Again a high CPU usage issue


flying_suser

My computer is having high CPU fluctuation from 8 to 63%, apparently when no application is running. I've found a recently created file 'str.sys' (205 KB) in the C:\WINDOWS\system32\drivers folder. A Google search doesn't return anything informative. Moreover, I can't submit it to an online file scanner because it's in use.

I use Malwarebytes and PrevxCSI, which say that the system is clean.

I had a crash yesterday; the blue screen error message, as far as I remember, blamed a file 'pxark.sys' for doing some illegal operation. I think that file belongs to the PrevxCSI program.

I'm posting the HijackThis log and solicit the wisdom of the pros here:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:01:34 PM, on 2/4/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Lenovo\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\PMSveH.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\PMHandler.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Lenovo\HOTKEY\TPHKMGR.exe
C:\Program Files\Lenovo\HOTKEY\TpWAudAp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O1 - Hosts: 195.245.119.131 infected.browser-security.com
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HttpWatch Basic - {F1F69322-008F-4895-B2BF-AD194219825A} - C:\Program Files\HttpWatch\httpwatchsc.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPWAUDAP] C:\Program Files\Lenovo\HOTKEY\TpWAudAp.exe
O4 - HKLM\..\Run: [PMHandler] C:\WINDOWS\system32\PMHandler.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Locate Spot on Map by GPS - C:\Program Files\Opanda\IExif 2.3\IExifMap.htm
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\Lenovo\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: View Exif/GPS/IPTC with IExif - C:\Program Files\Opanda\IExif 2.3\IExifCom.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: HttpWatch Basic - {D103E85B-5D67-42c1-8C83-F01079DBAB26} - C:\Program Files\HttpWatch\httpwatch.dll
O9 - Extra 'Tools' menuitem: HttpWatch Basic - {D103E85B-5D67-42c1-8C83-F01079DBAB26} - C:\Program Files\HttpWatch\httpwatch.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.anandabazar.com/wfplayer/tdserver.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3DD8838A-AB94-4622-B706-3E01BD7EB360}: NameServer = 202.144.96.4,202.144.66.6
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL C:\WINDOWS\system32\bohemuko.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Lenovo\Bluetooth Software\bin\btwdins.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: PMSveH - Lenovo - C:\WINDOWS\system32\PMSveH.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: sotpeca Corporation (sotpeca) - Unknown owner - C:\WINDOWS\system32\sotpeca.exe (file missing)
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 8707 bytes
 
Remove

O1 - Hosts: 195.245.119.131 infected.browser-security.com

If you don't know the IP addresses below, delete this entry

O17 - HKLM\System\CCS\Services\Tcpip\..\{3DD8838A-AB94-4622-B706-3E01BD7EB360}: NameServer = 202.144.96.4,202.144.66.6

O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL C:\WINDOWS\system32\bohemuko.dll
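The entries singled out in the reply above (a hosts override, hard-coded DNS servers, an AppInit_DLLs list, a dead Winlogon Notify hook) are the HijackThis sections a reviewer reads first, together with O16 ActiveX downloads and O23 services that have no vendor name or no binary. The script below is an added example, not part of this thread and not a HijackThis feature: it parses HijackThis 2.x log lines in the layout shown in the logs above and returns those entries with a one-line reason each. The sample lines are copied from the first log posted above, with an O2, an O4 and a Lenovo O23 line kept so the filter has benign entries to leave alone. The `Finding` type and the flagging rules are this example's own assumptions, and a flag is a prompt to verify rather than a verdict: the log above also shows Lenovo's own AcPrfMgrSvc reported as "Unknown owner".

```python
"""Triage a HijackThis 2.x log: list the entries a reviewer checks first.

Added example: the section tags and line layout follow HijackThis 2.0.2 as
shown in the logs above; the flagging rules are this example's own.
"""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    section: str  # HijackThis section tag, e.g. "O23"
    reason: str   # why the line deserves a look (a prompt, not a verdict)
    line: str     # the log line itself


# "O23 - Service: ..." -> section tag and the rest of the line
_ENTRY = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")


def triage(log_text: str) -> List[Finding]:
    """Return the HijackThis lines worth a second look, with a reason for each."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _ENTRY.match(line)
        if not m:
            continue  # header, 'Running processes' paths, blank lines
        sec, body = m.group("sec"), m.group("body")
        dead = "(file missing)" in body

        if sec == "O1":
            # HijackThis only lists hosts entries beyond the default localhost
            # line; mapping a name to a public IP redirects it for every program.
            findings.append(Finding(sec, "hosts file overrides DNS for a hostname", line))
        elif sec == "O16":
            findings.append(Finding(sec, "ActiveX control downloaded from a web site; confirm the site is trusted", line))
        elif sec == "O17":
            ns = re.search(r"NameServer = (\S+)", body)
            servers = ns.group(1) if ns else "?"
            findings.append(Finding(sec, "DNS servers %s are set on the adapter; confirm they belong to your ISP" % servers, line))
        elif sec == "O20" and body.startswith("AppInit_DLLs:"):
            # Every DLL listed here is loaded into each process that links user32.
            # Assumption: entries are separated by spaces or commas, as in the
            # 8.3 paths above; a path containing spaces would be split wrongly.
            dlls = [d for d in re.split(r"[ ,]+", body.split(":", 1)[1]) if d]
            findings.append(Finding(sec, "AppInit_DLLs injected into every user32 process: " + ", ".join(dlls), line))
        elif sec == "O20" and dead:
            findings.append(Finding(sec, "Winlogon Notify entry whose DLL no longer exists", line))
        elif sec == "O23" and (dead or "Unknown owner" in body):
            findings.append(Finding(sec, "service with no vendor name or with a missing binary", line))
    return findings


# Sample input: lines copied from the first HijackThis log in this thread,
# with an O2, an O4 and a Lenovo O23 line kept as benign entries.
SAMPLE_LOG = r"""
O1 - Hosts: 195.245.119.131 infected.browser-security.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.anandabazar.com/wfplayer/tdserver.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3DD8838A-AB94-4622-B706-3E01BD7EB360}: NameServer = 202.144.96.4,202.144.66.6
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL C:\WINDOWS\system32\bohemuko.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: sotpeca Corporation (sotpeca) - Unknown owner - C:\WINDOWS\system32\sotpeca.exe (file missing)
"""


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("[%s] %s\n    %s" % (f.section, f.reason, f.line))
```

Run it against a full log pasted into `SAMPLE_LOG` (or read from a file) and work through the output top to bottom; an entry with a known vendor path that is merely missing is usually a leftover from an uninstall, while an unknown DLL in AppInit_DLLs or a service binary under system32 with a made-up vendor name is what to look up before deleting anything.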
 
Here are my HijackThis and ComboFix logs, BUT THE PROBLEM OF CPU FLUCTUATION STILL PERSISTS

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:40:02 PM, on 2/4/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PMSveH.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\PMHandler.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Lenovo\HOTKEY\TPHKMGR.exe
C:\Program Files\Lenovo\HOTKEY\TpWAudAp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HttpWatch Basic - {F1F69322-008F-4895-B2BF-AD194219825A} - C:\Program Files\HttpWatch\httpwatchsc.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPWAUDAP] C:\Program Files\Lenovo\HOTKEY\TpWAudAp.exe
O4 - HKLM\..\Run: [PMHandler] C:\WINDOWS\system32\PMHandler.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Locate Spot on Map by GPS - C:\Program Files\Opanda\IExif 2.3\IExifMap.htm
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\Lenovo\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: View Exif/GPS/IPTC with IExif - C:\Program Files\Opanda\IExif 2.3\IExifCom.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: HttpWatch Basic - {D103E85B-5D67-42c1-8C83-F01079DBAB26} - C:\Program Files\HttpWatch\httpwatch.dll
O9 - Extra 'Tools' menuitem: HttpWatch Basic - {D103E85B-5D67-42c1-8C83-F01079DBAB26} - C:\Program Files\HttpWatch\httpwatch.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Lenovo\Bluetooth Software\bin\btwdins.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: PMSveH - Lenovo - C:\WINDOWS\system32\PMSveH.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 8551 bytes
 
ComboFix log

ComboFix 09-02-02.04 - Mns 2009-02-04 21:02:07.2 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.365 [GMT 5.5:30]
Running from: d:\_utilities_\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\str.sys

.
((((((((((((((((((((((((( Files Created from 2009-01-04 to 2009-02-04 )))))))))))))))))))))))))))))))
.

2009-02-04 12:20 . 2009-02-04 12:20 <DIR> d-------- c:\program files\MSConfig CleanUp
2009-02-04 10:52 . 2009-02-04 10:52 <DIR> d-------- c:\program files\Trend Micro
2009-02-03 08:41 . 2009-02-03 08:41 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-02-03 01:43 . 2009-02-03 01:43 31,104 --a------ c:\windows\system32\drivers\khwmcm.sys
2009-01-31 08:39 . 2009-01-31 08:39 <DIR> d-------- C:\Downloads
2009-01-26 11:26 . 2009-01-26 11:26 <DIR> d-------- c:\documents and settings\Mns\Application Data\Apple Computer
2009-01-25 06:10 . 2009-01-25 06:10 <DIR> d-------- c:\program files\HttpWatch
2009-01-25 05:36 . 2008-11-06 04:51 3,833,856 --a------ c:\windows\system32\cdintf300.dll
2009-01-25 05:35 . 1996-01-01 19:08 1,241 --a------ c:\windows\clikbook.ini
2009-01-25 05:01 . 2009-01-25 05:01 <DIR> d-------- c:\program files\Free Download Manager
2009-01-25 05:01 . 2009-02-04 11:03 <DIR> d-------- c:\documents and settings\Mns\Application Data\Free Download Manager
2009-01-06 06:10 . 2009-01-06 06:10 <DIR> d-------- c:\documents and settings\Mns\.cytoscape

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-03 02:45 --------- d-----w c:\documents and settings\All Users\Application Data\PrevxCSI
2009-02-03 01:19 --------- d-----w c:\program files\Common Files\Adobe
2009-02-01 14:53 25,400 ----a-w c:\windows\system32\drivers\pxark.sys
2009-01-26 13:35 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-21 07:34 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-01-14 10:41 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 10:41 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-14 05:49 --------- d-----w c:\program files\Paint Shop Pro 5
2009-01-03 04:28 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-03 04:28 --------- d-----w c:\program files\FinePixViewer
2008-12-27 23:54 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-12-27 23:54 --------- d-----w c:\program files\Java
2008-12-16 22:52 --------- d-----w c:\documents and settings\Administrator\Application Data\Notepad++
2008-12-16 22:39 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-16 22:05 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-12-08 05:40 --------- d-----w c:\program files\QuickTime
2008-12-08 05:39 --------- d-----w c:\program files\Common Files\Apple
2008-12-08 05:39 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-12-08 05:16 603,904 ----a-w c:\windows\system32\TUProgSt.exe
2008-12-08 05:16 362,240 ----a-w c:\windows\system32\TuneUpDefragService.exe
2008-12-08 05:16 --------- d-----w c:\documents and settings\Mns\Application Data\TuneUp Software
2008-12-08 05:15 --------- d-sh--w c:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
2008-12-08 05:15 --------- d-----w c:\program files\TuneUp Utilities 2009
2008-12-08 05:15 --------- d-----w c:\documents and settings\All Users\Application Data\TuneUp Software
2008-12-08 04:36 --------- d-----w c:\program files\IObit
2008-12-07 02:24 --------- d-----w c:\program files\Perl Code Library
2008-11-12 11:14 27,904 ----a-w c:\windows\system32\uxtuneup.dll
2007-05-21 17:30 37,873,216 ----a-w c:\program files\iTunesSetup.exe
2007-05-04 23:20 4,222,516 ----a-w c:\program files\ABC-win32-v3.1.exe
2007-04-27 20:23 194,560 ----a-w c:\program files\AdbeRdr80_en_US.exe
2007-04-27 20:06 68,166 ----a-w c:\program files\HD_Speed_ENG.zip
2007-04-27 20:02 5,396,172 ----a-w c:\program files\lccwin32.exe
2007-04-27 20:02 459,966 ----a-w c:\program files\cpuspeed.exe
2007-04-23 18:11 5,355,320 ----a-w c:\program files\picasaweb-current-setup.exe
2007-04-19 19:23 92,672 ----a-w c:\program files\KillBox.exe
2007-04-16 20:44 1,494,016 ----a-w c:\program files\gsv48w32.exe
2007-04-16 20:40 6,208,000 ----a-w c:\program files\gs704w32.exe
2007-04-16 19:56 9,548,288 ----a-w c:\program files\gs853w32.exe
2007-04-14 16:12 2,023,736 ----a-w c:\program files\GoogleDesktopSetup.exe
2007-04-14 14:56 1,951,783 ----a-w c:\program files\VbRunDLLv3sp6.exe
2007-04-14 14:52 805,116 ----a-w c:\program files\Yazak_Install.exe
2007-04-13 19:21 16,263,816 ----a-w c:\program files\ActivePerl-5.8.8.820-MSWin32-x86-274739.msi
2007-04-06 18:02 6,910,136 ----a-w c:\program files\DJVUCNTL_61_EN.EXE
2007-04-03 18:14 2,685,104 ----a-w c:\program files\ccsetup138.exe
2007-04-01 17:48 1,450,649 ----a-w c:\program files\npp.4.0.2.Installer.exe
2007-04-01 14:57 9,453,630 ----a-w c:\program files\vlc-0.8.6a-win32.exe
2007-04-01 10:36 194 ----a-w c:\program files\AdbeRdr80_en_US_Nosso_error.log
2007-03-31 18:50 6,006,832 ----a-w c:\program files\Firefox Setup 2.0.0.3.exe
2007-03-31 18:41 1,035,271 ----a-w c:\program files\wrar362.exe
2009-01-14 05:48 0 ----a-w c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\moduleiex.dll
2009-01-14 05:48 0 ----a-w c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\pdgpecelawx.dll
2008-09-05 15:13 122,880 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2004-08-04 01:07 4,096 --sha-w c:\windows\system32\botrc.dat
.

((((((((((((((((((((((((((((( snapshot@2009-02-04_13.21.29.92 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-02-04 07:49:39 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-02-04 09:07:58 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-02-04 07:49:39 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-02-04 09:07:58 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-02-04 07:49:39 81,920 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-04 09:07:58 81,920 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPHKMGR.exe" [2005-12-21 94208]
"TPWAUDAP"="c:\program files\Lenovo\HOTKEY\TpWAudAp.exe" [2005-12-10 24064]
"PMHandler"="c:\windows\system32\PMHandler.exe" [2006-01-06 24576]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-10-29 761945]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2006-01-31 409600]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2006-01-31 98304]
"AGRSMMSG"="AGRSMMSG.exe" [2005-12-13 c:\windows\AGRSMMSG.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-12-21 09:46 24576 c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\F:\0autocheck autochk *

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snp2std]
--a------ 2005-10-20 14:18 339968 c:\windows\vsnp2std.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tsnp2std]
--a------ 2006-03-31 19:52 126976 c:\windows\system32\tsnp2std.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TuneUp.ProgramStatisticsSvc"=2 (0x2)
"matlabserver"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\ZakFromAnotherPlanet\\Yazak Chat\\iexplore.exe"=
"c:\\Program Files\\ABC\\abc.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\ActiveState Komodo IDE 4.1\\lib\\mozilla\\komodo.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\system32\\sessmgr.exe"=
"d:\\Cytoscape_v2.6.0\\Cytoscape.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=

R0 pxark;pxark;c:\windows\system32\drivers\pxark.sys [2008-11-10 25400]
R1 PMHler;PMHler;c:\windows\system32\drivers\PMHler.sys [2005-12-21 10240]
S1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2007-03-31 11520]
S1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.sys [2007-03-31 6016]
S2 grkfikrol;grkfikrol;c:\windows\system32\drivers\khwmcm.sys [2009-02-03 31104]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2007-04-01 29744]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\svcntaux.exe [2007-04-01 729416]
S4 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2008-12-08 603904]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{56f84647-1b34-11dd-9daf-000fb0cdfb7d}]
\Shell\AutoRun\command - mvxm.cmd
\Shell\explore\Command - mvxm.cmd
\Shell\open\Command - mvxm.cmd
.
Contents of the 'Scheduled Tasks' folder

2009-02-04 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-11-20 16:28]

2009-02-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1229272821-1614895754-725345543-1003.job
- c:\documents and settings\Mns\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-21 20:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Locate Spot on Map by GPS - c:\program files\Opanda\IExif 2.3\IExifMap.htm
IE: Send to &Bluetooth Device... - c:\program files\Lenovo\Bluetooth Software\btsendto_ie_ctx.htm
IE: View Exif/GPS/IPTC with IExif - c:\program files\Opanda\IExif 2.3\IExifCom.htm
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
FF - ProfilePath - c:\documents and settings\Mns\Application Data\Mozilla\Firefox\Profiles\uh9lqryb.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.http - 172.16.0.1
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll
FF - component: c:\program files\HttpWatch\Firefox\components\httpwatchff.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\Mns\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdjvu.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-04 21:04:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(272)
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\windows\system32\MSVCR71.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\windows\system32\tphklock.dll
.
Completion time: 2009-02-04 21:07:32
ComboFix-quarantined-files.txt 2009-02-04 15:37:30
ComboFix2.txt 2009-02-04 07:52:30

Pre-Run: 188,182,528 bytes free
Post-Run: 175,935,488 bytes free

Current=2 Default=2 Failed=0 LastKnownGood=4 Sets=1,2,3,4
Thanks Osiris, but I was wrong: 'str.sys' came back and ComboFix is not able to delete it. It happened that I deleted the file in safe mode and replaced it by an empty file under the same name; ComboFix earlier deleted that. But it's back again now. Here's the ComboFix log, and I use HttpWatch occasionally.

ComboFix 09-02-03.01 - Mns 2009-02-04 22:09:48.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.242 [GMT 5.5:30]
Running from: d:\_utilities_\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\str.sys . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2009-01-04 to 2009-02-04 )))))))))))))))))))))))))))))))
.

2009-02-04 22:13 . 2009-02-04 22:14 0 --a------ c:\windows\system32\drivers\str.sys
2009-02-04 21:56 . 2009-02-04 21:56 <DIR> d-------- c:\program files\PrevxCSI
2009-02-04 21:56 . 2009-02-04 21:56 21,512 --a------ c:\windows\system32\drivers\pxscan.sys
2009-02-04 21:56 . 2009-02-04 21:56 63 --a------ c:\windows\wininit.ini
2009-02-04 12:20 . 2009-02-04 12:20 <DIR> d-------- c:\program files\MSConfig CleanUp
2009-02-04 10:52 . 2009-02-04 10:52 <DIR> d-------- c:\program files\Trend Micro
2009-02-03 08:41 . 2009-02-03 08:41 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-01-31 08:39 . 2009-01-31 08:39 <DIR> d-------- C:\Downloads
2009-01-26 11:26 . 2009-01-26 11:26 <DIR> d-------- c:\documents and settings\Mns\Application Data\Apple Computer
2009-01-25 06:10 . 2009-01-25 06:10 <DIR> d-------- c:\program files\HttpWatch
2009-01-25 05:36 . 2008-11-06 04:51 3,833,856 --a------ c:\windows\system32\cdintf300.dll
2009-01-25 05:35 . 1996-01-01 19:08 1,241 --a------ c:\windows\clikbook.ini
2009-01-25 05:01 . 2009-01-25 05:01 <DIR> d-------- c:\program files\Free Download Manager
2009-01-25 05:01 . 2009-02-04 11:03 <DIR> d-------- c:\documents and settings\Mns\Application Data\Free Download Manager
2009-01-06 06:10 . 2009-01-06 06:10 <DIR> d-------- c:\documents and settings\Mns\.cytoscape

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-04 16:29 --------- d-----w c:\documents and settings\All Users\Application Data\PrevxCSI
2009-02-03 01:19 --------- d-----w c:\program files\Common Files\Adobe
2009-01-26 13:35 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-21 07:34 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-01-14 10:41 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 10:41 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-14 05:49 --------- d-----w c:\program files\Paint Shop Pro 5
2009-01-03 04:28 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-03 04:28 --------- d-----w c:\program files\FinePixViewer
2008-12-27 23:54 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-12-27 23:54 --------- d-----w c:\program files\Java
2008-12-16 22:52 --------- d-----w c:\documents and settings\Administrator\Application Data\Notepad++
2008-12-16 22:39 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-16 22:05 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-12-08 05:40 --------- d-----w c:\program files\QuickTime
2008-12-08 05:39 --------- d-----w c:\program files\Common Files\Apple
2008-12-08 05:39 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-12-08 05:16 603,904 ----a-w c:\windows\system32\TUProgSt.exe
2008-12-08 05:16 362,240 ----a-w c:\windows\system32\TuneUpDefragService.exe
2008-12-08 05:16 --------- d-----w c:\documents and settings\Mns\Application Data\TuneUp Software
2008-12-08 05:15 --------- d-sh--w c:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
2008-12-08 05:15 --------- d-----w c:\program files\TuneUp Utilities 2009
2008-12-08 05:15 --------- d-----w c:\documents and settings\All Users\Application Data\TuneUp Software
2008-12-08 04:36 --------- d-----w c:\program files\IObit
2008-12-07 02:24 --------- d-----w c:\program files\Perl Code Library
2008-11-12 11:14 27,904 ----a-w c:\windows\system32\uxtuneup.dll
2007-05-21 17:30 37,873,216 ----a-w c:\program files\iTunesSetup.exe
2007-05-04 23:20 4,222,516 ----a-w c:\program files\ABC-win32-v3.1.exe
2007-04-27 20:23 194,560 ----a-w c:\program files\AdbeRdr80_en_US.exe
2007-04-27 20:06 68,166 ----a-w c:\program files\HD_Speed_ENG.zip
2007-04-27 20:02 5,396,172 ----a-w c:\program files\lccwin32.exe
2007-04-27 20:02 459,966 ----a-w c:\program files\cpuspeed.exe
2007-04-23 18:11 5,355,320 ----a-w c:\program files\picasaweb-current-setup.exe
2007-04-19 19:23 92,672 ----a-w c:\program files\KillBox.exe
2007-04-16 20:44 1,494,016 ----a-w c:\program files\gsv48w32.exe
2007-04-16 20:40 6,208,000 ----a-w c:\program files\gs704w32.exe
2007-04-16 19:56 9,548,288 ----a-w c:\program files\gs853w32.exe
2007-04-14 16:12 2,023,736 ----a-w c:\program files\GoogleDesktopSetup.exe
2007-04-14 14:56 1,951,783 ----a-w c:\program files\VbRunDLLv3sp6.exe
2007-04-14 14:52 805,116 ----a-w c:\program files\Yazak_Install.exe
2007-04-13 19:21 16,263,816 ----a-w c:\program files\ActivePerl-5.8.8.820-MSWin32-x86-274739.msi
2007-04-06 18:02 6,910,136 ----a-w c:\program files\DJVUCNTL_61_EN.EXE
2007-04-03 18:14 2,685,104 ----a-w c:\program files\ccsetup138.exe
2007-04-01 17:48 1,450,649 ----a-w c:\program files\npp.4.0.2.Installer.exe
2007-04-01 14:57 9,453,630 ----a-w c:\program files\vlc-0.8.6a-win32.exe
2007-04-01 10:36 194 ----a-w c:\program files\AdbeRdr80_en_US_Nosso_error.log
2007-03-31 18:50 6,006,832 ----a-w c:\program files\Firefox Setup 2.0.0.3.exe
2007-03-31 18:41 1,035,271 ----a-w c:\program files\wrar362.exe
2009-01-14 05:48 0 ----a-w c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\moduleiex.dll
2009-01-14 05:48 0 ----a-w c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\pdgpecelawx.dll
2008-09-05 15:13 122,880 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2004-08-04 01:07 4,096 --sha-w c:\windows\system32\botrc.dat
.

((((((((((((((((((((((((((((( snapshot@2009-02-04_13.21.29.92 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-02-04 07:49:39 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-02-04 16:43:37 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-02-04 07:49:39 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-02-04 16:43:37 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-02-04 07:49:39 81,920 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-04 16:43:37 81,920 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPHKMGR.exe" [2005-12-21 94208]
"TPWAUDAP"="c:\program files\Lenovo\HOTKEY\TpWAudAp.exe" [2005-12-10 24064]
"PMHandler"="c:\windows\system32\PMHandler.exe" [2006-01-06 24576]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-10-29 761945]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2006-01-31 409600]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2006-01-31 98304]
"AGRSMMSG"="AGRSMMSG.exe" [2005-12-13 c:\windows\AGRSMMSG.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-12-21 09:46 24576 c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\F:\0autocheck autochk *

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snp2std]
--a------ 2005-10-20 14:18 339968 c:\windows\vsnp2std.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tsnp2std]
--a------ 2006-03-31 19:52 126976 c:\windows\system32\tsnp2std.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TuneUp.ProgramStatisticsSvc"=2 (0x2)
"matlabserver"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\ZakFromAnotherPlanet\\Yazak Chat\\iexplore.exe"=
"c:\\Program Files\\ABC\\abc.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\ActiveState Komodo IDE 4.1\\lib\\mozilla\\komodo.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\system32\\sessmgr.exe"=
"d:\\Cytoscape_v2.6.0\\Cytoscape.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=

R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2009-02-04 21512]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2007-03-31 11520]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.sys [2007-03-31 6016]
R1 PMHler;PMHler;c:\windows\system32\drivers\PMHler.sys [2005-12-21 10240]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2007-04-01 29744]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\svcntaux.exe [2007-04-01 729416]
S4 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2008-12-08 603904]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{56f84647-1b34-11dd-9daf-000fb0cdfb7d}]
\Shell\AutoRun\command - mvxm.cmd
\Shell\explore\Command - mvxm.cmd
\Shell\open\Command - mvxm.cmd
.
Contents of the 'Scheduled Tasks' folder

2009-02-04 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-11-20 16:28]

2009-02-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1229272821-1614895754-725345543-1003.job
- c:\documents and settings\Mns\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-21 20:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Locate Spot on Map by GPS - c:\program files\Opanda\IExif 2.3\IExifMap.htm
IE: Send to &Bluetooth Device... - c:\program files\Lenovo\Bluetooth Software\btsendto_ie_ctx.htm
IE: View Exif/GPS/IPTC with IExif - c:\program files\Opanda\IExif 2.3\IExifCom.htm
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
FF - ProfilePath - c:\documents and settings\Mns\Application Data\Mozilla\Firefox\Profiles\uh9lqryb.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.http - 172.16.0.1
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll
FF - component: c:\program files\HttpWatch\Firefox\components\httpwatchff.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\Mns\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdjvu.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-04 22:13:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\drivers\khwmcm.sys 31104 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\grkfikrol]
"ImagePath"="\??\c:\windows\system32\drivers\khwmcm.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(992)
c:\windows\system32\tphklock.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\windows\system32\PMSveH.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
.
**************************************************************************
.
Completion time: 2009-02-04 22:16:44 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-04 16:46:40
ComboFix2.txt 2009-02-04 15:37:33
ComboFix3.txt 2009-02-04 07:52:30

Pre-Run: 145,084,416 bytes free
Post-Run: 195,747,840 bytes free

Current=2 Default=2 Failed=0 LastKnownGood=4 Sets=1,2,3,4
Thanks Osiris, can you tell me whether I have to run ComboFix from an administrator account and in safe mode, or from any user account in normal mode?
 
Run from an Admin account. If you have the only account on the PC then use that account; it should be OK. If you are running SDFix via Safe Mode then go ahead and run ComboFix as well.
 