TechSpot

Browser redirect and other weirdness

By lelias
Nov 8, 2011
  1. Hello,
    I've seen other threads on the redirect issue, but you always stress not to follow instructions for another user, so I'm posting my issue.

    I got a virus/malware on my work computer but am unable to use our tech support as I am remote for a while. What this really means is I don't have local admin rights. We have McAfee but I've noticed it hasn't updated the signature in a while. I've been meaning to ask them about that.

    I had an image similar to Windows Security Center come up saying I had an infected file and to click to clean. Normally I'm smart enough to ignore these, but I was distracted and clicked. From that time on I had multiple problems:
    - When I clicked on my search links I'd be sent to a bogus ad window.
    - There was a ping.exe process appearing and using all of my memory.
    - At random times audio plays or a small browser ad image appears on my screen.
    - Most of my files and desktop were gone.

    I ran several programs to clean it up. Malwarebytes cleaned a lot and got rid of the ping issue and unhide.exe returned my files and desktop, but I still have the redirect and random ad issues. When I ran Windows security center it cleaned several items but then added one of them to the "allow" list...? The processes were:
    Trojan:Win32/Alureon.FE (removed)
    Exploit:SWF/Blacole.E (removed)
    Trojan:Win32FakeSysdef (added to allow list)
    Exploit:HTML/IframeRef.Z (removed)
    TrojanDownloader:Win32/Daragany.F (removed)

    Can you help?

    lelias
     
  2. Broni

    Broni Malware Annihilator Posts: 52,903   +344

    Welcome aboard

    Please, complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure you PASTE all logs. If a log exceeds the 50,000-character post limit, split it between a couple of replies.
    Attached logs won't be reviewed.

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
     
  3. lelias

    lelias TS Rookie Topic Starter

    Hi Broni, Malwarebytes log:
    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 8111

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    11/8/2011 9:53:54 PM
    mbam-log-2011-11-08 (21-53-54).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 302454
    Time elapsed: 44 minute(s), 15 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    GMER logs:
    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2011-11-08 22:29:37
    Windows 5.1.2600 Service Pack 3
    Running: tvz54pcb.exe; Driver: C:\DOCUME~1\lelias\LOCALS~1\Temp\kwlyykog.sys


    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\78dd08aaeb3b
    Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\78dd08aaeb3b (not active ControlSet)

    ---- Files - GMER 1.0.15 ----

    File C:\WINDOWS\$NtUninstallKB21449$\2547958807 0 bytes
    File C:\WINDOWS\$NtUninstallKB21449$\2547958807\@ 2048 bytes
    File C:\WINDOWS\$NtUninstallKB21449$\2547958807\bckfg.tmp 814 bytes
    File C:\WINDOWS\$NtUninstallKB21449$\2547958807\cfg.ini 198 bytes
    File C:\WINDOWS\$NtUninstallKB21449$\2547958807\Desktop.ini 4608 bytes
    File C:\WINDOWS\$NtUninstallKB21449$\2547958807\keywords 0 bytes
    File C:\WINDOWS\$NtUninstallKB21449$\2547958807\kwrd.dll 208896 bytes
    File C:\WINDOWS\$NtUninstallKB21449$\2547958807\L 0 bytes
    File C:\WINDOWS\$NtUninstallKB21449$\2547958807\L\mrlpoown 62976 bytes
    File C:\WINDOWS\$NtUninstallKB21449$\2547958807\lsflt7.ver 5176 bytes
    File C:\WINDOWS\$NtUninstallKB21449$\2547958807\U 0 bytes
    File C:\WINDOWS\$NtUninstallKB21449$\2547958807\U\00000001.@ 1536 bytes
    File C:\WINDOWS\$NtUninstallKB21449$\2547958807\U\00000002.@ 209920 bytes
    File C:\WINDOWS\$NtUninstallKB21449$\2547958807\U\00000004.@ 1024 bytes
    File C:\WINDOWS\$NtUninstallKB21449$\2547958807\U\80000000.@ 1024 bytes
    File C:\WINDOWS\$NtUninstallKB21449$\2547958807\U\80000004.@ 12800 bytes
    File C:\WINDOWS\$NtUninstallKB21449$\2547958807\U\80000032.@ 95744 bytes
    File C:\WINDOWS\$NtUninstallKB21449$\636350626 0 bytes

    ---- EOF - GMER 1.0.15 ----

    Attach.txt coming next
     
  4. lelias

    lelias TS Rookie Topic Starter

    dds

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702
    Run by lelias at 22:31:48 on 2011-11-08
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2996.1877 [GMT -6:00]
    .
    AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    AV: VirusScan Enterprise + AntiSpyware Enterprise *Enabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
    svchost.exe
    C:\WINDOWS\system32\CCM\CcmExec.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\PROGRA~1\Lenovo\HOTKEY\tpnumlk.exe
    C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE
    C:\Program Files\Intel\WiFi\bin\EvtEng.exe
    C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
    C:\Program Files\Flip Video\FlipShareServer\FlipShareServer.exe
    C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
    C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    C:\Program Files\LENOVO\HOTKEY\CAMMUTE.exe
    C:\Program Files\LENOVO\HOTKEY\MICMUTE.exe
    C:\Program Files\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
    C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    c:\program files\lenovo\system update\suservice.exe
    C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
    C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
    C:\Program Files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
    C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
    C:\PROGRA~1\Lenovo\HOTKEY\tpnumlkd.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Network Associates\Common Framework\udaterui.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Network Associates\Common Framework\McTray.exe
    C:\Program Files\Integrated Camera Driver\RCIMGDIR.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
    C:\Program Files\Lenovo\Zoom\TpScrex.exe
    C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
    C:\PROGRA~1\THINKV~1\PrdCtr\LPMLCHK.exe
    C:\WINDOWS\system32\igfxext.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
    C:\Program Files\Real\RealPlayer\update\realsched.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Microsoft Office Communicator\Communicator.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\tvz54pcb.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://my.netapp.com/
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uInternet Connection Wizard,ShellNext = hxxp://my.netapp.com/
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mSearchAssistant = hxxp://www.google.com/ie
    uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
    BHO: ViewerHelper Class: {78104a01-8e71-4f30-9a36-3793799615b4} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
    BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\5.0.1449.0\npwinext.dll
    BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    TB: @c:\program files\msn toolbar\platform\5.0.1449.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\5.0.1449.0\npwinext.dll
    TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [Communicator] "c:\program files\microsoft office communicator\Communicator.exe"
    uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
    mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\udaterui.exe" /StartedFromRunKey
    mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    mRun: [IMSS] "c:\program files\intel\intel(r) management engine components\imss\PIconStartup.exe"
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [SmartAudio] c:\program files\conexant\saii\SAIICpl.exe /t
    mRun: [RotateImage] c:\program files\integrated camera driver\RCIMGDIR.exe
    mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
    mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
    mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
    mRun: [LPManager] c:\progra~1\thinkv~1\prdctr\LPMGR.exe
    mRun: [LPMailChecker] c:\progra~1\thinkv~1\prdctr\LPMLCHK.exe
    mRun: [PSQLLauncher] "c:\program files\thinkvantage fingerprint software\launcher.exe" /startup
    mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
    mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
    mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
    mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
    mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [<NO NAME>]
    dRun: [Communicator] "c:\program files\microsoft office communicator\Communicator.exe"
    dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
    IE: Send to &Bluetooth Device... - c:\program files\thinkpad\bluetooth software\btsendto_ie_ctx.htm
    IE: Send To Bluetooth - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
    IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {685ec120-f786-4498-a8f0-794d47916161} - {C733FB84-6DB3-4363-8AA7-678F9B5E828E} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    IE: {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - {78104A01-8E71-4F30-9A36-3793799615B4} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
    LSP: mswsock.dll
    Trusted Zone: localhost
    Trusted Zone: netapp.com\ce.corp
    Trusted Zone: netapp.com\my.sharepoint.corp
    Trusted Zone: netapp.com\powerond-web.dmz
    Trusted Zone: netapp.com\poweronp-app1.dmz
    Trusted Zone: netapp.com\poweronp.dmz
    Trusted Zone: netapp.com\poweront-web.dmz
    Trusted Zone: netapp.com\rms
    Trusted Zone: netapp.com\sharepoint.corp
    Trusted Zone: sharepoint
    Trusted Zone: localhost
    Trusted Zone: netapp.com\ce.corp
    Trusted Zone: netapp.com\my.sharepoint.corp
    Trusted Zone: netapp.com\neophyte-ext
    Trusted Zone: netapp.com\pe
    Trusted Zone: netapp.com\powerond-web.dmz
    Trusted Zone: netapp.com\poweronp-app1.dmz
    Trusted Zone: netapp.com\poweronp.dmz
    Trusted Zone: netapp.com\poweront-web.dmz
    Trusted Zone: netapp.com\rms
    Trusted Zone: netapp.com\sharepoint.corp
    Trusted Zone: netapp.com\www.pe
    Trusted Zone: sharepoint
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {15B782AF-55D8-11D1-B477-006097098764} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/authorware/awswaxd.cab
    DPF: {29EF91B9-7120-477C-A5CB-2D67F2FD088C} - hxxps://10.26.97.29/wrc.cab
    DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1280347065479
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1286490560697
    DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
    TCP: DhcpNameServer = 10.59.1.1
    TCP: Interfaces\{D3D562C6-57B1-46E3-8A78-5B637514A7C4} : DhcpNameServer = 10.59.1.1
    Filter: application/msword - {DFF82902-0B96-3B98-6F62-D655E146A23A} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
    Filter: application/vnd.ms-excel - {DFF82902-0B96-3B98-6F62-D655E146A23A} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
    Filter: application/vnd.ms-powerpoint - {DFF82902-0B96-3B98-6F62-D655E146A23A} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
    Filter: application/x-microsoft-rpmsg-message - {DFF82902-0B96-3B98-6F62-D655E146A23A} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
    Handler: rmh - {23C585BB-48FF-4865-8934-185F0A7EB84C} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
    Notify: igfxcui - igfxdev.dll
    Notify: psfus - c:\program files\thinkvantage fingerprint software\psqlpwd.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    LSA: Notification Packages = scecli c:\program files\thinkvantage fingerprint software\psqlpwd.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\lelias\application data\mozilla\firefox\profiles\hjzc5sb7.default\
    FF - prefs.js: network.proxy.type - 0
    FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
    FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
    FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
    FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
    FF - plugin: c:\program files\msn toolbar\platform\5.0.1449.0\npwinext.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\Ext
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 DozeHDD;DozeHDD;c:\windows\system32\drivers\DOZEHDD.SYS [2010-6-18 24304]
    R0 stmtpm;STM TPM Service;c:\windows\system32\drivers\stm_tpm.sys [2010-6-18 21504]
    R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [2010-3-22 13480]
    R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2009-6-8 31848]
    R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
    R1 MpKsl67875363;MpKsl67875363;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{daccb58f-b0d7-4ad7-ac6a-7a6e06f365cb}\MpKsl67875363.sys [2011-11-8 28752]
    R2 DozeSvc;Lenovo Doze Mode Service;c:\program files\thinkpad\utilities\DOZESVC.EXE [2010-6-18 132456]
    R2 FlipShareServer;FlipShare Server;c:\program files\flip video\flipshareserver\FlipShareServer.exe [2010-12-15 1085440]
    R2 LENOVO.CAMMUTE;Lenovo Camera Mute;c:\program files\lenovo\hotkey\cammute.exe [2010-3-22 54632]
    R2 Lenovo.micmute;Lenovo Microphone Mute;c:\program files\lenovo\hotkey\micmute.exe [2010-3-22 44984]
    R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2008-11-10 103744]
    R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2009-6-8 144704]
    R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2009-6-8 54608]
    R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\thinkpad\utilities\PWMDBSVC.exe [2010-6-18 53248]
    R2 rimspci;rimspci;c:\windows\system32\drivers\rimspe86.sys [2010-6-18 45056]
    R2 smihlp;SMI Helper Driver (smihlp);c:\program files\thinkvantage fingerprint software\smihlp.sys [2009-3-13 12560]
    R2 TPHKSVC;On Screen Display;c:\program files\lenovo\hotkey\TPHKSVC.exe [2010-3-22 63928]
    R2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files\intel\intel(r) management engine components\uns\UNS.exe [2010-6-18 2320920]
    R3 5U877;USB Video Device;c:\windows\system32\drivers\5U877.sys [2010-6-18 127232]
    R3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [2010-6-18 167080]
    R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2010-6-18 125696]
    R3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\drivers\IntcDAud.sys [2010-6-18 215040]
    R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2010-7-15 73512]
    R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2010-7-15 34408]
    R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2010-7-15 177864]
    S1 MpKsl6b9f7c91;MpKsl6b9f7c91;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{bf48484a-faec-4637-bd6b-475dec48b5db}\mpksl6b9f7c91.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{bf48484a-faec-4637-bd6b-475dec48b5db}\MpKsl6b9f7c91.sys [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-7-23 135664]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-7-23 135664]
    S3 SMmonitor;Storage Manager Event Monitor;c:\program files\storagemanager\client\monitor\SMmonitor.exe [2011-9-28 69632]
    S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [2011-5-27 121192]
    S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\drivers\ssadmdfl.sys [2011-5-27 12776]
    S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\drivers\ssadmdm.sys [2011-5-27 136680]
    S3 vmx_svga;vmx_svga;c:\windows\system32\drivers\vmx_svga.sys [2009-6-18 15744]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    .
    =============== Created Last 30 ================
    .
    2011-11-09 04:31:22 607260 ------r- C:\dds.scr
    2011-11-09 04:17:06 302592 ----a-w- C:\tvz54pcb.exe
    2011-11-09 02:47:38 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{daccb58f-b0d7-4ad7-ac6a-7a6e06f365cb}\MpKsl67875363.sys
    2011-11-09 02:47:35 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{daccb58f-b0d7-4ad7-ac6a-7a6e06f365cb}\offreg.dll
    2011-11-09 02:20:46 100604024 ----a-w- C:\setup_11.0.0.1245.x01_2011_11_09_05_52.exe
    2011-11-09 01:56:30 -------- d-----w- C:\tdsskiller
    2011-11-08 17:25:58 -------- d-----w- C:\567bf7aaae28f5051a58c1285d0fb5
    2011-11-08 17:25:07 15293896 ----a-w- C:\windows-kb890830-v4.1.exe
    2011-11-08 04:37:07 -------- d-----w- c:\documents and settings\lelias\application data\Product_RM
    2011-11-08 04:33:53 -------- d-----w- c:\documents and settings\lelias\application data\RegistryCleanerFree
    2011-11-08 04:33:53 -------- d-----w- c:\documents and settings\all users\application data\RegistryCleanerFree
    2011-11-08 04:13:44 -------- d-----w- c:\documents and settings\lelias\application data\Malwarebytes
    2011-11-08 04:13:31 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
    2011-11-08 04:13:25 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-11-08 04:13:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-11-08 04:05:54 -------- d-----w- c:\documents and settings\lelias\application data\Sammsoft
    2011-11-08 01:34:40 1008092 ----a-w- C:\iExplore.exe
    2011-11-08 01:02:15 1008092 ----a-w- C:\rkill.exe
    2011-11-08 00:56:17 6668624 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{daccb58f-b0d7-4ad7-ac6a-7a6e06f365cb}\mpengine.dll
    2011-11-08 00:38:39 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2011-11-08 00:38:39 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-11-07 23:00:25 -------- d-----w- c:\documents and settings\lelias\application data\GetRightToGo
    2011-11-07 21:20:23 102400 ----a-w- c:\windows\RegBootClean.exe
    2011-11-07 20:46:37 -------- d--h--w- c:\documents and settings\all users\application data\PC Tools
    2011-11-07 20:12:19 577956 ----a-w- c:\windows\system32\PerfStringBackup.TMP
    .
    ==================== Find3M ====================
    .
    2011-10-25 21:09:54 414368 ---ha-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-09-03 10:17:37 599040 ---ha-w- c:\windows\system32\crypt32.dll
    2011-08-11 18:04:30 40960 ---ha-w- c:\windows\system32\SMEventLog.dll
    .
    ============= FINISH: 22:38:34.68 ===============
     
  5. lelias

    lelias TS Rookie Topic Starter

    attach.txt

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 6/18/2010 9:19:12 PM
    System Uptime: 11/8/2011 8:47:19 PM (2 hours ago)
    .
    Motherboard: LENOVO | | 2537GH6
    Processor: Intel Pentium II processor | None | 2393/133mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 108 GiB total, 53.946 GiB free.
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Intel(R) Centrino(R) Advanced-N 6200 AGN
    Device ID: PCI\VEN_8086&DEV_4239&SUBSYS_13118086&REV_35\4&36786977&0&00E1
    Manufacturer: Intel Corporation
    Name: Intel(R) Centrino(R) Advanced-N 6200 AGN
    PNP Device ID: PCI\VEN_8086&DEV_4239&SUBSYS_13118086&REV_35\4&36786977&0&00E1
    Service: NETw5x32
    .
    Class GUID: {4D36E965-E325-11CE-BFC1-08002BE10318}
    Description: CD-ROM Drive
    Device ID: IDE\CDROMHL-DT-ST_DVDRAM_GU10N___________________MX05____\4&1544E580&0&0.1.0
    Manufacturer: (Standard CD-ROM drives)
    Name: HL-DT-ST DVDRAM GU10N
    PNP Device ID: IDE\CDROMHL-DT-ST_DVDRAM_GU10N___________________MX05____\4&1544E580&0&0.1.0
    Service: cdrom
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Cisco Systems VPN Adapter
    Device ID: ROOT\NET\0000
    Manufacturer: Cisco Systems
    Name: Cisco Systems VPN Adapter
    PNP Device ID: ROOT\NET\0000
    Service: CVirtA
    .
    ==== System Restore Points ===================
    .
    RP282: 8/9/2011 5:26:11 PM - System Checkpoint
    RP283: 8/9/2011 9:13:11 PM - Software Distribution Service 3.0
    RP284: 8/11/2011 12:22:56 PM - Software Distribution Service 3.0
    RP285: 8/12/2011 2:23:03 PM - Software Distribution Service 3.0
    RP286: 8/12/2011 3:00:51 PM - Installed Java(TM) 6 Update 26
    RP287: 8/12/2011 3:01:19 PM - Installed Java Runtime Environment
    RP288: 8/15/2011 10:10:19 AM - Software Distribution Service 3.0
    RP289: 8/15/2011 9:34:34 PM - Installed WebEx Productivity Tools
    RP290: 8/16/2011 12:00:52 PM - Software Distribution Service 3.0
    RP291: 8/18/2011 7:35:21 PM - Software Distribution Service 3.0
    RP292: 8/19/2011 8:52:43 PM - Software Distribution Service 3.0
    RP293: 8/21/2011 7:50:54 PM - Software Distribution Service 3.0
    RP294: 8/22/2011 10:37:25 AM - Installed RDC RDC.
    RP295: 8/22/2011 8:50:33 PM - Software Distribution Service 3.0
    RP296: 8/23/2011 9:34:51 PM - System Checkpoint
    RP297: 8/24/2011 12:25:02 AM - Software Distribution Service 3.0
    RP298: 8/25/2011 9:12:14 AM - Software Distribution Service 3.0
    RP299: 8/26/2011 9:36:04 AM - Software Distribution Service 3.0
    RP300: 8/27/2011 11:51:39 AM - Software Distribution Service 3.0
    RP301: 8/29/2011 11:15:22 AM - Software Distribution Service 3.0
    RP302: 8/30/2011 11:20:15 AM - System Checkpoint
    RP303: 8/31/2011 9:28:04 AM - Software Distribution Service 3.0
    RP304: 9/1/2011 12:15:44 PM - Software Distribution Service 3.0
    RP305: 9/2/2011 1:01:09 PM - System Checkpoint
    RP306: 9/6/2011 12:35:03 AM - Software Distribution Service 3.0
    RP307: 9/7/2011 9:17:23 AM - System Checkpoint
    RP308: 9/7/2011 9:25:41 AM - Software Distribution Service 3.0
    RP309: 9/8/2011 10:14:12 AM - System Checkpoint
    RP310: 9/8/2011 10:22:36 AM - Software Distribution Service 3.0
    RP311: 9/9/2011 12:58:35 PM - Software Distribution Service 3.0
    RP312: 9/12/2011 10:56:44 AM - Software Distribution Service 3.0
    RP313: 9/12/2011 4:46:37 PM - Software Distribution Service 3.0
    RP314: 9/14/2011 9:31:55 AM - Software Distribution Service 3.0
    RP315: 9/15/2011 10:41:59 AM - Removed WebEx Productivity Tools
    RP316: 9/15/2011 10:48:46 AM - Software Distribution Service 3.0
    RP317: 9/16/2011 11:09:53 AM - Software Distribution Service 3.0
    RP318: 9/17/2011 10:44:08 AM - Software Distribution Service 3.0
    RP319: 9/18/2011 8:23:27 PM - Software Distribution Service 3.0
    RP320: 9/19/2011 10:06:28 PM - System Checkpoint
    RP321: 9/20/2011 10:22:29 PM - System Checkpoint
    RP322: 9/22/2011 10:55:17 AM - Software Distribution Service 3.0
    RP323: 9/22/2011 12:19:22 PM - Software Distribution Service 3.0
    RP324: 9/23/2011 11:09:17 AM - Software Distribution Service 3.0
    RP325: 9/26/2011 5:12:31 AM - Software Distribution Service 3.0
    RP326: 9/27/2011 9:05:50 AM - Software Distribution Service 3.0
    RP327: 9/28/2011 11:44:05 AM - System Checkpoint
    RP328: 9/28/2011 12:05:57 PM - Software Distribution Service 3.0
    RP329: 9/29/2011 1:01:21 PM - System Checkpoint
    RP330: 9/29/2011 8:46:21 PM - Software Distribution Service 3.0
    RP331: 10/3/2011 9:22:29 AM - Software Distribution Service 3.0
    RP332: 10/4/2011 10:00:00 AM - System Checkpoint
    RP333: 10/5/2011 5:58:11 PM - System Checkpoint
    RP334: 10/5/2011 8:42:59 PM - Software Distribution Service 3.0
    RP335: 10/7/2011 9:53:22 AM - Software Distribution Service 3.0
    RP336: 10/10/2011 10:09:03 AM - Software Distribution Service 3.0
    RP337: 10/11/2011 10:35:42 AM - Software Distribution Service 3.0
    RP338: 10/12/2011 11:22:54 AM - Software Distribution Service 3.0
    RP339: 10/13/2011 2:06:27 PM - Software Distribution Service 3.0
    RP340: 10/14/2011 9:40:59 AM - Software Distribution Service 3.0
    RP341: 10/15/2011 11:45:37 PM - Software Distribution Service 3.0
    RP342: 10/17/2011 12:05:22 PM - Software Distribution Service 3.0
    RP343: 10/18/2011 1:18:57 PM - System Checkpoint
    RP344: 10/18/2011 2:05:50 PM - Software Distribution Service 3.0
    RP345: 10/19/2011 11:28:06 PM - System Checkpoint
    RP346: 10/21/2011 12:03:57 AM - Software Distribution Service 3.0
    RP347: 10/23/2011 7:47:28 PM - Software Distribution Service 3.0
    RP348: 10/25/2011 12:42:00 PM - Software Distribution Service 3.0
    RP349: 10/26/2011 4:06:07 PM - System Checkpoint
    RP350: 10/26/2011 6:07:33 PM - Software Distribution Service 3.0
    RP351: 10/27/2011 8:49:23 PM - Software Distribution Service 3.0
    RP352: 10/31/2011 1:05:17 PM - Software Distribution Service 3.0
    RP353: 11/1/2011 1:54:49 PM - Software Distribution Service 3.0
    RP354: 11/3/2011 4:04:07 PM - System Checkpoint
    RP355: 11/4/2011 3:48:26 PM - Software Distribution Service 3.0
    RP356: 11/5/2011 3:48:31 PM - Software Distribution Service 3.0
    RP357: 11/6/2011 2:23:14 AM - Software Distribution Service 3.0
    RP358: 11/6/2011 3:48:17 PM - Software Distribution Service 3.0
    RP359: 11/7/2011 6:34:03 PM - Restore Operation
    RP360: 11/7/2011 6:50:18 PM - Removed Java(TM) 6 Update 20
    RP361: 11/7/2011 6:52:34 PM - Removed Java(TM) 6 Update 3
    RP362: 11/7/2011 6:55:39 PM - Software Distribution Service 3.0
    RP363: 11/7/2011 10:05:17 PM - ARO 2011 - Before Installation
    RP364: 11/7/2011 10:06:08 PM - ARO 2011 - FIRST RUN
    RP365: 11/7/2011 10:24:26 PM - ARO 2011 Mon, Nov 07, 11 22:24
    .
    ==== Installed Programs ======================
    .
    .
    2007 Microsoft Office Suite Service Pack 2 (SP2)
    32 Bit HP CIO Components Installer
    3ivx MPEG-4 5.0.3 (remove only)
    Abyss Web Server X1 (remove only)
    Active Ports
    Adobe Flash Player 10 Plugin
    Adobe Flash Player 11 ActiveX
    Adobe Reader 8.3.1
    Alinean EnterpriseROI
    Ask Toolbar
    Bing Bar
    Bing Bar Platform
    Burn.Now 4.5
    Burn.Now Lenovo Edition
    Compatibility Pack for the 2007 Office system
    Conexant 20585 SmartAudio HD
    Configuration Manager Client
    Cribbage 2D
    CutePDF Writer 2.8
    EZSwitchSetup
    FlipShare
    Golden FTP Server
    Google Toolbar for Internet Explorer
    Google Update Helper
    High Definition Audio Driver Package - KB888111
    Hotfix for Microsoft .NET Framework 3.0 (KB932471)
    Hotfix for Microsoft .NET Framework 4 Client Profile (KB2461678)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB949764)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB979306)
    Impulse®
    Integrated Camera Driver Installer Package Ver.1.1.0.19
    Intel PROSet Wireless
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) Management Engine Components
    Intel(R) PROSet/Wireless WiFi Software
    InterVideo Register Manager
    InterVideo WinDVD
    iPassConnect
    Juniper Networks Setup Client
    Juniper Networks Setup Client Activex Control
    Juniper Terminal Services Client
    Lenovo System Interface Driver
    Malwarebytes' Anti-Malware version 1.51.2.1300
    McAfee Agent
    McAfee AntiSpyware Enterprise Module
    McAfee VirusScan Enterprise
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB928366)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 1
    Microsoft .NET Framework 3.5
    Microsoft .NET Framework 4 Client Profile
    Microsoft Antimalware
    Microsoft Application Error Reporting
    Microsoft Data Access Components KB870669
    Microsoft Default Manager
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Communicator 2005
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Professional Plus 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Visio MUI (English) 2007
    Microsoft Office Visio Standard 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
    Microsoft Search Enhancement Pack
    Microsoft Security Client
    Microsoft Security Essentials
    Microsoft Silverlight
    Microsoft Software Update for Web Folders (English) 12
    Microsoft UI Engine
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
    Microsoft WSE 3.0 Runtime
    Mozilla Firefox (3.6.8)
    mRemote
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 6.0 Parser (KB925673)
    NetApp System Manager 1.1
    Network Recording Player
    NX Client for Windows 3.5.0-5
    On Screen Display
    Origin
    PL-2303 USB-to-Serial
    Productivity Center Supplement for ThinkPad
    RDC
    RealNetworks - Microsoft Visual C++ 2008 Runtime
    RealPlayer
    RealUpgrade 1.1
    RICOH R5U230 Media Driver ver.2.02.02.01
    Rights Management Add-on for Internet Explorer
    SAMSUNG USB Driver for Mobile Phones
    SANtricity ES Storage Manager
    Security Update for 2007 Microsoft Office System (KB951550)
    Security Update for 2007 Microsoft Office System (KB951944)
    Security Update for Microsoft Office 2007 System (KB2541012)
    Security Update for Microsoft Office Excel 2007 (KB2541007)
    Security Update for Microsoft Office system 2007 (KB954326)
    Security Update for Microsoft Office Visio 2007 (KB947590)
    Security Update for Windows Internet Explorer 8 (KB2497640)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276-v2)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958215)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB960714)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    STM TPM Driver 1.0.4.15 - 32 bits
    Symantec Enterprise Vault HTTP-only Outlook Add-In
    System Update
    The Sims 3
    The Sims™ 2 Double Deluxe
    The Sims™ 2 University Life Collection
    The Sims™ 3
    ThinkPad Bluetooth with Enhanced Data Rate Software
    ThinkPad FullScreen Magnifier
    ThinkPad Hotkey Features Integration Setup
    ThinkPad Modem Adapter
    ThinkPad PC Card Power Policy
    ThinkPad Power Management Driver
    ThinkPad Power Manager
    ThinkPad UltraNav Driver
    ThinkPad UltraNav Utility
    ThinkVantage Fingerprint Software
    ThinkVantage Productivity Center
    Update for Outlook 2007 Junk Email Filter (kb956080)
    Update for Windows XP (KB2607712)
    Update for Windows XP (KB942763)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB973815)
    Update for Windows XP (KB978207)
    ViewMail for Outlook 5.0(1)
    VNC Free Edition 4.1.1
    VPN Client
    WebEx
    WebFldrs XP
    WIMGAPI
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Imaging Component
    Windows Internet Explorer 8
    Windows Live ID Sign-in Assistant
    Windows Media Format 11 runtime
    Windows Media Player 10
    Windows Presentation Foundation
    Windows Rights Management Client Backwards Compatibility SP2
    Windows Rights Management Client with Service Pack 2
    Windows Update Modules for ServicePack 2 (US)
    Windows XP Service Pack 3
    WinZip 11.2
    Xming 6.9.0.31
    XML Paper Specification Shared Components Pack 1.0
    XPS Essentials Pack
    XPS Essentials Pack 1.0
    Yahoo! Detect
    .
    ==== Event Viewer Messages From Past Week ========
    .
    11/8/2011 6:07:41 PM, error: Dhcp [1002] - The IP address lease 192.168.1.65 for the Network Card with network address 002314A17FB0 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
    11/7/2011 5:09:44 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}
    11/7/2011 5:04:55 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
    11/7/2011 5:04:46 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.115.1367.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7801.0 Error code: 0x8007043c Error description: This service cannot be started in Safe Mode
    11/7/2011 5:04:46 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
    11/7/2011 4:40:22 PM, error: Service Control Manager [7024] - The FlipShare Server service terminated with service-specific error 1 (0x1).
    11/7/2011 3:39:41 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm lenovo.smi MpFilter TPHKDRV TPPWRIF
    11/7/2011 3:38:28 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    11/7/2011 2:42:18 PM, error: Service Control Manager [7034] - The iPassPeriodicUpdateApp service terminated unexpectedly. It has done this 1 time(s).
    11/7/2011 2:21:43 PM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
    11/3/2011 4:59:59 PM, error: NETLOGON [5719] - No Domain Controller is available for domain NETAPP due to the following: The RPC server is unavailable. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
    11/3/2011 3:43:52 PM, error: DCOM [10016] - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {24FF4FDC-1D9F-4195-8C79-0DA39248FF48} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18). This security permission can be modified using the Component Services administrative tool.
    11/3/2011 3:42:03 PM, error: NETLOGON [5719] - No Domain Controller is available for domain NETAPP due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
    11/3/2011 12:58:12 AM, error: Dhcp [1002] - The IP address lease 10.10.56.213 for the Network Card with network address 002314A17FB0 has been denied by the DHCP server 10.4.128.1 (The DHCP Server sent a DHCPNACK message).
    11/2/2011 4:47:49 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.115.1019.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7801.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
    11/2/2011 10:49:31 AM, error: iaStor [9] - The device, \Device\Ide\iaStor0, did not respond within the timeout period.
    .
    ==== End Of File ===========================
     
  6. lelias

    lelias TS Rookie Topic Starter

    all information sent?

    I believe I sent all you asked for. Please let me know.
     
  7. Broni

    Broni Malware Annihilator Posts: 52,903   +344

    You're running two AV programs, VirusScan Enterprise and Microsoft Security Essentials.
    One of them has to go.
    Your choice.

    Uninstall Ask Toolbar; it is typical foistware.

    =================================================================

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start the scan.

    On completion of the scan click "Save log", save it to your desktop and post it in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    ====================================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.



    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode (How to...)

    2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, Rkill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
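The two findings above (two resident AV products, a bundled toolbar) are read straight off the "Installed Programs" section of the DDS attach.txt, and the ComboFix header that appears later in the thread records whether each AV product was actually disabled when ComboFix ran. The script below is an added example for this thread, not a TechSpot, DDS or ComboFix tool: it parses those two log formats and raises the same checks automatically. The AV and foistware name lists are assumptions to extend for your own environment, and the two sample logs are excerpts constructed from the ones posted in this thread.

```python
"""Triage checks over a DDS attach.txt and a ComboFix log header.

Added example for this thread (not a TechSpot, DDS or ComboFix tool).
The product lists are assumptions; the sample logs are excerpts
constructed from the logs posted in the thread.
"""
import re

# DDS/attach.txt section banners look like "==== Installed Programs ====".
SECTION_RE = re.compile(r"^==== (.+?) =+\s*$")

# ComboFix header lines look like:
#   AV: Microsoft Security Essentials *Disabled/Updated* {GUID}
PRODUCT_RE = re.compile(
    r"^(AV|FW|SP): (.+?) \*(\w+)/(\w+)\* \{([0-9A-Fa-f-]+)\}\s*$"
)

# Resident AV products; at most one should be installed. Assumed list.
AV_PRODUCTS = (
    "McAfee VirusScan Enterprise",
    "Microsoft Security Essentials",
    "Avast",
    "AVG",
    "Avira",
    "Kaspersky",
    "Norton",
)
# Bundled toolbars a helper would ask to remove. Assumed list.
FOISTWARE = ("Ask Toolbar",)

# Constructed excerpt of the DDS attach.txt posted in this thread.
DDS_SAMPLE = """\
.
==== Installed Programs ======================
.
.
Adobe Reader 8.3.1
Ask Toolbar
Bing Bar
Malwarebytes' Anti-Malware version 1.51.2.1300
McAfee Agent
McAfee AntiSpyware Enterprise Module
McAfee VirusScan Enterprise
Microsoft Security Client
Microsoft Security Essentials
Mozilla Firefox (3.6.8)
.
==== Event Viewer Messages From Past Week ========
.
11/7/2011 3:39:41 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm lenovo.smi MpFilter TPHKDRV TPPWRIF
.
==== End Of File ===========================
"""

# Constructed excerpt of the ComboFix header posted later in the thread.
COMBOFIX_SAMPLE = """\
ComboFix 11-11-09.01 - lelias 11/09/2011 14:11:40.1.4 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2996.2642 [GMT -6:00]
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: VirusScan Enterprise + AntiSpyware Enterprise *Enabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
"""


def parse_dds_sections(text):
    """Split a DDS log into {section title: [non-empty lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip()
            sections[current] = []
        elif current is not None and line and line != ".":
            sections[current].append(line)
    return sections


def _matches(entry, names):
    # Whole-word match so short names such as "AVG" do not hit random words.
    return any(re.search(r"\b" + re.escape(n) + r"\b", entry, re.I) for n in names)


def installed_av(programs):
    """Installed-programs entries that are resident AV products."""
    return [p for p in programs if _matches(p, AV_PRODUCTS)]


def installed_foistware(programs):
    return [p for p in programs if _matches(p, FOISTWARE)]


def combofix_products(text):
    """Security products ComboFix saw, with their enabled/updated state."""
    found = []
    for line in text.splitlines():
        m = PRODUCT_RE.match(line.strip())
        if m:
            kind, name, state, sigs, guid = m.groups()
            found.append({
                "kind": kind, "name": name, "guid": guid.upper(),
                "enabled": state.lower() == "enabled",
                "updated": sigs.lower() == "updated",
            })
    return found


def triage(dds_text, combofix_text=""):
    """Return the findings a helper would raise from the two logs."""
    programs = parse_dds_sections(dds_text).get("Installed Programs", [])
    findings = []
    avs = installed_av(programs)
    if len(avs) > 1:
        findings.append("multiple resident AV products: " + ", ".join(avs))
    for p in installed_foistware(programs):
        findings.append("bundled toolbar present: " + p)
    for prod in combofix_products(combofix_text):
        if prod["kind"] == "AV" and prod["enabled"]:
            findings.append("AV still enabled while ComboFix ran: " + prod["name"])
    return findings


if __name__ == "__main__":
    for finding in triage(DDS_SAMPLE, COMBOFIX_SAMPLE):
        print("-", finding)
```

Run against the samples it reports the two AV products, the Ask Toolbar, and that VirusScan Enterprise was still enabled when ComboFix ran (only Security Essentials shows as disabled in the header), which is exactly the state the "disable your AV first" step is meant to prevent.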
     
  8. lelias

    lelias TS Rookie Topic Starter

    ComboFix output - aswMBR wouldn't run

    ComboFix 11-11-09.01 - lelias 11/09/2011 14:11:40.1.4 - x86 NETWORK
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2996.2642 [GMT -6:00]
    Running from: c:\documents and settings\lelias\My Documents\Downloads\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    AV: VirusScan Enterprise + AntiSpyware Enterprise *Enabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Application Data\TEMP
    C:\iexplore.exe
    c:\windows\system32\muzapp.exe
    .
    c:\windows\system32\drivers\cdrom.sys was missing
    Restored copy from - c:\windows\system32\dllcache\cdrom.sys
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-10-09 to 2011-11-09 )))))))))))))))))))))))))))))))
    .
    .
    2011-11-09 20:43 . 2008-04-14 06:10 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
    2011-11-09 19:57 . 2011-11-09 20:01 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DACCB58F-B0D7-4AD7-AC6A-7A6E06F365CB}\offreg.dll
    2011-11-09 04:31 . 2011-11-09 04:31 607260 ------r- C:\dds.scr
    2011-11-09 04:17 . 2011-11-09 04:17 302592 ----a-w- C:\tvz54pcb.exe
    2011-11-09 02:20 . 2011-11-09 02:20 100604024 ----a-w- C:\setup_11.0.0.1245.x01_2011_11_09_05_52.exe
    2011-11-09 01:56 . 2011-11-09 02:31 -------- d-----w- C:\tdsskiller
    2011-11-08 17:25 . 2011-11-08 17:25 -------- d-----w- C:\567bf7aaae28f5051a58c1285d0fb5
    2011-11-08 17:25 . 2011-11-08 17:25 15293896 ----a-w- C:\windows-kb890830-v4.1.exe
    2011-11-08 04:37 . 2011-11-08 04:37 -------- d-----w- c:\documents and settings\lelias\Application Data\Product_RM
    2011-11-08 04:33 . 2011-11-08 04:33 -------- d-----w- c:\documents and settings\lelias\Application Data\RegistryCleanerFree
    2011-11-08 04:33 . 2011-11-08 04:33 -------- d-----w- c:\documents and settings\All Users\Application Data\RegistryCleanerFree
    2011-11-08 04:13 . 2011-11-08 04:13 -------- d-----w- c:\documents and settings\lelias\Application Data\Malwarebytes
    2011-11-08 04:13 . 2011-11-08 04:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-11-08 04:13 . 2011-11-08 04:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-11-08 04:13 . 2011-08-31 23:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-11-08 04:05 . 2011-11-08 04:31 -------- d-----w- c:\documents and settings\lelias\Application Data\Sammsoft
    2011-11-08 01:02 . 2011-11-08 01:02 1008092 ----a-w- C:\rkill.exe
    2011-11-08 00:56 . 2011-10-07 03:48 6668624 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DACCB58F-B0D7-4AD7-AC6A-7A6E06F365CB}\mpengine.dll
    2011-11-08 00:38 . 2011-11-08 00:38 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-11-07 23:00 . 2011-11-07 23:04 -------- d-----w- c:\documents and settings\lelias\Application Data\GetRightToGo
    2011-11-07 21:20 . 2011-11-07 21:20 102400 ----a-w- c:\windows\RegBootClean.exe
    2011-11-07 20:46 . 2011-11-07 23:33 -------- d--h--w- c:\documents and settings\All Users\Application Data\PC Tools
    2011-11-07 20:28 . 2011-11-07 23:09 -------- d--h--w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2011-11-07 20:27 . 2011-11-07 20:27 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2011-11-07 20:12 . 2011-11-09 20:01 577956 ----a-w- c:\windows\system32\PerfStringBackup.TMP
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-11-09 01:54 . 2011-11-09 01:54 1545191 ----a-w- C:\tdsskiller.zip
    2011-10-25 21:09 . 2011-05-31 16:51 414368 ---ha-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-10-07 03:48 . 2011-06-18 02:34 6668624 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2011-09-03 10:17 . 2009-06-18 23:10 599040 ---ha-w- c:\windows\system32\crypt32.dll
    2010-07-15 22:53 . 2010-07-15 22:53 101768 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-07-23 39408]
    "Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2005-05-12 4167376]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\udaterui.exe" [2008-11-10 136512]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
    "IMSS"="c:\program files\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe" [2009-10-01 111640]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-01-04 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-01-04 174104]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2010-01-04 144920]
    "SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2009-11-17 307768]
    "RotateImage"="c:\program files\Integrated Camera Driver\RCIMGDIR.exe" [2008-10-30 31744]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-12-03 1594664]
    "TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2009-12-21 69568]
    "PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2010-01-06 513384]
    "LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2009-07-23 185688]
    "LPMailChecker"="c:\progra~1\THINKV~1\PrdCtr\LPMLCHK.exe" [2009-07-23 124248]
    "PSQLLauncher"="c:\program files\ThinkVantage Fingerprint Software\launcher.exe" [2009-12-01 55048]
    "Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
    "TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
    "ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2009-06-09 111952]
    "TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2011-03-22 273544]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-08-31 40368]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2005-05-12 4167376]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
    2009-12-01 20:41 100104 ----a-w- c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages REG_MULTI_SZ scecli c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3567637-1906459281-1427260136-1539987\Scripts\Logon\0\0]
    "Script"=SCCMAgentInstall.vbs
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3567637-1906459281-1427260136-1539987\Scripts\Logon\1\0]
    "Script"=regedit.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3567637-1906459281-1427260136-1539987\Scripts\Logon\2\0]
    "Script"=OAM_Patch.vbs
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3567637-1906459281-1427260136-1539987\Scripts\Logon\2\1]
    "Script"=c:\windows\regedit.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3567637-1906459281-1427260136-1539987\Scripts\Logon\2\2]
    "Script"=NetApplegalDisclaimer.vbs
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3567637-1906459281-1427260136-73111\Scripts\Logon\0\0]
    "Script"=regedit.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3567637-1906459281-1427260136-73111\Scripts\Logon\1\0]
    "Script"=OAM_Patch.vbs
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Documents and Settings\\lelias\\Application Data\\Juniper Networks\\Juniper Terminal Services Client\\dsTermServ.exe"=
    "c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
    "c:\\Program Files\\Microsoft Office\\OFFICE12\\OUTLOOK.EXE"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "24726:TCP"= 24726:TCP:FlipShareServer
    "24727:TCP"= 24727:TCP:FlipShareServer
    .
    R0 DozeHDD;DozeHDD;c:\windows\system32\drivers\DOZEHDD.SYS [6/18/2010 8:14 PM 24304]
    R0 stmtpm;STM TPM Service;c:\windows\system32\drivers\stm_tpm.sys [6/18/2010 8:13 PM 21504]
    R2 rimspci;rimspci;c:\windows\system32\drivers\rimspe86.sys [6/18/2010 8:10 PM 45056]
    R3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [6/18/2010 8:06 PM 167080]
    S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [3/22/2010 7:49 AM 13480]
    S1 MpKsl6b9f7c91;MpKsl6b9f7c91;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BF48484A-FAEC-4637-BD6B-475DEC48B5DB}\MpKsl6b9f7c91.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BF48484A-FAEC-4637-BD6B-475DEC48B5DB}\MpKsl6b9f7c91.sys [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
    S2 DozeSvc;Lenovo Doze Mode Service;c:\program files\ThinkPad\Utilities\DOZESVC.EXE [6/18/2010 8:14 PM 132456]
    S2 FlipShareServer;FlipShare Server;c:\program files\Flip Video\FlipShareServer\FlipShareServer.exe [12/15/2010 1:22 PM 1085440]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/23/2010 12:38 PM 135664]
    S2 LENOVO.CAMMUTE;Lenovo Camera Mute;c:\program files\Lenovo\HOTKEY\cammute.exe [3/22/2010 7:49 AM 54632]
    S2 Lenovo.micmute;Lenovo Microphone Mute;c:\program files\Lenovo\HOTKEY\micmute.exe [3/22/2010 7:49 AM 44984]
    S2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.exe [6/18/2010 8:14 PM 53248]
    S2 smihlp;SMI Helper Driver (smihlp);c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [3/13/2009 2:47 PM 12560]
    S2 TPHKSVC;On Screen Display;c:\program files\Lenovo\HOTKEY\TPHKSVC.exe [3/22/2010 7:49 AM 63928]
    S2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [6/18/2010 8:11 PM 2320920]
    S3 5U877;USB Video Device;c:\windows\system32\drivers\5U877.sys [6/18/2010 8:13 PM 127232]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [7/23/2010 12:38 PM 135664]
    S3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [6/18/2010 8:12 PM 125696]
    S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\drivers\IntcDAud.sys [6/18/2010 8:12 PM 215040]
    S3 SMmonitor;Storage Manager Event Monitor;c:\program files\StorageManager\client\monitor\SMmonitor.exe [9/28/2011 1:37 PM 69632]
    S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [5/27/2011 3:53 PM 121192]
    S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\drivers\ssadmdfl.sys [5/27/2011 3:53 PM 12776]
    S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\drivers\ssadmdm.sys [5/27/2011 3:53 PM 136680]
    S3 vmx_svga;vmx_svga;c:\windows\system32\drivers\vmx_svga.sys [6/18/2009 5:10 PM 15744]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - MDMXSDK
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-11-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-07-23 18:38]
    .
    2011-11-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-07-23 18:38]
    .
    2011-11-09 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 17:26]
    .
    2011-11-09 c:\windows\Tasks\PMTask.job
    - c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2010-06-19 06:13]
    .
    2011-11-09 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3567637-1906459281-1427260136-1539987.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
    .
    2011-11-09 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3567637-1906459281-1427260136-1539987.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://my.netapp.com/
    uInternet Connection Wizard,ShellNext = hxxp://my.netapp.com/
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
    IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send To Bluetooth - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm
    Trusted Zone: localhost
    Trusted Zone: netapp.com\ce.corp
    Trusted Zone: netapp.com\my.sharepoint.corp
    Trusted Zone: netapp.com\powerond-web.dmz
    Trusted Zone: netapp.com\poweronp-app1.dmz
    Trusted Zone: netapp.com\poweronp.dmz
    Trusted Zone: netapp.com\poweront-web.dmz
    Trusted Zone: netapp.com\rms
    Trusted Zone: netapp.com\sharepoint.corp
    Trusted Zone: sharepoint
    Trusted Zone: localhost
    Trusted Zone: netapp.com\ce.corp
    Trusted Zone: netapp.com\my.sharepoint.corp
    Trusted Zone: netapp.com\neophyte-ext
    Trusted Zone: netapp.com\pe
    Trusted Zone: netapp.com\powerond-web.dmz
    Trusted Zone: netapp.com\poweronp-app1.dmz
    Trusted Zone: netapp.com\poweronp.dmz
    Trusted Zone: netapp.com\poweront-web.dmz
    Trusted Zone: netapp.com\rms
    Trusted Zone: netapp.com\sharepoint.corp
    Trusted Zone: netapp.com\www.pe
    Trusted Zone: sharepoint
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    DPF: {29EF91B9-7120-477C-A5CB-2D67F2FD088C} - hxxps://10.26.97.29/wrc.cab
    FF - ProfilePath - c:\documents and settings\lelias\Application Data\Mozilla\Firefox\Profiles\hjzc5sb7.default\
    FF - prefs.js: network.proxy.type - 0
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
    .
    - - - - ORPHANS REMOVED - - - -
    .
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    HKCU-Run-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
    AddRemove-01_Simmental - c:\program files\Samsung\USB Drivers\01_Simmental\Uninstall.exe
    AddRemove-02_Siberian - c:\program files\Samsung\USB Drivers\02_Siberian\Uninstall.exe
    AddRemove-03_Swallowtail - c:\program files\Samsung\USB Drivers\03_Swallowtail\Uninstall.exe
    AddRemove-04_semseyite - c:\program files\Samsung\USB Drivers\04_semseyite\Uninstall.exe
    AddRemove-05_Sloan - c:\program files\Samsung\USB Drivers\05_Sloan\Uninstall.exe
    AddRemove-06_Spencer - c:\program files\Samsung\USB Drivers\06_Spencer\Uninstall.exe
    AddRemove-07_Schorl - c:\program files\Samsung\USB Drivers\07_Schorl\Uninstall.exe
    AddRemove-08_EMPChipset - c:\program files\Samsung\USB Drivers\08_EMPChipset\Uninstall.exe
    AddRemove-09_Hsp - c:\program files\Samsung\USB Drivers\09_Hsp\Uninstall.exe
    AddRemove-11_HSP_Plus_Default - c:\program files\Samsung\USB Drivers\11_HSP_Plus_Default\Uninstall.exe
    AddRemove-16_Shrewsbury - c:\program files\Samsung\USB Drivers\16_Shrewsbury\Uninstall.exe
    AddRemove-17_EMP_Chipset2 - c:\program files\Samsung\USB Drivers\17_EMP_Chipset2\Uninstall.exe
    AddRemove-18_Zinia_Serial_Driver - c:\program files\Samsung\USB Drivers\18_Zinia_Serial_Driver\Uninstall.exe
    AddRemove-19_VIA_driver - c:\program files\Samsung\USB Drivers\19_VIA_driver\Uninstall.exe
    AddRemove-20_NXP_Driver - c:\program files\Samsung\USB Drivers\20_NXP_Driver\Uninstall.exe
    AddRemove-21_Searsburg - c:\program files\Samsung\USB Drivers\21_Searsburg\Uninstall.exe
    AddRemove-22_WiBro_WiMAX - c:\program files\Samsung\USB Drivers\22_WiBro_WiMAX\Uninstall.exe
    AddRemove-24_flashusbdriver - c:\program files\Samsung\USB Drivers\24_flashusbdriver\Uninstall.exe
    AddRemove-25_escape - c:\program files\Samsung\USB Drivers\25_escape\Uninstall.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-11-09 14:46
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-3567637-1906459281-1427260136-1539987\Software\SecuROM\License information*]
    "datasecu"=hex:04,94,dc,79,10,3d,b6,69,76,f8,4c,cf,3a,4c,27,53,50,fd,c6,aa,c8,
    96,ab,a7,08,6c,58,c3,45,d7,8b,62,db,4b,d6,b8,46,3b,11,6a,33,f8,45,24,c0,99,\
    "rkeysecu"=hex:4d,53,a4,b8,d2,30,03,f0,6c,e5,a0,2d,bb,1f,bc,b7
    .
    [HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(1288)
    c:\windows\system32\vrlogon.dll
    c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll
    c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
    c:\program files\ThinkVantage Fingerprint Software\infql2.dll
    c:\program files\ThinkVantage Fingerprint Software\homepass.dll
    c:\program files\ThinkVantage Fingerprint Software\bio.dll
    c:\program files\ThinkVantage Fingerprint Software\qlbase.dll
    c:\program files\ThinkVantage Fingerprint Software\ps2css.dll
    c:\windows\system32\igfxdev.dll
    .
    - - - - - - - > 'lsass.exe'(1344)
    c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll
    c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
    c:\program files\ThinkVantage Fingerprint Software\infql2.dll
    .
    Completion time: 2011-11-09 15:03:43
    ComboFix-quarantined-files.txt 2011-11-09 21:03
    .
    Pre-Run: 61,287,034,880 bytes free
    Post-Run: 63,060,963,328 bytes free
    .
    - - End Of File - - CB2B1796E7A0B7D1ED1AA0E654ED673F
     
  9. Broni

    Broni Malware Annihilator Posts: 52,903   +344

    I still need aswMBR log.
     
  10. lelias

    lelias TS Rookie Topic Starter

    aswMBR

    I've tried running it in safe and normal modes. I double click it, Windows asks me if I want to run this program; I click yes and it just disappears. Any suggestions?
     
  11. Broni

    Broni Malware Annihilator Posts: 52,903   +344

    Download Bootkit Remover to your Desktop.

    • Unzip downloaded file to your Desktop.
    • Double-click on boot_cleaner.exe to run the program (Vista/7 users, right click on remover.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.
     
  12. lelias

    lelias TS Rookie Topic Starter

    bootkit remover data

    Bootkit Remover
    (c) 2009 Esage Lab
    www.esagelab.com

    Program version: 1.2.0.1
    OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00

    Size Device Name MBR Status
    --------------------------------------------
    119 GB \\.\PhysicalDrive0 Controlled by rootkit!

    Boot code on some of your physical disks is hidden by a rootkit.
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]


    Done;
    Press any key to quit...
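The Bootkit Remover output above reports that the boot code on PhysicalDrive0 is hidden by a rootkit and suggests dumping the master boot sector for manual inspection. As an added example (written for this thread; it is not code from Esage Lab, aswMBR or ComboFix), the Python script below shows what a defender does with such a dump: it splits a 512-byte MBR image into boot code, disk signature, partition table and the 0x55AA signature, then compares a SHA-256 of the boot-code region against a baseline recorded when the disk was clean. Hashing only the first 440 bytes matters because the partition table is left intact by a typical bootkit, so a structural check of the table alone reports nothing wrong. Everything in the sample sectors is constructed (the disk signature 0x1234ABCD, the 250,000,000-sector partition, the boot-code bytes); the one value taken from the log is the system volume starting at LBA 63, which is the byte offset 0x7e00 shown by Bootkit Remover.

```python
"""Added example: parse a raw MBR sector and compare its boot code with a
known-good baseline. Illustrative code for this thread, not part of Bootkit
Remover, aswMBR or ComboFix. All sample sectors below are constructed."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440            # offsets 0..439: the boot code a bootkit replaces
DISK_SIG_OFF = 440             # 4-byte Windows disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446           # four 16-byte partition entries
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"   # offsets 510..511


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte partition table entry (little-endian fields)."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
        "<B3sB3sII", entry)
    return {"bootable": status == 0x80, "type": ptype,
            "lba_start": lba_start, "sectors": sectors}


def parse_mbr(image: bytes) -> dict:
    """Split a raw MBR sector into boot code, disk signature, partitions, signature."""
    if len(image) != SECTOR_SIZE:
        raise ValueError(f"MBR must be exactly {SECTOR_SIZE} bytes, got {len(image)}")
    entries = [image[PART_TABLE_OFF + i * PART_ENTRY_LEN:
                     PART_TABLE_OFF + (i + 1) * PART_ENTRY_LEN] for i in range(4)]
    return {
        "boot_code": image[:BOOT_CODE_LEN],
        "disk_signature": struct.unpack("<I", image[DISK_SIG_OFF:DISK_SIG_OFF + 4])[0],
        "partitions": [parse_partition_entry(e) for e in entries],
        "signature_ok": image[SECTOR_SIZE - 2:] == BOOT_SIGNATURE,
    }


def boot_code_sha256(image: bytes) -> str:
    """Hash only the boot-code region; the partition table legitimately changes."""
    return hashlib.sha256(image[:BOOT_CODE_LEN]).hexdigest()


def partition_table_sane(partitions: list) -> bool:
    """Structural checks: at most one active entry, used entries non-empty and
    non-overlapping. A bootkit that swaps only the boot code still passes this."""
    used = [p for p in partitions if p["type"] != 0]
    if sum(p["bootable"] for p in partitions) > 1:
        return False
    if any(p["lba_start"] == 0 or p["sectors"] == 0 for p in used):
        return False
    ranges = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in used)
    return all(ranges[i][1] <= ranges[i + 1][0] for i in range(len(ranges) - 1))


def check_mbr(image: bytes, baseline_hash: str) -> dict:
    """Compare a dumped MBR with a baseline hash taken while the disk was clean."""
    mbr = parse_mbr(image)
    return {
        "signature_ok": mbr["signature_ok"],
        "partition_table_sane": partition_table_sane(mbr["partitions"]),
        "boot_code_matches_baseline": boot_code_sha256(image) == baseline_hash,
    }


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sector: the given boot code, a made-up disk signature and one
    active NTFS partition starting at LBA 63 (byte offset 0x7e00, as in the log)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    disk_sig = struct.pack("<I", 0x1234ABCD) + b"\x00\x00"
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff",
                        63, 250_000_000)
    table = entry + b"\x00" * (PART_ENTRY_LEN * 3)
    return code + disk_sig + table + BOOT_SIGNATURE


# Constructed "clean" and "tampered" sectors. The tampered one keeps the partition
# table untouched and differs only in the boot code, so only the hash catches it.
CLEAN_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"SAMPLE-STANDARD-BOOT-CODE")
BASELINE_HASH = boot_code_sha256(CLEAN_MBR)
TAMPERED_MBR = build_sample_mbr(b"\xeb\x58" + b"SAMPLE-REPLACED-BOOT-CODE")

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(img, BASELINE_HASH))
```

On a real system the image passed to `check_mbr` would be the 512-byte file written by `remover.exe dump`, and the baseline hash would come from the same disk before infection or from an identically imaged machine; without such a baseline the hash check reports nothing useful, which is why the structural checks are kept alongside it.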
     
  13. Broni

    Broni Malware Annihilator Posts: 52,903   +344

    Very well. We have an infected MBR there.

    Restart computer
    When you reboot you will see an option to boot into the Recovery Console or the normal Windows installation.
    You have to use the up/down arrows to choose the Recovery Console. Then press Enter but you only have 2 seconds by default.
    If you find this hard to do then you can go into Control Panel, System, Advanced, Startup and Recovery, Settings. Where it says Time to Display List of Operating Systems, change it to 10 or more seconds. Click OK. Then reboot.

    You should get a black screen with a C:\> prompt. Type with an Enter after each line:

    fixmbr

    (If it asks you if you are sure then say "Y".)

    exit

    Reboot computer.

    Post fresh aswMBR log.
     
  14. lelias

    lelias TS Rookie Topic Starter

    recovery console

    When I did this it just sat there with a black window and an underscore in the top right corner. It did not respond to keyboard input. Is this normal and I just need to wait a while?
     
  15. Broni

    Broni Malware Annihilator Posts: 52,903   +344

    Looking at my instructions you have to tell me how far exactly you're able to go.
     
  16. lelias

    lelias TS Rookie Topic Starter

    console boot

    Oh, sorry. I reboot and select the recovery console. Then it just goes black with the cursor blinking in the top left corner. Nothing more seemed to happen. I tried typing your commands even though no letters appeared but nothing. So I never saw the C:\ prompt.
     
  17. lelias

    lelias TS Rookie Topic Starter

    Tried again

    Now when I select Windows Recovery Console it simply reboots and brings me back to the "select your operating system" screen. I selected recovery console and it just keeps happening.
     
  18. Broni

    Broni Malware Annihilator Posts: 52,903   +344

    Please download NTBR by noahdfear and save it to your Desktop.
    File size: 2.44 MB (2,565,432 bytes)

    • Place a blank CD in your CD drive.
    • Double click on NTBR_CD.exe file and a folder of the same name will appear.
    • Open the folder and double click on BurnItCD.cmd file. If your CD drive will open, simply close it back.
    • Follow the prompts to burn the CD.
    • Now you will need to set the CD-Rom as first boot device if it isn't already (if you don't know how to do it, see HERE)
    • If you have any questions about this step, ask before you proceed. If you enter the BIOS and are unsure if you have carried out the step correctly, there should be an option to exit without keeping changes, so you won't do any harm.
    • Insert the newly created CD into your infected PC and reboot your computer.
    • Once you have rebooted please press Enter when prompted to continue booting from CD - you have a whole 15 seconds to do this!
    • Read the warning and then continue as prompted.
    • You first need to select your keyboard layout - press Enter for English.
    • Next you want to select the appropriate tool. Enter 1 to choose 1. MBRWORK
    • On the following screen enter 5 to select Install Standard MBR code.
    • Enter 1 to overwrite the infected MBR Code with the Standard MBR code.
    • When asked to confirm please do so.
    • Afterwards, please enter E to leave MBRWORK, then 6 to leave the bootable CD.
    • Eject the disc and then press ctrl+alt+del to reboot the PC.
    Once rebooted, run aswMBR again and post its log.
     
  19. lelias

    lelias TS Rookie Topic Starter

    I'll have to do that in the morning as I don't have a CD to burn with me. I'll update you then.
     
  20. Broni

    Broni Malware Annihilator Posts: 52,903   +344

    Please read my previous reply.
     
  21. Broni

    Broni Malware Annihilator Posts: 52,903   +344

    No problem :)
     
  22. lelias

    lelias TS Rookie Topic Starter

    OK, I created the CD and reset my computer boot order. When it boots into the program I choose 5 for standard MBR. It asks me 1 for standard and 2 for Windows 7. I tried standard and it asks me to confirm. I hit Y for yes and I end up back at the screen asking me what I want to do. I cannot get past that point.
     
  23. Broni

    Broni Malware Annihilator Posts: 52,903   +344

    Do you have Windows XP CD?
     