOWS\Sun
    2008-10-08 08:51:16 ----D---- C:\Documents and Settings\JOannek\Application Data\Sun
    2008-10-08 08:45:50 ----D---- C:\Documents and Settings\All Users\Application Data\Google
    2008-10-08 08:45:48 ----D---- C:\Program Files\Google
    2008-10-08 08:45:30 ----A---- C:\WINDOWS\system32\javaws.exe
    2008-10-08 08:45:30 ----A---- C:\WINDOWS\system32\javaw.exe
    2008-10-08 08:45:30 ----A---- C:\WINDOWS\system32\java.exe
    2008-10-08 08:44:42 ----D---- C:\Program Files\Java
    2008-10-08 08:43:37 ----D---- C:\Program Files\Common Files\Java
    2008-09-02 10:41:20 ----A---- C:\WINDOWS\ModemLog_Kyocera CDMA Wireless Modem #3.txt
    2008-09-02 10:18:20 ----D---- C:\OldArchivedOutlook
    2008-09-02 08:08:20 ----D---- C:\Restore
    2008-08-29 16:51:12 ----D---- C:\HD_Recovery
    2008-08-21 10:37:38 ----HD---- C:\WINDOWS\PIF
    2008-08-21 08:06:32 ----D---- C:\Program Files\Ontrack Data Recovery
    2008-08-20 20:04:55 ----D---- C:\Documents and Settings\JOannek\Application Data\CoreFTP
    2008-08-20 20:04:19 ----D---- C:\Program Files\CoreFTP
    2008-08-15 11:22:00 ----D---- C:\Program Files\Citrix

    ======List of files/folders modified in the last 3 months======

    2008-11-10 17:33:02 ----D---- C:\WINDOWS\Prefetch
    2008-11-10 00:11:30 ----D---- C:\Program Files\LogMeIn
    2008-11-05 23:21:24 ----D---- C:\Program Files\Symantec AntiVirus
    2008-11-05 22:59:57 ----D---- C:\Downloads
    2008-11-05 22:48:59 ----D---- C:\WINDOWS\system32\drivers
    2008-11-05 22:48:59 ----D---- C:\WINDOWS\system32
    2008-11-05 22:48:57 ----D---- C:\WINDOWS
    2008-11-05 22:39:07 ----A---- C:\WINDOWS\system.ini
    2008-11-05 22:38:29 ----D---- C:\WINDOWS\system32\CatRoot2
    2008-11-05 22:34:49 ----D---- C:\WINDOWS\system32\config
    2008-11-05 22:32:09 ----D---- C:\WINDOWS\AppPatch
    2008-11-05 22:32:09 ----D---- C:\Program Files\Common Files
    2008-11-05 22:29:09 ----A---- C:\WINDOWS\SchedLgU.Txt
    2008-11-05 22:28:31 ----SHD---- C:\System Volume Information
    2008-11-05 22:28:31 ----D---- C:\WINDOWS\system32\Restore
    2008-11-05 22:17:29 ----D---- C:\WINDOWS\security
    2008-11-05 21:10:55 ----RSHDC---- C:\WINDOWS\system32\dllcache
    2008-11-05 21:04:51 ----RD---- C:\Program Files
    2008-11-05 20:22:04 ----D---- C:\Program Files\Internet Explorer
    2008-11-05 16:49:25 ----SD---- C:\WINDOWS\Downloaded Program Files
    2008-11-04 16:12:06 ----RASH---- C:\boot.ini
    2008-11-04 16:12:06 ----A---- C:\WINDOWS\win.ini
    2008-11-04 12:56:06 ----SHD---- C:\WINDOWS\Installer
    2008-11-04 12:56:06 ----HD---- C:\Config.Msi
    2008-11-03 16:47:15 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
    2008-11-03 15:55:32 ----SHD---- C:\WINDOWS\CSC
    2008-11-03 14:03:40 ----D---- C:\WINDOWS\Help
    2008-10-31 12:54:33 ----D---- C:\Temp
    2008-10-31 12:22:31 ----D---- C:\Program Files\ZipCentral
    2008-10-30 16:06:46 ----D---- C:\Documents and Settings\JOannek\Application Data\U3
    2008-10-29 10:17:15 ----D---- C:\Program Files\SalesLogix
    2008-10-29 08:08:06 ----A---- C:\WINDOWS\system32\gvc_trace.txt
    2008-10-27 09:35:43 ----D---- C:\WINDOWS\system
    2008-10-23 10:50:27 ----A---- C:\WINDOWS\ModemLog_Kyocera CDMA Wireless Modem #2.txt
    2008-10-22 16:34:59 ----D---- C:\Program Files\Microsoft Office
    2008-10-17 15:34:33 ----A---- C:\WINDOWS\ModemLog_Agere Systems AC'97 Modem.txt
    2008-10-17 15:30:23 ----D---- C:\WINDOWS\network diagnostic
    2008-10-17 08:07:02 ----A---- C:\WINDOWS\system32\LMIRfsClientNP.dll
    2008-10-17 08:07:00 ----A---- C:\WINDOWS\system32\LMIport.dll
    2008-10-17 08:07:00 ----A---- C:\WINDOWS\system32\lmimirr2.dll
    2008-10-17 08:06:59 ----A---- C:\WINDOWS\system32\lmimirr.dll
    2008-10-17 08:06:59 ----A---- C:\WINDOWS\system32\LMIinit.dll
    2008-10-15 13:43:28 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
    2008-10-14 11:04:35 ----SD---- C:\Documents and Settings\JOannek\Application Data\Microsoft
    2008-08-22 14:57:26 ----D---- C:\Back 10-20-08
    2008-08-20 23:02:21 ----D---- C:\SalesLogixLoad
    2008-08-20 23:02:15 ----D---- C:\Documents and Settings\All Users\Application Data\SalesLogix

    ======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

    R1 ANC;ANC; C:\WINDOWS\System32\drivers\ANC.SYS [2005-11-08 11520]
    R1 eeCtrl;Symantec Eraser Control driver; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys []
    R1 IBMTPCHK;IBMTPCHK; \??\C:\WINDOWS\system32\Drivers\IBMBLDID.sys []
    R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2004-08-03 36096]
    R1 RCFOX;SonicWALL IPsec Driver; \??\C:\WINDOWS\system32\Drivers\RCFOX.sys []
    R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
    R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
    R1 SAVRT;SAVRT; \??\C:\Program Files\Symantec AntiVirus\savrt.sys []
    R1 SAVRTPEL;SAVRTPEL; \??\C:\Program Files\Symantec AntiVirus\Savrtpel.sys []
    R1 Smapint;Smapint; C:\WINDOWS\System32\drivers\Smapint.sys [2006-10-02 14848]
    R1 SPBBCDrv;SPBBCDrv; \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys []
    R1 SYMTDI;SYMTDI; C:\WINDOWS\System32\Drivers\SYMTDI.SYS [2006-08-07 195776]
    R1 TDSMAPI;TDSMAPI; C:\WINDOWS\System32\drivers\TDSMAPI.SYS [2006-10-02 9343]
    R1 TPPWR;TPPWR; C:\WINDOWS\System32\drivers\Tppwr.sys [2005-04-20 16384]
    R1 TSMAPIP;TSMAPIP; C:\WINDOWS\System32\drivers\TSMAPIP.SYS [2007-03-09 7168]
    R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2001-08-23 12032]
    R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.2.0.3; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2007-06-25 17801]
    R2 irda;IrDA Protocol; C:\WINDOWS\System32\DRIVERS\irda.sys [2004-08-03 87424]
    R2 LMIInfo;LogMeIn Kernel Information Provider; \??\C:\Program Files\LogMeIn\x86\RaInfo.sys []
    R2 LMIRfsDriver;LogMeIn Remote File System Driver; \??\C:\WINDOWS\system32\drivers\LMIRfsDriver.sys []
    R2 mdmxsdk;mdmxsdk; C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys [2004-03-17 13059]
    R2 rspndr;Link-Layer Topology Discovery Responder; C:\WINDOWS\system32\DRIVERS\rspndr.sys [2006-11-08 62336]
    R2 s24trans;WLAN Transport; C:\WINDOWS\system32\DRIVERS\s24trans.sys [2006-06-16 10970]
    R2 vnccom;vnccom; C:\WINDOWS\System32\Drivers\vnccom.SYS [2004-06-26 6016]
    R3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys [2005-03-04 127872]
    R3 AgereSoftModem;Agere Systems Soft Modem; C:\WINDOWS\system32\DRIVERS\AGRSM.sys [2003-06-27 1196352]
    R3 ati2mtag;ati2mtag; C:\WINDOWS\System32\DRIVERS\ati2mtag.sys [2007-02-06 1133568]
    R3 CmBatt;Microsoft AC Adapter Driver; C:\WINDOWS\System32\DRIVERS\CmBatt.sys [2004-08-03 14080]
    R3 DNE;Deterministic Network Enhancer Miniport; C:\WINDOWS\system32\DRIVERS\dne2000.sys [2007-07-09 128144]
    R3 E100B;Intel(R) PRO Network Connection Driver; C:\WINDOWS\System32\DRIVERS\e100b325.sys [2006-01-12 163328]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys []
    R3 IBMPMDRV;IBMPMDRV; C:\WINDOWS\System32\DRIVERS\ibmpmdrv.sys [2007-02-27 21040]
    R3 lmimirr;lmimirr; C:\WINDOWS\system32\DRIVERS\lmimirr.sys [2007-08-03 10144]
    R3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20081109.003\naveng.sys []
    R3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20081109.003\navex15.sys []
    R3 NSCIRDA;NSC Infrared Device Driver; C:\WINDOWS\System32\DRIVERS\nscirda.sys [2004-08-03 28672]
    R3 psadd;Lenovo Parties Service Access Device Driver; C:\WINDOWS\system32\DRIVERS\psadd.sys [2006-09-12 28224]
    R3 Rasirda;WAN Miniport (IrDA); C:\WINDOWS\System32\DRIVERS\rasirda.sys [2001-08-17 19584]
    R3 rcvpn;SonicWALL VPN Adapter; C:\WINDOWS\system32\DRIVERS\rcvpn.sys [2005-11-08 24876]
    R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
    R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2005-03-28 220992]
    R3 SymEvent;SymEvent; \??\C:\Program Files\Symantec\SYMEVENT.SYS []
    R3 SYMREDRV;SYMREDRV; C:\WINDOWS\System32\Drivers\SYMREDRV.SYS [2006-08-07 24768]
    R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\System32\DRIVERS\SynTP.sys [2003-06-24 265744]
    R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2006-10-23 30208]
    R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2006-10-23 59264]
    R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2006-10-23 20608]
    R3 vncdrv;vncdrv; C:\WINDOWS\system32\DRIVERS\vncdrv.sys [2004-06-26 4736]
    R3 w70n51;Intel(R) PRO/Wireless 7100 Adapter Driver for Windows XP; C:\WINDOWS\system32\DRIVERS\w70n51.sys [2006-07-13 674560]
    S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-03 14848]
    S3 CVirtA;Cisco Systems VPN Adapter; C:\WINDOWS\system32\DRIVERS\CVirtA.sys [2005-05-17 5315]
    S3 E1000;Intel(R) PRO/1000 Network Connection Driver; C:\WINDOWS\System32\DRIVERS\e1000325.sys [2006-04-27 164352]
    S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
    S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2005-12-16 51120]
    S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2005-12-16 16496]
    S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2005-12-16 21744]
    S3 HSF_DPV;HSF_DPV; C:\WINDOWS\System32\DRIVERS\HSF_DPV.sys [2005-01-25 1038208]
    S3 HSFHWICH;HSFHWICH; C:\WINDOWS\System32\DRIVERS\HSFHWICH.sys [2005-01-25 207616]
    S3 kwkxusb;Kyocera CDMA Wireless Modem Driver; C:\WINDOWS\system32\DRIVERS\kwusb2k.sys [2004-11-29 29952]
    S3 MEMSWEEP2;MEMSWEEP2; \??\C:\WINDOWS\system32\9.tmp []
    S3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
    S3 NAL;Nal Service ; \??\C:\WINDOWS\system32\Drivers\iqvw32.sys []
    S3 SMNDIS5;SMNDIS5 NDIS Protocol Driver; \??\C:\PROGRA~1\VERIZO~1\VZACCE~1\SMNDIS5.SYS []
    S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 31616]
    S3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2006-10-23 17152]
    S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
    S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
    S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
    S3 vsdatant;vsdatant; \??\C:\WINDOWS\system32\vsdatant.sys []
    S3 w29n51;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows XP; C:\WINDOWS\system32\DRIVERS\w29n51.sys [2007-04-04 2208768]
    S3 winachsf;winachsf; C:\WINDOWS\System32\DRIVERS\HSF_CNXT.sys [2005-01-25 703616]
    S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
    S4 LMIRfsClientNP;LMIRfsClientNP; C:\WINDOWS\system32\drivers\LMIRfsClientNP.sys []

    ======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

    R2 AcPrfMgrSvc;Ac Profile Manager Service; C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe [2007-05-17 65536]
    R2 AcSvc;Access Connections Main Service; C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe [2007-05-17 184320]
    R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2007-02-06 364544]
    R2 ccEvtMgr;Symantec Event Manager; C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe [2006-07-19 192160]
    R2 ccSetMgr;Symantec Settings Manager; C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe [2006-07-19 169632]
    R2 DefWatch;Symantec AntiVirus Definition Watcher; C:\Program Files\Symantec AntiVirus\DefWatch.exe [2006-09-27 31472]
    R2 IBMPMSVC;ThinkPad PM Service; C:\WINDOWS\system32\ibmpmsvc.exe [2007-02-27 36400]
    R2 Irmon;Infrared Monitor; C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
    R2 LMIMaint;LogMeIn Maintenance Service; C:\Program Files\LogMeIn\x86\RaMaint.exe [2008-10-17 116032]
    R2 LogMeIn;LogMeIn; C:\Program Files\LogMeIn\x86\LogMeIn.exe [2007-08-03 63040]
    R2 MSSQLSERVER;MSSQLSERVER; C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe [2002-12-17 7520337]
    R2 RegSrvc;RegSrvc; C:\WINDOWS\system32\RegSrvc.exe [2006-06-16 122880]
    R2 S24EventMonitor;Spectrum24 Event Monitor; C:\WINDOWS\system32\S24EvMon.exe [2006-06-16 426051]
    R2 SalesLogix Server Service;SalesLogix Server; C:\Program Files\SalesLogix\SLXServer.exe [2006-10-16 536576]
    R2 SavRoam;SAVRoam; C:\Program Files\Symantec AntiVirus\SavRoam.exe [2006-09-27 116464]
    R2 SlxSearch;SalesLogix SpeedSearch; C:\Program Files\SalesLogix\SpeedSearch\Bin\SLXSearchService.exe [2007-01-05 940544]
    R2 SoundMAX Agent Service (default);SoundMAX Agent Service; C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe [2002-09-20 45056]
    R2 SPBBCSvc;Symantec SPBBCSvc; C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe [2006-04-11 1160848]
    R2 SUService;System Update; c:\program files\lenovo\system update\suservice.exe [2007-02-12 13312]
    R2 Symantec AntiVirus;Symantec AntiVirus; C:\Program Files\Symantec AntiVirus\Rtvscan.exe [2006-09-27 1813232]
    R2 TVT Scheduler;TVT Scheduler; C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe [2006-12-10 1118208]
    R2 Venturi2;Venturi Client; c:\program files\verizon wireless\venturi\Client\ventc.exe [2005-01-24 1204306]
    S2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2004-09-29 69632]
    S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
    S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
    S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-10-08 138168]
    S3 LiveUpdate;LiveUpdate; C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE [2006-09-02 2528960]
    S3 MSSQLServerADHelper;MSSQLServerADHelper; C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe [2002-12-17 66112]
    S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
    S3 RampartSvc;SonicWall VPN Client Service; C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe [2007-09-27 230672]
    S3 SNDSrvc;Symantec Network Drivers Service; C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe [2006-08-07 214720]
    S3 SQLSERVERAGENT;SQLSERVERAGENT; C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlagent.EXE [2002-12-17 311872]
    S4 nbs;nbs; C:\WINDOWS\system32\nbs.exe []

    -----------------EOF-----------------
     
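The RSIT dump above is long, and the entries that mattered in this thread are the ones RSIT could not stat (the bare `[]` where a date and size should be) sitting directly in `%windir%\system32` under short machine-looking names: `"FdsT"=C:\WINDOWS\system32\knlzem.dll []`, `S4 nbs;nbs; C:\WINDOWS\system32\nbs.exe []`, and the msconfig-disabled services `wycl`, `nbs`, `imbs`, `iWs`, `exm`, `52ting`, `ngf`. The script below is an added example; it is not part of the thread and not code from RSIT, HijackThis or ComboFix. It parses those three line shapes and flags an entry only when the file cannot be stat'ed and two more signals agree, so legitimate `[]` entries such as SUPERAntiSpyware's `\??\`-prefixed drivers or the RunDll32-launched ThinkPad DLL stay off the list. The indicator names, the flagging rule and the `ODD_STEM` pattern are this example's own choices; the sample lines are copied from the log above with the forum's stray quote spacing removed.

```python
"""Triage helper for RSIT / HijackThis-style autostart dumps (added example).

Not part of the forum thread and not code from RSIT, HijackThis or ComboFix.
Indicator names, the flagging rule and ODD_STEM are this example's own choices.
"""
import re
from pathlib import PureWindowsPath

# "Name"=command [date size]            Run/RunOnce values; [] when RSIT could not stat the file
RUN_RE = re.compile(r'^"(?P<name>[^"]+?)\s*"=\s*(?P<cmd>.*?)\s*\[(?P<meta>[^\]]*)\]$')
# R1 name;display name; command [date size]   drivers and services
SVC_RE = re.compile(r'^(?P<state>[RS])(?P<start>[0-4])\s+(?P<name>[^;]+);(?P<desc>[^;]*);\s*'
                    r'(?P<cmd>.*?)\s*\[(?P<meta>[^\]]*)\]$')
# "name"=2                              services switched off in msconfig; nothing was removed
MSCONFIG_RE = re.compile(r'^"(?P<name>[^"]+?)\s*"=(?P<val>\d+)$')

WINDOWS_ROOTS = {"c:\\windows", "c:\\windows\\system32"}
ODD_STEM = re.compile(r"^[a-z0-9]{1,6}$")   # short, all-lowercase, machine-generated look


def image_path(cmd):
    """Return the first .exe/.dll/.sys/.tmp path in a command string.

    Strips the NT object prefix (\\??\\) and a leading RunDll32 token; not a
    full command-line parser, just enough for these log lines.
    """
    cmd = cmd.strip()
    if cmd.startswith("\\??\\"):
        cmd = cmd[4:]
    if cmd.lower().startswith("rundll32 "):
        cmd = cmd[len("rundll32 "):]
    m = re.match(r"^([A-Za-z]:\\.*?\.(?:exe|dll|sys|tmp))(?:\s|$)", cmd, re.I)
    return PureWindowsPath(m.group(1) if m else cmd)


def indicators(name, cmd, meta, desc=None):
    """Cheap per-entry signals; none of them is a verdict on its own."""
    path = image_path(cmd)
    hits = []
    if not meta.strip():
        hits.append("no-file-metadata")       # RSIT printed []: missing, hidden or unreadable file
    if str(path.parent).lower() in WINDOWS_ROOTS:
        hits.append("windows-root")           # dropped straight into %windir% or system32
    if ODD_STEM.match(path.stem) or path.suffix.lower() == ".tmp":
        hits.append("odd-name")
    if desc is not None and desc.strip() == name.strip():
        hits.append("no-display-name")        # RSIT repeats the key name when no DisplayName is set
    return hits


def _record(kind, name, cmd, hits):
    # Flag only when the file cannot be stat'ed AND at least two more signals agree.
    return {"kind": kind, "name": name.strip(), "path": str(image_path(cmd)), "hits": hits,
            "flagged": "no-file-metadata" in hits and len(hits) >= 3}


def triage(log_text):
    """Parse a dump and return one record per recognised entry, in log order."""
    records = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := SVC_RE.match(line):
            records.append(_record("service", m["name"], m["cmd"],
                                   indicators(m["name"], m["cmd"], m["meta"], m["desc"])))
        elif m := RUN_RE.match(line):
            records.append(_record("run", m["name"], m["cmd"],
                                   indicators(m["name"], m["cmd"], m["meta"])))
        elif m := MSCONFIG_RE.match(line):
            name = m["name"].strip()
            hits = ["msconfig-disabled"] + (["odd-name"] if ODD_STEM.match(name) else [])
            # msconfig only flips the start type; the binary and the service key are still there
            records.append({"kind": "msconfig", "name": name, "path": "", "hits": hits,
                            "flagged": "odd-name" in hits})
    return records


def flagged_names(log_text):
    """Names a responder should look at first, in log order."""
    return [r["name"] for r in triage(log_text) if r["flagged"]]


# Lines copied from the RSIT log in this thread (forum quote spacing removed); not constructed.
SAMPLE = r'''
"ccApp"=C:\Program Files\Common Files\Symantec Shared\ccApp.exe [2006-07-19 52896]
"BMMGAG"=RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll []
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]
"FdsT"=C:\WINDOWS\system32\knlzem.dll []
R1 ANC;ANC; C:\WINDOWS\System32\drivers\ANC.SYS [2005-11-08 11520]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
S3 MEMSWEEP2;MEMSWEEP2; \??\C:\WINDOWS\system32\9.tmp []
S4 nbs;nbs; C:\WINDOWS\system32\nbs.exe []
"wycl"=2
"iWs"=2
"52ting"=2
'''

if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(("!! " if r["flagged"] else "   ") + f'{r["kind"]:8} {r["name"]:12} {",".join(r["hits"])}')
```

Run against the sample and the worklist is `FdsT`, `MEMSWEEP2`, `nbs`, `wycl` and `52ting`. `MEMSWEEP2` is the one to resolve by hand: a disabled driver loading from a `.tmp` in system32 looks exactly like a dropper, but it is the driver Sophos Anti-Rootkit registers, and the poster had run that scanner days earlier. That is why this produces a worklist and not an auto-fix. `iWs` slips past the lowercase-only pattern, a reminder that these are triage prompts, not signatures. The msconfig entries are listed deliberately: unchecking a service in msconfig only changes its start type, it removes nothing, which is why `nbs.exe` still shows up further down as an `S4` service.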
  15. 2008/11/10
    DianeR (Thread Starter)
    Here is the "ComboFix 08-10-30.04 - joannek 2008-10-30 16:45:31.1"

    ComboFix 08-10-30.04 - joannek 2008-10-30 16:11:03.1 - NTFSx86 NETWORK
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.605 [GMT -7:00]
    Running from: C:\Documents and Settings\JOannek\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\bot.txt
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    C:\h.exe
    C:\i.exe
    C:\Program Files\Common Files\PushWare
    C:\Program Files\Common Files\PushWare\Uninst.exe
    C:\Program Files\zzToolBar
    C:\Program Files\zzToolBar\IP.dat
    C:\Program Files\zzToolBar\SearchEngineConfig
    C:\Program Files\zzToolBar\ToolBand.dll
    C:\Program Files\zzToolBar\Toolbar_bho.dll
    C:\Program Files\zzToolBar\uISGRLFile.dat
    C:\Program Files\zzToolBar\Uninstall.exe
    C:\WINDOWS\checkcj.ini
    C:\WINDOWS\dcbdcatys32_081021a.dll
    C:\WINDOWS\sebs
    C:\WINDOWS\system32\inf\scsys16_081021.dll
    C:\WINDOWS\system32\inf\svchoct.exe
    C:\WINDOWS\system32\knlzem.dll
    C:\WINDOWS\system32\mywfhit.ini
    C:\WINDOWS\system32\mywfhit.ini.tmp
    C:\WINDOWS\system32\wicheck081021.dll
    C:\WINDOWS\tawisys.ini
    C:\WINDOWS\wftadfi16_081021a.dll

    ----- BITS: Possible infected sites -----

    hxxp://wsus
    Infected copy of C:\WINDOWS\system32\drivers\beep.sys was found and disinfected
    Restored copy from - C:\System Volume Information\_restore{496955E8-BB42-4C96-8CAB-61B562678F3E}\RP115\A0007158.sys


    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_NETWORK_SERVICES
    -------\Service_Apcdli
    -------\Service_Network Services


    ((((((((((((((((((((((((( Files Created from 2008-09-28 to 2008-10-30 )))))))))))))))))))))))))))))))
    .

    2008-10-30 16:13 . 2001-08-23 05:00 4,224 --a------ C:\WINDOWS\system32\drivers\beep.sys
    2008-10-29 15:19 . 2008-10-29 15:19 <DIR> d---s---- C:\Documents and Settings\LocalService\UserData
    2008-10-29 10:35 . 2008-10-29 10:34 61,440 -rahs---- C:\WINDOWS\EXVPL81K7.exe
    2008-10-29 10:35 . 2008-10-29 10:35 28,672 --a------ C:\WINDOWS\0UFC90.exe
    2008-10-29 09:02 . 2008-10-29 09:02 20,992 ---hs---- C:\WINDOWS\system32\wycl.exe
    2008-10-29 08:32 . 2008-10-29 08:32 20,992 ---hs---- C:\WINDOWS\system32\nbss.exe
    2008-10-27 10:16 . 2008-10-27 10:16 20,992 ---hs---- C:\WINDOWS\system32\exm.exe
    2008-10-27 08:25 . 2008-10-27 08:25 1,308 --a------ C:\sssb.exe
    2008-10-27 08:24 . 2008-10-27 08:24 20,992 --a------ C:\sssd.exe
    2008-10-22 16:37 . 2004-08-04 00:56 388,608 --a------ C:\WINDOWS\system32\tmpacj1.exe
    2008-10-22 16:33 . 2008-10-27 09:40 <DIR> d-------- C:\WINDOWS\Window Med1a
    2008-10-22 14:04 . 2008-10-22 15:56 <DIR> d-------- C:\WINDOWS\system32\Patch
    2008-10-22 14:04 . 2008-10-30 16:12 <DIR> d-------- C:\WINDOWS\system32\inf
    2008-10-22 14:04 . 2008-10-22 14:04 20,992 ---hs---- C:\WINDOWS\system32\wat.exe
    2008-10-22 14:04 . 2008-10-22 14:03 20,992 ---hs---- C:\WINDOWS\system32\iWs.exe
    2008-10-22 14:03 . 2008-10-27 09:39 <DIR> d-------- C:\WINDOWS\system32\Studio
    2008-10-22 14:03 . 2004-08-04 00:56 388,608 --a------ C:\WINDOWS\system32\Sltc.exe
    2008-10-22 14:03 . 2008-10-22 14:03 65,536 --a------ C:\WINDOWS\system32\SysSetup.xml
    2008-10-22 14:03 . 2004-08-04 00:56 42,496 --a------ C:\WINDOWS\system32\Slxc.exe
    2008-10-20 10:03 . 2008-10-20 10:03 60,744 --a------ C:\Documents and Settings\JOannek\g2mdlhlpx.exe
    2008-10-14 11:03 . 2004-08-04 00:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
    2008-10-08 08:51 . 2008-10-08 08:51 <DIR> d-------- C:\WINDOWS\Sun
    2008-10-08 08:45 . 2008-10-14 07:17 <DIR> d-------- C:\Program Files\Google
    2008-10-08 08:45 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
    2008-10-08 08:44 . 2008-10-08 08:45 <DIR> d-------- C:\Program Files\Java
    2008-10-08 08:43 . 2008-10-08 08:43 <DIR> d-------- C:\Program Files\Common Files\Java
    2008-09-02 10:18 . 2008-09-02 10:18 <DIR> d-------- C:\OldArchivedOutlook
    2008-09-02 08:08 . 2008-09-02 09:54 <DIR> d-------- C:\Restore

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-10-30 23:06 --------- d-----w C:\Documents and Settings\JOannek\Application Data\U3
    2008-10-30 22:46 --------- d-----w C:\Program Files\Symantec AntiVirus
    2008-10-30 22:42 --------- d-----w C:\Program Files\LogMeIn
    2008-10-29 17:17 --------- d-----w C:\Program Files\SalesLogix
    2008-10-17 15:07 47,640 ----a-w C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
    2008-10-15 15:13 --------- d-----w C:\Program Files\ZipCentral
    2004-08-04 07:56 461,085 --sh--w C:\WINDOWS\system32\agent.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPLpr "= "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-06-24 126976]
    "SynTPEnh "= "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-06-24 561152]
    "Synchronization Manager "= "C:\WINDOWS\system32\mobsync.exe" [2004-08-04 143360]
    "Acrobat Assistant 7.0 "= "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
    "ccApp "= "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
    "vptray "= "C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 125168]
    "TVT Scheduler Proxy "= "C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2006-12-10 536576]
    "ATIPTA "= "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2007-02-06 344064]
    "ACTray "= "C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe" [2007-05-17 413696]
    "ACWLIcon "= "C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-05-17 126976]
    "SoundMAXPnP "= "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
    "BMMGAG "= "C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2005-04-20 110592]
    "BMMLREF "= "C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [2005-04-20 20480]
    "BMMMONWND "= "C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2005-04-20 396288]
    "BLOG "= "C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-04-20 208896]
    "LogMeIn GUI "= "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 63048]
    "HP Software Update "= "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "AGRSMMSG "= "AGRSMMSG.exe" [2003-06-27 C:\WINDOWS\AGRSMMSG.exe]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "Setup "= "MSIEXEC.EXE" [2005-05-04 C:\WINDOWS\system32\msiexec.exe]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]
    Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoWelcomeScreen "= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
    2007-05-17 11:41 32768 C:\Program Files\ThinkPad\ConnectUtilities\ACNotify.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    2008-10-17 08:06 87352 C:\WINDOWS\system32\LMIinit.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages REG_MULTI_SZ scecli ACGina

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-286463997-3611086172-1349692979-1181\Scripts\Logon\0\0]
    "Script "=login.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-286463997-3611086172-1349692979-1181\Scripts\Logon\1\0]
    "Script "=inventory.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-286463997-3611086172-1349692979-1181\Scripts\Logon\2\0]
    "Script "=mapdrv.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-286463997-3611086172-1349692979-1187\Scripts\Logon\0\0]
    "Script "=login.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-286463997-3611086172-1349692979-1187\Scripts\Logon\1\0]
    "Script "=inventory.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-286463997-3611086172-1349692979-1187\Scripts\Logon\2\0]
    "Script "=mapdrv.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-286463997-3611086172-1349692979-1319\Scripts\Logon\0\0]
    "Script "=login.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-286463997-3611086172-1349692979-1319\Scripts\Logon\1\0]
    "Script "=mapdrv.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify "=dword:00000001
    "UpdatesDisableNotify "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=

    R0 zntbv;zntbv;C:\WINDOWS\system32\drivers\zntbv.sys [2004-08-04 25312]
    R1 RCFOX;SonicWALL IPsec Driver;C:\WINDOWS\system32\Drivers\RCFOX.sys [2007-09-27 101528]
    R3 rcvpn;SonicWALL VPN Adapter;C:\WINDOWS\system32\DRIVERS\rcvpn.sys [2005-11-08 24876]
    S1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2005-11-08 11520]
    S1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\Drivers\IBMBLDID.sys [2007-04-02 4224]
    S1 TPPWR;TPPWR;C:\WINDOWS\system32\drivers\Tppwr.sys [2005-04-20 16384]
    S2 52ting;52ting;C:\WINDOWS\system32\wat.exe [2008-10-22 20992]
    S2 agent;agent;C:\WINDOWS\System32\agent.exe [2004-08-04 461085]
    S2 exm;exm;C:\WINDOWS\system32\exm.exe [2008-10-27 20992]
    S2 iWs;iWs;C:\WINDOWS\system32\iWs.exe [2008-10-22 20992]
    S2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2008-02-28 12856]
    S2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2008-10-17 47640]
    S2 nbss;nbss;C:\WINDOWS\system32\nbss.exe [2008-10-29 20992]
    S2 SalesLogix Server Service;SalesLogix Server;C:\Program Files\SalesLogix\SLXServer.exe [2006-10-16 536576]
    S2 SlxSearch;SalesLogix SpeedSearch;C:\Program Files\SalesLogix\SpeedSearch\Bin\SLXSearchService.exe [2007-01-05 940544]
    S2 vnccom;vnccom;C:\WINDOWS\system32\Drivers\vnccom.SYS [2004-06-26 6016]
    S2 wycl;wycl;C:\WINDOWS\system32\wycl.exe [2008-10-29 20992]
    S3 0ZV5JYXOJE13;M5BP29AYUB;C:\WINDOWS\Z6ZKRP8PKT6.txt [2008-10-29 3045]
    S3 kwkxusb;Kyocera CDMA Wireless Modem Driver;C:\WINDOWS\system32\DRIVERS\kwusb2k.sys [2004-11-29 29952]
    S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2005-12-13 20480]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    \Shell\AutoRun\command - E:\LaunchU3.exe -a
    .
    Contents of the 'Scheduled Tasks' folder

    2008-07-17 C:\WINDOWS\Tasks\BMMTask.job
    - C:\PROGRA~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2005-04-20 01:38]
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-RunOnce-FdsT - %systemroot%\system32\knlzem.dll


    .
    ------- Supplementary Scan -------
    .
    R0 -: HKCU-Main,Start Page = www.345dh.cn?tg=7
    O8 -: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 -: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 -: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 -: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 -: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 -: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 -: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 -: Convert to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O18 -: Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - C:\Program Files\CoreFTP\pftpns.dll

    O16 -: {6D868B99-8B01-4B25-9BD1-ED37AFDF5E29} - hxxp://www.ontrackdatarecovery.com/verifile/npvfasp.cab
    C:\WINDOWS\Downloaded Program Files\npVfAsp.inf
    C:\WINDOWS\system32\npVfAspFrench.dll
    C:\WINDOWS\system32\npVfAspGerman.dll
    C:\WINDOWS\system32\npVfAspItalian.dll
    C:\WINDOWS\system32\npVfAspJapanese.dll
    C:\WINDOWS\system32\npVfAspSpanish.dll
    C:\WINDOWS\system32\npVfAspPolish.dll
    C:\WINDOWS\system32\npVfAspRussian.dll
    C:\WINDOWS\Downloaded Program Files\npVfAsp.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-10-30 16:19:42
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\0ZV5JYXOJE13]
    "ImagePath "= "\??\C:\WINDOWS\Z6ZKRP8PKT6.txt "
    .
    Completion time: 2008-10-30 16:27:34 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-10-30 23:27:30

    Pre-Run: 4,567,019,520 bytes free
    Post-Run: 4,865,769,472 bytes free

    218 --- E O F --- 2007-06-13 00:02:09
     
  16. 2008/11/10
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    You found it. Great! :)
    Let's get this mess cleaned up! ;)

    Please allow ComboFix to update when prompted, and I recommend you allow the Recovery Console to be downloaded and installed when prompted.

    Once again, please disable any realtime protection applications. Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    File::
    C:\WINDOWS\Z6ZKRP8PKT6.txt
    c:\windows\system32\tmpacj1.exe
    c:\windows\system32\Sltc.exe
    c:\windows\system32\SysSetup.xml
    c:\windows\system32\Slxc.exe
    c:\documents and settings\JOannek\g2mdlhlpx.exe
    c:\windows\system32\knlzem.dll
    C:\WINDOWS\system32\nbs.exe
    Folder::
    c:\windows\Window Med1a
    c:\windows\system32\Patch
    Registry::
    [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\0ZV5JYXOJE13]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "FdsT"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "wycl"=-
    "nbs"=-
    "imbs"=-
    "iWs"=-
    "exm"=-
    "52ting"=-
    "ngf"=-
    Driver::
    0ZV5JYXOJE13
    MEMSWEEP2
    nbs
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.
     
  17. 2008/11/10
    DianeR

    DianeR Inactive Thread Starter

    Joined:
    2008/11/04
    Messages:
    17
    Likes Received:
    0
    Okay... so I misunderstood the instructions initially and ran a regular ComboFix w/ the text you wanted. When that ran though, it tried to update but the update failed. Then I got the error message about the knlzem.dll file not being found (the start up error I mentioned earlier)... then ComboFix completed running and rebooted. Here is the log from that...

    ComboFix 08-11-10.01 - joannek 2008-11-10 20:01:00.4 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.257 [GMT -7:00]
    Running from: c:\documents and settings\JOannek\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2008-10-11 to 2008-11-11 )))))))))))))))))))))))))))))))
    .

    2008-11-05 21:06 . 2008-11-05 21:06 <DIR> d-------- c:\documents and settings\Administrator\Application Data\U3
    2008-11-05 21:05 . 2008-11-05 21:05 0 --a------ c:\windows\nsreg.dat
    2008-11-05 18:59 . 2008-11-05 20:12 <DIR> d-------- c:\documents and settings\Administrator\.housecall6.6
    2008-11-05 17:54 . 2008-11-05 18:04 <DIR> d-------- c:\documents and settings\Administrator\Application Data\CoreFTP
    2008-11-05 16:50 . 2008-11-05 17:43 <DIR> d-------- c:\program files\EsetOnlineScanner
    2008-11-05 15:37 . 2008-11-05 15:37 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
    2008-11-05 14:52 . 2008-11-05 14:56 4,274 --a------ c:\windows\system32\tmp.reg
    2008-11-04 18:13 . 2008-11-10 17:56 <DIR> d-------- C:\rsit
    2008-11-04 18:13 . 2008-11-10 17:32 <DIR> d-------- c:\program files\trend micro
    2008-11-04 12:56 . 2008-11-04 12:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-11-04 12:55 . 2008-11-04 12:55 <DIR> d-------- c:\program files\SUPERAntiSpyware
    2008-11-04 12:55 . 2008-11-04 12:55 <DIR> d-------- c:\documents and settings\JOannek\Application Data\SUPERAntiSpyware.com
    2008-10-31 15:43 . 2008-10-31 17:01 <DIR> d-------- c:\documents and settings\JOannek\Application Data\HouseCall 6.6
    2008-10-31 13:14 . 2008-11-03 09:10 <DIR> d-------- c:\documents and settings\JOannek\.housecall6.6
    2008-10-31 12:55 . 2008-10-31 12:55 <DIR> d-------- c:\program files\Sophos
    2008-10-31 12:49 . 2008-10-31 12:49 1,181,383 --a------ c:\temp\SophosAntiRootKit_sarsfx.exe
    2008-10-31 12:49 . 2008-10-31 12:49 1,181,383 --a------ c:\documents and settings\JOannek\SophosAntiRootKit_sarsfx.exe
    2008-10-31 12:27 . 2008-10-31 12:27 <DIR> d-------- c:\windows\ERUNT
    2008-10-31 12:23 . 2008-11-03 16:03 <DIR> d-------- C:\SDFix
    2008-10-31 10:55 . 2008-10-31 10:55 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2008-10-31 10:55 . 2008-10-31 10:55 <DIR> d-------- c:\documents and settings\JOannek\Application Data\Malwarebytes
    2008-10-31 10:55 . 2008-10-31 10:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2008-10-31 10:55 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2008-10-31 10:55 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2008-10-30 17:03 . 2008-11-04 09:42 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
    2008-10-30 17:03 . 2008-10-30 17:08 <DIR> d-------- C:\fixwareout
    2008-10-30 16:13 . 2001-08-23 05:00 4,224 --a------ c:\windows\system32\drivers\beep.sys
    2008-10-29 15:19 . 2008-10-29 15:19 <DIR> d---s---- c:\documents and settings\LocalService\UserData
    2008-10-22 16:37 . 2004-08-04 00:56 388,608 --a------ c:\windows\system32\tmpacj1.exe
    2008-10-22 16:33 . 2008-10-27 09:40 <DIR> d-------- c:\windows\Window Med1a
    2008-10-22 14:04 . 2008-10-22 15:56 <DIR> d-------- c:\windows\system32\Patch
    2008-10-22 14:04 . 2008-10-30 16:12 <DIR> d-------- c:\windows\system32\inf
    2008-10-22 14:03 . 2004-08-04 00:56 388,608 --a------ c:\windows\system32\Sltc.exe
    2008-10-22 14:03 . 2008-10-22 14:03 65,536 --a------ c:\windows\system32\SysSetup.xml
    2008-10-22 14:03 . 2004-08-04 00:56 42,496 --a------ c:\windows\system32\Slxc.exe
    2008-10-20 10:03 . 2008-10-20 10:03 60,744 --a------ c:\documents and settings\JOannek\g2mdlhlpx.exe
    2008-10-14 11:03 . 2004-08-04 00:56 221,184 --a------ c:\windows\system32\wmpns.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-11-11 03:08 --------- d-----w c:\program files\Symantec AntiVirus
    2008-11-10 07:11 --------- d-----w c:\program files\LogMeIn
    2008-11-05 21:52 --------- d-----w c:\documents and settings\JOannek\Application Data\CoreFTP
    2008-10-31 19:22 --------- d-----w c:\program files\ZipCentral
    2008-10-30 23:06 --------- d-----w c:\documents and settings\JOannek\Application Data\U3
    2008-10-29 17:17 --------- d-----w c:\program files\SalesLogix
    2008-10-17 15:07 47,640 ----a-w c:\windows\system32\drivers\LMIRfsDriver.sys
    2008-10-14 14:17 --------- d-----w c:\program files\Google
    2008-10-08 15:45 --------- d-----w c:\program files\Java
    2008-10-08 15:43 --------- d-----w c:\program files\Common Files\Java
    .

    ((((((((((((((((((((((((((((( snapshot@2008-11-05_22.48.16.84 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-11-11 03:07:38 16,384 ----atw c:\windows\temp\Perflib_Perfdata_2d8.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPLpr "= "c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-06-24 126976]
    "SynTPEnh "= "c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-06-24 561152]
    "Synchronization Manager "= "c:\windows\system32\mobsync.exe" [2004-08-04 143360]
    "Acrobat Assistant 7.0 "= "c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
    "ccApp "= "c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
    "vptray "= "c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-27 125168]
    "TVT Scheduler Proxy "= "c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2006-12-10 536576]
    "ATIPTA "= "c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2007-02-06 344064]
    "ACTray "= "c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2007-05-17 413696]
    "ACWLIcon "= "c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-05-17 126976]
    "SoundMAXPnP "= "c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
    "BMMGAG "= "c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2005-04-20 110592]
    "BMMLREF "= "c:\program files\ThinkPad\Utilities\BMMLREF.EXE" [2005-04-20 20480]
    "BMMMONWND "= "c:\progra~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2005-04-20 396288]
    "BLOG "= "c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-04-20 208896]
    "LogMeIn GUI "= "c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 63048]
    "HP Software Update "= "c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
    "MSConfig "= "c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2005-09-26 169984]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "FdsT "= "%systemroot%\system32\knlzem.dll" [BU]
    "Setup "= "MSIEXEC.EXE" [2005-05-04 c:\windows\system32\msiexec.exe]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]
    Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoWelcomeScreen "= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-07-23 16:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
    2007-05-17 11:41 32768 c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    2008-10-17 08:06 87352 c:\windows\system32\LMIinit.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages REG_MULTI_SZ scecli ACGina

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-286463997-3611086172-1349692979-1181\Scripts\Logon\0\0]
    "Script "=login.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-286463997-3611086172-1349692979-1181\Scripts\Logon\1\0]
    "Script "=inventory.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-286463997-3611086172-1349692979-1181\Scripts\Logon\2\0]
    "Script "=mapdrv.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-286463997-3611086172-1349692979-1187\Scripts\Logon\0\0]
    "Script "=login.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-286463997-3611086172-1349692979-1187\Scripts\Logon\1\0]
    "Script "=inventory.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-286463997-3611086172-1349692979-1187\Scripts\Logon\2\0]
    "Script "=mapdrv.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-286463997-3611086172-1349692979-1319\Scripts\Logon\0\0]
    "Script "=login.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-286463997-3611086172-1349692979-1319\Scripts\Logon\1\0]
    "Script "=mapdrv.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
    --a------ 2003-06-27 08:53 88363 c:\windows\AGRSMMSG.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "wycl "=2 (0x2)
    "nbs "=2 (0x2)
    "imbs "=2 (0x2)
    "iWs "=2 (0x2)
    "exm "=2 (0x2)
    "52ting "=2 (0x2)
    "ngf "=2 (0x2)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify "= "0x00000000 "
    "UpdatesDisableNotify "= "0x00000000 "

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=

    R0 zntbv;zntb;c:\windows\system32\drivers\zntbv.sys [2004-08-04 25312]
    R1 ANC;ANC;c:\windows\system32\drivers\ANC.SYS [2005-11-08 11520]
    R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\Drivers\IBMBLDID.sys [2007-04-02 4224]
    R1 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\Drivers\RCFOX.sys [2007-09-27 101528]
    R1 TPPWR;TPPWR;c:\windows\system32\drivers\Tppwr.sys [2005-04-20 16384]
    R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2008-02-28 12856]
    R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-10-17 47640]
    R2 SalesLogix Server Service;SalesLogix Server;c:\program files\SalesLogix\SLXServer.exe [2006-10-16 536576]
    R2 SlxSearch;SalesLogix SpeedSearch;c:\program files\SalesLogix\SpeedSearch\Bin\SLXSearchService.exe [2007-01-05 940544]
    R2 vnccom;vnccom;c:\windows\system32\Drivers\vnccom.SYS [2004-06-26 6016]
    R3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\DRIVERS\rcvpn.sys [2005-11-08 24876]
    S3 kwkxusb;Kyocera CDMA Wireless Modem Driver;c:\windows\system32\DRIVERS\kwusb2k.sys [2004-11-29 29952]
    S3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\9.tmp [ ]
    S3 NAL;Nal Service ;c:\windows\system32\Drivers\iqvw32.sys [2005-12-13 20480]
    S4 nbs;nbs;c:\windows\system32\nbs.exe [ ]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    \Shell\AutoRun\command - E:\LaunchU3.exe -a
    .
    Contents of the 'Scheduled Tasks' folder

    2008-07-17 c:\windows\Tasks\BMMTask.job
    - c:\progra~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2005-04-20 01:38]
    .
    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - c:\documents and settings\JOannek\Application Data\Mozilla\Firefox\Profiles\u2711s2p.default\
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-11-10 20:09:36
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
    "ImagePath "= "\??\c:\windows\system32\9.tmp "
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\ibmpmsvc.exe
    c:\windows\system32\ati2evxx.exe
    c:\windows\system32\S24EvMon.exe
    c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
    c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
    c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
    c:\program files\Symantec AntiVirus\DefWatch.exe
    c:\program files\LogMeIn\x86\ramaint.exe
    c:\program files\LogMeIn\x86\LogMeIn.exe
    c:\program files\LogMeIn\x86\LMIGuardian.exe
    c:\program files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
    c:\windows\system32\RegSrvc.exe
    c:\program files\Symantec AntiVirus\SavRoam.exe
    c:\program files\SalesLogix\SLXLoggingServer.exe
    c:\program files\Analog Devices\SoundMAX\SMAgent.exe
    c:\program files\SalesLogix\SLXSystem.exe
    c:\program files\Lenovo\System Update\SUService.exe
    c:\program files\Symantec AntiVirus\Rtvscan.exe
    c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
    c:\program files\Verizon Wireless\venturi\Client\VentC.exe
    c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
    c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
    c:\windows\system32\ati2evxx.exe
    c:\windows\system32\rundll32.exe
    c:\program files\Adobe\Acrobat 7.0\Distillr\acrodist.exe
    c:\program files\LogMeIn\x86\LMIGuardian.exe
    c:\program files\HP\Digital Imaging\bin\hpqste08.exe
    c:\program files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
    c:\windows\system32\imapi.exe
    .
    **************************************************************************
    .
    Completion time: 2008-11-10 20:18:11 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-11-11 03:18:05
    ComboFix2.txt 2008-11-06 05:48:53
    ComboFix3.txt 2008-10-31 00:00:26

    Pre-Run: 6,208,643,072 bytes free
    Post-Run: 6,194,925,568 bytes free

    222 --- E O F --- 2007-06-13 00:02:09



    Then, I realized what you wanted so I ran it again... here is the proper log you were looking for (w/ the txt file dragged onto ComboFix).

    ComboFix 08-11-10.01 - joannek 2008-11-10 20:22:58.5 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.297 [GMT -7:00]
    Running from: c:\documents and settings\JOannek\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\JOannek\Desktop\CFScript.txt
    * Created a new restore point

    FILE ::
    c:\documents and settings\JOannek\g2mdlhlpx.exe
    c:\windows\system32\knlzem.dll
    c:\windows\system32\nbs.exe
    c:\windows\system32\Sltc.exe
    c:\windows\system32\Slxc.exe
    c:\windows\system32\SysSetup.xml
    c:\windows\system32\tmpacj1.exe
    c:\windows\Z6ZKRP8PKT6.txt
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\JOannek\g2mdlhlpx.exe
    c:\windows\system32\Patch
    c:\windows\system32\Sltc.exe
    c:\windows\system32\Slxc.exe
    c:\windows\system32\SysSetup.xml
    c:\windows\system32\tmpacj1.exe
    c:\windows\Window Med1a

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_MEMSWEEP2
    -------\Legacy_NBS
    -------\Service_MEMSWEEP2
    -------\Service_nbs


    ((((((((((((((((((((((((( Files Created from 2008-10-11 to 2008-11-11 )))))))))))))))))))))))))))))))
    .

    2008-11-05 21:06 . 2008-11-05 21:06 <DIR> d-------- c:\documents and settings\Administrator\Application Data\U3
    2008-11-05 21:05 . 2008-11-05 21:05 0 --a------ c:\windows\nsreg.dat
    2008-11-05 18:59 . 2008-11-05 20:12 <DIR> d-------- c:\documents and settings\Administrator\.housecall6.6
    2008-11-05 17:54 . 2008-11-05 18:04 <DIR> d-------- c:\documents and settings\Administrator\Application Data\CoreFTP
    2008-11-05 16:50 . 2008-11-05 17:43 <DIR> d-------- c:\program files\EsetOnlineScanner
    2008-11-05 15:37 . 2008-11-05 15:37 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
    2008-11-05 14:52 . 2008-11-05 14:56 4,274 --a------ c:\windows\system32\tmp.reg
    2008-11-04 18:13 . 2008-11-10 17:56 <DIR> d-------- C:\rsit
    2008-11-04 18:13 . 2008-11-10 17:32 <DIR> d-------- c:\program files\trend micro
    2008-11-04 12:56 . 2008-11-04 12:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-11-04 12:55 . 2008-11-04 12:55 <DIR> d-------- c:\program files\SUPERAntiSpyware
    2008-11-04 12:55 . 2008-11-04 12:55 <DIR> d-------- c:\documents and settings\JOannek\Application Data\SUPERAntiSpyware.com
    2008-10-31 15:43 . 2008-10-31 17:01 <DIR> d-------- c:\documents and settings\JOannek\Application Data\HouseCall 6.6
    2008-10-31 13:14 . 2008-11-03 09:10 <DIR> d-------- c:\documents and settings\JOannek\.housecall6.6
    2008-10-31 12:55 . 2008-10-31 12:55 <DIR> d-------- c:\program files\Sophos
    2008-10-31 12:49 . 2008-10-31 12:49 1,181,383 --a------ c:\temp\SophosAntiRootKit_sarsfx.exe
    2008-10-31 12:49 . 2008-10-31 12:49 1,181,383 --a------ c:\documents and settings\JOannek\SophosAntiRootKit_sarsfx.exe
    2008-10-31 12:27 . 2008-10-31 12:27 <DIR> d-------- c:\windows\ERUNT
    2008-10-31 12:23 . 2008-11-03 16:03 <DIR> d-------- C:\SDFix
    2008-10-31 10:55 . 2008-10-31 10:55 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2008-10-31 10:55 . 2008-10-31 10:55 <DIR> d-------- c:\documents and settings\JOannek\Application Data\Malwarebytes
    2008-10-31 10:55 . 2008-10-31 10:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2008-10-31 10:55 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2008-10-31 10:55 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2008-10-30 17:03 . 2008-11-04 09:42 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
    2008-10-30 17:03 . 2008-10-30 17:08 <DIR> d-------- C:\fixwareout
    2008-10-30 16:13 . 2001-08-23 05:00 4,224 --a------ c:\windows\system32\drivers\beep.sys
    2008-10-29 15:19 . 2008-10-29 15:19 <DIR> d---s---- c:\documents and settings\LocalService\UserData
    2008-10-22 14:04 . 2008-10-30 16:12 <DIR> d-------- c:\windows\system32\inf
    2008-10-14 11:03 . 2004-08-04 00:56 221,184 --a------ c:\windows\system32\wmpns.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-11-11 03:27 --------- d-----w c:\program files\Symantec AntiVirus
    2008-11-10 07:11 --------- d-----w c:\program files\LogMeIn
    2008-11-05 21:52 --------- d-----w c:\documents and settings\JOannek\Application Data\CoreFTP
    2008-10-31 19:22 --------- d-----w c:\program files\ZipCentral
    2008-10-30 23:06 --------- d-----w c:\documents and settings\JOannek\Application Data\U3
    2008-10-29 17:17 --------- d-----w c:\program files\SalesLogix
    2008-10-17 15:07 47,640 ----a-w c:\windows\system32\drivers\LMIRfsDriver.sys
    2008-10-14 14:17 --------- d-----w c:\program files\Google
    2008-10-08 15:45 --------- d-----w c:\program files\Java
    2008-10-08 15:43 --------- d-----w c:\program files\Common Files\Java
    .

    ((((((((((((((((((((((((((((( snapshot@2008-11-05_22.48.16.84 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-11-11 03:27:00 16,384 ----atw c:\windows\temp\Perflib_Perfdata_484.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPLpr "= "c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-06-24 126976]
    "SynTPEnh "= "c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-06-24 561152]
    "Synchronization Manager "= "c:\windows\system32\mobsync.exe" [2004-08-04 143360]
    "Acrobat Assistant 7.0 "= "c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
    "ccApp "= "c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
    "vptray "= "c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-27 125168]
    "TVT Scheduler Proxy "= "c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2006-12-10 536576]
    "ATIPTA "= "c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2007-02-06 344064]
    "ACTray "= "c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2007-05-17 413696]
    "ACWLIcon "= "c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-05-17 126976]
    "SoundMAXPnP "= "c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
    "BMMGAG "= "c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2005-04-20 110592]
    "BMMLREF "= "c:\program files\ThinkPad\Utilities\BMMLREF.EXE" [2005-04-20 20480]
    "BMMMONWND "= "c:\progra~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2005-04-20 396288]
    "BLOG "= "c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-04-20 208896]
    "LogMeIn GUI "= "c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 63048]
    "HP Software Update "= "c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
    "MSConfig "= "c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2005-09-26 169984]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "FdsT "= "%systemroot%\system32\knlzem.dll" [BU]
    "Setup "= "MSIEXEC.EXE" [2005-05-04 c:\windows\system32\msiexec.exe]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]
    Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoWelcomeScreen "= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-07-23 16:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
    2007-05-17 11:41 32768 c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    2008-10-17 08:06 87352 c:\windows\system32\LMIinit.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages REG_MULTI_SZ scecli ACGina

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-286463997-3611086172-1349692979-1181\Scripts\Logon\0\0]
    "Script "=login.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-286463997-3611086172-1349692979-1181\Scripts\Logon\1\0]
    "Script "=inventory.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-286463997-3611086172-1349692979-1181\Scripts\Logon\2\0]
    "Script "=mapdrv.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-286463997-3611086172-1349692979-1187\Scripts\Logon\0\0]
    "Script "=login.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-286463997-3611086172-1349692979-1187\Scripts\Logon\1\0]
    "Script "=inventory.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-286463997-3611086172-1349692979-1187\Scripts\Logon\2\0]
    "Script "=mapdrv.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-286463997-3611086172-1349692979-1319\Scripts\Logon\0\0]
    "Script "=login.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-286463997-3611086172-1349692979-1319\Scripts\Logon\1\0]
    "Script "=mapdrv.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
    --a------ 2003-06-27 08:53 88363 c:\windows\AGRSMMSG.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify "= "0x00000000 "
    "UpdatesDisableNotify "= "0x00000000 "

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=

    R0 zntbv;zntb;c:\windows\system32\drivers\zntbv.sys [2004-08-04 25312]
    R1 ANC;ANC;c:\windows\system32\drivers\ANC.SYS [2005-11-08 11520]
    R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\Drivers\IBMBLDID.sys [2007-04-02 4224]
    R1 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\Drivers\RCFOX.sys [2007-09-27 101528]
    R1 TPPWR;TPPWR;c:\windows\system32\drivers\Tppwr.sys [2005-04-20 16384]
    R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2008-02-28 12856]
    R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-10-17 47640]
    R2 SalesLogix Server Service;SalesLogix Server;c:\program files\SalesLogix\SLXServer.exe [2006-10-16 536576]
    R2 SlxSearch;SalesLogix SpeedSearch;c:\program files\SalesLogix\SpeedSearch\Bin\SLXSearchService.exe [2007-01-05 940544]
    R2 vnccom;vnccom;c:\windows\system32\Drivers\vnccom.SYS [2004-06-26 6016]
    R3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\DRIVERS\rcvpn.sys [2005-11-08 24876]
    S3 kwkxusb;Kyocera CDMA Wireless Modem Driver;c:\windows\system32\DRIVERS\kwusb2k.sys [2004-11-29 29952]
    S3 NAL;Nal Service ;c:\windows\system32\Drivers\iqvw32.sys [2005-12-13 20480]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    \Shell\AutoRun\command - E:\LaunchU3.exe -a
    .
    Contents of the 'Scheduled Tasks' folder

    2008-07-17 c:\windows\Tasks\BMMTask.job
    - c:\progra~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2005-04-20 01:38]
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-11-10 20:29:08
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\ibmpmsvc.exe
    c:\windows\system32\ati2evxx.exe
    c:\windows\system32\S24EvMon.exe
    c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
    c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
    c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
    c:\program files\Symantec AntiVirus\DefWatch.exe
    c:\program files\LogMeIn\x86\ramaint.exe
    c:\program files\LogMeIn\x86\LogMeIn.exe
    c:\program files\LogMeIn\x86\LMIGuardian.exe
    c:\program files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
    c:\windows\system32\RegSrvc.exe
    c:\program files\Symantec AntiVirus\SavRoam.exe
    c:\program files\SalesLogix\SLXLoggingServer.exe
    c:\program files\Analog Devices\SoundMAX\SMAgent.exe
    c:\program files\SalesLogix\SLXSystem.exe
    c:\program files\Lenovo\System Update\SUService.exe
    c:\program files\Symantec AntiVirus\Rtvscan.exe
    c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
    c:\program files\Verizon Wireless\venturi\Client\VentC.exe
    c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
    c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
    c:\windows\system32\1XConfig.exe
    c:\windows\system32\ati2evxx.exe
    c:\windows\system32\rundll32.exe
    c:\program files\Adobe\Acrobat 7.0\Distillr\acrodist.exe
    c:\program files\LogMeIn\x86\LMIGuardian.exe
    c:\program files\HP\Digital Imaging\bin\hpqste08.exe
    c:\program files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
    c:\windows\system32\imapi.exe
    .
    **************************************************************************
    .
    Completion time: 2008-11-10 20:38:34 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-11-11 03:38:27
    ComboFix2.txt 2008-11-11 03:18:12
    ComboFix3.txt 2008-11-06 05:48:53
    ComboFix4.txt 2008-10-31 00:00:26

    Pre-Run: 6,160,519,168 bytes free
    Post-Run: 6,147,850,240 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT= "Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS= "Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

    232 --- E O F --- 2007-06-13 00:02:09
     
  18. 2008/11/10
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Looks much better! Please check the properties on the following file for information about Company, Version, etc.

    c:\windows\system32\drivers\zntbv.sys
     
  19. 2008/11/11
    DianeR

    DianeR Inactive Thread Starter

    Joined:
    2008/11/04
    Messages:
    17
    Likes Received:
    0
    Hi. That's good news. I'm hoping to get this resolved today if at all possible. I'll stay as late as necessary. :)

    There is no info for the file c:\windows\system32\drivers\zntbv.sys. All it says when I look at its properties is that it was created 2001-08-23, 05:00, modified 2004-08-04, 00:56 and accessed 2008-11-11, 08:16... Nothing about who created it (what company), what version it is, or anything like that when I scroll over it and get the pop-up that usually lists that sort of thing. :-(
     
  20. 2008/11/11
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Please upload the zntbv.sys file to Virus Total for analysis.
    Once the results are populated, please copy and post those results here.
     
  21. 2008/11/11
    DianeR

    DianeR Inactive Thread Starter

    Joined:
    2008/11/04
    Messages:
    17
    Likes Received:
    0
    Here you go. :) Very cool tool, btw!


    Antivirus Version Last Update Result
    AhnLab-V3 2008.11.11.2 2008.11.11 -
    AntiVir 7.9.0.31 2008.11.11 TR/Rootkit.Gen
    Authentium 5.1.0.4 2008.11.11 -
    Avast 4.8.1248.0 2008.11.11 -
    AVG 8.0.0.161 2008.11.11 Agent.AHGR
    BitDefender 7.2 2008.11.11 Trojan.Generic.859559
    CAT-QuickHeal 9.50 2008.11.11 -
    ClamAV 0.94.1 2008.11.11 Trojan.Downloader-58340
    DrWeb 4.44.0.09170 2008.11.12 -
    eSafe 7.0.17.0 2008.11.11 -
    eTrust-Vet 31.6.6204 2008.11.11 -
    Ewido 4.0 2008.11.11 -
    F-Prot 4.4.4.56 2008.11.11 -
    F-Secure 8.0.14332.0 2008.11.11 -
    Fortinet 3.117.0.0 2008.11.11 -
    GData 19 2008.11.11 Trojan.Generic.859559
    Ikarus T3.1.1.45.0 2008.11.11 Trojan.Rootkit
    K7AntiVirus 7.10.522 2008.11.11 -
    Kaspersky 7.0.0.125 2008.11.12 -
    McAfee 5430 2008.11.10 -
    Microsoft 1.4104 2008.11.12 -
    NOD32 3604 2008.11.11 probably a variant of Win32/Agent.ODM
    Norman 5.80.02 2008.11.11 -
    Panda 9.0.0.4 2008.11.11 -
    PCTools 4.4.2.0 2008.11.11 -
    Prevx1 V2 2008.11.12 -
    Rising 21.03.12.00 2008.11.11 -
    SecureWeb-Gateway 6.7.6 2008.11.11 Trojan.Rootkit.Gen
    Sophos 4.35.0 2008.11.11 -
    Sunbelt 3.1.1785.2 2008.11.11 -
    Symantec 10 2008.11.11 -
    TheHacker 6.3.1.1.149 2008.11.12 -
    TrendMicro 8.700.0.1004 2008.11.11 -
    VBA32 3.12.8.9 2008.11.11 Trojan-Downloader.Win32.Agent.akys
    ViRobot 2008.11.11.1461 2008.11.11 -
    VirusBuster 4.5.11.0 2008.11.11 -
    Additional information
    File size: 25312 bytes
    MD5...: e42109bebc1a5db41ff2464d32fa422b
    SHA1..: 552d8bd9d6f09814895ac039c00c46d748990a2f
    SHA256: e446906d374dfa152633ac301b53aceb5a6cf2bf9b0b57d3e9cde2e7e05a234c
    SHA512: 403d5950a1a3fe22a893acac7e3d2ed280ee6b1716bbe9f04a828831281fd3452bad9d44b6a5d6a9a44f70f9da50b9162308ad04ccb39287bd45fddca193a9c4
    PEiD..: -
    TrID..: File type identification
    Generic Win/DOS Executable (49.9%)
    DOS Executable Generic (49.8%)
    Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x1086e
    timedatestamp.....: 0x48fde18f (Tue Oct 21 14:05:03 2008)
    machinetype.......: 0x14c (I386)

    ( 4 sections )
    name viradd virsiz rawdsiz ntrpy md5
    .text 0x260 0x4d12 0x4d20 6.90 90ca281e04a59aaeab5895b3962ace8a
    .data 0x4f80 0xc65 0xc80 6.59 60abeec92fd408a9dba2389001165358
    INIT 0x5c00 0x2d0 0x2e0 5.09 138685bf4834b39a233f4a727858736a
    .reloc 0x5ee0 0x3ea 0x400 6.18 5405d0d7baa5e896e95b257de81c7a53

    ( 1 imports )
    > ntoskrnl.exe: ExFreePool, ExAllocatePoolWithTag, RtlInitUnicodeString, MmGetSystemRoutineAddress, ZwClose, RtlCopyUnicodeString, swprintf, wcscpy, wcscat, MmIsAddressValid, _except_handler3, _wcsnicmp, wcslen, RtlCompareUnicodeString, PsGetVersion, ZwMapViewOfSection, ZwCreateSection, ZwOpenFile, ObfDereferenceObject, ObQueryNameString, _snprintf, ZwQuerySystemInformation, _strnicmp, _stricmp, IofCompleteRequest, strncpy, IoGetCurrentProcess, strncmp, ZwUnmapViewOfSection, RtlAnsiStringToUnicodeString

    ( 0 exports )
     
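The two checks noahdfear asked for above (file properties, then a VirusTotal submission) can be reproduced locally before anything leaves the machine. The script below is an added example, not code from this thread or from any of the tools mentioned in it. It computes the same digests VirusTotal listed, walks the PE header with only the standard library (no pefile), reports per-section entropy in the same columns VirusTotal used (viradd, virsiz, rawdsiz, ntrpy, md5), and raises two flags a defender would want: no resource directory (so Properties shows no Company or Version, exactly what DianeR saw) and a compile timestamp later than the file's own modified time (the thread's driver reports modified 2004-08-04 but a link stamp of Tue Oct 21 2008, a mismatch only possible if one of the two was altered). The `build_sample_pe()` function constructs a tiny 544-byte PE32 image in memory so the example runs offline; it is not the real driver, and the helper names and the 7.0 entropy threshold are this example's own choices.

```python
"""Offline first-pass triage of a suspicious Windows driver (added example)."""
import hashlib
import math
import os
import struct
from datetime import datetime, timezone
from typing import Optional


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 to 8.0; packed or encrypted code sits near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return abs(-sum(c / n * math.log2(c / n) for c in counts if c))


def file_hashes(data: bytes) -> dict:
    """The digests VirusTotal reports, computed locally."""
    return {a: hashlib.new(a, data).hexdigest() for a in ("md5", "sha1", "sha256", "sha512")}


def parse_pe(data: bytes) -> dict:
    """Minimal PE header walk using struct only (PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsect, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]          # 0x10B = PE32, 0x20B = PE32+
    entry = struct.unpack_from("<I", data, opt + 16)[0]     # AddressOfEntryPoint
    dd_off = opt + (96 if magic == 0x10B else 112)          # first data-directory entry
    num_dirs = struct.unpack_from("<I", data, dd_off - 4)[0]
    has_resources = False
    if num_dirs > 2:                                        # entry 2 is the resource table
        res_rva, res_size = struct.unpack_from("<II", data, dd_off + 2 * 8)
        has_resources = bool(res_rva and res_size)
    sections = []
    table = opt + opt_size
    for i in range(nsect):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, table + i * 40)
        raw = data[rptr:rptr + rsize]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "viradd": vaddr, "virsiz": vsize, "rawdsiz": rsize,
                         "ntrpy": round(shannon_entropy(raw), 2),
                         "md5": hashlib.md5(raw).hexdigest()})
    return {"machine": machine, "entrypoint": entry, "stamp": stamp,
            "compiled": datetime.fromtimestamp(stamp, tz=timezone.utc),
            "has_resources": has_resources,   # VS_VERSION_INFO lives in the resource tree
            "sections": sections}


def triage(data: bytes, fs_mtime: Optional[float] = None) -> dict:
    """Hashes plus PE facts plus two consistency flags; fs_mtime is Unix seconds."""
    pe = parse_pe(data)
    flags = {
        # No resource tree means Properties can show no Company or Version.
        "no_version_info": not pe["has_resources"],
        # A link stamp later than the file's modified time means one of them was faked.
        "compiled_after_mtime": fs_mtime is not None and pe["stamp"] > fs_mtime,
        "high_entropy_sections": [s["name"] for s in pe["sections"] if s["ntrpy"] > 7.0],
    }
    return {"size": len(data), "hashes": file_hashes(data), "pe": pe, "flags": flags}


def triage_file(path: str) -> dict:
    with open(path, "rb") as fh:
        data = fh.read()
    return triage(data, os.stat(path).st_mtime)


def build_sample_pe() -> bytes:
    """Constructed 544-byte PE32 image (not a real driver): I386, compile stamp
    0x48fde18f as in the thread's VirusTotal report, no resource directory."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x48FDE18F, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                 # entry point RVA
    struct.pack_into("<I", opt, 92, 16)                     # NumberOfRvaAndSizes, all zero
    fmt = "<8sIIIIIIHHI"
    text = struct.pack(fmt, b".text", 0x10, 0x1000, 0x10, 0x200, 0, 0, 0, 0, 0x60000020)
    dat = struct.pack(fmt, b".data", 0x10, 0x2000, 0x10, 0x210, 0, 0, 0, 0, 0xC0000040)
    img = bytearray(0x220)
    hdr = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text + dat
    img[:len(hdr)] = hdr
    img[0x200:0x210] = b"\0" * 16           # .text: all zeros, entropy 0.0
    img[0x210:0x220] = bytes(range(16))     # .data: 16 distinct bytes, entropy 4.0
    return bytes(img)


if __name__ == "__main__":
    # Modified time from the thread (2004-08-04) predates the compile stamp (2008-10-21).
    mtime = datetime(2004, 8, 4, 0, 56, tzinfo=timezone.utc).timestamp()
    report = triage(build_sample_pe(), mtime)
    print(report["pe"]["compiled"], report["flags"])
    for s in report["pe"]["sections"]:
        print(s)
```

Run `triage_file(r"c:\windows\system32\drivers\zntbv.sys")` on the affected machine to get the same data for the real file; the printed `compiled` value and the `compiled_after_mtime` flag are what make a 2004 modified time on a 2008 binary stand out at a glance, and the hashes can be compared against a vendor report without re-uploading the sample.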
