• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 4224

ComboFix and HijackThis log files, please if you have the skill to look at these, Vundo was not present.

ComboFix and HijackThis log files, would any expert step forward and review them please. They are from my personal computer. It's an IBM A31p laptop running XP Pro and AVAST antivirus. No known issues at this time except that it may be a bit weighed down with programs in the start menu, for which I could also use some support.  Thanks in advance
Thomas Starich Fitchburg WI

ComboFix 07-07-30.2 - "Thomas Starich" 2007-07-30 21:58:32.1 [GMT -5:00] - NTFS
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.True
 * Created a new restore point

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))


(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))


(((((((((((((((((((((((((   Files Created from 2007-06-28 to 2007-07-31  )))))))))))))))))))))))))))))))

2007-07-30 21:56      51,200      --a------      C:\WINDOWS\nircmd.exe
2007-06-22 08:54      99,904      ---------      C:\WINDOWS\system32\drivers\AnyDVD.sys
2007-06-20 16:08      93,128      ---------      C:\WINDOWS\system32\ElbyCDIO.dll
2007-06-04 21:32      <DIR>      d--------      C:\DOCUME~1\LOCALS~1\APPLIC~1\Winferno

((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-30 22:05      ---------      d--------      C:\DOCUME~1\THOMAS~1\APPLIC~1\Winferno
2007-07-30 20:36      ---------      d--------      C:\Program Files\Palm
2007-07-29 13:26      ---------      d--------      C:\Program Files\Quicken
2007-07-29 00:00      5427      ---------      C:\WINDOWS\system32\EGATHDRV.SYS
2007-07-27 17:07      783224      --a------      C:\WINDOWS\system32\aswBoot.exe
2007-07-27 17:02      94416      --a------      C:\WINDOWS\system32\drivers\aswmon2.sys
2007-07-27 17:02      92848      --a------      C:\WINDOWS\system32\drivers\aswmon.sys
2007-07-27 17:00      23152      --a------      C:\WINDOWS\system32\drivers\aswRdr.sys
2007-07-27 16:59      42912      --a------      C:\WINDOWS\system32\drivers\aswTdi.sys
2007-07-27 16:58      26624      --a------      C:\WINDOWS\system32\drivers\aavmker4.sys
2007-07-27 16:57      95608      --a------      C:\WINDOWS\system32\AVASTSS.scr
2007-07-24 09:29      27      ---------      C:\WINDOWS\winmail1.dat
2007-07-04 16:27      ---------      d--h-----      C:\Program Files\InstallShield Installation Information
2007-07-04 13:09      ---------      d--------      C:\Program Files\McAfee.com
2007-07-04 13:02      ---------      d--------      C:\Program Files\McAfee
2007-06-16 22:27      ---------      d--------      C:\Program Files\Documents To Go
2007-05-31 14:33      ---------      d--------      C:\DOCUME~1\THOMAS~1\APPLIC~1\DassaultSystemes
2007-05-31 14:32      ---------      d--------      C:\Program Files\Common Files\SolidWorks Shared
2007-05-31 14:31      ---------      d--------      C:\Program Files\Common Files\eDrawings2007
2007-05-28 10:52      ---------      d--------      C:\Program Files\IBM
2007-05-28 07:48      ---------      d--------      C:\DOCUME~1\THOMAS~1\APPLIC~1\TechSmith
2007-05-16 10:12      683520      ---------      C:\WINDOWS\system32\inetcomm.dll
2006-11-12 11:05      92368      ---------      C:\DOCUME~1\THOMAS~1\APPLIC~1\GDIPFONTCACHEV1.DAT
2004-09-11 18:13:42      56      --sh--r      C:\WINDOWS\system32\5A745AB2AD.sys
2006-10-22 04:21:10      5,744      --sh--w      C:\WINDOWS\system32\KGyGaAvL.sys

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]
"WinfernoUpdate"="C:\Program Files\Common Files\Winferno\WSCUpdtr.exe" [2007-01-09 13:41]
"WinFaxAppPortStarter"="wfxsnt40.exe" [2001-09-10 15:03 C:\WINDOWS\system32\WFXSNT40.EXE]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"WFXSwtch"="C:\PROGRA~1\WinFax\WFXSWTCH.exe" [2001-09-10 15:03]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 03:01]
"TVT Scheduler Proxy"="C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2006-12-10 19:36]
"TrackPointSrv"="tp4serv.exe" [2005-07-13 04:55 C:\WINDOWS\system32\tp4serv.exe]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2006-06-02 22:00]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-10-02 11:19]
"TP4EX"="tp4ex.exe" [2005-10-17 01:11 C:\WINDOWS\system32\TP4EX.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-03-11 12:17]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 11:22]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-04-01 10:52]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2004-08-06 08:27]
"SIE2007"="C:\Program Files\Winferno\Secure IE\SIEPulse.exe" [2006-10-12 10:22]
"SIE2004"="" []
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 12:42]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-09-18 12:43]
"PDF Converter Registry Controller"="C:\Program Files\ScanSoft\PDF Converter 2.0\\RegistryController.exe" [2004-08-18 03:49]
"MISAggregator"="" []
"Logitech Utility"="Logi_MwX.Exe" [2003-11-07 04:50 C:\WINDOWS\LOGI_MWX.EXE]
"HPHUPD04"="C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe" []
"frymxins"="C:\Program Files\ATI Technologies\Fire GL 3D Studio Max\atiimxgl" []
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-03-29 02:32]
"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-06-07 12:35]
"cssauth"="C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" [2006-07-14 19:13]
"BMMMONWND"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2005-04-20 01:38]
"BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [2005-04-20 01:38]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2005-04-20 01:38]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-04-20 01:38]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-07-27 17:03]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-11-16 21:00]
"AEIWLSTA.EXE"="AEIWLSTA.exe" [2001-12-29 00:33 C:\WINDOWS\system32\AEIWLSTA.exe]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 02:18]
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 09:53 C:\WINDOWS\AGRSMMSG.exe]

"TPKMAPMN"="C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe" [2006-06-02 22:00]
"CommCtr"="C:\PROGRA~1\NET2PH~1\CommCtr.exe" [2004-05-20 18:43]
"ClickYes Pro"="C:\Program Files\ClickYes Pro\ClickYesPro.exe" [2006-03-07 15:21]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [2007-06-23 06:13]

"PixelInstall"=1 (0x1)
"Reboot"=1 (0x1)

"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

C:\Documents and Settings\Thomas Starich\Start Menu\Programs\Startup\
Shortcut to mobmeter.exe.lnk - C:\Program Files\Mobile Meter\mobmeter.exe [2004-12-14 08:40:24]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
DataViz Inc Messenger.lnk - C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe [2006-07-29 18:13:43]
HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\Palm\Hotsync.exe [2004-06-09 14:27:34]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
Wireless-G Notebook Adapter Utility.lnk - C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe [2006-09-04 22:35:40]

"NoColorChoice"=0 (0x0)
"NoSizeChoice"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispCPL"=0 (0x0)
"NoVisualStyleChoice"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)
"NoDispAppearancePage"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)

"NoActiveDesktopChanges"=0 (0x0)

"NoSaveSettings"=0 (0x0)
"NoThemesTab"=0 (0x0)

"{A213B520-C6C2-11d0-AF9D-008029E1027E}"= C:\Program Files\WinFax\WfxSeh32.Dll [1998-07-27 06:54 38400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
notifyf2.dll 2005-07-05 23:45 28672 C:\WINDOWS\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
tphklock.dll 2006-02-01 16:09 24576 C:\WINDOWS\system32\tphklock.dll

R0 sbp2port;SBP-2 Transport/Protocol Bus Driver;C:\WINDOWS\system32\DRIVERS\sbp2port.sys
R1 ElbyCDIO;ElbyCDIO Driver;C:\WINDOWS\system32\Drivers\ElbyCDIO.sys
R1 PQNTDrv;PQNTDrv;C:\WINDOWS\system32\drivers\PQNTDrv.sys
R1 TPPWR;TPPWR;C:\WINDOWS\system32\drivers\Tppwr.sys
R1 vobcom;vobcom;C:\WINDOWS\system32\drivers\vobcom.sys
R1 vobiw;vobiw;C:\WINDOWS\system32\drivers\vobiw.sys
R2 AdobeActiveFileMonitor4.0;Adobe Active File Monitor V4;C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
R2 PMEM;PMEM;\??\C:\WINDOWS\System32\drivers\PMEMNT.SYS
R2 smi2;smi2;\??\C:\Program Files\SMI2\smi2.sys
R2 SoundMAX Agent Service (default);SoundMAX Agent Service;C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
R2 tvtfilter;tvtfilter;\??\C:\WINDOWS\system32\drivers\tvtfilter.sys
R2 wfxsvc;WinFax PRO;C:\WINDOWS\System32\WFXSVC.EXE
R3 AnyDVD;AnyDVD;C:\WINDOWS\system32\Drivers\AnyDVD.sys
R3 atmeltpm;atmeltpm;C:\WINDOWS\system32\DRIVERS\atmeltpm.sys
R3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;\??\C:\WINDOWS\system32\CBTNDIS5.SYS
R3 cdrdrv;Cdrdrv;C:\WINDOWS\system32\Drivers\Cdrdrv.sys
R3 DUSBCamera;IBM UltraPort Camera;C:\WINDOWS\system32\Drivers\IBM_501B.SYS
R3 E100B;Intel(R) PRO Adapter Driver;C:\WINDOWS\system32\DRIVERS\e100b325.sys
R3 hexmagic;hexmagic;\??\C:\WINDOWS\system32\drivers\hexmagic.sys
R3 odysseyIM3;Odyssey Network Services Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM3.sys
R3 phildecn;Philips WDM Video Decoder (PHILDECN);C:\WINDOWS\system32\DRIVERS\phildecn.sys
R3 psadd;Lenovo Parties Service Access Device Driver;C:\WINDOWS\system32\DRIVERS\psadd.sys
R3 TNET1130x;Wireless-G Notebook Adapter v.2.0;C:\WINDOWS\system32\DRIVERS\tnet1130x.sys
R3 Tp4Track;PS/2 TrackPoint Driver;C:\WINDOWS\system32\DRIVERS\tp4track.sys
R3 TVTPktFilter;TVT Packet Filter Service;C:\WINDOWS\system32\DRIVERS\tvtpktfilter.sys
S2 KC180;IBM UltraPORT IrDA;C:\WINDOWS\system32\Drivers\kcirusb.sys
S2 NICSer_WPC54G;NICSer_WPC54G;C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
S3 AEIWL;High Rate Wireless LAN MiniPCI Combo Card Driver;C:\WINDOWS\system32\DRIVERS\AEIWLNDS.sys
S3 Bridge;MAC Bridge;C:\WINDOWS\system32\DRIVERS\bridge.sys
S3 BridgeMP;MAC Bridge Miniport;C:\WINDOWS\system32\DRIVERS\bridge.sys
S3 BTWDNDIS;Bluetooth LAN Access Server;C:\WINDOWS\system32\DRIVERS\btwdndis.sys
S3 Dot4 HPH11;Dot4 HPH11;C:\WINDOWS\system32\DRIVERS\hphid411.sys
S3 Dot4;MS IEEE-1284.4 Driver;C:\WINDOWS\system32\DRIVERS\Dot4.sys
S3 Dot4Print HPH11;Print Class Driver for IEEE-1284.4 HPH11;C:\WINDOWS\system32\DRIVERS\hphipr11.sys
S3 Dot4Print;Print Class Driver for IEEE-1284.4;C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys
S3 Dot4Storage HPH11;Storage Class Driver for IEEE-1284.4 (HPH11);C:\WINDOWS\system32\Drivers\hphs2k11.sys
S3 dot4ufd;HP Dot4USB Filter;C:\WINDOWS\system32\DRIVERS\hppaufd0.sys
S3 Dot4Usb HPH11;Dot4Usb HPH11;C:\WINDOWS\system32\drivers\hphius11.sys
S3 grmnusb;grmnusb;C:\WINDOWS\system32\drivers\grmnusb.sys
S3 HPZs2k12;Storage Class Driver for IEEE-1284.4 (HPZ12);C:\WINDOWS\system32\Drivers\hpzs2k12.sys
S3 ISLNDIS5;ISLNDIS5 Protocol Driver;\??\C:\PROGRA~1\IBM\Updater\session\6801\RECOGN~1\ISLNDIS5.SYS
S3 KCIRDA;%KCIRDA.ServiceDesc%;C:\WINDOWS\system32\DRIVERS\KCIrNet.sys
S3 NAL;Nal Service ;\??\C:\WINDOWS\system32\Drivers\iqvw32.sys
S3 PalmUSBD;PalmUSBD;C:\WINDOWS\system32\drivers\PalmUSBD.sys
S3 PCDRDRV;Pcdr CPU Helper Driver;C:\WINDOWS\system32\drivers\PCDRDRV.sys
S3 PcdrNt;PcdrNt;C:\WINDOWS\system32\drivers\PcdrNt.sys
S3 ROOTMODEM;Microsoft Legacy Modem Driver;C:\WINDOWS\system32\Drivers\RootMdm.sys
S3 wltwo48b;2Wire Wireless PC Card Driver;C:\WINDOWS\system32\DRIVERS\wltwo48b.sys

AutoRun\command- F:\setupSNK.exe

AutoRun\command- F:\setupSNK.exe

AutoRun\command- F:\setupSNK.exe

AutoRun\command- F:\setupSNK.exe

AutoRun\command- F:\setupSNK.exe

AutoRun\command- F:\setupSNK.exe

AutoRun\command- F:\setupSNK.exe

*Newly Created Service* - HEXMAGIC

Contents of the 'Scheduled Tasks' folder
2007-07-31 03:13:13 C:\WINDOWS\Tasks\MP Scheduled Scan.job - C:\Program Files\Windows Defender\MpCmdRun.exe


catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-30 22:12:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]

scanning hidden files ...

scan completed successfully
hidden files: 0


Completion time: 2007-07-30 22:17:37 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-30 22:16

      --- E O F ---
*****************************************HIJACK THIS Log file *********************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:41:50 PM, on 7/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\Program Files\WinFax\WFXMOD32.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Winferno\Secure IE\SIEPulse.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\ClickYes Pro\ClickYesPro.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Mobile Meter\mobmeter.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [WinfernoUpdate] "C:\Program Files\Common Files\Winferno\WSCUpdtr.exe"
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [SIE2007] "C:\Program Files\Winferno\Secure IE\SIEPulse.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PDF Converter Registry Controller] "C:\Program Files\ScanSoft\PDF Converter 2.0\\RegistryController.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [frymxins] "C:\Program Files\ATI Technologies\Fire GL 3D Studio Max\atiimxgl"
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\RunOnce: [PixelInstall] 
O4 - HKLM\..\RunOnce: [Reboot] 
O4 - HKCU\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKCU\..\Run: [CommCtr] C:\PROGRA~1\NET2PH~1\CommCtr.exe -auto
O4 - HKCU\..\Run: [ClickYes Pro] C:\Program Files\ClickYes Pro\ClickYesPro.exe
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: Shortcut to mobmeter.exe.lnk = C:\Program Files\Mobile Meter\mobmeter.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
O8 - Extra context menu item: &Download File - C:\PROGRA~1\Winferno\SECURE~2\Scripts\AddToTransferQueue.htm
O8 - Extra context menu item: &Highlight - C:\PROGRA~1\Winferno\SECURE~2\Scripts\highlight.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open PDF in Word (PDF Converter 2.0) - res://C:\Program Files\ScanSoft\PDF Converter 2.0\IEShellExt.dll /100
O8 - Extra context menu item: Zoom &In - C:\PROGRA~1\Winferno\SECURE~2\Scripts\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\PROGRA~1\Winferno\SECURE~2\Scripts\zoomout.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\ThinkPad\PkgMgr\\PkgMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.kodakgallery.com
O15 - Trusted Zone: *.mcafee.com
O15 - Trusted Zone: www.paypal.com
O15 - Trusted Zone: ptaweb.state.wi.us
O16 - DPF: {01118F00-3E00-11D2-8470-0060089874ED} (SupportSoft RemoteControl Class) - http://symantec.atgnow.com/sdccommon/download/ssrc.cab
O16 - DPF: {01119400-3E00-11D2-8470-0060089874ED} (SupportSoft Listener Control) - http://symantec.atgnow.com/sdccommon/download/sprtctlln.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - https://www-307.ibm.com/pc/support/access/aslibmain/content/AcpIR.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/19.11/uploader2.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1165412271616
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.lenovo.com/support/access/aslibmain/content/IbmEgath.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {E598AC61-4C6F-4F4D-877F-FAC49CA91FA3} (acpRunner Class) - https://www-307.ibm.com/pc/support/access/aslibmain/content/AcpControl.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5086/mcfscan.cab
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Lenovo PSA Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: ThinkVantage Registry Monitor Service - Unknown owner - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: tvtnetwk - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE

End of file - 15823 bytes
5 Solutions
Here is the short result of www.hijackthis.de

[?] - C:\WINDOWS\system32\AEIWLSTA.EXE
[?] - C:\Program Files\ClickYes Pro\ClickYesPro.exe
[?] - O4 - HKLM\..\Run: [WinfernoUpdate] "C:\Program Files\Common Files\Winferno\WSCUpdtr.exe"
[?] - O4 - HKLM\..\RunOnce: [PixelInstall] 
[?] - O4 - HKLM\..\RunOnce: [Reboot] 
[?] - O4 - HKCU\..\Run: [ClickYes Pro] C:\Program Files\ClickYes Pro\ClickYesPro.exe
[?] - O15 - Trusted Zone: ptaweb.state.wi.us
[?] - O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - https://www-307.ibm.com/pc/support/access/aslibmain/content/AcpIR.cab
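The hijackthis.de summary above is a database lookup of each line. As an added example (my own code, not part of HijackThis, ComboFix or hijackthis.de), the script below parses the HijackThis line types that occur in the posted log, groups the O4 autostarts by the location they load from, and applies a few defender-side heuristics: IE add-ons registered with "(no file)", services whose binary is missing or has no publisher, Run values that are empty or name a bare executable resolved via the search path, Trusted Zone entries, and ActiveX controls fetched over plain http. The heuristics and the severity labels are my choice, not anything the tools define; the sample lines are copied from the log in this thread.

```python
"""Triage helper for HijackThis v2 log lines (added example, not a HijackThis feature)."""
import re
from collections import defaultdict, namedtuple

Finding = namedtuple("Finding", "severity kind detail")
SEVERITY_RANK = ("medium", "low", "info")  # my labels, highest first

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = [
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank",
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll",
    r"O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    r"O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)",
    r"O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe",
    r"O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe",
    r"O4 - HKLM\..\RunOnce: [PixelInstall]",
    r"O4 - HKCU\..\Run: [ClickYes Pro] C:\Program Files\ClickYes Pro\ClickYesPro.exe",
    r"O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe",
    r"O15 - Trusted Zone: ptaweb.state.wi.us",
    r"O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - https://www-307.ibm.com/pc/support/access/aslibmain/content/AcpIR.cab",
    r"O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5086/mcfscan.cab",
    r"O23 - Service: Lenovo PSA Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)",
    r"O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe",
]

LINE_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
# Registry autostarts: HKLM\..\Run, HKCU\..\RunOnce, HKUS\S-1-5-18\..\Run, ...
O4_REG_RE = re.compile(
    r"^(?P<hive>HK[A-Z]+(?:\\[^\\]+)?)\\\.\.\\(?P<key>Run(?:Once)?): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# Startup-folder autostarts: "Startup: x.lnk = path" / "Global Startup: x.lnk = path"
O4_DIR_RE = re.compile(r"^(?P<where>Startup|Global Startup): (?P<name>.+?) = (?P<cmd>.*)$")
O16_RE = re.compile(r"^DPF: \{[^}]+\} \((?P<name>[^)]*)\) - (?P<url>\S+)$")


def parse(lines):
    """Yield (kind, body) for every well-formed HijackThis line, skipping the rest."""
    for raw in lines:
        m = LINE_RE.match(raw.rstrip("\r\n"))
        if m:
            yield m.group("kind"), m.group("body")


def executable_of(cmd):
    """First token of an autostart command: the quoted path if quoted, else the first word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(None, 1)[0] if cmd else ""


def group_autostarts(lines):
    """Group O4 entries by load location, roughly what Autoruns' Logon tab shows."""
    groups = defaultdict(list)
    for kind, body in parse(lines):
        if kind != "O4":
            continue
        m = O4_REG_RE.match(body)
        if m:
            groups[m.group("hive") + "\\" + m.group("key")].append((m.group("name"), m.group("cmd").strip()))
            continue
        m = O4_DIR_RE.match(body)
        if m:
            groups[m.group("where")].append((m.group("name"), m.group("cmd").strip()))
    return dict(groups)


def triage(lines):
    """Apply the heuristics described in the lead-in; returns findings, highest severity first."""
    findings = []
    for kind, body in parse(lines):
        if kind in ("O2", "O3") and body.endswith("(no file)"):
            findings.append(Finding("medium", kind, "orphaned IE add-on registration: " + body))
        elif kind == "O4":
            m = O4_REG_RE.match(body)
            if not m:
                continue
            cmd = m.group("cmd").strip()
            if not cmd:
                findings.append(Finding("low", kind, "empty %s value [%s]" % (m.group("key"), m.group("name"))))
            elif "\\" not in executable_of(cmd):
                # No directory: Windows resolves it via the search path, so confirm which file actually runs.
                findings.append(Finding("medium", kind, "bare filename resolved via search path: " + executable_of(cmd)))
        elif kind == "O15":
            findings.append(Finding("low", kind, "IE Trusted Zone entry, confirm it is intended: " + body))
        elif kind == "O16":
            m = O16_RE.match(body)
            if m and m.group("url").lower().startswith("http://"):
                findings.append(Finding("low", kind, "ActiveX control fetched without TLS: " + m.group("url")))
        elif kind == "O23":
            if "(file missing)" in body:
                findings.append(Finding("medium", kind, "service binary missing: " + body))
            elif "Unknown owner" in body:
                findings.append(Finding("info", kind, "service without publisher info: " + body))
    findings.sort(key=lambda f: SEVERITY_RANK.index(f.severity))  # stable: log order kept within a level
    return findings


if __name__ == "__main__":
    for location, entries in group_autostarts(SAMPLE_LOG).items():
        print(location)
        for name, cmd in entries:
            print("    [%s] %s" % (name, cmd))
    for f in triage(SAMPLE_LOG):
        print("%-6s %-3s %s" % (f.severity, f.kind, f.detail))
```

Running it on a saved log (`triage(open("hijackthis.log").readlines())`) lists the startup locations first, then the findings. The heuristics only point at what to verify: "(no file)" entries are dead registrations, a bare filename is worth checking against the path that actually loads, and a Trusted Zone host is a deliberate relaxation of IE's zone settings that the owner should be able to vouch for, as the author does for ptaweb.state.wi.us above.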
TomStarichAuthor Commented:
Thanks for your interest in my log files for HijackThis. The www.hijackthis.de analysis tool is very interesting as well.

The first entry the AEIWLSTA.exe is foreign to me.

The ClickYes was added by me as a tool to circumvent the security pop-up in Outlook that has always asked me to verify it's OK for my electronic organizer to access the names and addresses in my contacts folder of Microsoft Outlook.  The Outlook security gets in the way of an unattended synchronization of my organizer, so ClickYes was purchased to get by the problem.

WinfernoUpdate is for the Secure IE browser I purchased from McAfee; it's OK.

I don't know what PixelInstall is or what the RunOnce Reboot is.

The trusted zone ptaweb is where I log in my work hours for my job. It's OK.
The IBM stuff is a good question. It could be for the software/driver updating software that IBM has provided for the laptop, or it could be a rogue program posing as IBM stuff. The link, when clicked on, tries to download a program called acpIR.cab..... I have heard of ACP with respect to power management, and IR has been used to describe infrared. The laptop indeed has an IR sensor.

Thanks Tolomir for your assistance any additional comments from all are welcome...

Thomas Starich RS
Food and Dairy Specialist
Madison, WI
You could run the free, fully functional trial of Prevx 2.0 to check for these files.

PREVX 2.0 is the most powerful security solution in the World.It safeguards your PC and personal information from theft and attack by Spyware, Rootkits, Trojans, Viruses, Bots, Adware and all other forms of Malware and Crimeware.


It will tell you about them like this:

E.g. for Firefox

Of course this is a full detailed analysis; in general you see an icon in the taskbar with these possible colors:

green: everything ok
amber: possible unwanted / unclassified programs running
red: alert malware!

 >No known issues at this time except for it may be a bit weighted down with programs in the start menu<
If you wish to reduce the number of unnecessary programs running from your start menu, try this >

Select Start > Run and type MSCONFIG.   From the SCU select the Startup tab.  
You can use the links below to decide which Task List Programs to remove.  
Uncheck(untick) the unwanted items.    Reboot.

These two between them describe the function of each program in the SCU:
Click "Task List" & choose a letter >                   
It'll take a while if you wish to wade through these, but you may find the list useful >
"Processes in Windows NT/2000/XP":
No offense Jonvee, but msconfig is not a proper weapon against malware.

Apart from that it will bug you after each reload if you still want to exclude unticked programs from autostarting.

A better solution for handling autostarts would be to use the microsoft tool: autoruns.


This utility, which has the most comprehensive knowledge of auto-starting locations of any startup monitor, shows you what programs are configured to run during system bootup or login, and shows you the entries in the order Windows processes them. These programs include ones in your startup folder, Run, RunOnce, and other Registry keys. You can configure Autoruns to show other locations, including Explorer shell extensions, toolbars, browser helper objects, Winlogon notifications, auto-start services, and much more.

Autoruns goes way beyond the MSConfig utility bundled with Windows Me and XP.


Thanks Tolomir, none taken.  I had incorrectly assumed that you simply wished to reduce the number of Startup items, quite separate from your Malware problem(s).
Yes, Autoruns is already in my 'toolkit', but i'm grateful for the above information.  
Thank you.
you are welcome.
TomStarichAuthor Commented:
Dear Tolomir, I got as far as purchasing a 3-month subscription for $10 and downloading the PREVX 2.0. I did look at the information about dealing with the start-up items and found it looked very good. I will have time to implement some more of your ideas tomorrow. Thanks a lot Jonvee for joining us with your comments as well  :)
TomStarichAuthor Commented:
For tonight I am leaving you and have the little green dot in my system tray now.
Btw, actually you didn't have to buy it at all:

It's a fair trial system:

We believe that if you're the sort of person that never gets their PC infected, then you should never have to pay for malware protection. We're also so confident in the protection provided by Prevx 2.0, that we're happy to let you have the product for free until we've saved you from at least one infection and thereby proven our worth to you. With this in mind we created the unique Free Trial Plus system.

But of course when it's time I would buy it also.

Also from time to time check their blog:


They share quite interesting stories about new ways of possible computer infections, ones that one would never think about...


Ransomware... Holding Corporate America Ransom!


TomStarichAuthor Commented:

I looked at the Autoruns program and was overwhelmed with all the details. I would not know what to uncheck. It's a great program but may take a little skill on my end to understand how to best use it to turn off some of the stuff running and starting.

PS I was glad to support the PrevX folks and take your word for it that they are working hard to help us all with their product.

Yes, for sure, not all tools are that end-user friendly, but

just start Autoruns; after its start phase is finished, go to the menu:

Open options -> Hide Microsoft Entries

Press F5 (refresh)

Now click on the "Logon" Tab

There you find your current programs that are autostarting.

That is also more or less the area of msconfig.

TomStarichAuthor Commented:
Thanks for the evaluation of my computer for viruses and your support in cleaning up the start-up group. Your assistance is very much appreciated. Anyone who answered should find themselves with a few points, although Tolomir led the discussion and will be awarded the lion's share.
Question has a verified solution.