Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Possible rootkit?

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Possible rootkit?

Unread postby poksao » June 16th, 2008, 11:25 am

I have AVG AntiRootKit Free version on my computer. Every time that I run it it finds a rootkit in the following path c:\WINDOWS\System32\Drivers\xxxxxxx.sys (with the x's as random characters) and asks me if i want to remove it and reboot. I do so and it finds another with a different random name. I posted here once before and it was suggested that it might be Daemon tools doing this and that I should remove it and try again (I am creating a new post because I took too long to reply to the old post). I am still getting the same behavior.

Thanks in advance for any help.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:14:06 PM, on 6/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\lenovo\system update\suservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Lenovo\Client Security Solution\tvtpwm_tray.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Lenovo\SafeGuard PrivateDisk\pdservice.exe
C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\Program Files\ThinkVantage\AMSG\Amsg.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\PROGRA~1\THINKV~2\PrdCtr\LPMLCHK.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\PROGRA~1\ThinkPad\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.mizrahi-tefahot.co.il/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [PDService.exe] "C:\Program Files\Lenovo\SafeGuard PrivateDisk\pdservice.exe"
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [IBM Warranty Notification] "C:\Program Files\IBM\acp\ERTS0749\ERTS0749.exe /nointro"
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
O4 - HKLM\..\Run: [AMSG] C:\Program Files\ThinkVantage\AMSG\Amsg.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [LPMailChecker] C:\PROGRA~1\THINKV~2\PrdCtr\LPMLCHK.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: CCC.lnk = ?
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - https://www-307.ibm.com/pc/support/acce ... /AcpIR.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: AwayNotify - C:\Program Files\Lenovo\AwayTask\AwayNotify.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: tvtnetwk - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe

--
End of file - 13520 bytes
poksao
Active Member
 
Posts: 13
Joined: May 3rd, 2008, 8:25 pm
Location: Ma'aleh Adumim
Advertisement
Register to Remove

Re: Possible rootkit?

Unread postby Elrond » June 16th, 2008, 12:23 pm

Hi poksao

I'm Elrond and I'll be glad to help you with your computer problems.

As an introduction, please note that I am not Superhuman, I do not know everything, but what I do know has taken me years to learn. I am happy to pass on this information to you, but please bear in mind that I am also fallible.

Please only use this topic for your replies on this problem. Do not start another thread.
Please note that the fixes we will use are specific to your problems on this computer and should only be used for this problem on this computer.
These things need to be properly researched and a complete fix for many malware problems can take some time and be spread over a number of posts, so please be patient and try to see it through to the end.

Before we start: Please be aware that removing Malware is a hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

In light of this it would be wise for you to back up any files and folders that you don't want to lose before we start.

Please observe these rules while we work:
  • Perform all actions in the order given.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with it till you're given the all clear.
  • REMEMBER, ABSENCE OF SYMPTOMS DOES NOT MEAN THE INFECTION IS ALL GONE.
If you can do these things, everything should go smoothly.
  • Please note that you should have Administrator rights to perform the fixes. (XP accounts are Administrator by default) Also note that multiple identity PC’s (family PC’s) present a different problem; please tell me if your PC has more than one individual’s setting, but continue with the fix.Please let me know if you are using a computer with multiple accounts, as this can affect the instructions given.
It may be helpful to you to print out or take a copy of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.



Please note that all instructions given are customized for this computer only, the tools used may cause damage if used on a computer with different infections.
If you think you have similar problems, please post a log in the HJT forum and wait for help.



Please note that I will be off line for about 26 hours (sundown Friday until nightfall Saturday my local time) every week.


End of preliminaries. What follows is related to analyzing what is on your computer and cleaning it up.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


Nothing showing that is not minor.


Update Java Runtime

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 6.
  • Go to http://java.sun.com/javase/downloads/index.jsp
  • Go to Java Runtime Environment (JRE) 6 Update 6 and click on Download button.
  • In Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says "jre-6u6-windows-i586-p.exe" and save the downloaded file to your desktop.
  • Go to Start => Control Panel => Add or Remove Programs
  • Uninstall all old versions of Java (Java 3 Runtime Environment, JRE or JSE)
  • Install the new version by running the newly-downloaded file with the java icon which will be at your desktop, and follow the on-screen instructions.
  • Reboot your computer


OK now we need to start looking deeper.


Open "HijackThis". Click on "Open Misc.Tool Section".
Use the scroll bar on the right and scroll down to "Open Uninstall Manager". Click it.
On the right you will find "Save List". Click it.
The log that you just saved will appear.
Use "Copy" and "Paste" to add it to your next post.


Please visit this webpage for instructions for downloading ComboFix at your DESKTOP :
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.

Additional links to download the tool:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with the Uninstall Manager log[/b[ and a [b]new HijackThis log so we may try to find out what is going on with your system.
User avatar
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem

Re: Possible rootkit?

Unread postby poksao » June 16th, 2008, 4:17 pm

I will post the rest shortly
UNINSTALL MANAGER LOG
7-Zip 4.57
Adobe Flash Player Plugin
Adobe Reader 8.1.2
A-Ray Scanner 2.0.2.3
Aspell English Dictionary-0.50-2
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
ATI HYDRAVISION
AVG Anti-Rootkit Free
AVG Free 8.0
Catalyst Control Center - Branding
ccc-Branding
CCleaner (remove only)
Client Security Solution
Crimson Editor (remove only)
Diablo II
Diskeeper Lite
DivX Content Uploader
DivX Web Player
ffdshow [rev 1579] [2007-10-26]
GNU Aspell 0.50-3
GTK+ Runtime 2.10.13 rev a (remove only)
Help Center
Hero Editor V0.96
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB917332)
Hotfix for Windows XP (KB923293)
Hotfix for Windows XP (KB934205)
Intel(R) PRO Network Connections Drivers
Intel(R) PROSet/Wireless Software
InterVideo WinDVD
InterVideo WinDVD Creator 3
Java(TM) 6 Update 6
mCore
mDriver
MediaMonkey 2.5
Message Center
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Device Emulator version 1.0 - ENU
Microsoft Document Explorer 2005
Microsoft Document Explorer 2005
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Professional
Microsoft Office 2003 Web Components
Microsoft SQL Server 2005
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Analysis Services
Microsoft SQL Server 2005 Backward compatibility
Microsoft SQL Server 2005 Integration Services
Microsoft SQL Server 2005 Notification Services
Microsoft SQL Server 2005 Reporting Services
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual J# 2.0 Redistributable Package
Microsoft Visual Studio 2005 Professional Edition - ENU
mMHouse
Mozilla Firefox (2.0.0.14)
mPfMgr
mProSafe
MSVC80_x86
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
mWlsSafe
Nokia Connectivity Cable Driver
On Screen Display
PC Connectivity Solution
PC-Doctor 5 for Windows
PeerGuardian 2.0
Picasa 2
Pidgin
Presentation Director
Productivity Center Supplement for ThinkPad
Real Alternative 1.8.0 Lite
RecordNow Audio
RecordNow Copy
RecordNow Data
Remove Multimedia Center
Rescue and Recovery
Rescue and Recovery Critical Patch for Windows Update (KB917422)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939373)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942830)
Security Update for Windows XP (KB942831)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Sonic DLA
Sonic Express Labeler
Sonic Icons for Lenovo
Sonic Update Manager
SoundMAX
SQLXML4
System Migration Assistant
System Update
ThinkPad Bluetooth with Enhanced Data Rate Software
ThinkPad Configuration
ThinkPad EasyEject Utility
ThinkPad FullScreen Magnifier
ThinkPad Keyboard Customizer Utility
ThinkPad Modem
ThinkPad PC Card Power Policy
ThinkPad Power Management Driver
ThinkPad Power Manager
ThinkPad UltraNav Driver
ThinkPad UltraNav Wizard
ThinkVantage Access Connections
ThinkVantage Active Protection System
ThinkVantage Away Manager
ThinkVantage Fingerprint Software 5.6
ThinkVantage Productivity Center
ThinkVantage Technologies Welcome Message
TrackPoint Accessibility Features
UBCD4Win 3.13
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
VideoLAN VLC media player 0.8.6c
Wallpapers
Windows Driver Package - Nokia Modem (10/12/2007 3.6)
Windows Internet Explorer 7
Windows Live Toolbar
Windows Live Toolbar
Windows Media Connect
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB890859
XP Themes
poksao
Active Member
 
Posts: 13
Joined: May 3rd, 2008, 8:25 pm
Location: Ma'aleh Adumim

Re: Possible rootkit?

Unread postby poksao » June 16th, 2008, 4:51 pm

ComboFix Logfile
ComboFix 08-06-15.4 - Laizer 2008-06-16 23:20:53.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1305 [GMT 3:00]
Running from: C:\Documents and Settings\Laizer\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\Cache

.
((((((((((((((((((((((((( Files Created from 2008-05-16 to 2008-06-16 )))))))))))))))))))))))))))))))
.

2008-06-16 23:13 . 2008-06-16 23:13 <DIR> d-------- C:\Program Files\Java
2008-06-16 23:13 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-16 23:01 . 2008-06-16 23:07 <DIR> d-------- C:\Documents and Settings\Laizer\.SunDownloadManager
2008-06-16 17:33 . 2008-06-16 17:33 <DIR> d-------- C:\Program Files\Alcohol Soft
2008-06-11 22:15 . 2007-01-18 15:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2008-06-11 15:38 . 2008-04-14 14:01 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 15:38 . 2008-04-14 14:01 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-02 21:32 . 2008-06-02 21:32 <DIR> d-------- C:\Program Files\A-Ray Scanner
2008-05-27 20:58 . 2008-05-27 21:03 <DIR> d-------- C:\Documents and Settings\Laizer\Application Data\yoclient
2008-05-26 08:11 . 2008-06-12 09:19 <DIR> d--h----- C:\$AVG8.VAULT$
2008-05-25 14:16 . 2008-06-16 08:50 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-25 14:16 . 2008-05-25 14:16 <DIR> d-------- C:\Program Files\AVG
2008-05-25 14:16 . 2008-05-26 09:04 <DIR> d-------- C:\Documents and Settings\Laizer\Application Data\AVGTOOLBAR
2008-05-25 14:16 . 2008-05-25 14:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-25 14:16 . 2008-05-25 14:16 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-25 14:16 . 2008-05-25 14:16 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-05-25 14:16 . 2008-05-25 14:16 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-05-16 04:55 . 2008-06-11 19:49 1,374 --a------ C:\WINDOWS\imsins.BAK

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-16 20:21 --------- d-----w C:\Program Files\PeerGuardian2
2008-06-16 15:05 --------- d-----w C:\Program Files\SlySoft
2008-06-16 14:17 --------- d-----w C:\Documents and Settings\Laizer\Application Data\uTorrent
2008-05-25 11:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-05-17 20:52 --------- d-----w C:\Documents and Settings\Laizer\Application Data\.purple
2008-05-14 19:14 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Lenovo
2008-05-14 19:14 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-05-14 19:14 --------- d-----w C:\Documents and Settings\Administrator\Application Data\ATI
2008-05-11 09:38 --------- d-----w C:\Documents and Settings\Laizer\Application Data\U3
2008-05-08 12:28 202,752 ------w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-06 19:33 --------- d-----w C:\Program Files\Real Alternative
2008-05-05 14:07 --------- d-----w C:\Program Files\ThinkVantage Fingerprint Software
2008-05-05 13:57 --------- d-----w C:\Program Files\Common Files\ThinkVantage Fingerprint Software
2008-05-05 13:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\UIB
2008-05-05 13:54 --------- d-----w C:\Program Files\NetWaiting
2008-05-05 13:54 --------- d-----w C:\Program Files\Digital Line Detect
2008-05-05 13:54 --------- d-----w C:\Documents and Settings\Laizer\Application Data\InstallShield
2008-05-05 13:53 --------- d-----w C:\Program Files\PCDR5
2008-05-05 13:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC-Doctor
2008-05-05 13:51 21,361 ------w C:\WINDOWS\system32\drivers\AegisP.sys
2008-05-05 13:51 21,361 ------w C:\WINDOWS\AegisP.sys
2008-05-05 13:51 --------- d-----w C:\Program Files\Lenovo
2008-05-05 13:51 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\Intel
2008-05-05 13:51 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Intel
2008-05-05 13:51 --------- d-----w C:\Documents and Settings\Laizer\Application Data\Intel
2008-05-05 13:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intel
2008-05-05 13:38 534,920 ------w C:\WINDOWS\qfe149.tmp
2008-05-05 13:36 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-05 13:34 539,448 ------w C:\WINDOWS\qfeBB.tmp
2008-05-05 13:09 --------- d-----w C:\Program Files\ThinkPad
2008-05-03 22:47 --------- d-----w C:\Program Files\Trend Micro
2008-05-01 11:11 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Media Player Classic
2007-08-03 14:47 32,768 --sh--w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012007080320070804\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TVT Scheduler Proxy"="C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2007-11-06 16:27 487424]
"TpShocks"="TpShocks.exe" [2007-11-22 15:09 181536 C:\WINDOWS\system32\TpShocks.exe]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2006-06-03 08:00 856064]
"TPHOTKEY"="C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe" [2008-01-24 10:21 66928]
"TP4EX"="tp4ex.exe" [2005-10-17 11:11 65536 C:\WINDOWS\system32\TP4EX.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2007-08-10 19:30 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-08-10 19:30 512000]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 10:11 925696]
"PWRMGRTR"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2008-01-11 01:30 294912]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2006-03-16 02:07 421888]
"PDService.exe"="C:\Program Files\Lenovo\SafeGuard PrivateDisk\pdservice.exe" [2006-03-14 02:38 41472]
"LPManager"="C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe" [2008-01-11 03:21 144728]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-28 02:50 81920]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 02:50 221184]
"IBM Warranty Notification"="C:\Program Files\IBM\acp\ERTS0749\ERTS0749.exe" [2004-03-12 19:24 106496]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-04-27 03:33 243248]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2006-02-02 15:20 122940]
"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-05-19 02:24 196696]
"cssauth"="C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" [2006-07-15 04:13 2341632]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2008-01-11 01:30 208896]
"AwaySch"="C:\Program Files\Lenovo\AwayTask\AwaySch.EXE" [2006-08-16 20:07 69632]
"AMSG"="C:\Program Files\ThinkVantage\AMSG\Amsg.exe" [2005-11-14 09:23 487424]
"ACWLIcon"="C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-02-20 02:02 110592]
"ACTray"="C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe" [2007-02-20 02:10 409600]
"LPMailChecker"="C:\PROGRA~1\THINKV~2\PrdCtr\LPMLCHK.exe" [2008-01-11 03:21 124248]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 13:35 90112]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"TPFNF7"="C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2008-03-26 03:06 59680]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-25 14:16 1177368]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

C:\Documents and Settings\Laizer\Start Menu\Programs\Startup\
CCC.lnk - C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2007-07-17 12:13:34 49152]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe [2007-11-26 15:58:10 576104]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2008-05-05 16:54:51 50688]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 23:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
ACNotify.dll 2007-02-20 02:03 32768 C:\Program Files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AwayNotify]
C:\Program Files\Lenovo\AwayTask\AwayNotify.dll 2006-08-16 20:07 49152 C:\Program Files\Lenovo\AwayTask\AwayNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
C:\WINDOWS\system32\psqlpwd.dll 2007-08-14 15:54 89600 C:\WINDOWS\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
C:\Program Files\Lenovo\HOTKEY\notifyf2.dll 2006-09-06 17:37 34344 C:\Program Files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
C:\Program Files\Lenovo\HOTKEY\tphklock.dll 2007-12-14 16:36 28672 C:\Program Files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1700:TCP"= 1700:TCP:MioNet Remote Drive Access 0
"1701:TCP"= 1701:TCP:MioNet Remote Drive Access 1
"1702:TCP"= 1702:TCP:MioNet Remote Drive Access 2
"1703:TCP"= 1703:TCP:MioNet Remote Drive Access 3
"1704:TCP"= 1704:TCP:MioNet Remote Drive Access 4
"1705:TCP"= 1705:TCP:MioNet Remote Drive Access 5
"1706:TCP"= 1706:TCP:MioNet Remote Drive Access 6
"1707:TCP"= 1707:TCP:MioNet Remote Drive Access 7
"1708:TCP"= 1708:TCP:MioNet Remote Drive Access 8
"1709:TCP"= 1709:TCP:MioNet Remote Drive Access 9
"1641:TCP"= 1641:TCP:MioNet Remote Drive Verification
"1647:TCP"= 1647:TCP:MioNet Storage Device Configuration
"5432:UDP"= 5432:UDP:MioNet Storage Device Discovery

R0 Shockprf;Shockprf;C:\WINDOWS\system32\DRIVERS\Apsx86.sys [2007-10-16 18:33]
R0 TPDIGIMN;TPDIGIMN;C:\WINDOWS\system32\DRIVERS\ApsHM86.sys [2007-10-16 18:32]
R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2005-11-08 19:27]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-25 14:16]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\Drivers\IBMBLDID.sys [2006-01-13 10:33]
R1 TPPWRIF;TPPWRIF;C:\WINDOWS\system32\drivers\Tppwrif.sys [2008-01-11 01:30]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-25 14:16]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-25 14:16]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-25 14:16]
R2 MsDtsServer;SQL Server Integration Services;"C:\Program Files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe" [2005-10-14 04:45]
R2 PrivateDisk;PrivateDisk;C:\Program Files\Lenovo\SafeGuard PrivateDisk\PrivateDiskM.sys [2006-03-14 02:05]
R2 smi2;smi2;C:\Program Files\SMI2\smi2.sys [2006-07-15 01:55]
R2 smihlp2;SMI Helper Driver (smihlp2);C:\Program Files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [2007-08-14 15:46]
R3 TcUsb;TC USB Kernel Driver;C:\WINDOWS\system32\Drivers\tcusb.sys [2007-08-14 15:25]
S3 ReportServer;SQL Server Reporting Services (MSSQLSERVER);"C:\Program Files\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer\bin\ReportingServicesService.exe" [2005-10-14 04:44]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"c:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{117d8906-033c-11dd-908a-00197ef9d08d}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e1acb4bc-d7d6-11dc-a96e-001b7795abb3}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-06-16 20:22:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-06-16 20:26:09 C:\WINDOWS\Tasks\PMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-16 23:25:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\DOCUME~1\Laizer\LOCALS~1\Temp\tzk6.tmp

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msftesql]
"ImagePath"="\"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:MSSQLSERVER"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\ThinkPad\ConnectUtilities\ACNotify.dll
-> C:\Program Files\ThinkPad\ConnectUtilities\AcSvcStub.dll
-> C:\Program Files\ThinkPad\ConnectUtilities\AcLocSettings.dll
-> C:\Program Files\ThinkPad\ConnectUtilities\ACHelper.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\system32\TPHDEXLG.exe
C:\WINDOWS\system32\TpKmpSvc.exe
C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
C:\Program Files\Lenovo\System Update\SUService.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Program Files\Lenovo\Client Security Solution\tvtpwm_tray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\ZOOM\TpScrex.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
.
**************************************************************************
.
Completion time: 2008-06-16 23:28:54 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-16 20:28:48

Pre-Run: 24,255,029,248 bytes free
Post-Run: 24,489,365,504 bytes free

231 --- E O F --- 2008-06-11 16:49:58
poksao
Active Member
 
Posts: 13
Joined: May 3rd, 2008, 8:25 pm
Location: Ma'aleh Adumim

Re: Possible rootkit?

Unread postby poksao » June 16th, 2008, 4:52 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:52:12 PM, on 6/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\Lenovo\Client Security Solution\tvtpwm_tray.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Lenovo\SafeGuard PrivateDisk\pdservice.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\Program Files\ThinkVantage\AMSG\Amsg.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\PROGRA~1\THINKV~2\PrdCtr\LPMLCHK.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\ThinkPad\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.mizrahi-tefahot.co.il/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [PDService.exe] "C:\Program Files\Lenovo\SafeGuard PrivateDisk\pdservice.exe"
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [IBM Warranty Notification] "C:\Program Files\IBM\acp\ERTS0749\ERTS0749.exe /nointro"
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
O4 - HKLM\..\Run: [AMSG] C:\Program Files\ThinkVantage\AMSG\Amsg.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [LPMailChecker] C:\PROGRA~1\THINKV~2\PrdCtr\LPMLCHK.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: CCC.lnk = ?
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - https://www-307.ibm.com/pc/support/acce ... /AcpIR.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: AwayNotify - C:\Program Files\Lenovo\AwayTask\AwayNotify.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: tvtnetwk - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe

--
End of file - 13283 bytes
poksao
Active Member
 
Posts: 13
Joined: May 3rd, 2008, 8:25 pm
Location: Ma'aleh Adumim

Re: Possible rootkit?

Unread postby Elrond » June 18th, 2008, 2:27 am

Hi poksao

Sorry for the delay. :( I had to check certain things.

  1. I'd like you to check (a file/some files) for Viruses.
    C:\WINDOWS\qfe149.tmp
    C:\WINDOWS\qfeBB.tmp

    • Copy/Paste the first file on the list into the white Upload a file box.
    • Click Send/Submit, and the file will upload to VirusTotal/Jotti, where it will be scanned by several anti-virus programmes.
    • After a while, a window will open, with details of what the scans found.
    • Note details of any viruses found.
    • Repeat for all files on the list, and post me the details please


    1. Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

      Code: Select all
      Folder::
      C:\Documents and Settings\Laizer\Application Data\uTorrent
      
      DirLook::
      C:\Documents and Settings\Laizer\Application Data\.purple
      C:\Documents and Settings\All Users\Application Data\UIB
      
      Registry::
      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
      "C:\\Program Files\\uTorrent\\uTorrent.exe"=-
      
      

    2. Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.


      Image


    3. Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    4. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    5. When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.


    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

  2. Please download Rootkit Revealer from Sysinternals and save it to your desktop.

    1. Right click on RootkitRevealer.zip and select Extract All....
    2. Click Next on seeing the Welcome screen.
    3. You will see a screen asking you to select where you want the files to be extracted to. By default, this will be desktop.
    4. Click Next again.
    5. Check (tick) Show extracted files box and click Finish.
    6. Double click on RootkitRevealer.exe to run it.
    7. A license agreement will be shown to you. Read through it and click on Agree.
    8. Click on Scan at the bottom right hand corner.
    9. When the scan is done, Rootkit Revealer will say Scan complete: X discrepancies found (X are numbers; message at the bottom left hand corner).
    10. Click on File > Save.
    11. By default, it would save to C:\Windows\System32 folder.
    12. Click on Desktop on the left, then click on the Save button.
    13. A RootkitRevealer.txt will be on your desktop.
    14. Open it, select all the contents, copy and paste the contents in your next reply.

  3. As I do not have AVG AntiRootKit Free version I can not give you the instructions but if possible I would like to see the log from AVG AntiRootKit Free version.

  4. Run a new HijackThis scan and post the log together with the results from Virus Total or Jotti , the Rootkit revealer log, the AVG AntiRootKit Free version, and the latest Combofix log in this thread. Post as many posts as you need.
User avatar
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem

Re: Possible rootkit?

Unread postby poksao » June 18th, 2008, 8:10 am

File qfe149.tmp received on 06.18.2008 14:05:23 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.6.18.2 2008.06.18 -
AntiVir 7.8.0.55 2008.06.18 -
Authentium 5.1.0.4 2008.06.18 -
Avast 4.8.1195.0 2008.06.17 -
AVG 7.5.0.516 2008.06.18 -
BitDefender 7.2 2008.06.18 -
CAT-QuickHeal 9.50 2008.06.17 -
ClamAV 0.93.1 2008.06.18 -
DrWeb 4.44.0.09170 2008.06.18 -
eSafe 7.0.15.0 2008.06.17 -
eTrust-Vet 31.6.5884 2008.06.18 -
Ewido 4.0 2008.06.18 -
F-Prot 4.4.4.56 2008.06.18 -
F-Secure 6.70.13260.0 2008.06.18 -
Fortinet 3.14.0.0 2008.06.18 -
GData 2.0.7306.1023 2008.06.18 -
Ikarus T3.1.1.26.0 2008.06.18 -
Kaspersky 7.0.0.125 2008.06.18 -
McAfee 5319 2008.06.17 -
Microsoft 1.3604 2008.06.18 -
NOD32v2 3196 2008.06.18 -
Norman 5.80.02 2008.06.17 -
Panda 9.0.0.4 2008.06.18 -
Prevx1 V2 2008.06.18 -
Rising 20.49.22.00 2008.06.18 -
Sophos 4.30.0 2008.06.18 -
Sunbelt 3.0.1153.1 2008.06.15 -
Symantec 10 2008.06.18 -
TheHacker 6.2.92.354 2008.06.18 -
TrendMicro 8.700.0.1004 2008.06.18 -
VBA32 3.12.6.7 2008.06.17 -
VirusBuster 4.3.26:9 2008.06.12 -
Webwasher-Gateway 6.6.2 2008.06.18 -
Additional information
File size: 534920 bytes
MD5...: 438812fd303b17aadbdcc868591ef14a
SHA1..: 2e049ddcd170455a13ebc3b44f67f832b3fb1e4d
SHA256: 8c7c1f45c1d757778f4a864c0509a3375903ed4a0c9bfbc98e49804eae01ec29
SHA512: d8f13a6c6ed4360ece861ba9a2195cc3426a917933356e4c7ecbe63e125d1a4b<br>cfa7166470f9265ddcf1a53d8db3adddddf617dcf5d4bde8b5b2d90023cd07e1
PEiD..: -
PEInfo: PE Structure information<br><br>( base data )<br>entrypointaddress.: 0x1005a45<br>timedatestamp.....: 0x42c180e5 (Tue Jun 28 16:55:01 2005)<br>machinetype.......: 0x14c (I386)<br><br>( 3 sections )<br>name viradd virsiz rawdsiz ntrpy md5<br>.text 0x2000 0x7982 0x7a00 6.61 45b56aaa26cf5d751c5b57f5878d362c<br>.data 0xa000 0x110d4 0x200 0.51 c8771d98406001582ad5088573570ac1<br>.rsrc 0x1c000 0xd0c 0x78400 8.00 e0fa9babad72f3a161307c4281c3a162<br><br>( 7 imports ) <br>&gt; KERNEL32.dll: CreateFileA, GetDriveTypeA, HeapFree, FormatMessageA, LeaveCriticalSection, DeleteFileA, EnterCriticalSection, TerminateProcess, WaitForMultipleObjects, CreateEventW, SetEvent, Sleep, SetEnvironmentVariableA, GetEnvironmentVariableA, WideCharToMultiByte, HeapAlloc, SetLastError, WriteFile, MoveFileA, ExitProcess, DeleteCriticalSection, FlushFileBuffers, WaitForSingleObject, OpenEventA, GetCurrentProcess, GetFileAttributesA, GetCommandLineA, GetModuleFileNameA, DeviceIoControl, FindNextFileA, FindFirstFileA, CopyFileA, SetFileAttributesA, SystemTimeToFileTime, GetSystemTime, GetDiskFreeSpaceA, QueryDosDeviceA, GetCurrentDirectoryA, SetEndOfFile, SetFileTime, LocalFileTimeToFileTime, DosDateTimeToFileTime, GetExitCodeProcess, CreateProcessA, ExpandEnvironmentStringsA, GetFileSize, CreateThread, CreateEventA, GetProcessHeap, InitializeCriticalSectionAndSpinCount, GetModuleHandleA, QueryPerformanceCounter, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, SetUnhandledExceptionFilter, GetSystemDirectoryA, CloseHandle, LoadLibraryA, GetProcAddress, FreeLibrary, SetErrorMode, GetTickCount, CreateDirectoryA, GetLastError, RemoveDirectoryA, MoveFileExA, SetFilePointer, ReadFile, FindClose, GetVersionExA<br>&gt; msvcrt.dll: sprintf, strchr, _strnicmp, _stricmp, strrchr, _strlwr, strncpy, strstr, _vsnprintf, _snprintf<br>&gt; ADVAPI32.dll: OpenProcessToken, GetLengthSid, InitiateSystemShutdownA, AllocateAndInitializeSid, CryptReleaseContext, CryptGenRandom, CryptAcquireContextA, SetSecurityDescriptorDacl, AddAccessAllowedAce, InitializeAcl, InitializeSecurityDescriptor, GetTokenInformation<br>&gt; USER32.dll: ShowWindow, SendDlgItemMessageA, SendMessageA, DialogBoxParamA, MessageBoxA, LoadStringA, EndDialog, SetParent<br>&gt; ntdll.dll: NtShutdownSystem, NtAdjustPrivilegesToken, NtClose, NtOpenProcessToken<br>&gt; COMCTL32.dll: -<br>&gt; SHELL32.dll: SHBrowseForFolderA, SHGetPathFromIDListA<br><br>( 0 exports ) <br>
packers (Kaspersky): PE_Patch
packers (F-Prot): CAB
poksao
Active Member
 
Posts: 13
Joined: May 3rd, 2008, 8:25 pm
Location: Ma'aleh Adumim

Re: Possible rootkit?

Unread postby poksao » June 18th, 2008, 8:19 am

File qfeBB.tmp received on 06.18.2008 14:11:26 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.6.18.2 2008.06.18 -
AntiVir 7.8.0.55 2008.06.18 -
Authentium 5.1.0.4 2008.06.18 -
Avast 4.8.1195.0 2008.06.17 -
AVG 7.5.0.516 2008.06.18 -
BitDefender 7.2 2008.06.18 -
CAT-QuickHeal 9.50 2008.06.17 -
ClamAV 0.93.1 2008.06.18 -
DrWeb 4.44.0.09170 2008.06.18 -
eSafe 7.0.15.0 2008.06.17 -
eTrust-Vet 31.6.5884 2008.06.18 -
Ewido 4.0 2008.06.18 -
F-Prot 4.4.4.56 2008.06.18 -
F-Secure 6.70.13260.0 2008.06.18 -
Fortinet 3.14.0.0 2008.06.18 -
GData 2.0.7306.1023 2008.06.18 -
Ikarus T3.1.1.26.0 2008.06.18 -
Kaspersky 7.0.0.125 2008.06.18 -
McAfee 5319 2008.06.17 -
Microsoft 1.3604 2008.06.18 -
NOD32v2 3196 2008.06.18 -
Norman 5.80.02 2008.06.17 -
Panda 9.0.0.4 2008.06.18 -
Prevx1 V2 2008.06.18 -
Rising 20.49.22.00 2008.06.18 -
Sophos 4.30.0 2008.06.18 -
Sunbelt 3.0.1153.1 2008.06.15 -
Symantec 10 2008.06.18 -
TheHacker 6.2.92.354 2008.06.18 -
TrendMicro 8.700.0.1004 2008.06.18 -
VBA32 3.12.6.7 2008.06.17 -
VirusBuster 4.3.26:9 2008.06.12 -
Webwasher-Gateway 6.6.2 2008.06.18 -
Additional information
File size: 539448 bytes
MD5...: 9a78fff0c7e32d3596d13f9288897d77
SHA1..: 9f47965e92a2d10732f95d4112eccbd4ea19e259
SHA256: ae31c3cdbe602aefe4e0c70bf89f2a442e5a2f2af710522800aade31c161dc08
SHA512: 86786f65da3a873677a28d443074129dcb957afab8e1fe802318deddf43c6f80<br>71fd2fcd3ea9f9e7dfd6dd25e69ced761c669c21071b3e6a010d6cd1a5cbf2b8
PEiD..: -
PEInfo: PE Structure information<br><br>( base data )<br>entrypointaddress.: 0x1005a45<br>timedatestamp.....: 0x42c180e5 (Tue Jun 28 16:55:01 2005)<br>machinetype.......: 0x14c (I386)<br><br>( 3 sections )<br>name viradd virsiz rawdsiz ntrpy md5<br>.text 0x2000 0x7982 0x7a00 6.61 45b56aaa26cf5d751c5b57f5878d362c<br>.data 0xa000 0x110d4 0x200 0.51 853082e9f8f367c5814f23ee54031073<br>.rsrc 0x1c000 0xd0c 0x7a000 8.00 445f064e8043c4b758b3778880b578b7<br><br>( 7 imports ) <br>&gt; KERNEL32.dll: CreateFileA, GetDriveTypeA, HeapFree, FormatMessageA, LeaveCriticalSection, DeleteFileA, EnterCriticalSection, TerminateProcess, WaitForMultipleObjects, CreateEventW, SetEvent, Sleep, SetEnvironmentVariableA, GetEnvironmentVariableA, WideCharToMultiByte, HeapAlloc, SetLastError, WriteFile, MoveFileA, ExitProcess, DeleteCriticalSection, FlushFileBuffers, WaitForSingleObject, OpenEventA, GetCurrentProcess, GetFileAttributesA, GetCommandLineA, GetModuleFileNameA, DeviceIoControl, FindNextFileA, FindFirstFileA, CopyFileA, SetFileAttributesA, SystemTimeToFileTime, GetSystemTime, GetDiskFreeSpaceA, QueryDosDeviceA, GetCurrentDirectoryA, SetEndOfFile, SetFileTime, LocalFileTimeToFileTime, DosDateTimeToFileTime, GetExitCodeProcess, CreateProcessA, ExpandEnvironmentStringsA, GetFileSize, CreateThread, CreateEventA, GetProcessHeap, InitializeCriticalSectionAndSpinCount, GetModuleHandleA, QueryPerformanceCounter, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, SetUnhandledExceptionFilter, GetSystemDirectoryA, CloseHandle, LoadLibraryA, GetProcAddress, FreeLibrary, SetErrorMode, GetTickCount, CreateDirectoryA, GetLastError, RemoveDirectoryA, MoveFileExA, SetFilePointer, ReadFile, FindClose, GetVersionExA<br>&gt; msvcrt.dll: sprintf, strchr, _strnicmp, _stricmp, strrchr, _strlwr, strncpy, strstr, _vsnprintf, _snprintf<br>&gt; ADVAPI32.dll: OpenProcessToken, GetLengthSid, InitiateSystemShutdownA, AllocateAndInitializeSid, CryptReleaseContext, CryptGenRandom, CryptAcquireContextA, SetSecurityDescriptorDacl, AddAccessAllowedAce, InitializeAcl, InitializeSecurityDescriptor, GetTokenInformation<br>&gt; USER32.dll: ShowWindow, SendDlgItemMessageA, SendMessageA, DialogBoxParamA, MessageBoxA, LoadStringA, EndDialog, SetParent<br>&gt; ntdll.dll: NtShutdownSystem, NtAdjustPrivilegesToken, NtClose, NtOpenProcessToken<br>&gt; COMCTL32.dll: -<br>&gt; SHELL32.dll: SHBrowseForFolderA, SHGetPathFromIDListA<br><br>( 0 exports ) <br>
packers (Kaspersky): PE_Patch
packers (F-Prot): CAB
poksao
Active Member
 
Posts: 13
Joined: May 3rd, 2008, 8:25 pm
Location: Ma'aleh Adumim

Re: Possible rootkit?

Unread postby poksao » June 18th, 2008, 3:42 pm

ComboFix 08-06-15.4 - Laizer 2008-06-18 22:28:43.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1294 [GMT 3:00]
Running from: C:\Documents and Settings\Laizer\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Laizer\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Laizer\Application Data\uTorrent
C:\Documents and Settings\Laizer\Application Data\uTorrent\[DB]_Bleach_168_[7804D19E].avi.torrent
C:\Documents and Settings\Laizer\Application Data\uTorrent\[DB]_Bleach_169_[441E1525].avi.torrent
C:\Documents and Settings\Laizer\Application Data\uTorrent\[DB]_Naruto_191_[E7923CB9].avi.torrent
C:\Documents and Settings\Laizer\Application Data\uTorrent\[DB]_Naruto_192_[B41EC78F].avi.torrent
C:\Documents and Settings\Laizer\Application Data\uTorrent\[DB]_Naruto_193_[8BBD60BF].avi.torrent
C:\Documents and Settings\Laizer\Application Data\uTorrent\[DB]_Naruto_194_[05D99A25].avi.torrent
C:\Documents and Settings\Laizer\Application Data\uTorrent\[DB]_Naruto_195_[BFFE78CB].avi.torrent
C:\Documents and Settings\Laizer\Application Data\uTorrent\[DB]_Naruto_Movie_3_[C688AE50].avi.torrent
C:\Documents and Settings\Laizer\Application Data\uTorrent\Alcohol 120% 1.9.7.torrent
C:\Documents and Settings\Laizer\Application Data\uTorrent\AnyDVD&AnyDVD HD 6.4.0.4 FINAL (NEW).torrent
C:\Documents and Settings\Laizer\Application Data\uTorrent\Bizet - Sinfonia n.1.torrent
C:\Documents and Settings\Laizer\Application Data\uTorrent\Constantine[2005]DvDRip[Eng]-BoBo.torrent
C:\Documents and Settings\Laizer\Application Data\uTorrent\dht.dat
C:\Documents and Settings\Laizer\Application Data\uTorrent\Eragon[2006]DvDrip[Eng]-aXXo.avi.torrent
C:\Documents and Settings\Laizer\Application Data\uTorrent\Lady.In.The.Water[2006]DvDrip[Eng]-aXXo.torrent
C:\Documents and Settings\Laizer\Application Data\uTorrent\Melanie C - This Time (2007) - Pop [www.torrentazos.com].rar.torrent
C:\Documents and Settings\Laizer\Application Data\uTorrent\NightWatch.avi.torrent
C:\Documents and Settings\Laizer\Application Data\uTorrent\Philharmonic Orc.torrent
C:\Documents and Settings\Laizer\Application Data\uTorrent\resume.dat
C:\Documents and Settings\Laizer\Application Data\uTorrent\resume.dat.old
C:\Documents and Settings\Laizer\Application Data\uTorrent\Robert Plant & Alison Krauss - Raising Sand (256Kbps).torrent
C:\Documents and Settings\Laizer\Application Data\uTorrent\Ryan Adams - Follow The Lights EP [2007].torrent
C:\Documents and Settings\Laizer\Application Data\uTorrent\settings.dat
C:\Documents and Settings\Laizer\Application Data\uTorrent\settings.dat.old
C:\Documents and Settings\Laizer\Application Data\uTorrent\Simpsons.Season.18.Complete.PDTV-XViD.torrent
C:\Documents and Settings\Laizer\Application Data\uTorrent\South.Park.S12E03.DSR.XviD-0TV.avi.torrent
C:\Documents and Settings\Laizer\Application Data\uTorrent\The Simpsons, the complete 19th season.torrent
C:\Documents and Settings\Laizer\Application Data\uTorrent\The Venture Bros Brothers Season 1,2 extras [Geophage].torrent
C:\Documents and Settings\Laizer\Application Data\uTorrent\Tom Lehrer - Evening Wasted with Tom Lehrer.torrent
C:\Documents and Settings\Laizer\Application Data\uTorrent\Tom Lehrer - That Was The Year That Was (1965).torrent
C:\Documents and Settings\Laizer\Application Data\uTorrent\Tom Lehrer - That Was the Year That Was.torrent
C:\Documents and Settings\Laizer\Application Data\uTorrent\Top 100 Masterpieces of Classical Music 1685-1928.torrent
C:\Documents and Settings\Laizer\Application Data\uTorrent\utorrent.lng

.
((((((((((((((((((((((((( Files Created from 2008-05-18 to 2008-06-18 )))))))))))))))))))))))))))))))
.

2008-06-17 22:04 . 2008-06-17 22:05 <DIR> d-------- C:\DotNetNuke_2
2008-06-16 23:13 . 2008-06-16 23:13 <DIR> d-------- C:\Program Files\Java
2008-06-16 23:13 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-16 23:01 . 2008-06-16 23:07 <DIR> d-------- C:\Documents and Settings\Laizer\.SunDownloadManager
2008-06-16 17:33 . 2008-06-16 17:33 <DIR> d-------- C:\Program Files\Alcohol Soft
2008-06-11 22:15 . 2007-01-18 15:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2008-06-11 15:38 . 2008-04-14 14:01 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 15:38 . 2008-04-14 14:01 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-02 21:32 . 2008-06-02 21:32 <DIR> d-------- C:\Program Files\A-Ray Scanner
2008-05-27 20:58 . 2008-05-27 21:03 <DIR> d-------- C:\Documents and Settings\Laizer\Application Data\yoclient
2008-05-26 08:11 . 2008-06-12 09:19 <DIR> d--h----- C:\$AVG8.VAULT$
2008-05-25 14:16 . 2008-06-18 09:25 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-25 14:16 . 2008-05-25 14:16 <DIR> d-------- C:\Program Files\AVG
2008-05-25 14:16 . 2008-05-26 09:04 <DIR> d-------- C:\Documents and Settings\Laizer\Application Data\AVGTOOLBAR
2008-05-25 14:16 . 2008-05-25 14:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-25 14:16 . 2008-05-25 14:16 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-25 14:16 . 2008-05-25 14:16 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-05-25 14:16 . 2008-05-25 14:16 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-16 20:21 --------- d-----w C:\Program Files\PeerGuardian2
2008-06-16 15:05 --------- d-----w C:\Program Files\SlySoft
2008-05-25 11:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-05-17 20:52 --------- d-----w C:\Documents and Settings\Laizer\Application Data\.purple
2008-05-14 19:14 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Lenovo
2008-05-14 19:14 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-05-14 19:14 --------- d-----w C:\Documents and Settings\Administrator\Application Data\ATI
2008-05-11 09:38 --------- d-----w C:\Documents and Settings\Laizer\Application Data\U3
2008-05-08 12:28 202,752 ------w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-06 19:33 --------- d-----w C:\Program Files\Real Alternative
2008-05-05 14:07 --------- d-----w C:\Program Files\ThinkVantage Fingerprint Software
2008-05-05 13:57 --------- d-----w C:\Program Files\Common Files\ThinkVantage Fingerprint Software
2008-05-05 13:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\UIB
2008-05-05 13:54 --------- d-----w C:\Program Files\NetWaiting
2008-05-05 13:54 --------- d-----w C:\Program Files\Digital Line Detect
2008-05-05 13:54 --------- d-----w C:\Documents and Settings\Laizer\Application Data\InstallShield
2008-05-05 13:53 --------- d-----w C:\Program Files\PCDR5
2008-05-05 13:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC-Doctor
2008-05-05 13:51 21,361 ------w C:\WINDOWS\system32\drivers\AegisP.sys
2008-05-05 13:51 21,361 ------w C:\WINDOWS\AegisP.sys
2008-05-05 13:51 --------- d-----w C:\Program Files\Lenovo
2008-05-05 13:51 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\Intel
2008-05-05 13:51 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Intel
2008-05-05 13:51 --------- d-----w C:\Documents and Settings\Laizer\Application Data\Intel
2008-05-05 13:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intel
2008-05-05 13:38 534,920 ------w C:\WINDOWS\qfe149.tmp
2008-05-05 13:36 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-05 13:34 539,448 ------w C:\WINDOWS\qfeBB.tmp
2008-05-05 13:09 --------- d-----w C:\Program Files\ThinkPad
2008-05-03 22:47 --------- d-----w C:\Program Files\Trend Micro
2008-05-01 11:11 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Media Player Classic
2007-08-03 14:47 32,768 --sh--w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012007080320070804\index.dat
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Documents and Settings\All Users\Application Data\UIB ----

2007-08-14 17:02 9322496 --------- C:\Documents and Settings\All Users\Application Data\UIB\{A2289997-10A3-48F2-AA03-99180D761661}\pshome.msi

---- Directory of C:\Documents and Settings\Laizer\Application Data\.purple ----

2008-05-17 23:52 767 --a------ C:\Documents and Settings\Laizer\Application Data\.purple\status.xml
2008-05-17 23:52 4207 --a------ C:\Documents and Settings\Laizer\Application Data\.purple\accounts.xml
2008-05-17 23:52 16377 --a------ C:\Documents and Settings\Laizer\Application Data\.purple\prefs.xml
2008-05-17 23:52 11873 --a------ C:\Documents and Settings\Laizer\Application Data\.purple\blist.xml
2008-03-31 01:30 1346 --------- C:\Documents and Settings\Laizer\Application Data\.purple\icons\434a4ebdec51e2b10ef097197d9ea16a22e1ef09.jpg
2008-03-31 01:27 8355 --------- C:\Documents and Settings\Laizer\Application Data\.purple\icons\b3fde5d1b04b432359df0316a2c627a77585c06e.png
2007-09-24 15:55 5232 --------- C:\Documents and Settings\Laizer\Application Data\.purple\accels
2007-09-11 16:00 2776 --------- C:\Documents and Settings\Laizer\Application Data\.purple\icons\799a252c2f2e13537f601050642b3bc53f4fe107.jpg
2007-09-11 15:59 3479 --------- C:\Documents and Settings\Laizer\Application Data\.purple\icons\9ef3241166c6d8b0507f3f2a5bb6b4bd3b7f943d.jpg
2007-09-06 11:46 8187 --------- C:\Documents and Settings\Laizer\Application Data\.purple\icons\6b7eeae5dc6ad4b44f0e24c1fa3de2f2d11f62f7.jpg
2007-09-06 11:46 4724 --------- C:\Documents and Settings\Laizer\Application Data\.purple\icons\5822bddd73107ed7f804b77499012fcf0a3e0057.gif
2007-09-06 11:46 2820 --------- C:\Documents and Settings\Laizer\Application Data\.purple\icons\55847dfa5db3e2aa52884f110b44e7c7d188a133.jpg
2007-09-06 11:46 1145 --------- C:\Documents and Settings\Laizer\Application Data\.purple\icons\8457407f46366fbb80d0ce2cdc492f07129f7323.jpg


((((((((((((((((((((((((((((( snapshot@2008-06-16_23.28.36.00 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-16 20:24:20 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-18 19:31:27 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-17 18:19:54 7,168 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\dotnetnuke website1\f960bb13\324461b8\App_Code.eb6civ2v.dll
+ 2008-06-17 18:19:55 6,144 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\dotnetnuke website1\f960bb13\324461b8\App_global.asax.xdvcnhrr.dll
+ 2008-06-17 18:19:50 122,880 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\dotnetnuke website1\f960bb13\324461b8\assembly\dl3\17795215\00e5f383_9269c801\SharpZipLib.DLL
+ 2008-06-17 18:19:49 36,864 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\dotnetnuke website1\f960bb13\324461b8\assembly\dl3\1a5bc144\003ed307_2584c801\DotNetNuke.Provider.AspNetProvider.DLL
+ 2008-06-17 18:19:48 45,056 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\dotnetnuke website1\f960bb13\324461b8\assembly\dl3\1b7bae3e\006b0409_2584c801\DotNetNuke.DNNScheduler.DLL
+ 2008-06-17 18:19:49 28,672 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\dotnetnuke website1\f960bb13\324461b8\assembly\dl3\1c781da1\006b0409_2584c801\DotNetNuke.Search.DataStore.DLL
+ 2008-06-17 18:19:49 126,976 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\dotnetnuke website1\f960bb13\324461b8\assembly\dl3\21a31b27\003f5686_9269c801\DotNetNuke.FckHtmlEditorProvider.DLL
+ 2008-06-17 18:19:47 28,672 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\dotnetnuke website1\f960bb13\324461b8\assembly\dl3\37707ce6\0098350a_2584c801\DotNetNuke.Caching.BroadcastPollingCachingProvider.DLL
+ 2008-06-17 18:19:49 53,248 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\dotnetnuke website1\f960bb13\324461b8\assembly\dl3\455feb4c\0011a206_2584c801\DotNetNuke.HttpModules.DLL
+ 2008-06-17 18:19:47 28,672 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\dotnetnuke website1\f960bb13\324461b8\assembly\dl3\457b5720\0098350a_2584c801\DotNetNuke.ASP2MenuNavigationProvider.DLL
+ 2008-06-17 18:19:50 40,960 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\dotnetnuke website1\f960bb13\324461b8\assembly\dl3\50cdd2b5\006b0409_2584c801\DotNetNuke.SolpartMenuNavigationProvider.DLL
+ 2008-06-17 18:19:50 40,960 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\dotnetnuke website1\f960bb13\324461b8\assembly\dl3\596dcc9b\00a918fd_2484c801\DotNetNuke.WebUtility.DLL
+ 2008-06-17 18:19:49 28,672 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\dotnetnuke website1\f960bb13\324461b8\assembly\dl3\647b9c42\003ed307_2584c801\DotNetNuke.Provider.DNNProvider.DLL
+ 2008-06-17 18:19:50 40,960 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\dotnetnuke website1\f960bb13\324461b8\assembly\dl3\673df61c\0098350a_2584c801\DotNetNuke.XMLLoggingProvider.DLL
+ 2008-06-17 18:19:48 32,768 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\dotnetnuke website1\f960bb13\324461b8\assembly\dl3\74a8b3ce\0098350a_2584c801\DotNetNuke.DNNMenuNavigationProvider.DLL
+ 2008-06-17 18:19:49 36,864 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\dotnetnuke website1\f960bb13\324461b8\assembly\dl3\74d47147\0098350a_2584c801\DotNetNuke.Provider.DBLoggingProvider.DLL
+ 2008-06-17 18:19:50 20,480 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\dotnetnuke website1\f960bb13\324461b8\assembly\dl3\8175ad38\006b0409_2584c801\DotNetNuke.Search.Index.DLL
+ 2008-06-17 18:19:48 1,024,000 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\dotnetnuke website1\f960bb13\324461b8\assembly\dl3\8d64f14f\008a0e03_2584c801\DotNetNuke.DLL
+ 2008-06-17 18:19:49 32,768 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\dotnetnuke website1\f960bb13\324461b8\assembly\dl3\95d46f1c\008a0e03_2584c801\DotNetNuke.Membership.Dataprovider.DLL
+ 2008-06-17 18:19:50 229,376 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\dotnetnuke website1\f960bb13\324461b8\assembly\dl3\974d967a\00204c8c_9269c801\SolpartWebControls.DLL
+ 2008-06-17 18:19:50 36,864 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\dotnetnuke website1\f960bb13\324461b8\assembly\dl3\b8434cc6\00f6d676_9269c801\Microsoft.ApplicationBlocks.Data.DLL
+ 2008-06-17 18:19:50 701,816 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\dotnetnuke website1\f960bb13\324461b8\assembly\dl3\bfe736e3\00204c8c_9269c801\System.Web.Extensions.DLL
+ 2008-06-17 18:19:49 24,576 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\dotnetnuke website1\f960bb13\324461b8\assembly\dl3\c24cc206\006b0409_2584c801\DotNetNuke.DNNTreeNavigationProvider.DLL
+ 2008-06-17 18:19:47 24,576 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\dotnetnuke website1\f960bb13\324461b8\assembly\dl3\cbea4cfa\0098350a_2584c801\DotNetNuke.Caching.FileBasedCachingProvider.DLL
+ 2008-06-17 18:19:50 40,960 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\dotnetnuke website1\f960bb13\324461b8\assembly\dl3\ce8e9975\007ce7fb_2484c801\DotNetNuke.Services.Syndication.DLL
+ 2008-06-17 18:19:47 36,864 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\dotnetnuke website1\f960bb13\324461b8\assembly\dl3\d7d56dab\00f553f8_2484c801\CountryListBox.DLL
+ 2008-06-17 18:19:48 20,480 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\dotnetnuke website1\f960bb13\324461b8\assembly\dl3\e0d15911\0098350a_2584c801\DotNetNuke.DNNDropDownNavigationProvider.DLL
+ 2008-06-17 18:19:50 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\dotnetnuke website1\f960bb13\324461b8\assembly\dl3\e3fd0f59\0011a206_2584c801\DotNetNuke.SqlDataProvider.DLL
+ 2008-06-17 18:19:50 126,976 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\dotnetnuke website1\f960bb13\324461b8\assembly\dl3\e4d10466\00204c8c_9269c801\DotNetNuke.WebControls.DLL
- 2008-06-16 20:25:30 234,361 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-06-18 19:32:22 243,703 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-06-18 19:31:32 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_5f0.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TVT Scheduler Proxy"="C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2007-11-06 16:27 487424]
"TpShocks"="TpShocks.exe" [2007-11-22 15:09 181536 C:\WINDOWS\system32\TpShocks.exe]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2006-06-03 08:00 856064]
"TPHOTKEY"="C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe" [2008-01-24 10:21 66928]
"TP4EX"="tp4ex.exe" [2005-10-17 11:11 65536 C:\WINDOWS\system32\TP4EX.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2007-08-10 19:30 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-08-10 19:30 512000]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 10:11 925696]
"PWRMGRTR"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2008-01-11 01:30 294912]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2006-03-16 02:07 421888]
"PDService.exe"="C:\Program Files\Lenovo\SafeGuard PrivateDisk\pdservice.exe" [2006-03-14 02:38 41472]
"LPManager"="C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe" [2008-01-11 03:21 144728]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-28 02:50 81920]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 02:50 221184]
"IBM Warranty Notification"="C:\Program Files\IBM\acp\ERTS0749\ERTS0749.exe" [2004-03-12 19:24 106496]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-04-27 03:33 243248]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2006-02-02 15:20 122940]
"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-05-19 02:24 196696]
"cssauth"="C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" [2006-07-15 04:13 2341632]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2008-01-11 01:30 208896]
"AwaySch"="C:\Program Files\Lenovo\AwayTask\AwaySch.EXE" [2006-08-16 20:07 69632]
"AMSG"="C:\Program Files\ThinkVantage\AMSG\Amsg.exe" [2005-11-14 09:23 487424]
"ACWLIcon"="C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-02-20 02:02 110592]
"ACTray"="C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe" [2007-02-20 02:10 409600]
"LPMailChecker"="C:\PROGRA~1\THINKV~2\PrdCtr\LPMLCHK.exe" [2008-01-11 03:21 124248]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 13:35 90112]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"TPFNF7"="C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2008-03-26 03:06 59680]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-25 14:16 1177368]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

C:\Documents and Settings\Laizer\Start Menu\Programs\Startup\
CCC.lnk - C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2007-07-17 12:13:34 49152]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe [2007-11-26 15:58:10 576104]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2008-05-05 16:54:51 50688]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 23:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
ACNotify.dll 2007-02-20 02:03 32768 C:\Program Files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AwayNotify]
C:\Program Files\Lenovo\AwayTask\AwayNotify.dll 2006-08-16 20:07 49152 C:\Program Files\Lenovo\AwayTask\AwayNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
C:\WINDOWS\system32\psqlpwd.dll 2007-08-14 15:54 89600 C:\WINDOWS\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
C:\Program Files\Lenovo\HOTKEY\notifyf2.dll 2006-09-06 17:37 34344 C:\Program Files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
C:\Program Files\Lenovo\HOTKEY\tphklock.dll 2007-12-14 16:36 28672 C:\Program Files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1700:TCP"= 1700:TCP:MioNet Remote Drive Access 0
"1701:TCP"= 1701:TCP:MioNet Remote Drive Access 1
"1702:TCP"= 1702:TCP:MioNet Remote Drive Access 2
"1703:TCP"= 1703:TCP:MioNet Remote Drive Access 3
"1704:TCP"= 1704:TCP:MioNet Remote Drive Access 4
"1705:TCP"= 1705:TCP:MioNet Remote Drive Access 5
"1706:TCP"= 1706:TCP:MioNet Remote Drive Access 6
"1707:TCP"= 1707:TCP:MioNet Remote Drive Access 7
"1708:TCP"= 1708:TCP:MioNet Remote Drive Access 8
"1709:TCP"= 1709:TCP:MioNet Remote Drive Access 9
"1641:TCP"= 1641:TCP:MioNet Remote Drive Verification
"1647:TCP"= 1647:TCP:MioNet Storage Device Configuration
"5432:UDP"= 5432:UDP:MioNet Storage Device Discovery

R0 Shockprf;Shockprf;C:\WINDOWS\system32\DRIVERS\Apsx86.sys [2007-10-16 18:33]
R0 TPDIGIMN;TPDIGIMN;C:\WINDOWS\system32\DRIVERS\ApsHM86.sys [2007-10-16 18:32]
R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2005-11-08 19:27]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-25 14:16]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\Drivers\IBMBLDID.sys [2006-01-13 10:33]
R1 TPPWRIF;TPPWRIF;C:\WINDOWS\system32\drivers\Tppwrif.sys [2008-01-11 01:30]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-25 14:16]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-25 14:16]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-25 14:16]
R2 MsDtsServer;SQL Server Integration Services;"C:\Program Files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe" [2005-10-14 04:45]
R2 PrivateDisk;PrivateDisk;C:\Program Files\Lenovo\SafeGuard PrivateDisk\PrivateDiskM.sys [2006-03-14 02:05]
R2 smi2;smi2;C:\Program Files\SMI2\smi2.sys [2006-07-15 01:55]
R2 smihlp2;SMI Helper Driver (smihlp2);C:\Program Files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [2007-08-14 15:46]
R3 TcUsb;TC USB Kernel Driver;C:\WINDOWS\system32\Drivers\tcusb.sys [2007-08-14 15:25]
S3 ReportServer;SQL Server Reporting Services (MSSQLSERVER);"C:\Program Files\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer\bin\ReportingServicesService.exe" [2005-10-14 04:44]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"c:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{117d8906-033c-11dd-908a-00197ef9d08d}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e1acb4bc-d7d6-11dc-a96e-001b7795abb3}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-06-18 19:22:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-06-18 19:34:13 C:\WINDOWS\Tasks\PMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-18 22:33:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msftesql]
"ImagePath"="\"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:MSSQLSERVER"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\ThinkPad\ConnectUtilities\ACNotify.dll
-> C:\Program Files\ThinkPad\ConnectUtilities\AcSvcStub.dll
-> C:\Program Files\ThinkPad\ConnectUtilities\AcLocSettings.dll
-> C:\Program Files\ThinkPad\ConnectUtilities\ACHelper.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\system32\TPHDEXLG.exe
C:\WINDOWS\system32\TpKmpSvc.exe
C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
C:\Program Files\Lenovo\System Update\SUService.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Program Files\Lenovo\Client Security Solution\tvtpwm_tray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\ZOOM\TpScrex.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\PROGRA~1\ThinkPad\BLUETO~1\BTSTAC~1.EXE
.
**************************************************************************
.
Completion time: 2008-06-18 22:37:08 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-18 19:37:02
ComboFix2.txt 2008-06-16 20:28:55

Pre-Run: 24,424,046,592 bytes free
Post-Run: 24,410,210,304 bytes free

321 --- E O F --- 2008-06-11 16:49:58
poksao
Active Member
 
Posts: 13
Joined: May 3rd, 2008, 8:25 pm
Location: Ma'aleh Adumim

Re: Possible rootkit?

Unread postby poksao » June 18th, 2008, 4:10 pm

HKU\.DEFAULT\Control Panel\International 6/18/2008 10:37 PM 0 bytes Security mismatch.
HKU\.DEFAULT\Control Panel\International\Geo 6/18/2008 10:37 PM 0 bytes Security mismatch.
HKU\S-1-5-21-2366108668-2698812899-4126909892-1008\Control Panel\International 6/18/2008 10:37 PM 0 bytes Security mismatch.
HKU\S-1-5-21-2366108668-2698812899-4126909892-1008\Control Panel\International\Geo 6/18/2008 10:37 PM 0 bytes Security mismatch.
HKU\S-1-5-18\Control Panel\International 6/18/2008 10:37 PM 0 bytes Security mismatch.
HKU\S-1-5-18\Control Panel\International\Geo 6/18/2008 10:37 PM 0 bytes Security mismatch.
HKLM\SECURITY\Policy\Secrets\SAC* 4/30/2006 10:30 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 4/30/2006 10:30 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{3D14228D-FBE1-11D0-995D-00C04FD919C1}* 3/13/2008 12:14 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg 6/16/2008 5:39 PM 0 bytes Access is denied.
C:\RRbackups\C 2/6/2008 6:33 PM 0 bytes Hidden from Windows API.
C:\RRbackups\common 6/18/2008 10:32 PM 0 bytes Hidden from Windows API.
C:\RRbackups\common\backups.dat 6/18/2008 10:32 PM 8.00 KB Hidden from Windows API.
C:\RRbackups\common\hints.dat 6/18/2008 10:32 PM 8.00 KB Hidden from Windows API.
C:\RRbackups\common\mnd.dat 6/18/2008 10:32 PM 8.00 KB Hidden from Windows API.
C:\RRbackups\common\regcerts.dat 6/18/2008 10:32 PM 8.00 KB Hidden from Windows API.
C:\RRbackups\common\rr.log 6/18/2008 1:34 PM 38.60 KB Hidden from Windows API.
C:\RRbackups\common\SAM 6/18/2008 10:32 PM 40.00 KB Hidden from Windows API.
C:\RRbackups\common\seccache.dat 6/18/2008 10:32 PM 8.00 KB Hidden from Windows API.
C:\RRbackups\common\secpolicy.dat 6/18/2008 10:32 PM 60.00 KB Hidden from Windows API.
C:\RRbackups\common\settings.dat 6/18/2008 10:32 PM 28.00 KB Hidden from Windows API.
C:\RRbackups\common\system.dat 6/18/2008 10:32 PM 12.00 KB Hidden from Windows API.
C:\RRbackups\common\tvtns.bin 6/18/2008 10:31 PM 23 bytes Hidden from Windows API.
C:\RRbackups\common\usersids.dat 6/18/2008 10:32 PM 27.42 KB Hidden from Windows API.
C:\RRbackups\Documents and Settings 7/28/2007 10:47 AM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Administrator 7/28/2007 10:47 AM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Administrator\Application Data 7/28/2007 10:51 AM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Administrator\Application Data\Lenovo 6/18/2008 10:32 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Administrator\Application Data\Lenovo\Client Security Solution 6/18/2008 10:32 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Administrator\Application Data\Lenovo\Client Security Solution\config.ini 6/18/2008 10:32 PM 61 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Administrator\Application Data\Lenovo\Client Security Solution\cspContainer.dat 6/18/2008 10:32 PM 332 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Administrator\Application Data\Lenovo\Client Security Solution\cssversion.dat 6/18/2008 10:32 PM 1.86 KB Hidden from Windows API.
C:\RRbackups\Documents and Settings\Administrator\Application Data\Lenovo\Client Security Solution\encobject.dat 6/18/2008 10:32 PM 15.70 KB Hidden from Windows API.
C:\RRbackups\Documents and Settings\Administrator\Application Data\Lenovo\Client Security Solution\hibernation.dat 6/18/2008 10:32 PM 4 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Administrator\Application Data\Lenovo\Client Security Solution\hwkeys.dat 6/18/2008 10:32 PM 8.30 KB Hidden from Windows API.
C:\RRbackups\Documents and Settings\Administrator\Application Data\Lenovo\Client Security Solution\pwdrecovery.dat 6/18/2008 10:32 PM 1.08 KB Hidden from Windows API.
C:\RRbackups\Documents and Settings\Administrator\Application Data\Lenovo\Client Security Solution\symkeys.dat 6/18/2008 10:32 PM 2.24 KB Hidden from Windows API.
C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft 6/18/2008 10:32 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Crypto 6/18/2008 10:32 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA 6/18/2008 10:32 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-2366108668-2698812899-4126909892-500 6/18/2008 10:32 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-2366108668-2698812899-4126909892-500\533145ef011ddf5ca3983e2545a902b4_eeaf0d55-e266-438f-b7d4-49ce6c74b769 6/18/2008 10:32 PM 2.03 KB Hidden from Windows API.
C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-2366108668-2698812899-4126909892-500\a077ead69703e3bf1fd373a3c9376faa_eeaf0d55-e266-438f-b7d4-49ce6c74b769 6/18/2008 10:32 PM 77 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-2366108668-2698812899-4126909892-500\a18ca4003deb042bbee7a40f15e1970b_eeaf0d55-e266-438f-b7d4-49ce6c74b769 6/18/2008 10:32 PM 54 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect 6/18/2008 10:32 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\CREDHIST 6/18/2008 10:32 PM 160 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-2366108668-2698812899-4126909892-500 6/18/2008 10:32 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-2366108668-2698812899-4126909892-500\beca70d8-19d5-4ac9-83bb-99cca0be62c0 6/18/2008 10:32 PM 388 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-2366108668-2698812899-4126909892-500\Preferred 6/18/2008 10:32 PM 24 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-2430057740-2654540680-4122366965-500 6/18/2008 10:32 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-2430057740-2654540680-4122366965-500\94f7f3db-1dff-46cf-ae4b-e42ef6b0b34f 6/18/2008 10:32 PM 388 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-2430057740-2654540680-4122366965-500\Preferred 6/18/2008 10:32 PM 24 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-3977825914-750790669-869045047-500 6/18/2008 10:32 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-3977825914-750790669-869045047-500\5e68baf3-3b4d-445f-a180-e3244979da26 6/18/2008 10:32 PM 388 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-3977825914-750790669-869045047-500\Preferred 6/18/2008 10:32 PM 24 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-502673566-3566273203-2205971996-500 6/18/2008 10:32 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-502673566-3566273203-2205971996-500\60cdd550-9831-4790-b287-ca3073a07c5c 6/18/2008 10:32 PM 388 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-502673566-3566273203-2205971996-500\Preferred 6/18/2008 10:32 PM 24 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates 6/18/2008 10:32 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My 6/18/2008 10:32 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\Certificates 6/18/2008 10:32 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\CRLs 6/18/2008 10:32 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\CTLs 6/18/2008 10:32 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\All Users 7/28/2007 10:47 AM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\All Users\Application Data 8/3/2007 5:56 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\All Users\Application Data\Lenovo 6/18/2008 10:32 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\All Users\Application Data\Lenovo\Client Security Solution 6/18/2008 10:32 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\All Users\Application Data\Lenovo\Client Security Solution\cspContainer.dat 6/18/2008 10:32 PM 332 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\All Users\Application Data\Lenovo\Client Security Solution\encobject.dat 6/18/2008 10:32 PM 1.57 KB Hidden from Windows API.
C:\RRbackups\Documents and Settings\All Users\Application Data\Lenovo\Client Security Solution\hwkeys.dat 6/18/2008 10:32 PM 4.15 KB Hidden from Windows API.
C:\RRbackups\Documents and Settings\All Users\Application Data\Lenovo\Client Security Solution\symkeys.dat 6/18/2008 10:32 PM 656 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft 7/28/2007 10:47 AM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto 6/18/2008 10:32 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA 6/18/2008 10:32 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys 6/18/2008 10:32 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7a436fe806e483969f48a894af2fe9a1_eeaf0d55-e266-438f-b7d4-49ce6c74b769 6/18/2008 10:32 PM 1.69 KB Hidden from Windows API.
C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\a077ead69703e3bf1fd373a3c9376faa_eeaf0d55-e266-438f-b7d4-49ce6c74b769 6/18/2008 10:32 PM 901 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c2319c42033a5ca7f44e731bfd3fa2b5_eeaf0d55-e266-438f-b7d4-49ce6c74b769 6/18/2008 10:32 PM 1.71 KB Hidden from Windows API.
C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18 6/18/2008 10:32 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18\42e7e898003fbdeb9585806ee1664b51_eeaf0d55-e266-438f-b7d4-49ce6c74b769 6/18/2008 10:32 PM 57 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18\533145ef011ddf5ca3983e2545a902b4_eeaf0d55-e266-438f-b7d4-49ce6c74b769 6/18/2008 10:32 PM 2.03 KB Hidden from Windows API.
C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18\69aa310063315b7d103813995661d082_eeaf0d55-e266-438f-b7d4-49ce6c74b769 6/18/2008 10:32 PM 2.46 KB Hidden from Windows API.
C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18\6d14e4b1d8ca773bab785d1be032546e_eeaf0d55-e266-438f-b7d4-49ce6c74b769 6/18/2008 10:32 PM 47 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18\83aa4cc77f591dfc2374580bbd95f6ba_eeaf0d55-e266-438f-b7d4-49ce6c74b769 6/18/2008 10:32 PM 45 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18\8f71098770f72c7a67cd8f1151619865_eeaf0d55-e266-438f-b7d4-49ce6c74b769 6/18/2008 10:32 PM 54 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18\d42cc0c3858a58db2db37658219e6400_eeaf0d55-e266-438f-b7d4-49ce6c74b769 6/18/2008 10:32 PM 893 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Default User 7/28/2007 10:47 AM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Default User\Application Data 8/3/2007 5:56 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Default User\Application Data\Lenovo 8/3/2007 6:01 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft 6/18/2008 10:32 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Crypto 6/18/2008 10:32 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Crypto\RSA 6/18/2008 10:32 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect 6/18/2008 10:32 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\CREDHIST 6/18/2008 10:32 PM 24 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-2430057740-2654540680-4122366965-500 6/18/2008 10:32 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-2430057740-2654540680-4122366965-500\94f7f3db-1dff-46cf-ae4b-e42ef6b0b34f 6/18/2008 10:32 PM 388 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-2430057740-2654540680-4122366965-500\Preferred 6/18/2008 10:32 PM 24 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-3977825914-750790669-869045047-500 6/18/2008 10:32 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-3977825914-750790669-869045047-500\5e68baf3-3b4d-445f-a180-e3244979da26 6/18/2008 10:32 PM 388 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-3977825914-750790669-869045047-500\Preferred 6/18/2008 10:32 PM 24 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-502673566-3566273203-2205971996-500 6/18/2008 10:32 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-502673566-3566273203-2205971996-500\60cdd550-9831-4790-b287-ca3073a07c5c 6/18/2008 10:32 PM 388 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-502673566-3566273203-2205971996-500\Preferred 6/18/2008 10:32 PM 24 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates 6/18/2008 10:32 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\My 6/18/2008 10:32 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\My\Certificates 6/18/2008 10:32 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\My\CRLs 6/18/2008 10:32 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\My\CTLs 6/18/2008 10:32 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Laizer 8/3/2007 5:56 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Laizer\Application Data 8/3/2007 5:56 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Laizer\Application Data\Lenovo 6/18/2008 10:32 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Laizer\Application Data\Lenovo\Client Security Solution 6/18/2008 10:32 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Laizer\Application Data\Lenovo\Client Security Solution\config.ini 6/18/2008 10:32 PM 61 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Laizer\Application Data\Lenovo\Client Security Solution\cspContainer.dat 6/18/2008 10:32 PM 332 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Laizer\Application Data\Lenovo\Client Security Solution\cssversion.dat 6/18/2008 10:32 PM 1.86 KB Hidden from Windows API.
C:\RRbackups\Documents and Settings\Laizer\Application Data\Lenovo\Client Security Solution\encobject.dat 6/18/2008 10:32 PM 18.84 KB Hidden from Windows API.
C:\RRbackups\Documents and Settings\Laizer\Application Data\Lenovo\Client Security Solution\hibernation.dat 6/18/2008 10:32 PM 4 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Laizer\Application Data\Lenovo\Client Security Solution\hwkeys.dat 6/18/2008 10:32 PM 10.37 KB Hidden from Windows API.
C:\RRbackups\Documents and Settings\Laizer\Application Data\Lenovo\Client Security Solution\Laizer.pwm 6/18/2008 10:32 PM 4.11 KB Hidden from Windows API.
C:\RRbackups\Documents and Settings\Laizer\Application Data\Lenovo\Client Security Solution\pwdrecovery.dat 6/18/2008 10:32 PM 1.08 KB Hidden from Windows API.
C:\RRbackups\Documents and Settings\Laizer\Application Data\Lenovo\Client Security Solution\pwmaction.dat 6/18/2008 10:32 PM 448 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Laizer\Application Data\Lenovo\Client Security Solution\symkeys.dat 6/18/2008 10:32 PM 2.24 KB Hidden from Windows API.
C:\RRbackups\Documents and Settings\Laizer\Application Data\Microsoft 6/18/2008 10:32 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Laizer\Application Data\Microsoft\Crypto 6/18/2008 10:32 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Laizer\Application Data\Microsoft\Crypto\RSA 6/18/2008 10:32 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Laizer\Application Data\Microsoft\Crypto\RSA\S-1-5-21-2366108668-2698812899-4126909892-1008 6/18/2008 10:32 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Laizer\Application Data\Microsoft\Crypto\RSA\S-1-5-21-2366108668-2698812899-4126909892-1008\533145ef011ddf5ca3983e2545a902b4_eeaf0d55-e266-438f-b7d4-49ce6c74b769 6/18/2008 10:32 PM 2.03 KB Hidden from Windows API.
C:\RRbackups\Documents and Settings\Laizer\Application Data\Microsoft\Crypto\RSA\S-1-5-21-2366108668-2698812899-4126909892-1008\6b29ae44e85efac3c72ff4d1865d73f1_eeaf0d55-e266-438f-b7d4-49ce6c74b769 6/18/2008 10:32 PM 53 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Laizer\Application Data\Microsoft\Crypto\RSA\S-1-5-21-2366108668-2698812899-4126909892-1008\83aa4cc77f591dfc2374580bbd95f6ba_eeaf0d55-e266-438f-b7d4-49ce6c74b769 6/18/2008 10:32 PM 45 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Laizer\Application Data\Microsoft\Crypto\RSA\S-1-5-21-2366108668-2698812899-4126909892-1008\8f71098770f72c7a67cd8f1151619865_eeaf0d55-e266-438f-b7d4-49ce6c74b769 6/18/2008 10:32 PM 54 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Laizer\Application Data\Microsoft\Crypto\RSA\S-1-5-21-2366108668-2698812899-4126909892-1008\a077ead69703e3bf1fd373a3c9376faa_eeaf0d55-e266-438f-b7d4-49ce6c74b769 6/18/2008 10:32 PM 77 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Laizer\Application Data\Microsoft\Crypto\RSA\S-1-5-21-2366108668-2698812899-4126909892-1008\a47f847bbd5baca0219358035854f0ae_eeaf0d55-e266-438f-b7d4-49ce6c74b769 6/18/2008 10:32 PM 47 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Laizer\Application Data\Microsoft\Protect 6/18/2008 10:32 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Laizer\Application Data\Microsoft\Protect\CREDHIST 6/18/2008 10:32 PM 160 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Laizer\Application Data\Microsoft\Protect\S-1-5-21-2366108668-2698812899-4126909892-1008 6/18/2008 10:32 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Laizer\Application Data\Microsoft\Protect\S-1-5-21-2366108668-2698812899-4126909892-1008\2adc4fc6-0672-482c-8edd-38369dd50a30 6/18/2008 10:32 PM 388 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Laizer\Application Data\Microsoft\Protect\S-1-5-21-2366108668-2698812899-4126909892-1008\5fffa42e-ec50-40a3-aa3f-8f02f10b4719 6/18/2008 10:32 PM 388 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Laizer\Application Data\Microsoft\Protect\S-1-5-21-2366108668-2698812899-4126909892-1008\7185d6df-b018-4f60-b5ef-27032eb6e3fb 6/18/2008 10:32 PM 388 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Laizer\Application Data\Microsoft\Protect\S-1-5-21-2366108668-2698812899-4126909892-1008\a73b7da4-d59f-47d9-ad79-b53c3f5e4fb5 6/18/2008 10:32 PM 388 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Laizer\Application Data\Microsoft\Protect\S-1-5-21-2366108668-2698812899-4126909892-1008\Preferred 6/18/2008 10:32 PM 24 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Laizer\Application Data\Microsoft\Protect\S-1-5-21-2430057740-2654540680-4122366965-500 6/18/2008 10:32 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Laizer\Application Data\Microsoft\Protect\S-1-5-21-2430057740-2654540680-4122366965-500\94f7f3db-1dff-46cf-ae4b-e42ef6b0b34f 6/18/2008 10:32 PM 388 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Laizer\Application Data\Microsoft\Protect\S-1-5-21-2430057740-2654540680-4122366965-500\Preferred 6/18/2008 10:32 PM 24 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Laizer\Application Data\Microsoft\Protect\S-1-5-21-3977825914-750790669-869045047-500 6/18/2008 10:32 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Laizer\Application Data\Microsoft\Protect\S-1-5-21-3977825914-750790669-869045047-500\5e68baf3-3b4d-445f-a180-e3244979da26 6/18/2008 10:32 PM 388 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Laizer\Application Data\Microsoft\Protect\S-1-5-21-3977825914-750790669-869045047-500\Preferred 6/18/2008 10:32 PM 24 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Laizer\Application Data\Microsoft\Protect\S-1-5-21-502673566-3566273203-2205971996-500 6/18/2008 10:32 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Laizer\Application Data\Microsoft\Protect\S-1-5-21-502673566-3566273203-2205971996-500\60cdd550-9831-4790-b287-ca3073a07c5c 6/18/2008 10:32 PM 388 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Laizer\Application Data\Microsoft\Protect\S-1-5-21-502673566-3566273203-2205971996-500\Preferred 6/18/2008 10:32 PM 24 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Laizer\Application Data\Microsoft\SystemCertificates 6/18/2008 10:32 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Laizer\Application Data\Microsoft\SystemCertificates\My 6/18/2008 10:32 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Laizer\Application Data\Microsoft\SystemCertificates\My\Certificates 6/18/2008 10:32 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Laizer\Application Data\Microsoft\SystemCertificates\My\CRLs 6/18/2008 10:32 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Laizer\Application Data\Microsoft\SystemCertificates\My\CTLs 6/18/2008 10:32 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\LocalService 7/28/2007 10:47 AM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\LocalService\Application Data 7/28/2007 10:47 AM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft 6/18/2008 10:32 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates 6/18/2008 10:32 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My 6/18/2008 10:32 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My\Certificates 6/18/2008 10:32 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My\CRLs 6/18/2008 10:32 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My\CTLs 6/18/2008 10:32 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\NetworkService 7/28/2007 10:47 AM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\NetworkService\Application Data 7/28/2007 10:47 AM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft 6/18/2008 10:32 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\Crypto 6/18/2008 10:32 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\Crypto\RSA 6/18/2008 10:32 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\Crypto\RSA\S-1-5-20 6/18/2008 10:32 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\Crypto\RSA\S-1-5-20\94498385663a229a93d423c6d144ae0b_eeaf0d55-e266-438f-b7d4-49ce6c74b769 6/18/2008 10:32 PM 2.46 KB Hidden from Windows API.
C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\Protect 6/18/2008 10:32 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\Protect\CREDHIST 6/18/2008 10:32 PM 24 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\Protect\S-1-5-20 6/18/2008 10:32 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\Protect\S-1-5-20\5e681113-4443-427f-befc-6363c49fb800 6/18/2008 10:32 PM 388 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\Protect\S-1-5-20\Preferred 6/18/2008 10:32 PM 24 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates 6/18/2008 10:32 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates\My 6/18/2008 10:32 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates\My\Certificates 6/18/2008 10:32 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates\My\CRLs 6/18/2008 10:32 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates\My\CTLs 6/18/2008 10:32 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Yonat 8/3/2007 7:37 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Yonat\Application Data 8/3/2007 7:37 PM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Yonat\Application Data\Lenovo 10/8/2007 11:06 AM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Yonat\Application Data\Lenovo\Client Security Solution 10/8/2007 11:06 AM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Yonat\Application Data\Lenovo\Client Security Solution\config.ini 10/8/2007 11:06 AM 61 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Yonat\Application Data\Lenovo\Client Security Solution\cspContainer.dat 10/8/2007 11:06 AM 332 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Yonat\Application Data\Lenovo\Client Security Solution\cssversion.dat 10/8/2007 11:06 AM 1.86 KB Hidden from Windows API.
C:\RRbackups\Documents and Settings\Yonat\Application Data\Lenovo\Client Security Solution\encobject.dat 10/8/2007 11:06 AM 18.84 KB Hidden from Windows API.
C:\RRbackups\Documents and Settings\Yonat\Application Data\Lenovo\Client Security Solution\hibernation.dat 10/8/2007 11:06 AM 4 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Yonat\Application Data\Lenovo\Client Security Solution\hwkeys.dat 10/8/2007 11:06 AM 10.37 KB Hidden from Windows API.
C:\RRbackups\Documents and Settings\Yonat\Application Data\Lenovo\Client Security Solution\pwdrecovery.dat 10/8/2007 11:06 AM 1.08 KB Hidden from Windows API.
C:\RRbackups\Documents and Settings\Yonat\Application Data\Lenovo\Client Security Solution\symkeys.dat 10/8/2007 11:06 AM 2.24 KB Hidden from Windows API.
C:\RRbackups\Documents and Settings\Yonat\Application Data\Microsoft 10/8/2007 11:06 AM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Yonat\Application Data\Microsoft\Crypto 10/8/2007 11:06 AM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Yonat\Application Data\Microsoft\Crypto\RSA 10/8/2007 11:06 AM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Yonat\Application Data\Microsoft\Crypto\RSA\S-1-5-21-2366108668-2698812899-4126909892-1009 10/8/2007 11:06 AM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Yonat\Application Data\Microsoft\Crypto\RSA\S-1-5-21-2366108668-2698812899-4126909892-1009\533145ef011ddf5ca3983e2545a902b4_eeaf0d55-e266-438f-b7d4-49ce6c74b769 10/8/2007 11:06 AM 2.03 KB Hidden from Windows API.
C:\RRbackups\Documents and Settings\Yonat\Application Data\Microsoft\Crypto\RSA\S-1-5-21-2366108668-2698812899-4126909892-1009\aac64aa2408e7971ee2cbe72de01c9d9_eeaf0d55-e266-438f-b7d4-49ce6c74b769 10/8/2007 11:06 AM 46 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Yonat\Application Data\Microsoft\Protect 10/8/2007 11:06 AM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Yonat\Application Data\Microsoft\Protect\CREDHIST 10/8/2007 11:06 AM 160 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Yonat\Application Data\Microsoft\Protect\S-1-5-21-2366108668-2698812899-4126909892-1009 10/8/2007 11:06 AM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Yonat\Application Data\Microsoft\Protect\S-1-5-21-2366108668-2698812899-4126909892-1009\b52a9c0d-8c1f-41a6-970c-447dfa482c3e 10/8/2007 11:06 AM 388 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Yonat\Application Data\Microsoft\Protect\S-1-5-21-2366108668-2698812899-4126909892-1009\Preferred 10/8/2007 11:06 AM 24 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Yonat\Application Data\Microsoft\Protect\S-1-5-21-2430057740-2654540680-4122366965-500 10/8/2007 11:06 AM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Yonat\Application Data\Microsoft\Protect\S-1-5-21-2430057740-2654540680-4122366965-500\94f7f3db-1dff-46cf-ae4b-e42ef6b0b34f 10/8/2007 11:06 AM 388 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Yonat\Application Data\Microsoft\Protect\S-1-5-21-2430057740-2654540680-4122366965-500\Preferred 10/8/2007 11:06 AM 24 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Yonat\Application Data\Microsoft\Protect\S-1-5-21-3977825914-750790669-869045047-500 10/8/2007 11:06 AM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Yonat\Application Data\Microsoft\Protect\S-1-5-21-3977825914-750790669-869045047-500\5e68baf3-3b4d-445f-a180-e3244979da26 10/8/2007 11:06 AM 388 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Yonat\Application Data\Microsoft\Protect\S-1-5-21-3977825914-750790669-869045047-500\Preferred 10/8/2007 11:06 AM 24 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Yonat\Application Data\Microsoft\Protect\S-1-5-21-502673566-3566273203-2205971996-500 10/8/2007 11:06 AM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Yonat\Application Data\Microsoft\Protect\S-1-5-21-502673566-3566273203-2205971996-500\60cdd550-9831-4790-b287-ca3073a07c5c 10/8/2007 11:06 AM 388 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Yonat\Application Data\Microsoft\Protect\S-1-5-21-502673566-3566273203-2205971996-500\Preferred 10/8/2007 11:06 AM 24 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Yonat\Application Data\Microsoft\SystemCertificates 10/8/2007 11:06 AM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Yonat\Application Data\Microsoft\SystemCertificates\My 10/8/2007 11:06 AM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Yonat\Application Data\Microsoft\SystemCertificates\My\Certificates 10/8/2007 11:06 AM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Yonat\Application Data\Microsoft\SystemCertificates\My\CRLs 10/8/2007 11:06 AM 0 bytes Hidden from Windows API.
C:\RRbackups\Documents and Settings\Yonat\Application Data\Microsoft\SystemCertificates\My\CTLs 10/8/2007 11:06 AM 0 bytes Hidden from Windows API.
C:\RRbackups\SIS 8/27/2007 1:15 PM 0 bytes Hidden from Windows API.
C:\RRbackups\SIS\C 2/6/2008 6:33 PM 0 bytes Hidden from Windows API.
poksao
Active Member
 
Posts: 13
Joined: May 3rd, 2008, 8:25 pm
Location: Ma'aleh Adumim

Re: Possible rootkit?

Unread postby poksao » June 18th, 2008, 4:14 pm

AVGAntiRootKitFree output
C:\WINDOWS\System32\Drivers\appc1ybt.SYS,Hidden driver file
poksao
Active Member
 
Posts: 13
Joined: May 3rd, 2008, 8:25 pm
Location: Ma'aleh Adumim

Re: Possible rootkit?

Unread postby poksao » June 18th, 2008, 4:16 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:15:18 PM, on 6/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\Program Files\Lenovo\Client Security Solution\tvtpwm_tray.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\SafeGuard PrivateDisk\pdservice.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\Program Files\ThinkVantage\AMSG\Amsg.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\PROGRA~1\THINKV~2\PrdCtr\LPMLCHK.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\PROGRA~1\ThinkPad\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\7-Zip\7zFM.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.mizrahi-tefahot.co.il/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [PDService.exe] "C:\Program Files\Lenovo\SafeGuard PrivateDisk\pdservice.exe"
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [IBM Warranty Notification] "C:\Program Files\IBM\acp\ERTS0749\ERTS0749.exe /nointro"
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
O4 - HKLM\..\Run: [AMSG] C:\Program Files\ThinkVantage\AMSG\Amsg.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [LPMailChecker] C:\PROGRA~1\THINKV~2\PrdCtr\LPMLCHK.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: CCC.lnk = ?
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - https://www-307.ibm.com/pc/support/acce ... /AcpIR.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: AwayNotify - C:\Program Files\Lenovo\AwayTask\AwayNotify.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: tvtnetwk - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe

--
End of file - 13198 bytes
poksao
Active Member
 
Posts: 13
Joined: May 3rd, 2008, 8:25 pm
Location: Ma'aleh Adumim

Re: Possible rootkit?

Unread postby Elrond » June 19th, 2008, 8:37 am

I see that you have Alcohol 120 installed. That is known to have this effect as does Deamon Tools. See both pages of this thread. http://www.techspot.com/vb/topic103349.html
There is nothing else that is suspicious in your logs from what I can see.

Please reply if you think that Deamontools/Alcohol is the reason for what AVG finds.
User avatar
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem

Re: Possible rootkit?

Unread postby poksao » June 19th, 2008, 9:19 am

That clears everything up. Toda Raba!
poksao
Active Member
 
Posts: 13
Joined: May 3rd, 2008, 8:25 pm
Location: Ma'aleh Adumim

Re: Possible rootkit?

Unread postby Elrond » June 19th, 2008, 9:30 am

Al ein b'ad ma v'shalom. :D
User avatar
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 26 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware