TechSpot

Laptop infected with PC perf & stability report; logs posted

By nytechguy
Oct 17, 2011
  1. When I boot my PC I instantly receive the warnings from the PC Performance & Stability Report. I am unable to see my desktop icons, and my C drive appears blank, although I'm pretty sure the data is still there, judging by the total drive size. I've pasted several logs for assistance; thanks in advance for your help.

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 7962

    Windows 5.1.2600 Service Pack 3 (Safe Mode)
    Internet Explorer 8.0.6001.18702

    10/16/2011 11:35:50 PM
    mbam-log-2011-10-16 (23-35-50).txt

    Scan type: Quick scan
    Objects scanned: 196279
    Time elapsed: 3 minute(s), 3 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 2
    Registry Data Items Infected: 10
    Folders Infected: 0
    Files Infected: 8

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpqlemcfMxPg.exe (Trojan.FakeAlert) -> Value: UpqlemcfMxPg.exe -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\2600 (Trojan.Agent) -> Value: 2600 -> Delete on reboot.

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowControlPanel (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallPaper (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\documents and settings\all users\application data\upqlemcfmxpg.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    c:\documents and settings\all users\local settings\Temp\7102fb5e.com (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\documents and settings\all users\application data\6dss92c31apgjk.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    c:\documents and settings\all users\local settings\Temp\0006fb65.com (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\documents and settings\all users\local settings\Temp\04adfb61.com (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\documents and settings\all users\local settings\Temp\0d4efb63.com (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\documents and settings\all users\local settings\Temp\54acfb62.com (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\documents and settings\all users\local settings\Temp\5501fb64.com (Trojan.Agent) -> Quarantined and deleted successfully.

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2011-10-17 04:55:02
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 ST910082 rev.3.CM
    Running: rt60ln90.exe; Driver: C:\DOCUME~1\qu439141\LOCALS~1\Temp\kgliqfob.sys


    ---- System - GMER 1.0.15 ----

    SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation) ZwAllocateVirtualMemory [0xF7810750]
    SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation) ZwProtectVirtualMemory [0xF7810880]
    SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation) ZwWriteVirtualMemory [0xF78109B0]

    ---- Kernel code sections - GMER 1.0.15 ----

    ? cmeb.sys The system cannot find the file specified. !

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\Tcpip \Device\Ip wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 mouclass.sys (Mouse Class Driver/Microsoft Corporation)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

    Device \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
    Device \Driver\Tcpip \Device\Udp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
    Device \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
    Device \Driver\Tcpip \Device\IPMULTICAST wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----


    .
    DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
    Internet Explorer: 8.0.6001.18702
    Run by qu439141 at 4:58:14 on 2011-10-17
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.998.635 [GMT -4:00]
    .
    AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
    FW: Symantec Endpoint Protection *Enabled*
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://yahoo.com/
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
    BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
    BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
    BHO: 1 (0x1) - No File
    BHO: CPwmIEBrowserHelper Object: {f040e541-a427-4cf7-85d8-75e3e0f476c5} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
    TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
    mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
    mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [TPFNF7] c:\program files\lenovo\npdirect\TPFNF7SP.exe /r
    mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
    mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
    mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
    mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
    mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe
    mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
    mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
    mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
    mRun: [DiskeeperSystray] "c:\program files\diskeeper corporation\diskeeper\DkIcon.exe"
    mRun: [cssauth] "c:\program files\lenovo\client security solution\cssauth.exe" silent
    mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [Memeo Instant Backup] c:\program files\memeo\autobackup\MemeoLauncher2.exe --silent --no_ui
    mRun: [Memeo AutoSync] c:\program files\memeo\autosync\MemeoLauncher2.exe --silent
    mRun: [Memeo Send] c:\program files\memeo\memeo send\MemeoLauncher.exe --silent
    mRun: [Seagate Dashboard] c:\program files\seagate\seagate dashboard\MemeoLauncher.exe --silent --no_ui
    mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
    StartupFolder: c:\docume~1\qu439141\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office14\ONENOTEM.EXE
    IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
    IE: Send to &Bluetooth Device... - c:\program files\thinkpad\bluetooth software\btsendto_ie_ctx.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {0045D4BC-5189-4b67-969C-83BB1906C421} - {0FE81B52-73FA-425F-8F06-3F32451AC73F} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
    IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
    DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://169.226.53.130/CACHE/stc/1/binaries/vpnweb.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    TCP: DhcpNameServer = 169.226.194.115
    TCP: Interfaces\{B106C060-3271-4A3F-84B0-7E4453E644DE} : DhcpNameServer = 169.226.194.115
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
    Notify: igfxcui - igfxdev.dll
    Notify: psfus - c:\windows\system32\psqlpwd.dll
    Notify: tpfnf2 - c:\program files\lenovo\hotkey\notifyf2.dll
    Notify: tphotkey - c:\program files\lenovo\hotkey\tphklock.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
    LSA: Notification Packages = scecli psqlpwd
    Hosts: 10.10.2.20 dcs.cnse.albany.edu
    Hosts: 10.10.2.30 hasd.cnse.albany.edu
    Hosts: 10.10.2.33 sms.cnse.albany.edu
    Hosts: 10.10.2.181 rmedb.cnse.albany.edu
    .
    ============= SERVICES / DRIVERS ===============
    .
    R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-12-1 108392]
    R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-12-1 108392]
    R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2009-12-1 2477304]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-8-2 136176]
    S2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\memeo\autobackup\MemeoBackgroundService.exe [2010-4-22 25824]
    S2 SeagateDashboardService;Seagate Dashboard Service;c:\program files\seagate\seagate dashboard\SeagateDashboardService.exe [2010-4-30 14088]
    S2 smihlp;SMI Helper Driver (smihlp);c:\program files\common files\thinkvantage fingerprint software\drivers\smihlp.sys [2007-3-15 11152]
    S2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\lenovo\rescue and recovery\rrpservice.exe [2007-2-8 569344]
    S2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2010-5-5 583360]
    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-12-1 23888]
    S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-8-16 105592]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-8-2 136176]
    S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2011-6-12 31125880]
    S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20111015.005\NAVENG.SYS [2011-10-16 86136]
    S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20111015.005\NAVEX15.SYS [2011-10-16 1576312]
    S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-10 4640000]
    S3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2007-5-22 30336]
    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2006-4-30 14336]
    .
    =============== Created Last 30 ================
    .
    2011-10-17 03:28:49 -------- d-----w- c:\documents and settings\qu439141\application data\Malwarebytes
    2011-10-17 03:19:44 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
    2011-10-17 03:19:41 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-10-17 03:19:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-10-17 02:41:25 528224 ----a-w- c:\windows\system32\PerfStringBackup.TMP
    2011-10-16 05:24:36 -------- d--h--w- c:\program files\KLayout
    2011-10-09 21:02:31 -------- d--h--w- c:\documents and settings\qu439141\local settings\application data\Help
    2011-09-23 06:34:35 -------- d--h--w- c:\documents and settings\all users\application data\MemeoCommon
    2011-09-23 05:44:49 -------- d--h--w- c:\documents and settings\qu439141\application data\Memeo
    2011-09-23 05:44:35 -------- d--h--w- c:\documents and settings\qu439141\application data\Seagate
    2011-09-23 05:43:11 -------- d--h--w- c:\program files\common files\Memeo
    2011-09-23 05:43:04 -------- d--h--w- c:\program files\Memeo
    2011-09-23 05:42:00 -------- d--h--w- c:\program files\Seagate
    .
    ==================== Find3M ====================
    .
    2011-10-15 21:04:56 167936 ---ha-w- c:\windows\system32\drivers\wpshelper.sys
    2011-09-29 21:58:27 404640 ---ha-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-09-26 15:41:20 611328 ---ha-w- c:\windows\system32\uiautomationcore.dll
    2011-09-26 15:41:20 220160 ---ha-w- c:\windows\system32\oleacc.dll
    2011-09-26 15:41:14 20480 ---ha-w- c:\windows\system32\oleaccrc.dll
    2011-09-09 09:12:13 599040 ---ha-w- c:\windows\system32\crypt32.dll
    2011-09-06 13:20:51 1858944 ---ha-w- c:\windows\system32\win32k.sys
    2011-08-22 23:48:55 916480 ---ha-w- c:\windows\system32\wininet.dll
    2011-08-22 23:48:54 43520 ---h--w- c:\windows\system32\licmgr10.dll
    2011-08-22 23:48:54 1469440 ---h--w- c:\windows\system32\inetcpl.cpl
    2011-08-22 11:56:39 385024 ---h--w- c:\windows\system32\html.iec
    2011-08-17 13:49:54 138496 ---ha-w- c:\windows\system32\drivers\afd.sys
    2011-07-20 20:21:26 60808 ---ha-w- c:\windows\system32\S32EVNT1.DLL
    2011-07-20 20:21:26 124976 ---ha-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2011-07-20 17:19:08 33536 ---ha-w- c:\windows\system32\drivers\tvtfilter.sys
    2011-07-20 17:18:58 129784 ---ha-w- c:\windows\system32\pxafs.dll
    2011-07-20 17:18:58 118520 ---ha-w- c:\windows\system32\pxinsi64.exe
    2011-07-20 17:18:57 36624 ---ha-w- c:\windows\system32\drivers\pxhelp20.sys
    2011-07-20 17:18:57 115960 ---ha-w- c:\windows\system32\pxcpyi64.exe
    2011-07-20 17:18:17 7012 ---ha-w- c:\windows\system32\drivers\pmemnt.sys
    2011-07-20 17:01:18 21393 ---ha-w- c:\windows\system32\drivers\AegisP.sys
    2011-07-20 17:01:18 21393 ---ha-w- c:\windows\AegisP.sys
    .
    ============= FINISH: 5:04:00.14 ===============
     

  2. Broni

    Broni, Malware Annihilator

    Welcome aboard

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ===================================================================

    All logs have to be pasted including Attach.txt log.

    Any particular reason why all scans were run from safe mode?
     
  3. nytechguy

    nytechguy TS Rookie Topic Starter

    Scans were run in safe mode because the machine was unresponsive in protective mode. Do you suggest I re-run them in protected mode if possible? I can paste the attach.txt log as well; I just read that it should be zipped, no problem.
    Thanks for replying back so quickly.

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 7/20/2011 3:58:50 PM
    System Uptime: 10/16/2011 11:36:49 PM (6 hours ago)
    .
    Motherboard: LENOVO | | 7658RVU
    Processor: Intel Pentium III Xeon processor | None | 2094/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 88 GiB total, 38.594 GiB free.
    D: is CDROM ()
    V: is NetworkDisk (NTFS) - 604 GiB total, 361.903 GiB free.
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Cisco AnyConnect VPN Virtual Miniport Adapter for Windows
    Device ID: ROOT\NET\0000
    Manufacturer: Cisco Systems
    Name: Cisco AnyConnect VPN Virtual Miniport Adapter for Windows
    PNP Device ID: ROOT\NET\0000
    Service: vpnva
    .
    ==== System Restore Points ===================
    .
    RP1: 7/20/2011 3:58:55 PM - System Checkpoint
    RP2: 7/20/2011 4:07:10 PM - Removed Access Help
    RP3: 7/20/2011 4:07:35 PM - Removed Help Center
    RP4: 7/20/2011 4:08:12 PM - Removed Message Center
    RP5: 7/20/2011 4:08:57 PM - Removed Productivity Center Supplement
    RP6: 7/20/2011 4:11:34 PM - Removed System Migration Assistant
    RP7: 7/20/2011 4:12:12 PM - Removed ThinkVantage Access Connections
    RP8: 7/20/2011 4:12:40 PM - Removed ThinkVantage Active Protection System.
    RP9: 7/20/2011 4:13:02 PM - Removed Productivity Center
    RP10: 7/20/2011 4:20:18 PM - Installed Symantec Endpoint Protection.
    RP11: 7/20/2011 4:34:39 PM - Installed Windows XP Service Pack 3.
    RP12: 7/20/2011 4:52:10 PM - Installed Microsoft Office Professional Plus 2010
    RP13: 7/20/2011 2:35:51 PM - Software Distribution Service 3.0
    RP14: 7/20/2011 3:01:11 PM - Software Distribution Service 3.0
    RP15: 7/20/2011 5:00:54 PM - Installed Windows XP WgaNotify.
    RP16: 7/20/2011 5:03:18 PM - Software Distribution Service 3.0
    RP17: 7/20/2011 5:50:02 PM - Software Distribution Service 3.0
    RP18: 7/26/2011 9:32:36 PM - Software Distribution Service 3.0
    RP19: 7/29/2011 1:09:42 AM - System Checkpoint
    RP20: 8/2/2011 12:04:30 AM - System Checkpoint
    RP21: 8/2/2011 2:11:01 AM - Installed Cisco AnyConnect VPN Client
    RP22: 8/2/2011 2:42:01 AM - Installed IBM SiView Standard Material Manager R6.0
    RP23: 8/2/2011 2:46:55 AM - Installed IBM SiView Standard Specification Manager R6.0
    RP24: 8/6/2011 7:52:06 PM - System Checkpoint
    RP25: 8/7/2011 11:42:46 PM - System Checkpoint
    RP26: 8/9/2011 2:24:23 AM - System Checkpoint
    RP27: 8/15/2011 1:48:48 AM - System Checkpoint
    RP28: 8/15/2011 3:00:20 AM - Software Distribution Service 3.0
    RP29: 8/16/2011 11:59:06 PM - System Checkpoint
    RP30: 8/22/2011 9:05:23 PM - System Checkpoint
    RP31: 8/25/2011 1:11:44 AM - System Checkpoint
    RP32: 8/29/2011 4:47:59 PM - System Checkpoint
    RP33: 8/31/2011 11:44:43 AM - System Checkpoint
    RP34: 9/4/2011 9:29:21 PM - System Checkpoint
    RP35: 9/7/2011 1:17:36 AM - System Checkpoint
    RP36: 9/8/2011 2:27:35 PM - System Checkpoint
    RP37: 9/10/2011 2:20:04 PM - System Checkpoint
    RP38: 9/12/2011 12:16:57 PM - System Checkpoint
    RP39: 9/13/2011 2:02:59 PM - Software Distribution Service 3.0
    RP40: 9/14/2011 7:34:56 PM - System Checkpoint
    RP41: 9/15/2011 8:52:36 AM - Software Distribution Service 3.0
    RP42: 9/18/2011 12:58:56 AM - System Checkpoint
    RP43: 9/19/2011 1:02:35 AM - System Checkpoint
    RP44: 9/20/2011 2:00:09 AM - System Checkpoint
    RP45: 9/21/2011 3:56:39 AM - System Checkpoint
    RP46: 9/23/2011 12:30:03 AM - System Checkpoint
    RP47: 9/23/2011 1:42:13 AM - Installed Microsoft Visual C++ 2005 Redistributable
    RP48: 9/25/2011 10:23:11 AM - System Checkpoint
    RP49: 9/30/2011 3:00:20 AM - Software Distribution Service 3.0
    RP50: 10/1/2011 8:53:29 PM - System Checkpoint
    RP51: 10/3/2011 4:14:21 PM - System Checkpoint
    RP52: 10/6/2011 3:31:39 AM - System Checkpoint
    RP53: 10/7/2011 4:09:24 AM - System Checkpoint
    RP54: 10/9/2011 12:21:09 AM - System Checkpoint
    RP55: 10/10/2011 12:39:29 AM - System Checkpoint
    RP56: 10/15/2011 2:35:07 PM - System Checkpoint
    RP57: 10/16/2011 3:00:24 AM - Software Distribution Service 3.0
    .
    ==== Installed Programs ======================
    .
    .
    7-Zip 4.57
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 8.3.1
    Cisco AnyConnect VPN Client
    Client Security Solution
    CNSE Production Application Manager
    CNSE Production Material Manager
    CNSE Production Specification Manager
    Definition update for Microsoft Office 2010 (KB982726) 32-Bit Edition
    Diskeeper Lite
    FileZilla Client 3.5.0
    Google Toolbar for Internet Explorer
    Google Update Helper
    High Definition Audio Driver Package - KB888111
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB969084)
    IBM SiView Standard Material Manager R6.0
    IBM SiView Standard Specification Manager R6.0
    Integrated Camera
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) PRO Network Connections Drivers
    Intel(R) PROSet/Wireless Software
    InterVideo Register Manager
    InterVideo WinDVD
    InterVideo WinDVD Creator 3
    J2SE Runtime Environment 5.0 Update 6
    Klayout - Layout Viewer And Editor
    LiveUpdate 3.3 (Symantec Corporation)
    Malwarebytes' Anti-Malware version 1.51.2.1300
    mCore
    mDriver
    Memeo AutoSync
    Memeo Instant Backup
    Memeo Send
    Memeo Share
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2572067)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office 2010 Service Pack 1 (SP1)
    Microsoft Office Access MUI (English) 2010
    Microsoft Office Access Setup Metadata MUI (English) 2010
    Microsoft Office Excel MUI (English) 2010
    Microsoft Office Groove MUI (English) 2010
    Microsoft Office InfoPath MUI (English) 2010
    Microsoft Office OneNote MUI (English) 2010
    Microsoft Office Outlook MUI (English) 2010
    Microsoft Office PowerPoint MUI (English) 2010
    Microsoft Office Professional Plus 2010
    Microsoft Office Proof (English) 2010
    Microsoft Office Proof (French) 2010
    Microsoft Office Proof (Spanish) 2010
    Microsoft Office Proofing (English) 2010
    Microsoft Office Publisher MUI (English) 2010
    Microsoft Office Shared MUI (English) 2010
    Microsoft Office Shared Setup Metadata MUI (English) 2010
    Microsoft Office Word MUI (English) 2010
    Microsoft Silverlight
    Microsoft Software Update for Web Folders (English) 14
    Microsoft Visual C++ 2005 Redistributable
    mMHouse
    mPfMgr
    mProSafe
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6.0 Parser
    mWlsSafe
    On Screen Display
    Orbix3.3 for NT
    Presentation Director
    RecordNow Audio
    RecordNow Copy
    RecordNow Data
    Remove Multimedia Center
    Rescue and Recovery
    RICOH R5C83x/84x Flash Media Controller Driver Ver.3.52.02
    Seagate Dashboard
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft Excel 2010 (KB2553070)
    Security Update for Microsoft Office 2010 (KB2553091)
    Security Update for Microsoft Office 2010 (KB2553096)
    Security Update for Microsoft Office 2010 (KB2584066)
    Security Update for Microsoft SharePoint Workspace 2010 (KB2566445)
    Security Update for Microsoft Windows (KB2564958)
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Internet Explorer 7 (KB2530548)
    Security Update for Windows Internet Explorer 7 (KB2544521)
    Security Update for Windows Internet Explorer 7 (KB929969)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2530548)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB2559049)
    Security Update for Windows Internet Explorer 8 (KB2586448)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2483614)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2503665)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2507938)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2510581)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276-v2)
    Security Update for Windows XP (KB2536276)
    Security Update for Windows XP (KB2544893)
    Security Update for Windows XP (KB2555917)
    Security Update for Windows XP (KB2566454)
    Security Update for Windows XP (KB2567053)
    Security Update for Windows XP (KB2567680)
    Security Update for Windows XP (KB2570222)
    Security Update for Windows XP (KB2570947)
    Security Update for Windows XP (KB2592799)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982665)
    Sonic DLA
    Sonic Express Labeler
    Sonic Icons for Lenovo
    Sonic Update Manager
    SoundMAX
    Symantec Endpoint Protection
    System Update
    ThinkPad Bluetooth with Enhanced Data Rate Software
    ThinkPad EasyEject Utility
    ThinkPad FullScreen Magnifier
    ThinkPad Hotkey Features Setup
    ThinkPad Modem
    ThinkPad PC Card Power Policy
    ThinkPad Power Management Driver
    ThinkPad Power Manager
    ThinkPad UltraNav Driver
    ThinkPad UltraNav Utility
    ThinkVantage Fingerprint Software 5.6
    ThinkVantage Technologies Welcome Message
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office 2010 (KB2553065)
    Update for Microsoft Office 2010 (KB2553092)
    Update for Microsoft Office 2010 (KB2566458)
    Update for Microsoft Outlook Social Connector (KB2583935)
    Update for Microsoft Windows (KB971513)
    Update for Windows Internet Explorer 8 (KB2447568)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB2541763)
    Update for Windows XP (KB2607712)
    Update for Windows XP (KB2616676)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB943729)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Wallpapers
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Live Toolbar
    Windows Management Framework Core
    Windows Media Connect
    Windows Media Format Runtime
    Windows XP Service Pack 3
    XP Themes
    .
    ==== Event Viewer Messages From Past Week ========
    .
    10/16/2011 2:59:35 PM, error: Service Control Manager [7022] - The Wireless Zero Configuration service hung on starting.
    10/16/2011 11:38:49 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: eeCtrl Fips intelppm ohci1394 SPBBCDrv SRTSP SRTSPX SYMTDI TPHKDRV TPPWRIF TSMAPIP
    10/16/2011 11:37:22 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
    10/16/2011 11:15:04 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: eeCtrl Fips intelppm SPBBCDrv SRTSP SRTSPX SYMTDI TPHKDRV TPPWRIF TSMAPIP
    10/16/2011 11:14:24 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    10/16/2011 10:38:31 PM, error: NETLOGON [5776] - Failed to create/open file \system32\config\netlogon.ftl with the following error: Access is denied.
    10/16/2011 10:36:48 PM, error: Dhcp [1002] - The IP address lease 192.168.1.8 for the Network Card with network address 001DE0996B81 has been denied by the DHCP server 1.1.1.1 (The DHCP Server sent a DHCPNACK message).
    10/15/2011 6:10:18 PM, error: Service Control Manager [7011] - Timeout (120000 milliseconds) waiting for a transaction response from the SharedAccess service.
    10/14/2011 8:12:05 PM, error: Service Control Manager [7011] - Timeout (120000 milliseconds) waiting for a transaction response from the RasMan service.
    10/14/2011 8:10:05 PM, error: Service Control Manager [7011] - Timeout (120000 milliseconds) waiting for a transaction response from the wuauserv service.
    10/14/2011 8:08:05 PM, error: Service Control Manager [7011] - Timeout (120000 milliseconds) waiting for a transaction response from the W32Time service.
    10/14/2011 8:06:05 PM, error: Service Control Manager [7011] - Timeout (120000 milliseconds) waiting for a transaction response from the Schedule service.
    10/14/2011 8:04:05 PM, error: Service Control Manager [7011] - Timeout (120000 milliseconds) waiting for a transaction response from the SENS service.
    10/14/2011 12:10:16 AM, error: Service Control Manager [7011] - Timeout (120000 milliseconds) waiting for a transaction response from the Netman service.
    10/12/2011 12:18:17 AM, error: NETLOGON [5719] - No Domain Controller is available for domain UALBANY due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
    .
    ==== End Of File ===========================
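The Event Viewer block above is the part of a DDS log a responder reads first. As an added example (not from the original post, from DDS, or from any TechSpot tooling), the following Python triages those lines: it parses the `date, level: Source [EventID] - message` format DDS emits, lists the boot-start drivers named in Service Control Manager event 7026, the services named in 7011 timeouts, and flags the System Restore filter error and the NETLOGON "Access is denied" entry. The set of security-product driver names is an assumption for this example (taken to be the Symantec Endpoint Protection drivers that appear in the 7026 lines); the sample input is a subset of the lines posted above, embedded so the script runs offline.

```python
"""Triage the '==== Event Viewer Messages From Past Week ====' block of a DDS log.

Added example, not part of the TechSpot post or of DDS itself.
"""
import re
from collections import Counter

# One DDS event line: "10/16/2011 11:38:49 PM, error: Service Control Manager [7026] - message"
EVENT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<eid>\d+)\] - (?P<msg>.*)$"
)

# Assumption for this example: these are the Symantec Endpoint Protection kernel
# drivers seen in the log. Replace with whatever product the machine actually runs.
SECURITY_DRIVERS = {"eeCtrl", "SPBBCDrv", "SRTSP", "SRTSPX", "SYMTDI"}

# Sample input: a subset of the event lines from the posted DDS log.
SAMPLE = "\n".join([
    r"10/16/2011 2:59:35 PM, error: Service Control Manager [7022] - The Wireless Zero Configuration service hung on starting.",
    r"10/16/2011 11:38:49 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: eeCtrl Fips intelppm ohci1394 SPBBCDrv SRTSP SRTSPX SYMTDI TPHKDRV TPPWRIF TSMAPIP",
    r"10/16/2011 11:37:22 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.",
    r"10/16/2011 11:15:04 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: eeCtrl Fips intelppm SPBBCDrv SRTSP SRTSPX SYMTDI TPHKDRV TPPWRIF TSMAPIP",
    r'10/16/2011 11:14:24 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}',
    r"10/16/2011 10:38:31 PM, error: NETLOGON [5776] - Failed to create/open file \system32\config\netlogon.ftl with the following error: Access is denied.",
    r"10/16/2011 10:36:48 PM, error: Dhcp [1002] - The IP address lease 192.168.1.8 for the Network Card with network address 001DE0996B81 has been denied by the DHCP server 1.1.1.1 (The DHCP Server sent a DHCPNACK message).",
    r"10/15/2011 6:10:18 PM, error: Service Control Manager [7011] - Timeout (120000 milliseconds) waiting for a transaction response from the SharedAccess service.",
    r"10/14/2011 8:12:05 PM, error: Service Control Manager [7011] - Timeout (120000 milliseconds) waiting for a transaction response from the RasMan service.",
    r"10/14/2011 8:10:05 PM, error: Service Control Manager [7011] - Timeout (120000 milliseconds) waiting for a transaction response from the wuauserv service.",
    r"10/12/2011 12:18:17 AM, error: NETLOGON [5719] - No Domain Controller is available for domain UALBANY due to the following: There are currently no logon servers available to service the logon request. .",
])


def parse_event(line):
    """Return a dict for one DDS event line, or None if the line is not an event."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["eid"] = int(d["eid"])
    return d


def parse_events(text):
    return [e for e in (parse_event(l) for l in text.splitlines()) if e]


def failed_drivers(event):
    """SCM event 7026 ends with a space-separated list of driver names that did not load."""
    if event["source"] != "Service Control Manager" or event["eid"] != 7026:
        return []
    _, _, tail = event["msg"].partition("failed to load:")
    return tail.split()


def timed_out_service(event):
    """SCM event 7011: 'Timeout (...) waiting for a transaction response from the X service.'"""
    if event["source"] != "Service Control Manager" or event["eid"] != 7011:
        return None
    m = re.search(r"from the (\S+) service", event["msg"])
    return m.group(1) if m else None


def triage(text):
    """Summarise the event block: driver load failures, service timeouts, notable errors."""
    events = parse_events(text)
    driver_fail = Counter()
    boots_with_7026 = 0
    timeouts = Counter()
    flags = set()
    for e in events:
        drv = failed_drivers(e)
        if drv:
            boots_with_7026 += 1
            driver_fail.update(drv)
        svc = timed_out_service(e)
        if svc:
            timeouts[svc] += 1
        if e["source"] == "sr" and "stopped monitoring" in e["msg"]:
            flags.add("system_restore_filter_stopped")
        if e["source"] == "NETLOGON" and "Access is denied" in e["msg"]:
            flags.add("netlogon_access_denied")
    # Security-product drivers that failed on every boot that logged a 7026.
    never_loaded = sorted(
        d for d in SECURITY_DRIVERS if boots_with_7026 and driver_fail[d] == boots_with_7026
    )
    return {
        "events": len(events),
        "boots_with_driver_failures": boots_with_7026,
        "driver_failures": dict(driver_fail),
        "security_drivers_never_loaded": never_loaded,
        "service_timeouts": dict(timeouts),
        "flags": sorted(flags),
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE).items():
        print(f"{k}: {v}")
```

One caveat when reading the output: the two 7026 entries in the posted log (11:15 PM and 11:38 PM) fall in the window when the MBAM scan was run in Safe Mode, and third-party boot-start drivers such as the AV filter drivers are not loaded in Safe Mode anyway. A security driver that only fails on those boots is therefore not by itself evidence that the malware disabled it; correlate each 7026 timestamp with the scan log's mode before drawing that conclusion. The System Restore filter error and the NETLOGON "Access is denied" on a file under system32\config are the entries worth following up regardless of boot mode.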
     
  4. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    Yes, see if you can re-run DDS and MBAM in normal mode.
     
  5. nytechguy

    nytechguy TS Rookie Topic Starter

Ok, should I do a full MBAM scan or a quick one?
    Thanks
     
  6. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    "Quick scan" will do.
     
Topic Status:
Not open for further replies.
