ComboFix 07-06-13.7
"u242593" - 2007-06-18 15:38:17 - Service Pack 2 NTFS
(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\mljgddd.dll
C:\WINDOWS\ddabba.dll
C:\WINDOWS\hggebb.dll
C:\WINDOWS\jkjkkk.dll
C:\WINDOWS\mliigh.dll
C:\WINDOWS\vtusts.dll
C:\WINDOWS\wvvsqr.dll
C:\WINDOWS\xxyaxu.dll
C:\WINDOWS\uwyxbc.ini
C:\WINDOWS\abbadd.ini
C:\WINDOWS\ttwadd.ini
C:\WINDOWS\ruwycf.ini
C:\WINDOWS\bbeggh.ini
C:\WINDOWS\gghhkj.ini
C:\WINDOWS\hihjkj.ini
C:\WINDOWS\kkkjkj.ini
C:\WINDOWS\adeghk.ini
C:\WINDOWS\hgiilm.ini
C:\WINDOWS\nmlmnn.ini
C:\WINDOWS\nmoopo.ini
C:\WINDOWS\stsutv.ini
C:\WINDOWS\vuvutv.ini
C:\WINDOWS\rqsvvw.ini
C:\WINDOWS\uxayxx.ini
C:\WINDOWS\system32\imsula.dll
C:\WINDOWS\cbxywu.dll
C:\WINDOWS\ddawtt.dll
C:\WINDOWS\fcywur.dll
C:\WINDOWS\jkhhgg.dll
C:\WINDOWS\jkjhih.dll
C:\WINDOWS\khgeda.dll
C:\WINDOWS\nnmlmn.dll
C:\WINDOWS\opoomn.dll
C:\WINDOWS\vtuvuv.dll
* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\DOCUME~1\u242593\APPLIC~1\tmp11.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp12.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp13.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp14.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp15.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp16.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp1D.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp1E.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp1F.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp22.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp23.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp25.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp27.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp28.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp2A.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp2B.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp2BE.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp2C.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp2D.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp30.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp31.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp333.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp334.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp335.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp338.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp33C.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp33D.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp340.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp349.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp35.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp356.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp36A.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp3BE.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp3C.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp3C8.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp3D0.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp3D1.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp3DE.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp3DF.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp3E6.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp3ED.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp3EE.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp3EF.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp41.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp44.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp4A.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp4B.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp4C.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp4D.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp507.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp508.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp518.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp519.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp529.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp545.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp547.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp55.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp557.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp55B.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp55C.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp55F.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp56.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp560.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp564.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp569.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp56A.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp576.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp590.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp593.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp595.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp5AB.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp5AD.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp5B8.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp5E.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp61.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp70.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp744.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp745.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp74E.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp74F.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp750.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp752.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp753.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp78.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp7E7.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp8.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp835.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp839.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp856.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp85D.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp868.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp86C.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp870.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp874.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp88.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp9.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmp94.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmpA2.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmpA3.tmp.exe
C:\DOCUME~1\u242593\APPLIC~1\tmpA5.tmp.exe
C:\Temp\0b9
C:\Temp\0b9\tmpTF.log
C:\WINDOWS\system32\dwdsregt.exe
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\tmp35.tmp.dll
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\nm
((((((((((((((((((((((((( Files Created from 2007-05-18 to 2007-06-18 )))))))))))))))))))))))))))))))
2007-06-18 15:36 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-18 15:26 46,336 --a------ C:\WINDOWS\system32\tmp3EE.tmp.dll
2007-06-18 15:16 46,336 --a------ C:\WINDOWS\system32\tmp3DE.tmp.dll
2007-06-18 15:09 46,336 --a------ C:\WINDOWS\system32\tmp349.tmp.dll
2007-06-18 15:04 46,336 --a------ C:\WINDOWS\system32\tmp94.tmp.dll
2007-06-18 06:41 <DIR> d-------- C:\WINDOWS\DowScanFiles
2007-06-17 20:10 46,336 --a------ C:\WINDOWS\system32\tmp3C8.tmp.dll
2007-06-17 20:04 46,336 --a------ C:\WINDOWS\system32\tmp334.tmp.dll
2007-06-17 08:39 46,336 --a------ C:\WINDOWS\system32\tmp15.tmp.dll
2007-06-17 06:57 46,336 --a------ C:\WINDOWS\system32\tmpA.tmp.dll
2007-06-16 17:23 46,336 --a------ C:\WINDOWS\system32\tmp336.tmp.dll
2007-06-16 16:29 46,336 --a------ C:\WINDOWS\system32\tmp2C.tmp.dll
2007-06-16 08:31 46,336 --a------ C:\WINDOWS\system32\tmp1F.tmp.dll
2007-06-16 08:23 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-16 03:30 46,336 --a------ C:\WINDOWS\system32\tmp752.tmp.dll
2007-06-16 03:08 46,336 --a------ C:\WINDOWS\system32\tmp74E.tmp.dll
2007-06-16 02:42 46,336 --a------ C:\WINDOWS\system32\tmp744.tmp.dll
2007-06-16 02:32 10,027 --a------ C:\WINDOWS\system32\mspriv32.dll
2007-06-16 02:29 <DIR> d---s---- C:\DOCUME~1\LOCALS~1\UserData
2007-06-15 22:16 46,336 --a------ C:\WINDOWS\system32\tmp5AD.tmp.dll
2007-06-15 22:04 46,336 --a------ C:\WINDOWS\system32\tmp593.tmp.dll
2007-06-15 16:16 46,336 --a------ C:\WINDOWS\system32\tmp56A.tmp.dll
2007-06-15 16:00 46,336 --a------ C:\WINDOWS\system32\tmp560.tmp.dll
2007-06-15 15:52 46,336 --a------ C:\WINDOWS\system32\tmp55C.tmp.dll
2007-06-15 15:38 46,336 --a------ C:\WINDOWS\system32\tmp545.tmp.dll
2007-06-15 15:35 60,288 --a------ C:\WINDOWS\system32\drivers\CDAVFS.sys
2007-06-15 09:44 46,336 --a------ C:\WINDOWS\system32\tmp519.tmp.dll
2007-06-15 08:43 46,336 --a------ C:\WINDOWS\system32\tmp508.tmp.dll
2007-06-15 07:28 46,336 --a------ C:\WINDOWS\system32\tmp2BE.tmp.dll
2007-06-15 06:12 46,336 --a------ C:\WINDOWS\system32\tmp8.tmp.dll
2007-06-14 16:47 46,336 --a------ C:\WINDOWS\system32\tmp33D.tmp.dll
2007-06-14 16:37 46,336 --a------ C:\WINDOWS\system32\tmp333.tmp.dll
2007-06-14 16:27 46,336 --a------ C:\WINDOWS\system32\tmp56.tmp.dll
2007-06-14 16:09 46,336 --a------ C:\WINDOWS\system32\tmp44.tmp.dll
2007-06-14 15:55 46,336 --a------ C:\WINDOWS\system32\tmp31.tmp.dll
2007-06-14 15:39 46,336 --a------ C:\WINDOWS\system32\tmp28.tmp.dll
2007-06-14 08:06 <DIR> d-------- C:\DOCUME~1\u242593\.housecall6.6
2007-06-14 07:41 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-06-13 16:52 <DIR> d-------- C:\WINDOWS\system32\win
2007-06-13 16:52 <DIR> d-------- C:\WINDOWS\system32\S7
2007-06-13 16:52 <DIR> d-------- C:\WINDOWS\system32\S6
2007-06-13 16:52 <DIR> d-------- C:\WINDOWS\system32\S2
2007-06-13 16:52 <DIR> d-------- C:\WINDOWS\system32\S1
2007-06-13 16:52 <DIR> d-------- C:\WINDOWS\system32\o02PrEz
2007-06-13 16:52 <DIR> d-------- C:\Temp\iee
2007-06-12 09:42 23 --ahs---- C:\WINDOWS\system32\afedcbcffccf_r.dll
2007-06-12 09:30 46,336 --a------ C:\WINDOWS\system32\tmp4D.tmp.dll
2007-06-05 17:09 46,336 --a------ C:\WINDOWS\system32\tmp13.tmp.dll
2007-06-05 07:57 <DIR> d-------- C:\DOCUME~1\u242593\APPLIC~1\Leadertech
2007-06-05 07:57 <DIR> d-------- C:\DOCUME~1\u242593\APPLIC~1\AdobeAUM
2007-06-05 06:51 1,310,720 --ah----- C:\DOCUME~1\ffrupdw\ntuser.dat
2007-06-05 06:51 <DIR> d---s---- C:\DOCUME~1\ffrupdw\UserData
2007-06-02 09:48 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2007-06-02 07:40 <DIR> d-------- C:\DOCUME~1\u242593\APPLIC~1\Lavasoft
2007-06-01 10:04 <DIR> d-------- C:\Program Files\LimeWire Turbo Accelerator
2007-06-01 10:04 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2007-05-19 12:40 <DIR> d-------- C:\Program Files\Maxis
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-18 17:29:47 -------- d-----w C:\Program Files\MIP
2007-06-17 05:00:00 5,427 ----a-w C:\WINDOWS\system32\EGATHDRV.SYS
2007-06-16 12:52:25 -------- d-----w C:\Program Files\LimeWire
2007-06-15 21:10:36 -------- d-----w C:\DOCUME~1\u242593\APPLIC~1\LimeWire
2007-06-13 21:16:30 -------- d-----w C:\DOCUME~1\u242593\APPLIC~1\PSM
2007-06-13 13:46:03 -------- d-----w C:\Program Files\mtl
2007-06-12 13:37:25 -------- d-----w C:\Program Files\Logbook
2007-06-08 16:35:19 -------- d-----w C:\Program Files\TMG
2007-06-06 20:50:33 -------- d-----w C:\Program Files\Lavasoft
2007-06-02 21:41:35 -------- d-----w C:\Program Files\Google
2007-06-02 14:51:45 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-02 14:50:58 -------- d-----w C:\DOCUME~1\u242593\APPLIC~1\yahoo!
2007-06-02 14:47:27 -------- d-----w C:\DOCUME~1\u242593\APPLIC~1\Google
2007-05-08 00:08:58 -------- d-----w C:\Program Files\Windows Media Connect 2
2007-05-08 00:08:57 -------- d-----w C:\Program Files\Timbuktu Pro
2007-05-08 00:08:57 -------- d-----w C:\Program Files\ThinkVantage Fingerprint Software
2007-05-08 00:08:56 -------- d-----w C:\Program Files\Sierra On-Line
2007-05-08 00:08:55 -------- d-----w C:\Program Files\Messenger
2007-05-08 00:08:55 -------- d-----w C:\Program Files\Mattel Vidster
2007-05-08 00:08:53 -------- d-----w C:\Program Files\eTime
2007-05-08 00:08:53 -------- d-----w C:\Program Files\CTT
2007-05-08 00:08:53 -------- d-----w C:\Program Files\ce_logbook
2007-05-08 00:08:53 -------- d-----w C:\Program Files\BBPTool
2007-05-03 19:44:24 -------- d-----w C:\Program Files\DssEvolution.com
2007-05-03 14:17:15 -------- d-----w C:\Program Files\Virtual Earth 3D
2007-04-26 12:41:22 -------- d-----w C:\Program Files\Deer Drive
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll [2006-05-03 02:14]
{7e3c240c-fdce-453e-8033-108131b60733}=C:\WINDOWS\system32\cvelddf.dll []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 07:11]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 13:17]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 13:16]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 16:14]
"vptray"="C:\Progra~1\Symantec\Symant~1\VPTray.exe" [2006-06-15 00:40]
"TPTRAY"="C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE" [2006-04-24 00:53]
"LPManager"="C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe" [2006-01-24 12:03]
"RunWCW"="C:\dowwapps\login\dwalogin.vbs" []
"DIRECT!"="C:\Program Files\Courion Corporation\Identity Management Suite DIRECT!\direct.exe" [2004-04-27 11:09]
"TLogonPath"="C:\Program Files\Timbuktu Pro\Tb2Logon.exe" [2005-11-16 12:10]
"WDS"="C:\Program Files\Windows Desktop Search\WindowsSearch.exe" [2006-03-26 23:44]
"PSQLLauncher"="C:\Program Files\ThinkVantage Fingerprint Software\launcher.exe" [2006-03-24 11:27]
"cssauth"="C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" [2006-05-12 21:15]
"TVT Scheduler Proxy"="C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2006-05-12 21:09]
"PWRMGRTR"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2005-12-07 00:12]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-12-07 00:12]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2006-02-24 01:22]
"TpShocks"="TpShocks.exe" [2005-11-07 12:14 C:\WINDOWS\system32\TpShocks.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-08-13 15:19]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-01-14 19:40]
"Synchronization Configuration"="C:\Dowwapps\scripts\Config_Mobsync_Run.vbs" [2003-04-24 14:11]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CyberDefender Early Detection Center"="C:\Program Files\CyberDefender\AntiSpyware\cdas53d.exe" []
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"Synchronization Configuration"=C:\dowwapps\scripts\config_mobsync_runonce.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservicesonce]
"DBKey2"=C:\WINDOWS\system32\regsvr32.exe /s C:\WINDOWS\system32\DBKey2.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"RunLogonScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"HideShutdownScripts"=0 (0x0)
"disablecad"=0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoRemoteRecursiveEvents"=1 (0x1)
"NoRemoteChangeNotify"=1 (0x1)
"NoWindowsUpdate"=1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisablePersonalDirChange"=1 (0x1)
"NoWindowsUpdate"=1 (0x1)
"MemCheckBoxInRunDlg"=1 (0x1)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"="C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-03-13 14:11]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
psqlpwd.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Timbuktu Pro]
C:\Program Files\Timbuktu Pro\Hook32.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
notifyf2.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
tphklock.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=c:\windows\system32\mljgddd.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages scecli psqlpwd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1060284298-861567501-682003330-77277\Scripts\Logoff\0\0]
"Script"=C:\Program Files\MIP\DWSBACKUP.vbs
Contents of the 'Scheduled Tasks' folder
2007-01-03 04:22:55 C:\WINDOWS\tasks\DWS Disk Cleanup.job
2007-02-22 02:20:45 C:\WINDOWS\tasks\DWS Disk Defrag.job
2007-06-18 20:53:43 C:\WINDOWS\tasks\PMTask.job
**************************************************************************
catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer,
http://www.gmer.net
Rootkit scan 2007-06-18 15:53:36
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-06-18 15:54:59 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-18 15:54
--- E O F ---
Logfile of HijackThis v1.99.1
Scan saved at 15:57, on 2007-06-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\MIP\AgentSrv.EXE
C:\Progra~1\Symantec\Symant~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Progra~1\Symantec\Symant~1\Rtvscan.exe
C:\Program Files\Timbuktu Pro\tb2launch.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\Program Files\Timbuktu Pro\TimbuktuRemoteConsole.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
c:\dowwapps\dwsservice\dwsservice.exe
C:\Program Files\Timbuktu Pro\tb2pro.exe
C:\Program Files\Timbuktu Pro\TNOTIFY.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Progra~1\Symantec\Symant~1\VPTray.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\Program Files\Timbuktu Pro\Tb2Logon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Windows Desktop Search\WindowsSearchIndexer.exe
C:\WINDOWS\wscript.exe
C:\Program Files\MIP\CBSysTray.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lahome.intranet.dow.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://dowhome.intranet.dow.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.intranet.dow.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=inet3.nam.dow.com:80;gopher=inet3.nam.dow.com:80;http=inet3.nam.dow.com:80;https=inet3.nam.dow.com:443
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7e3c240c-fdce-453e-8033-108131b60733} - C:\WINDOWS\system32\cvelddf.dll (file missing)
O3 - Toolbar: (no name) - {F35CE83E-9EBF-40d5-AE87-53F982389740} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\Progra~1\Symantec\Symant~1\VPTray.exe
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [RunWCW] C:\dowwapps\login\dwalogin.vbs
O4 - HKLM\..\Run: [DIRECT!] C:\Program Files\Courion Corporation\Identity Management Suite DIRECT!\direct.exe
O4 - HKLM\..\Run: [TLogonPath] "C:\Program Files\Timbuktu Pro\Tb2Logon.exe"
O4 - HKLM\..\Run: [WDS] "C:\Program Files\Windows Desktop Search\WindowsSearch.exe" /startup
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\ThinkVantage Fingerprint Software\launcher.exe" /startup
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Synchronization Configuration] C:\Dowwapps\scripts\Config_Mobsync_Run.vbs
O4 - HKLM\..\RunOnce: [Synchronization Configuration] C:\dowwapps\scripts\config_mobsync_runonce.vbs
O4 - HKLM\..\RunServicesOnce: [DBKey2] C:\WINDOWS\system32\regsvr32.exe /s C:\WINDOWS\system32\DBKey2.dll
O4 - HKCU\..\Run: [CyberDefender Early Detection Center] "C:\Program Files\CyberDefender\AntiSpyware\cdas53d.exe" /minimize
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: http://www.dow.com
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.c ... hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 5327803480
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dow.com
O17 - HKLM\Software\..\Telephony: DomainName = dow.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dow.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = dow.com,intranet.dow.com,nam.dow.com,eur.dow.com,lam.dow.com,asa.dow.com,aus.dow.com,afr.dow.com,sct.ucarb.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = dow.com,intranet.dow.com,nam.dow.com,eur.dow.com,lam.dow.com,asa.dow.com,aus.dow.com,afr.dow.com,sct.ucarb.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = dow.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = dow.com,intranet.dow.com,nam.dow.com,eur.dow.com,lam.dow.com,asa.dow.com,aus.dow.com,afr.dow.com,sct.ucarb.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = dow.com,intranet.dow.com,nam.dow.com,eur.dow.com,lam.dow.com,asa.dow.com,aus.dow.com,afr.dow.com,sct.ucarb.com
O20 - AppInit_DLLs: c:\windows\system32\mljgddd.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: psfus - C:\WINDOWS\SYSTEM32\psqlpwd.dll
O20 - Winlogon Notify: Timbuktu Pro - C:\Program Files\Timbuktu Pro\Hook32.dll
O20 - Winlogon Notify: tpfnf2 - C:\WINDOWS\SYSTEM32\notifyf2.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\MIP\AgentSrv.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Progra~1\Symantec\Symant~1\DefWatch.exe
O23 - Service: DomainService - Unknown owner - C:\Documents and Settings\u242593\Application Data\tmp8.tmp.exe (file missing)
O23 - Service: DWSService - The Dow Chemical Company - c:\dowwapps\dwsservice\dwsservice.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: OracleORAHOME90ClientCache - Unknown owner - C:\ORACLE\ORA90\BIN\ONRSD.EXE
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Progra~1\Symantec\Symant~1\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Progra~1\Symantec\Symant~1\Rtvscan.exe
O23 - Service: Tb2 Launch (Tb2Launch) - Netopia, Inc. - C:\Program Files\Timbuktu Pro\tb2launch.exe
O23 - Service: ThinkVantage Registry Monitor Service - Unknown owner - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: tvtnetwk - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
Thanks...