[Not curable - Ramnit] Another (!) win32/zbot.g infection with AVG, Win XP Pro

By ali
Aug 5, 2011
Topic Status:
Not open for further replies.
  1. Dear techspot gurus,

    A few days ago my laptop, running XP pro, became infected with Win32/Zbot.g, according to AVG 8.5 free.

    As per a few other similar threads I have seen on here, I had (and have) multiple (hundreds) of infections flashing up in AVG, and more than it seems to be able to handle. Running a scan in AVG produced hundreds more results along these lines.

    The machine is fully backed up, so I was going to just reformat. However, I don't have an XP disk, and so far have been completely unsuccessful in using the i386 files on the C drive to reinstall. I don't know whether the infection has hindered this, or whether there are other issues causing this, but either way WINNT32 won't run, and nor will WINNT from a DOS boot using a Win98 boot disk.

    So, meantime, it looks like a clean up could be the way forward, and any help with this very much appreciated.

    I've taken the 7/5 step process, and logs will follow.

    Given the advice in other threads, I also tried to access ESET online scanner, but it seems this site is being blocked by the virus, alongside things like support.microsoft.com etc.

    I had never come across a site like this before these recent issues, and I have to say I'm amazed and heartened to see that folk like you are willing to put in the time to help people!

    Thanks again in advance if anyone has a chance to give advice.
  2. ali

    ali Newcomer, in training Topic Starter Posts: 23

    MBAM log

    Malwarebytes' Anti-Malware 1.51.1.1800
    www.malwarebytes.org

    Database version: 7035

    Windows 5.1.2600 Service Pack 2
    Internet Explorer 6.0.2900.2180

    05/08/2011 22:17:11
    mbam-log-2011-08-05 (22-17-11).txt

    Scan type: Quick scan
    Objects scanned: 161093
    Time elapsed: 11 minute(s), 42 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 7
    Registry Values Infected: 2
    Registry Data Items Infected: 1
    Folders Infected: 2
    Files Infected: 6

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{684EE1DB-CD52-4ca9-9CCF-93D5F6B419BA} (Trojan.Banker) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{684EE1DB-CD52-4CA9-9CCF-93D5F6B419BA} (Trojan.Banker) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{684EE1DB-CD52-4CA9-9CCF-93D5F6B419BA} (Trojan.Banker) -> Quarantined and deleted successfully.
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127AD2-394B-70F5-C650-B97867BAA1F7} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127AD2-394B-70F5-C650-B97867BAA1F7} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6} (Backdoor.Bot) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OsjHvplc (Spyware.Passwords.XGen) -> Value: OsjHvplc -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Value: UID -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,,C:\Documents and Settings\IBM USER\Local Settings\Application Data\fbptfayy\osjhvplc.exe) Good: (Userinit.exe) -> Quarantined and deleted successfully.

    Folders Infected:
    c:\documents and settings\networkservice\application data\wsnpoem (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\wsnpoem (Trojan.Agent) -> Quarantined and deleted successfully.

    Files Infected:
    c:\documents and settings\ibm user\local settings\application data\fbptfayy\osjhvplc.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
    c:\documents and settings\ibm user\start menu\programs\startup\osjhvplc.exe (Spyware.Passwords.XGen) -> Delete on reboot.
    c:\WINDOWS\system32\inform.dat (Malware.Trace) -> Quarantined and deleted successfully.
    c:\documents and settings\networkservice\application data\wsnpoem\audio.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\wsnpoem\audio.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\wsnpoem\video.dll (Trojan.Agent) -> Quarantined and deleted successfully.
  3. ali

    GMER log

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2011-08-05 23:50:11
    Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 HTS548040M9AT00 rev.MG2OA5BA
    Running: h1dqlr36.exe; Driver: C:\DOCUME~1\IBMUSE~1\LOCALS~1\Temp\pfrdrpod.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 mouclass.sys (Mouse Class Driver/Microsoft Corporation)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

    ---- EOF - GMER 1.0.15 ----
  4. ali

    DDS log

    .
    DDS (Ver_2011-06-23.01) - NTFSx86
    Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_20
    Run by IBM USER at 23:52:54 on 2011-08-05
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.408 [GMT 1:00]
    .
    AV: AVG Anti-Virus Free *Enabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\System32\ibmpmsvc.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    C:\WINDOWS\system32\svchost -k rpcss
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    C:\WINDOWS\System32\S24EvMon.exe
    C:\WINDOWS\System32\svchost.exe -k NetworkService
    C:\WINDOWS\System32\svchost.exe -k LocalService
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Kontiki\KService.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\WINDOWS\System32\RegSrvc.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\WINDOWS\System32\TPHDEXLG.EXE
    C:\WINDOWS\system32\TpKmpSVC.exe
    C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
    C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
    C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\acs.exe
    C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\System32\TpScrLk.exe
    C:\WINDOWS\system32\TpShocks.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\WINDOWS\PixArt\PAC207\Monitor.exe
    C:\Program Files\Kontiki\KHost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.co.uk/
    mWinlogon: Userinit=Userinit.exe,c:\documents and settings\ibm user\local settings\application data\fbptfayy\osjhvplc.exe,
    BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [Aim6]
    uRun: [kdx] c:\program files\kontiki\KHost.exe -all
    uRun: [OsjHvplc] c:\documents and settings\ibm user\local settings\application data\fbptfayy\osjhvplc.exe
    mRun: [S3TRAY2] S3Tray2.exe
    mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
    mRun: [TPHOTKEY] c:\progra~1\thinkpad\pkgmgr\hotkey\TPHKMGR.exe
    mRun: [TPKMAPMN] c:\program files\thinkpad\utilities\TpKmapMn.exe
    mRun: [TP4EX] tp4ex.exe
    mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
    mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
    mRun: [UC_SMB]
    mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
    mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
    mRun: [AGRSMMSG] AGRSMMSG.exe
    mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
    mRun: [TPKBDLED] c:\windows\system32\TpScrLk.exe
    mRun: [TpShocks] TpShocks.exe
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [PAC207_Monitor] c:\windows\pixart\pac207\Monitor.exe
    mRun: [Monitor] c:\windows\pixart\pac207\Monitor.exe
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    IE: {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - c:\program files\thinkpad\pkgmgr\PkgMgr.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: ACNotify - ACNotify.dll
    Notify: AtiExtEvent - Ati2evxx.dll
    Notify: avgrsstarter - avgrsstx.dll
    Notify: tpfnf2 - notifyf2.dll
    Notify: tphotkey - tphklock.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\ibm user\application data\mozilla\firefox\profiles\knmxpk39.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
    FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\windows\system32\c2mp\npdivx32.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\mozilla firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-1-20 335240]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-4-21 27784]
    R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [2006-10-15 16384]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2010-1-20 297752]
    R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-8-4 366640]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-8-4 22712]
    S3 MADFU;MADFU;c:\windows\system32\drivers\MADFU.sys [2009-5-26 16512]
    S3 MAUSBCV;Service for M-Audio Conectiv (WDM);c:\windows\system32\drivers\mausbcv.sys [2009-5-26 131712]
    S3 PAC207;Trust 100K Series Webcam;c:\windows\system32\drivers\PFC027.SYS [2010-12-19 618112]
    S3 PCDRDRV;Pcdr Helper Driver;\??\c:\progra~1\pc-doc~1\diagno~1\pcdrdrv.sys --> c:\progra~1\pc-doc~1\diagno~1\PCDRDRV.sys [?]
    .
    =============== Created Last 30 ================
    .
    2011-08-04 21:51:13 -------- d-----w- c:\documents and settings\ibm user\application data\Malwarebytes
    2011-08-04 21:50:48 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-08-04 21:50:47 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
    2011-08-04 21:50:44 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-08-04 21:50:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-08-04 21:49:05 418708 ----a-w- C:\h1dqlr36.exe
    2011-08-03 18:40:33 -------- d-----w- c:\documents and settings\ibm user\local settings\application data\Help
    2011-08-01 09:52:52 -------- d--h--w- C:\$AVG8.VAULT$
    2011-08-01 08:48:48 -------- d-----w- c:\documents and settings\ibm user\local settings\application data\fbptfayy
    .
    ==================== Find3M ====================
    .
    .
    ============= FINISH: 23:54:26.38 ===============
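The MBAM log above reports a hijacked Winlogon\Userinit value (the legitimate userinit.exe followed by ntos.exe and a randomly named osjhvplc.exe under Local Settings\Application Data), and the DDS "Pseudo HJT Report" shows the same binary again in a uRun entry and in the mWinlogon line. The following is an added example, not code from the thread, from MBAM, or from DDS: it parses those two forms of log line and flags the Zbot-style persistence they contain. The sample lines are constructed from the values in the posted logs; the clean-baseline Userinit value and the "8-letter random directory" heuristic are assumptions.

```python
"""Flag Zbot-style persistence in Userinit values and Run entries.

Added example (not part of the TechSpot thread, MBAM or DDS).  Sample
inputs below are constructed from the values in the posted logs; the
baseline and the directory-name heuristic are assumptions.
"""
import re

# Assumption: on a clean XP box the Userinit value is exactly userinit.exe
# (DDS prints it as a bare "Userinit.exe", MBAM as the full path).
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

# Constructed sample: the "Bad:" value MBAM reported in the thread.
SAMPLE_USERINIT = (
    r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,,"
    r"C:\Documents and Settings\IBM USER\Local Settings\Application Data"
    r"\fbptfayy\osjhvplc.exe"
)

# Constructed sample: four lines in the shape of the DDS Pseudo HJT Report.
SAMPLE_DDS_LINES = [
    r"uRun: [kdx] c:\program files\kontiki\KHost.exe -all",
    r"uRun: [OsjHvplc] c:\documents and settings\ibm user\local settings"
    r"\application data\fbptfayy\osjhvplc.exe",
    r"mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe",
    r"mWinlogon: Userinit=Userinit.exe,c:\documents and settings\ibm user"
    r"\local settings\application data\fbptfayy\osjhvplc.exe,",
]

# Assumed heuristic: an 8-letter random directory holding an 8-letter .exe
# directly under Local Settings\Application Data, as in the posted log.
PROFILE_DROP_RE = re.compile(
    r"local settings\\application data\\[a-z]{8}\\[a-z]{8}\.exe", re.I)

RUN_LINE_RE = re.compile(r"(?P<hive>[umd])Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)")


def split_userinit(value):
    """Split the comma-separated Userinit value, dropping empty entries.
    The double comma in the posted value is a sloppy-hijack artefact."""
    return [p.strip() for p in value.split(",") if p.strip()]


def rogue_userinit_entries(value, expected=EXPECTED_USERINIT):
    """Return every Userinit component other than the legitimate loader."""
    rogue = []
    for entry in split_userinit(value):
        low = entry.lower()
        if low == expected or low == "userinit.exe":
            continue
        rogue.append(entry)
    return rogue


def suspicious_run_entries(lines):
    """Return (name, command) for Run entries matching PROFILE_DROP_RE."""
    hits = []
    for line in lines:
        m = RUN_LINE_RE.match(line)
        if m and PROFILE_DROP_RE.search(m.group("cmd")):
            hits.append((m.group("name"), m.group("cmd")))
    return hits


def userinit_from_dds(lines):
    """Extract the Userinit value from a DDS 'mWinlogon:' line, if present."""
    prefix = "mWinlogon: Userinit="
    for line in lines:
        if line.startswith(prefix):
            return line[len(prefix):]
    return None


def read_live_userinit():
    """Read the live value on a Windows host; returns None elsewhere."""
    try:
        import winreg
    except ImportError:
        return None
    path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        return winreg.QueryValueEx(key, "Userinit")[0]


if __name__ == "__main__":
    print("rogue Userinit entries:", rogue_userinit_entries(SAMPLE_USERINIT))
    print("suspicious Run entries:", suspicious_run_entries(SAMPLE_DDS_LINES))
    live = read_live_userinit()
    if live is not None:
        print("live host:", rogue_userinit_entries(live) or "clean")
```

On a live XP host the same check can be run against the registry via read_live_userinit(); anything beyond userinit.exe in that value is a loader the malware wants started at every logon, which is why MBAM classified it as Hijack.Userinit.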
  5. Broni

    Broni Malware Annihilator Posts: 46,179   +251

    Welcome aboard

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ==================================================================

    I still need Attach.txt part of DDS.
    After posting that....

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    Click the "Scan" button to start scan:

    On completion of the scan click "Save log", save it to your desktop and post in your next reply:

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    ================================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.



    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
  6. ali

    Attach log

    Hi mate, many thanks for your reply! Will follow those steps later today, and post back logs.

    In the meantime, the Attach log is as follows...
    ======================
    DDS (Ver_2011-06-23.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 02/06/2007 01:42:01
    System Uptime: 05/08/2011 22:18:46 (1 hours ago)
    .
    Motherboard: IBM | | 2373SG1
    Processor: Intel(R) Pentium(R) M processor 1600MHz | None | 1594/400mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 34 GiB total, 2.124 GiB free.
    D: is CDROM (CDFS)
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    No restore point in system.
    .
    ==== Installed Programs ======================
    .
    µTorrent
    Access IBM
    Access IBM Message Center
    Access IBM Tools
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Agere Systems AC'97 Modem
    AIM 6
    alm
    ATI - Software Uninstall Utility
    ATI Control Panel
    ATI Display Driver
    Audacity 1.2.6
    AutoUpdate
    AVG Free 8.5
    blinkbox Download Manager
    Conectiv
    DivX Codec
    DivX Converter
    DivX Player
    DivX Web Player
    FileZilla Client 3.4.0
    Foxit Reader
    Hotfix for Windows Media Format SDK (KB902344)
    Hotfix for Windows XP (KB896344)
    Hotfix for Windows XP (KB926239)
    IBM Access Support - Local Content Pack
    IBM Rapid Restore PC Setup
    IBM Themes
    IBM ThinkPad Battery MaxiMiser and Power Management Features
    IBM ThinkPad Keyboard Customizer Utility
    IBM ThinkPad Presentation Director
    IBM ThinkPad UltraNav Driver
    IBM ThinkPad UltraNav Wizard
    IBM TrackPoint Accessibility Features
    Intel(R) PRO Network Connections Drivers
    Intel(R) PROSet for Wired Connections
    Intel(R) Sebring API
    InterVideo WinDVD
    IZArc 4.1
    Java Auto Updater
    Java(TM) 6 Update 20
    LAME v3.98.3 for Audacity
    Live 8.0.1
    Malwarebytes' Anti-Malware version 1.51.1.1800
    Media Player Codec Pack 3.1.0
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB886903)
    Microsoft .NET Framework 2.0
    Microsoft Base Smart Card Cryptographic Service Provider Package
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Morgan Stream Switcher
    Mozilla Firefox (3.6.18)
    Native Instruments - Traktor 1.06
    OpenOffice.org 3.2
    PSP VintageWarmer v1.5d
    Real Alternative 2.0.1
    Reason
    Scratch LIVE 1.8 (18048)
    Scroll Lock Indicator Utility
    Security Update for Microsoft .NET Framework 2.0 (KB917283)
    Security Update for Microsoft .NET Framework 2.0 (KB922770)
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896424)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899589)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911567)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB912919)
    Security Update for Windows XP (KB913433)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB917344)
    Security Update for Windows XP (KB917422)
    Security Update for Windows XP (KB917953)
    Security Update for Windows XP (KB918899)
    Security Update for Windows XP (KB919007)
    Security Update for Windows XP (KB920214)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB920685)
    Security Update for Windows XP (KB921398)
    Security Update for Windows XP (KB921883)
    Security Update for Windows XP (KB922616)
    Security Update for Windows XP (KB922819)
    Security Update for Windows XP (KB923191)
    Security Update for Windows XP (KB923414)
    Security Update for Windows XP (KB924191)
    Security Update for Windows XP (KB924496)
    Security Update for Windows XP (KB925486)
    Skype Toolbars
    Skype™ 5.0
    Software Installer
    Sony Sound Forge 8.0b
    SoundMAX
    System Migration Assistant
    ThinkPad Configuration
    ThinkPad EasyEject Utility
    ThinkPad Power Management Driver
    ThinkPad Wireless LAN Adapters Software (11a/b, 11b/g, 11a/b/g)
    ThinkVantage Access Connections
    ThinkVantage Active Protection System
    Torq 1.0.2 (build 002 -- Tue Dec 05 2006)
    TPNala Wallpaper
    Trust 100K Series Webcam
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB900930)
    Update for Windows XP (KB904942)
    Update for Windows XP (KB908531)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB911280)
    Update for Windows XP (KB916595)
    Update for Windows XP (KB920872)
    Update for Windows XP (KB922582)
    VideoLAN VLC media player 0.8.6c
    WebFldrs XP
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Installer 3.1 (KB893803)
    Windows Media Format 11 runtime
    Windows Media Format SDK Hotfix - KB891122
    Windows Media Player 11
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB891781
    Windows XP Service Pack 2
    .
    ==== Event Viewer Messages From Past Week ========
    .
    05/08/2011 23:50:50, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
    05/08/2011 22:20:19, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: abp480n5 adpu160m agpCPQ Aha154x aic78u2 aic78xx AliIde alim1541 amdagp amsint asc asc3350p asc3550 cbidf cd20xrnt CmdIde Cpqarray dac2w2k dac960nt dpti2o hpn i2omp ini910u IntelIde mraid35x perc2 perc2hib ql1080 Ql10wnt ql12160 ql1240 ql1280 sisagp Sparrow symc810 symc8xx sym_hi sym_u3 TosIde ultra viaagp ViaIde
    02/08/2011 19:33:28, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: IBMTPCHK
    02/08/2011 19:23:34, error: Service Control Manager [7000] - The Ac Profile Manager Service service failed to start due to the following error: Access is denied.
    01/08/2011 11:09:19, error: Service Control Manager [7034] - The Ac Profile Manager Service service terminated unexpectedly. It has done this 1 time(s).
    .
    ==== End Of File ===========================
  7. ali

    aswMBR log

    aswMBR version 0.9.8.978 Copyright(c) 2011 AVAST Software
    Run date: 2011-08-06 22:02:14
    -----------------------------
    22:02:14.127 OS Version: Windows 5.1.2600 Service Pack 2
    22:02:14.127 Number of processors: 1 586 0x905
    22:02:14.127 ComputerName: IBM-C25AFBDEC71 UserName: IBM USER
    22:02:15.739 Initialize success
    22:02:40.325 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    22:02:40.325 Disk 0 Vendor: HTS548040M9AT00 MG2OA5BA Size: 34682MB BusType: 3
    22:02:42.347 Disk 0 MBR read successfully
    22:02:42.347 Disk 0 MBR scan
    22:02:42.347 Disk 0 unknown MBR code
    22:02:42.357 Disk 0 scanning sectors +71018640
    22:02:42.428 Disk 0 scanning C:\WINDOWS\system32\drivers
    22:02:59.793 Service scanning
    22:03:01.846 Modules scanning
    22:03:11.429 Disk 0 trace - called modules:
    22:03:11.449 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
    22:03:11.459 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x872fbab8]
    22:03:11.469 3 CLASSPNP.SYS[f77e105b] -> nt!IofCallDriver -> \Device\000000ac[0x873219e8]
    22:03:11.469 5 ACPI.sys[f76d7620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x87359940]
    22:03:11.830 Scan finished successfully
    22:04:03.344 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\IBM USER\Desktop\MBR.dat"
    22:04:03.354 The log file has been saved successfully to "C:\Documents and Settings\IBM USER\Desktop\aswMBR.txt"
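aswMBR reports "unknown MBR code", scans the sectors past the end of the last partition, and saves a copy of the boot sector to MBR.dat. The following is an added example, not part of the thread or of aswMBR: it parses a 512-byte MBR image of that kind, checks the 0x55AA signature and partition table, hashes the 440 bytes of boot code against a recorded clean hash, and reports how many sectors sit beyond the last partition. The sample MBR is constructed in code, and the "known-good" hash stands in for one you would have recorded from the same machine before infection; both are assumptions.

```python
"""Inspect a 512-byte MBR image such as the MBR.dat that aswMBR writes.

Added example (not from the thread or from aswMBR).  The sample MBR is
constructed here; the clean-hash comparison assumes you recorded the
boot-code hash of this machine while it was known clean.
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440          # bytes 0..439 hold the boot code
PART_TABLE_OFF = 446         # four 16-byte partition entries
BOOT_SIG = b"\x55\xAA"       # bytes 510..511
ENTRY_FMT = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA, count


def build_sample_mbr(boot_code=b"\x33\xc0\x8e\xd0\xbc\x00\x7c"):
    """Construct a plausible single-partition MBR (sample data, not a disk)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    disk_sig = struct.pack("<I", 0xDEADBEEF)          # assumed disk signature
    reserved = b"\x00\x00"
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 63, 71_000_000)
    table = entry + b"\x00" * 48                      # three empty entries
    mbr = code + disk_sig + reserved + table + BOOT_SIG
    assert len(mbr) == SECTOR
    return mbr


def load_mbr(path):
    """Read the first 512 bytes of a saved MBR image such as MBR.dat."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR)


def parse_mbr(mbr):
    """Return signature validity, disk signature, boot-code hash, partitions."""
    if len(mbr) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(mbr)}")
    parts = []
    for i in range(4):
        status, _cs, ptype, _ce, lba, count = struct.unpack_from(
            ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i)
        if ptype == 0:                                # unused slot
            continue
        parts.append({"index": i, "bootable": status == 0x80,
                      "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "valid_signature": mbr[510:512] == BOOT_SIG,
        "disk_signature": struct.unpack_from("<I", mbr, BOOT_CODE_LEN)[0],
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": parts,
    }


def unallocated_tail(info, disk_sectors):
    """Sectors after the last partition: where bootkits park their payload."""
    if not info["partitions"]:
        return disk_sectors
    end = max(p["lba_start"] + p["sectors"] for p in info["partitions"])
    return max(disk_sectors - end, 0)


def check_mbr(mbr, known_good_sha256):
    """Return a list of findings; an empty list means nothing to report."""
    info = parse_mbr(mbr)
    findings = []
    if not info["valid_signature"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != known_good_sha256:
        findings.append("boot code differs from the recorded clean hash")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} bootable partitions (expected 1)")
    for p in info["partitions"]:
        if p["lba_start"] == 0:                       # overlaps the MBR itself
            findings.append(f"partition {p['index']} starts at LBA 0")
    return findings


if __name__ == "__main__":
    sample = build_sample_mbr()
    info = parse_mbr(sample)
    print(info)
    # 34682 MB disk from the aswMBR log, expressed in 512-byte sectors
    print("tail sectors:", unallocated_tail(info, 34682 * 2048))
    print("findings:", check_mbr(sample, info["boot_code_sha256"]))
```

A hash mismatch alone does not identify the code (a vendor or boot-manager MBR also differs from the Windows one), which is why aswMBR says "unknown" rather than "infected"; the comparison is only meaningful against a hash taken from the same disk while it was clean, and a large unallocated tail is worth imaging and scanning separately.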
  8. ali

    ComboFix log

    ComboFix 11-08-03.03 - IBM USER 06/08/2011 22:38:40.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.603 [GMT 1:00]
    Running from: c:\documents and settings\IBM USER\Desktop\ComboFix.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Administrator\WINDOWS
    c:\documents and settings\Default User\WINDOWS
    c:\documents and settings\IBM USER\Local Settings\Application Data\.#
    c:\documents and settings\IBM USER\WINDOWS
    c:\program files\messenger\msmsgsin.exe
    c:\windows\system32\config\systemprofile\WINDOWS
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-07-06 to 2011-08-06 )))))))))))))))))))))))))))))))
    .
    .
    2011-08-06 21:14 . 2011-08-06 21:14 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\fbptfayy
    2011-08-05 23:00 . 2011-08-05 23:00 -------- d-s---w- c:\documents and settings\IBM USER\UserData
    2011-08-04 21:51 . 2011-08-04 21:51 -------- d-----w- c:\documents and settings\IBM USER\Application Data\Malwarebytes
    2011-08-04 21:50 . 2011-07-06 18:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-08-04 21:50 . 2011-08-04 21:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-08-04 21:50 . 2011-08-04 21:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-08-04 21:50 . 2011-07-06 18:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-08-04 21:49 . 2011-08-04 21:41 418708 ------w- C:\h1dqlr36.exe
    2011-08-03 18:40 . 2011-08-04 21:55 -------- d-----w- c:\documents and settings\IBM USER\Local Settings\Application Data\Help
    2011-08-01 08:48 . 2011-08-05 22:45 -------- d-----w- c:\documents and settings\IBM USER\Local Settings\Application Data\fbptfayy
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "S3TRAY2"="S3Tray2.exe" [2001-10-12 69632]
    "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 110592]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 512000]
    "BluetoothAuthenticationAgent"="irprops.cpl" [2004-08-04 380416]
    "TPHOTKEY"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-07-25 213360]
    "TPKMAPMN"="c:\program files\ThinkPad\Utilities\TpKmapMn.exe" [2005-10-29 45056]
    "TP4EX"="tp4ex.exe" [2005-10-17 65536]
    "EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2006-09-13 356839]
    "SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1507864]
    "ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2006-04-17 217506]
    "AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 88363]
    "TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2005-10-29 983579]
    "TPKBDLED"="c:\windows\System32\TpScrLk.exe" [2002-10-09 40960]
    "TpShocks"="TpShocks.exe" [2005-11-07 106496]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
    "PAC207_Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2007-12-10 323584]
    "Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2007-12-10 323584]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="c:\windows\system32\userinit.exe,,c:\documents and settings\LocalService\Local Settings\Application Data\fbptfayy\osjhvplc.exe"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
    2005-07-06 06:45 28672 ----a-w- c:\windows\system32\notifyf2.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
    2005-12-01 03:16 24576 ----a-w- c:\windows\system32\tphklock.dll
    .
    SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
    @="Driver Group"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
    @="Driver"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
    @="DiskDrive"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
    @="Hdc"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
    @="Keyboard"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
    @="Mouse"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
    @="System"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
    @="Volume"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\M-Audio Taskbar Icon]
    2008-05-15 16:45 356864 ----a-w- c:\windows\system32\M-AudioTaskBarIcon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "WebClient"=2 (0x2)
    "Spooler"=3 (0x3)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\Kontiki\\KService.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    .
    R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [15/10/2006 23:45 16384]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [04/08/2011 22:50 366640]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [04/08/2011 22:50 22712]
    R4 Micorsoft Windows Service;Micorsoft Windows Service;\??\c:\windows\TEMP\uvinpabc.sys --> c:\windows\TEMP\uvinpabc.sys [?]
    S3 MADFU;MADFU;c:\windows\system32\drivers\MADFU.sys [26/05/2009 18:43 16512]
    S3 MAUSBCV;Service for M-Audio Conectiv (WDM);c:\windows\system32\drivers\mausbcv.sys [26/05/2009 18:43 131712]
    S3 PAC207;Trust 100K Series Webcam;c:\windows\system32\drivers\PFC027.SYS [19/12/2010 13:19 618112]
    S3 PCDRDRV;Pcdr Helper Driver;\??\c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys --> c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys [?]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2006-10-16 c:\windows\Tasks\BMMTask.job
    - c:\progra~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2006-10-15 08:38]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    TCP: DhcpNameServer = 192.168.1.254
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\documents and settings\IBM USER\Application Data\Mozilla\Firefox\Profiles\knmxpk39.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKCU-Run-Aim6 - (no file)
    HKCU-Run-OsjHvplc - c:\documents and settings\IBM USER\Local Settings\Application Data\fbptfayy\osjhvplc.exe
    HKLM-Run-ATIPTA - c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    HKLM-Run-UC_SMB - (no file)
    HKU-Default-Run-OsjHvplc - c:\documents and settings\LocalService\Local Settings\Application Data\fbptfayy\osjhvplc.exe
    Notify-ACNotify - ACNotify.dll
    MSConfigStartUp-ibmmessages - c:\program files\IBM\Messages By IBM\ibmmessages.exe
    AddRemove-Access IBM Tools - c:\program files\IBM\Access IBM\IBMUINST.EXE
    AddRemove-All ATI Software - c:\program files\ATI Technologies\UninstallAll\AtiCimUn.exe
    AddRemove-KB913433 - c:\windows\System32\MacroMed\Flash\genuinst.exe
    AddRemove-Live 8.0.1 - c:\progra~1\Ableton\LIVE80~1.1\Install\UNWISE.EXE
    AddRemove-Native Instruments - Traktor 1.06 - c:\audio\NATIVE~1\Traktor\UNINST~1\106\UNWISE.EXE
    AddRemove-{98E8A2EF-4EAE-43B8-A172-74842B764777} - c:\program files\InstallShield Installation Information\{98E8A2EF-4EAE-43B8-A172-74842B764777}\setup.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-08-06 22:47
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    detected NTDLL code modification:
    ZwQueryDirectoryFile
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    .
    c:\documents and settings\IBM USER\Start Menu\Programs\Startup\osjhvplc.exe 113152 bytes executable
    .
    scan completed successfully
    hidden files: 1
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(780)
    c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
    c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
    c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
    c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
    c:\windows\system32\Ati2evxx.dll
    c:\windows\system32\tphklock.dll
    .
    Completion time: 2011-08-06 22:51:38
    ComboFix-quarantined-files.txt 2011-08-06 21:51
    .
    Pre-Run: 2,914,373,632 bytes free
    Post-Run: 3,257,602,048 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
    .
    - - End Of File - - EC2DAABD618F2AA1D5776CAB79595631
  9. ali

    ali Newcomer, in training Topic Starter Posts: 23

    Update

    Hi there,

    Have run the scans/programmes you suggested, and the logs are above.

    I uninstalled AVG before running ComboFix, and unfortunately it now won't reinstall.

    Should I try and install avast or something instead? Concerned about leaving myself open again!
  10. Broni

    Broni Malware Annihilator Posts: 46,179   +251

    Yes, you can install one of these:
    - Avast! free antivirus: http://www.avast.com/eng/download-avast-home.html
    - Avira free antivirus: http://www.free-av.com/en/download/1/avira_antivir_personal__free_antivirus.html
    You don't have to uninstall them in order to run Combofix.
    Just disabling them will be fine.

    ==================================================================

    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run Box
    • Click OK
    Windows Vista/7 users: click Start, in "Start search" type notepad and press Enter.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\documents and settings\IBM USER\Start Menu\Programs\Startup\osjhvplc.exe
    
    Folder::
    c:\documents and settings\LocalService\Local Settings\Application Data\fbptfayy
    c:\documents and settings\IBM USER\Local Settings\Application Data\fbptfayy
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="c:\windows\system32\userinit.exe"
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all antivirus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
  11. ali

    ali Newcomer, in training Topic Starter Posts: 23

    ComboFix log 2

    Thanks - here's the log from running that script in combofix:

    ComboFix 11-08-07.03 - IBM USER 07/08/2011 21:38:59.2.1 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.561 [GMT 1:00]
    Running from: c:\documents and settings\IBM USER\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\IBM USER\Desktop\CFScript.txt
    .
    FILE ::
    "c:\documents and settings\IBM USER\Start Menu\Programs\Startup\osjhvplc.exe"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\IBM USER\Start Menu\Programs\Startup\osjhvplc.exe
    c:\documents and settings\IBM USER\Local Settings\Application Data\fbptfayy . . . . Failed to delete
    c:\documents and settings\LocalService\Local Settings\Application Data\fbptfayy . . . . Failed to delete
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-07-07 to 2011-08-07 )))))))))))))))))))))))))))))))
    .
    .
    2011-08-06 21:56 . 2011-08-06 21:56 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
    2011-08-06 21:56 . 2011-08-06 22:06 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
    2011-08-06 21:14 . 2011-08-07 20:46 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\fbptfayy
    2011-08-04 21:51 . 2011-08-04 21:51 -------- d-----w- c:\documents and settings\IBM USER\Application Data\Malwarebytes
    2011-08-04 21:50 . 2011-07-06 18:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-08-04 21:50 . 2011-08-04 21:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-08-04 21:50 . 2011-08-04 21:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-08-04 21:50 . 2011-07-06 18:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-08-04 21:49 . 2011-08-04 21:41 418708 ------w- C:\h1dqlr36.exe
    2011-08-03 18:40 . 2011-08-04 21:55 -------- d-----w- c:\documents and settings\IBM USER\Local Settings\Application Data\Help
    2011-08-01 08:48 . 2011-08-05 22:45 -------- d-----w- c:\documents and settings\IBM USER\Local Settings\Application Data\fbptfayy
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-08-06_21.47.19 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-08-07 20:46 . 2011-08-07 20:46 16384 c:\windows\Temp\Perflib_Perfdata_7c0.dat
    + 2011-08-07 20:46 . 2011-08-07 20:46 16384 c:\windows\Temp\Perflib_Perfdata_7b0.dat
    + 2011-08-07 20:46 . 2011-08-07 20:46 113152 c:\windows\Temp\gxecxrnicomgkqdv.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "S3TRAY2"="S3Tray2.exe" [2001-10-12 69632]
    "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 110592]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 512000]
    "BluetoothAuthenticationAgent"="irprops.cpl" [2004-08-04 380416]
    "TPHOTKEY"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-07-25 213360]
    "TPKMAPMN"="c:\program files\ThinkPad\Utilities\TpKmapMn.exe" [2005-10-29 45056]
    "TP4EX"="tp4ex.exe" [2005-10-17 65536]
    "EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2006-09-13 356839]
    "SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1507864]
    "ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2006-04-17 217506]
    "AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 88363]
    "TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2005-10-29 983579]
    "TPKBDLED"="c:\windows\System32\TpScrLk.exe" [2002-10-09 40960]
    "TpShocks"="TpShocks.exe" [2005-11-07 106496]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
    "PAC207_Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2007-12-10 323584]
    "Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2007-12-10 323584]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
    "OsjHvplc"="c:\documents and settings\LocalService\Local Settings\Application Data\fbptfayy\osjhvplc.exe" [BU]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="c:\windows\system32\userinit.exe,,c:\documents and settings\LocalService\Local Settings\Application Data\fbptfayy\osjhvplc.exe"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
    2005-07-06 06:45 28672 ----a-w- c:\windows\system32\notifyf2.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
    2005-12-01 03:16 24576 ----a-w- c:\windows\system32\tphklock.dll
    .
    SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
    @="Driver Group"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
    @="Driver"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
    @="DiskDrive"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
    @="Hdc"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
    @="Keyboard"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
    @="Mouse"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
    @="System"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
    @="Volume"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\M-Audio Taskbar Icon]
    2008-05-15 16:45 356864 ----a-w- c:\windows\system32\M-AudioTaskBarIcon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "WebClient"=2 (0x2)
    "Spooler"=3 (0x3)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\Kontiki\\KService.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    .
    R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [15/10/2006 23:45 16384]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [04/08/2011 22:50 366640]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [04/08/2011 22:50 22712]
    R4 Micorsoft Windows Service;Micorsoft Windows Service;\??\c:\windows\TEMP\uvinpabc.sys --> c:\windows\TEMP\uvinpabc.sys [?]
    S3 MADFU;MADFU;c:\windows\system32\drivers\MADFU.sys [26/05/2009 18:43 16512]
    S3 MAUSBCV;Service for M-Audio Conectiv (WDM);c:\windows\system32\drivers\mausbcv.sys [26/05/2009 18:43 131712]
    S3 PAC207;Trust 100K Series Webcam;c:\windows\system32\drivers\PFC027.SYS [19/12/2010 13:19 618112]
    S3 PCDRDRV;Pcdr Helper Driver;\??\c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys --> c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys [?]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2006-10-16 c:\windows\Tasks\BMMTask.job
    - c:\progra~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2006-10-15 08:38]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    TCP: DhcpNameServer = 192.168.1.254
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\documents and settings\IBM USER\Application Data\Mozilla\Firefox\Profiles\knmxpk39.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-08-07 21:47
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    detected NTDLL code modification:
    ZwQueryDirectoryFile
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(780)
    c:\windows\system32\Ati2evxx.dll
    c:\windows\system32\tphklock.dll
    .
    - - - - - - - > 'explorer.exe'(3692)
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\System32\ibmpmsvc.exe
    c:\windows\System32\Ati2evxx.exe
    c:\windows\System32\S24EvMon.exe
    c:\windows\system32\Ati2evxx.exe
    c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Kontiki\KService.exe
    c:\windows\System32\RegSrvc.exe
    c:\program files\Analog Devices\SoundMAX\SMAgent.exe
    c:\windows\System32\TPHDEXLG.EXE
    c:\windows\system32\TpKmpSVC.exe
    c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\system32\acs.exe
    c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
    c:\program files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    c:\windows\AGRSMMSG.exe
    c:\windows\system32\TpShocks.exe
    .
    **************************************************************************
    .
    Completion time: 2011-08-07 21:53:10 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-08-07 20:53
    ComboFix2.txt 2011-08-06 21:51
    .
    Pre-Run: 3,259,744,256 bytes free
    Post-Run: 3,242,749,952 bytes free
    .
    - - End Of File - - CF80E7ECBB78D17E5863B0608FC71724
     
  12. Broni

    Broni Malware Annihilator Posts: 46,179   +251

    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run Box
    • Click OK
    Windows Vista/7 users: click Start, in "Start search" type notepad and press Enter.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\TEMP\uvinpabc.sys
    
    Folder::
    c:\documents and settings\LocalService\Local Settings\Application Data\fbptfayy
    c:\documents and settings\IBM USER\Local Settings\Application Data\fbptfayy
    .
    
    Driver::
    Micorsoft Windows Service
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="c:\windows\system32\userinit.exe"
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "OsjHvplc"=-
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all antivirus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
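    An added example, not part of this thread and not Broni's or ComboFix's code: a small Python checker that reads the "Reg Loading Points" section of a ComboFix log like the ones posted above and flags the two persistence indicators the CFScripts in posts 10 and 12 are written to undo: a Winlogon Userinit value that launches anything besides userinit.exe, and Run entries that launch a program from a profile's Local Settings\Application Data or a Temp directory. The sample log is constructed from values in this thread (abbreviated); the regexes, the directory list and the finding labels are my own assumptions, not ComboFix behaviour.

```python
import re

# Constructed sample, modelled on the "Reg Loading Points" section of the
# ComboFix logs in this thread. Abbreviated; not a full log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 512000]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
"OsjHvplc"="c:\documents and settings\LocalService\Local Settings\Application Data\fbptfayy\osjhvplc.exe" [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\documents and settings\LocalService\Local Settings\Application Data\fbptfayy\osjhvplc.exe"
"""

# A registry key header line:  [HKEY_...\...]
KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
# A value line:  "Name"="data" [date size]   (the trailing bracket is optional)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>[^"]*)"')

# Directories a legitimate autostart program rarely runs from (assumption:
# a heuristic list, not a ComboFix rule). Compared case-insensitively.
SUSPICIOUS_DIRS = (
    "\\local settings\\application data\\",
    "\\local settings\\temp\\",
    "\\windows\\temp\\",
)


def parse_loading_points(text):
    """Return a list of (key, value_name, value_data) tuples from the log text."""
    entries = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            entries.append((key, m.group("name"), m.group("data")))
    return entries


def check_userinit(data):
    """Return the programs in a Userinit value other than userinit.exe itself.

    A clean value is a single path to userinit.exe (a trailing comma is normal).
    Anything else in the comma-separated list is started by Winlogon at every
    logon, which is exactly the hijack the logs above show.
    """
    parts = [p.strip() for p in data.split(",") if p.strip()]
    return [p for p in parts if not p.lower().endswith("\\system32\\userinit.exe")]


def find_suspicious(entries):
    """Apply both heuristics and return (label, key, name, detail) findings."""
    findings = []
    for key, name, data in entries:
        key_low, data_low = key.lower(), data.lower()
        if key_low.endswith("\\winlogon") and name.lower() == "userinit":
            for extra in check_userinit(data):
                findings.append(("userinit-hijack", key, name, extra))
        elif key_low.endswith("\\run"):
            if any(d in data_low for d in SUSPICIOUS_DIRS):
                findings.append(("run-from-profile-temp", key, name, data))
    return findings


if __name__ == "__main__":
    for label, key, name, detail in find_suspicious(parse_loading_points(SAMPLE_LOG)):
        print(f"{label}: [{key}] {name} -> {detail}")
```

    Running the block on the constructed sample reports the osjhvplc.exe entry twice: once under the .DEFAULT Run key and once as the extra program appended to Userinit, which is why the second CFScript removes both the Run value and the Userinit tail rather than only the file. Pointing the parser at a real ComboFix.txt means passing its "Reg Loading Points" section instead of SAMPLE_LOG.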
  13. ali

    ali Newcomer, in training Topic Starter Posts: 23

    ComboFix log 3

    Hi again, another log!

    ComboFix 11-08-08.01 - IBM USER 08/08/2011 20:09:41.3.1 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.563 [GMT 1:00]
    Running from: c:\documents and settings\IBM USER\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\IBM USER\Desktop\CFScript.txt
    * Created a new restore point
    .
    FILE ::
    "c:\windows\TEMP\uvinpabc.sys"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\IBM USER\Local Settings\Application Data\fbptfayy . . . . Failed to delete
    c:\documents and settings\LocalService\Local Settings\Application Data\fbptfayy . . . . Failed to delete
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_MICORSOFT_WINDOWS_SERVICE
    -------\Service_Micorsoft Windows Service
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-07-08 to 2011-08-08 )))))))))))))))))))))))))))))))
    .
    .
    2011-08-06 21:56 . 2011-08-06 21:56 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
    2011-08-06 21:56 . 2011-08-07 20:57 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
    2011-08-06 21:14 . 2011-08-08 19:17 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\fbptfayy
    2011-08-04 21:51 . 2011-08-04 21:51 -------- d-----w- c:\documents and settings\IBM USER\Application Data\Malwarebytes
    2011-08-04 21:50 . 2011-07-06 18:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-08-04 21:50 . 2011-08-04 21:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-08-04 21:50 . 2011-08-04 21:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-08-04 21:50 . 2011-07-06 18:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-08-04 21:49 . 2011-08-04 21:41 418708 ------w- C:\h1dqlr36.exe
    2011-08-03 18:40 . 2011-08-04 21:55 -------- d-----w- c:\documents and settings\IBM USER\Local Settings\Application Data\Help
    2011-08-01 08:48 . 2011-08-05 22:45 -------- d-----w- c:\documents and settings\IBM USER\Local Settings\Application Data\fbptfayy
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-08-06_21.47.19 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-08-08 19:17 . 2011-08-08 19:17 16384 c:\windows\Temp\Perflib_Perfdata_7c0.dat
    + 2011-08-08 19:17 . 2011-08-08 19:17 16384 c:\windows\Temp\Perflib_Perfdata_7b4.dat
    + 2011-08-08 19:17 . 2011-08-08 19:17 113152 c:\windows\Temp\gxecxrnicomgkqdv.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "S3TRAY2"="S3Tray2.exe" [2001-10-12 69632]
    "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 110592]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 512000]
    "BluetoothAuthenticationAgent"="irprops.cpl" [2004-08-04 380416]
    "TPHOTKEY"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-07-25 213360]
    "TPKMAPMN"="c:\program files\ThinkPad\Utilities\TpKmapMn.exe" [2005-10-29 45056]
    "TP4EX"="tp4ex.exe" [2005-10-17 65536]
    "EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2006-09-13 356839]
    "SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1507864]
    "ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2006-04-17 217506]
    "AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 88363]
    "TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2005-10-29 983579]
    "TPKBDLED"="c:\windows\System32\TpScrLk.exe" [2002-10-09 40960]
    "TpShocks"="TpShocks.exe" [2005-11-07 106496]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
    "PAC207_Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2007-12-10 323584]
    "Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2007-12-10 323584]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
    "OsjHvplc"="c:\documents and settings\LocalService\Local Settings\Application Data\fbptfayy\osjhvplc.exe" [BU]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="c:\windows\system32\userinit.exe,,c:\documents and settings\LocalService\Local Settings\Application Data\fbptfayy\osjhvplc.exe"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
    2005-07-06 06:45 28672 ----a-w- c:\windows\system32\notifyf2.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
    2005-12-01 03:16 24576 ----a-w- c:\windows\system32\tphklock.dll
    .
    SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
    @="Driver Group"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
    @="Driver"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
    @="DiskDrive"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
    @="Hdc"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
    @="Keyboard"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
    @="Mouse"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
    @="System"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
    @="Volume"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\M-Audio Taskbar Icon]
    2008-05-15 16:45 356864 ----a-w- c:\windows\system32\M-AudioTaskBarIcon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "WebClient"=2 (0x2)
    "Spooler"=3 (0x3)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\Kontiki\\KService.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    .
    R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [15/10/2006 23:45 16384]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [04/08/2011 22:50 366640]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [04/08/2011 22:50 22712]
    S3 MADFU;MADFU;c:\windows\system32\drivers\MADFU.sys [26/05/2009 18:43 16512]
    S3 MAUSBCV;Service for M-Audio Conectiv (WDM);c:\windows\system32\drivers\mausbcv.sys [26/05/2009 18:43 131712]
    S3 PAC207;Trust 100K Series Webcam;c:\windows\system32\drivers\PFC027.SYS [19/12/2010 13:19 618112]
    S3 PCDRDRV;Pcdr Helper Driver;\??\c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys --> c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys [?]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - MICORSOFT_WINDOWS_SERVICE
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2006-10-16 c:\windows\Tasks\BMMTask.job
    - c:\progra~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2006-10-15 08:38]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    TCP: DhcpNameServer = 192.168.1.254
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\documents and settings\IBM USER\Application Data\Mozilla\Firefox\Profiles\knmxpk39.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-08-08 20:18
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    detected NTDLL code modification:
    ZwQueryDirectoryFile
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    .
    c:\documents and settings\IBM USER\Start Menu\Programs\Startup\osjhvplc.exe 113152 bytes executable
    .
    scan completed successfully
    hidden files: 1
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(780)
    c:\windows\system32\Ati2evxx.dll
    c:\windows\system32\tphklock.dll
    .
    - - - - - - - > 'explorer.exe'(3816)
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\System32\ibmpmsvc.exe
    c:\windows\System32\Ati2evxx.exe
    c:\windows\System32\S24EvMon.exe
    c:\windows\system32\Ati2evxx.exe
    c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Kontiki\KService.exe
    c:\windows\System32\RegSrvc.exe
    c:\program files\Analog Devices\SoundMAX\SMAgent.exe
    c:\windows\System32\TPHDEXLG.EXE
    c:\windows\system32\TpKmpSVC.exe
    c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\system32\acs.exe
    c:\program files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    c:\windows\AGRSMMSG.exe
    c:\windows\system32\TpShocks.exe
    c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
    .
    **************************************************************************
    .
    Completion time: 2011-08-08 20:24:07 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-08-08 19:24
    ComboFix2.txt 2011-08-07 20:53
    ComboFix3.txt 2011-08-06 21:51
    .
    Pre-Run: 3,232,051,200 bytes free
    Post-Run: 3,150,057,472 bytes free
    .
    - - End Of File - - BD1E650F1A131986BC7BED6DE5BB057F
  14. Broni

    Broni Malware Annihilator Posts: 46,179   +251

    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run Box
    • Click OK
    Windows Vista/7 users: click Start, in "Start search" type notepad and press Enter.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    Folder::
    c:\documents and settings\LocalService\Local Settings\Application Data\fbptfayy
    c:\documents and settings\IBM USER\Local Settings\Application Data\fbptfayy
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="c:\windows\system32\userinit.exe"
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "OsjHvplc"=-
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
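    As an added illustration (not part of Broni's post, and not ComboFix's own code): a small Python checker that reads a REGEDIT4-style "Reg Loading Points" excerpt in the format of the ComboFix logs in this thread and flags the two persistence points the CFScript above resets, an extra program appended to the Winlogon Userinit value and Run entries pointing into user-writable folders. The sample dump is constructed from the log format shown above, and the list of suspect directories is my own assumption.

```python
"""Flag suspicious Winlogon/Run persistence in a ComboFix-style REGEDIT4 dump."""
import re

# Constructed sample, modelled on the 'Reg Loading Points' section of the
# ComboFix logs posted in this thread (not the actual log file).
SAMPLE_DUMP = r"""
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 512000]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
"OsjHvplc"="c:\documents and settings\LocalService\Local Settings\Application Data\fbptfayy\osjhvplc.exe" [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\documents and settings\LocalService\Local Settings\Application Data\fbptfayy\osjhvplc.exe"
"""

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
# "name"="value" optionally followed by ComboFix's "[date size]" or "[BU]" tag
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<value>.*?)"(?:\s+\[[^\]]*\])?$')

# Assumed list of user-writable locations where an installer-created Run
# entry is unusual but dropper-created ones (as in this thread) are common.
SUSPECT_DIRS = (
    "\\local settings\\application data\\",
    "\\local settings\\temp\\",
    "\\windows\\temp\\",
)


def parse_dump(text):
    """Yield (key, name, value) triples from a REGEDIT4-style ComboFix dump."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            yield key, m.group("name"), m.group("value")


def check_userinit(value):
    """Return every entry in a Winlogon Userinit value other than userinit.exe.

    The stock XP value is 'c:\\windows\\system32\\userinit.exe,': a trailing
    comma is normal, but any further path is an extra program Winlogon runs at
    every logon, which is exactly the hijack the CFScript above undoes.
    """
    parts = [p.strip() for p in value.split(",")]
    parts = [p for p in parts if p]
    return [p for p in parts if not p.lower().endswith("\\system32\\userinit.exe")]


def audit_loading_points(text):
    """Return (key, name, reason) findings for the persistence points above."""
    findings = []
    for key, name, value in parse_dump(text):
        lkey = key.lower()
        if lkey.endswith("\\winlogon") and name.lower() == "userinit":
            for extra in check_userinit(value):
                findings.append((key, name, "extra Userinit program: " + extra))
        elif lkey.endswith("\\currentversion\\run"):
            if any(d in value.lower() for d in SUSPECT_DIRS):
                findings.append((key, name, "Run entry in user-writable location: " + value))
    return findings


if __name__ == "__main__":
    for key, name, reason in audit_loading_points(SAMPLE_DUMP):
        print(f"[{key}] {name}: {reason}")
```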
  15. ali

    ali Newcomer, in training Topic Starter Posts: 23

    ComboFix log

    ComboFix 11-08-09.02 - IBM USER 09/08/2011 21:02:30.4.1 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.453 [GMT 1:00]
    Running from: c:\documents and settings\IBM USER\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\IBM USER\Desktop\CFScript.txt
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-07-09 to 2011-08-09 )))))))))))))))))))))))))))))))
    .
    .
    2011-08-06 21:56 . 2011-08-06 21:56 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
    2011-08-06 21:56 . 2011-08-08 19:33 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
    2011-08-06 21:14 . 2011-08-08 19:17 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\fbptfayy
    2011-08-04 21:51 . 2011-08-04 21:51 -------- d-----w- c:\documents and settings\IBM USER\Application Data\Malwarebytes
    2011-08-04 21:50 . 2011-07-06 18:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-08-04 21:50 . 2011-08-04 21:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-08-04 21:50 . 2011-08-04 21:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-08-04 21:50 . 2011-07-06 18:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-08-04 21:49 . 2011-08-04 21:41 418708 ------w- C:\h1dqlr36.exe
    2011-08-03 18:40 . 2011-08-04 21:55 -------- d-----w- c:\documents and settings\IBM USER\Local Settings\Application Data\Help
    2011-08-01 08:48 . 2011-08-05 22:45 -------- d-----w- c:\documents and settings\IBM USER\Local Settings\Application Data\fbptfayy
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-08-06_21.47.19 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-08-09 19:53 . 2011-08-09 19:53 16384 c:\windows\Temp\Perflib_Perfdata_ec.dat
    + 2011-08-09 19:53 . 2011-08-09 19:53 16384 c:\windows\Temp\Perflib_Perfdata_dc.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "S3TRAY2"="S3Tray2.exe" [2001-10-12 69632]
    "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 110592]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 512000]
    "BluetoothAuthenticationAgent"="irprops.cpl" [2004-08-04 380416]
    "TPHOTKEY"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-07-25 213360]
    "TPKMAPMN"="c:\program files\ThinkPad\Utilities\TpKmapMn.exe" [2005-10-29 45056]
    "TP4EX"="tp4ex.exe" [2005-10-17 65536]
    "EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2006-09-13 356839]
    "SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1507864]
    "ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2006-04-17 217506]
    "AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 88363]
    "TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2005-10-29 983579]
    "TPKBDLED"="c:\windows\System32\TpScrLk.exe" [2002-10-09 40960]
    "TpShocks"="TpShocks.exe" [2005-11-07 106496]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
    "PAC207_Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2007-12-10 323584]
    "Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2007-12-10 323584]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
    2005-07-06 06:45 28672 ----a-w- c:\windows\system32\notifyf2.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
    2005-12-01 03:16 24576 ----a-w- c:\windows\system32\tphklock.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\M-Audio Taskbar Icon]
    2008-05-15 16:45 356864 ----a-w- c:\windows\system32\M-AudioTaskBarIcon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "WebClient"=2 (0x2)
    "Spooler"=3 (0x3)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\Kontiki\\KService.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    .
    R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [15/10/2006 23:45 16384]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [04/08/2011 22:50 366640]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [04/08/2011 22:50 22712]
    R4 Micorsoft Windows Service;Micorsoft Windows Service;\??\c:\docume~1\IBMUSE~1\LOCALS~1\Temp\uvinpabc.sys --> c:\docume~1\IBMUSE~1\LOCALS~1\Temp\uvinpabc.sys [?]
    S3 MADFU;MADFU;c:\windows\system32\drivers\MADFU.sys [26/05/2009 18:43 16512]
    S3 MAUSBCV;Service for M-Audio Conectiv (WDM);c:\windows\system32\drivers\mausbcv.sys [26/05/2009 18:43 131712]
    S3 PAC207;Trust 100K Series Webcam;c:\windows\system32\drivers\PFC027.SYS [19/12/2010 13:19 618112]
    S3 PCDRDRV;Pcdr Helper Driver;\??\c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys --> c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys [?]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2006-10-16 c:\windows\Tasks\BMMTask.job
    - c:\progra~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2006-10-15 08:38]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    TCP: DhcpNameServer = 192.168.1.254
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\documents and settings\IBM USER\Application Data\Mozilla\Firefox\Profiles\knmxpk39.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-08-09 21:08
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    detected NTDLL code modification:
    ZwQueryDirectoryFile
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    .
    c:\documents and settings\IBM USER\Start Menu\Programs\Startup\osjhvplc.exe 113152 bytes executable
    .
    scan completed successfully
    hidden files: 1
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(784)
    c:\windows\system32\Ati2evxx.dll
    c:\windows\system32\tphklock.dll
    .
    - - - - - - - > 'explorer.exe'(1880)
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2011-08-09 21:10:44
    ComboFix-quarantined-files.txt 2011-08-09 20:10
    ComboFix2.txt 2011-08-08 19:24
    ComboFix3.txt 2011-08-07 20:53
    ComboFix4.txt 2011-08-06 21:51
    .
    Pre-Run: 3,165,790,208 bytes free
    Post-Run: 3,148,668,928 bytes free
    .
    - - End Of File - - 3C72BDCFE0A78AA051AE4EC45D1DD640
  16. ali

    ali Newcomer, in training Topic Starter Posts: 23

    Just to give you an update on computer behaviour - links to Avast, AVG and MS support sites are no longer being blocked. AVG installation was getting blocked, and is now ok.

    Still lots of threats popping up, but fewer than before!
  17. Broni

    Broni Malware Annihilator Posts: 46,179   +251

    We're not out of the woods yet, but Combofix log looks better.

    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run Box
    • Click OK
    Windows Vista/7 users: click Start, in "Start search" type notepad and press Enter.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    C:\h1dqlr36.exe
    c:\docume~1\IBMUSE~1\LOCALS~1\Temp\uvinpabc.sys
    c:\documents and settings\IBM USER\Start Menu\Programs\Startup\osjhvplc.exe
    
    Folder::
    c:\documents and settings\LocalService\Local Settings\Application Data\fbptfayy
    c:\documents and settings\IBM USER\Local Settings\Application Data\fbptfayy
    
    
    Driver::
    "Micorsoft Windows Service"
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
  18. ali

    ali Newcomer, in training Topic Starter Posts: 23

    ComboFix 11-08-09.03 - IBM USER 10/08/2011 9:03.5.1 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.584 [GMT 1:00]
    Running from: c:\documents and settings\IBM USER\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\IBM USER\Desktop\CFScript.txt
    .
    FILE ::
    "c:\docume~1\IBMUSE~1\LOCALS~1\Temp\uvinpabc.sys"
    "c:\documents and settings\IBM USER\Start Menu\Programs\Startup\osjhvplc.exe"
    "C:\h1dqlr36.exe"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\IBM USER\Local Settings\Application Data\fbptfayy
    c:\documents and settings\IBM USER\Local Settings\Application Data\fbptfayy\osjhvplc.exe
    c:\documents and settings\IBM USER\Start Menu\Programs\Startup\osjhvplc.exe
    c:\documents and settings\LocalService\Local Settings\Application Data\fbptfayy
    c:\documents and settings\LocalService\Local Settings\Application Data\fbptfayy\osjhvplc.exe
    C:\h1dqlr36.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_MICORSOFT_WINDOWS_SERVICE
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-07-10 to 2011-08-10 )))))))))))))))))))))))))))))))
    .
    .
    2011-08-10 08:12 . 2011-08-10 08:12 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\fbptfayy
    2011-08-09 20:42 . 2011-08-09 20:42 -------- d-----w- c:\documents and settings\IBM USER\Application Data\AVG10
    2011-08-09 20:37 . 2011-08-10 08:11 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
    2011-08-09 20:37 . 2011-08-10 07:53 -------- d-----w- c:\windows\system32\drivers\AVG
    2011-08-06 21:56 . 2011-08-06 21:56 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
    2011-08-06 21:56 . 2011-08-10 07:54 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
    2011-08-04 21:51 . 2011-08-04 21:51 -------- d-----w- c:\documents and settings\IBM USER\Application Data\Malwarebytes
    2011-08-04 21:50 . 2011-07-06 18:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-08-04 21:50 . 2011-08-04 21:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-08-04 21:50 . 2011-08-04 21:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-08-04 21:50 . 2011-07-06 18:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-08-03 18:40 . 2011-08-04 21:55 -------- d-----w- c:\documents and settings\IBM USER\Local Settings\Application Data\Help
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-08-06_21.47.19 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-07-11 23:02 . 2009-07-11 23:02 51008 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll
    + 2009-07-11 23:02 . 2009-07-11 23:02 59728 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90rus.dll
    + 2009-07-11 23:02 . 2009-07-11 23:02 42832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90kor.dll
    + 2009-07-11 23:02 . 2009-07-11 23:02 43344 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90jpn.dll
    + 2009-07-11 23:02 . 2009-07-11 23:02 61264 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90ita.dll
    + 2009-07-11 23:02 . 2009-07-11 23:02 62800 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90fra.dll
    + 2009-07-11 23:02 . 2009-07-11 23:02 61760 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esp.dll
    + 2009-07-11 23:02 . 2009-07-11 23:02 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esn.dll
    + 2009-07-11 23:02 . 2009-07-11 23:02 53568 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90enu.dll
    + 2009-07-11 23:02 . 2009-07-11 23:02 63296 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90deu.dll
    + 2009-07-11 23:02 . 2009-07-11 23:02 36688 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90cht.dll
    + 2009-07-11 23:02 . 2009-07-11 23:02 35648 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90chs.dll
    + 2009-07-11 23:05 . 2009-07-11 23:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90u.dll
    + 2009-07-11 23:05 . 2009-07-11 23:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90.dll
    + 2011-08-10 08:11 . 2011-08-10 08:11 16384 c:\windows\Temp\Perflib_Perfdata_7dc.dat
    + 2011-08-10 08:11 . 2011-08-10 08:11 16384 c:\windows\Temp\Perflib_Perfdata_7ac.dat
    + 2009-07-11 23:02 . 2009-07-11 23:02 159032 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll
    + 2011-08-10 08:11 . 2011-08-10 08:11 113152 c:\windows\Temp\gxecxrnicomgkqdv.exe
    + 1980-01-01 07:00 . 2004-08-04 07:56 640000 c:\windows\system32\dllcache\dbghelp.dll
    + 2011-08-09 20:36 . 2011-08-09 20:36 219648 c:\windows\Installer\27b9d7.msi
    + 2009-07-11 23:02 . 2009-07-11 23:02 3780424 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90u.dll
    + 2009-07-11 23:02 . 2009-07-11 23:02 3765048 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90.dll
    + 2011-08-09 20:40 . 2011-08-09 20:40 3489280 c:\windows\Installer\27b9df.msi
    + 2011-08-09 20:36 . 2011-08-09 20:36 1611776 c:\windows\Installer\27b9db.msi
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "S3TRAY2"="S3Tray2.exe" [2001-10-12 69632]
    "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 110592]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 512000]
    "BluetoothAuthenticationAgent"="irprops.cpl" [2004-08-04 380416]
    "TPHOTKEY"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-07-25 213360]
    "TPKMAPMN"="c:\program files\ThinkPad\Utilities\TpKmapMn.exe" [2005-10-29 45056]
    "TP4EX"="tp4ex.exe" [2005-10-17 65536]
    "EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2006-09-13 356839]
    "SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1507864]
    "ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2006-04-17 217506]
    "AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 88363]
    "TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2005-10-29 983579]
    "TPKBDLED"="c:\windows\System32\TpScrLk.exe" [2002-10-09 40960]
    "TpShocks"="TpShocks.exe" [2005-11-07 106496]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
    "PAC207_Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2007-12-10 323584]
    "Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2007-12-10 323584]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtUVREQ0gtNElKTUg&inst=NzctNjkxNTE4MzI4LVQxLVVDQUxMKzEtVUNBTEwyKzItVEI4KzItRkwrOC1GOE04QSszLUY4TTlBKzMtRjhNMTFDKzEtVVBHKzIwMTEtRjhNMTFFKzEtWE84KzEtRERUKzAtRkwxMCsxLUZPSSsx&prod=90&ver=10.0.1392" [?]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
    "OsjHvplc"="c:\documents and settings\LocalService\Local Settings\Application Data\fbptfayy\osjhvplc.exe" [BU]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="c:\windows\system32\userinit.exe,,c:\documents and settings\LocalService\Local Settings\Application Data\fbptfayy\osjhvplc.exe"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
    2005-07-06 06:45 28672 ----a-w- c:\windows\system32\notifyf2.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
    2005-12-01 03:16 24576 ----a-w- c:\windows\system32\tphklock.dll
    .
    SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
    @="Driver Group"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
    @="Driver"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
    @="DiskDrive"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
    @="Hdc"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
    @="Keyboard"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
    @="Mouse"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
    @="System"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
    @="Volume"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\M-Audio Taskbar Icon]
    2008-05-15 16:45 356864 ----a-w- c:\windows\system32\M-AudioTaskBarIcon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "WebClient"=2 (0x2)
    "Spooler"=3 (0x3)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\Kontiki\\KService.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    .
    R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [15/10/2006 23:45 16384]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [04/08/2011 22:50 366640]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [04/08/2011 22:50 22712]
    R4 Micorsoft Windows Service;Micorsoft Windows Service;\??\c:\windows\TEMP\uvinpabc.sys --> c:\windows\TEMP\uvinpabc.sys [?]
    S3 MADFU;MADFU;c:\windows\system32\drivers\MADFU.sys [26/05/2009 18:43 16512]
    S3 MAUSBCV;Service for M-Audio Conectiv (WDM);c:\windows\system32\drivers\mausbcv.sys [26/05/2009 18:43 131712]
    S3 PAC207;Trust 100K Series Webcam;c:\windows\system32\drivers\PFC027.SYS [19/12/2010 13:19 618112]
    S3 PCDRDRV;Pcdr Helper Driver;\??\c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys --> c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys [?]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - MICORSOFT_WINDOWS_SERVICE
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2006-10-16 c:\windows\Tasks\BMMTask.job
    - c:\progra~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2006-10-15 08:38]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    TCP: DhcpNameServer = 192.168.1.254
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\documents and settings\IBM USER\Application Data\Mozilla\Firefox\Profiles\knmxpk39.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-08-10 09:12
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    detected NTDLL code modification:
    ZwQueryDirectoryFile
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(780)
    c:\windows\system32\Ati2evxx.dll
    c:\windows\system32\tphklock.dll
    .
    - - - - - - - > 'explorer.exe'(2212)
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\System32\ibmpmsvc.exe
    c:\windows\System32\Ati2evxx.exe
    c:\windows\System32\S24EvMon.exe
    c:\windows\system32\Ati2evxx.exe
    c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Kontiki\KService.exe
    c:\windows\System32\RegSrvc.exe
    c:\program files\Analog Devices\SoundMAX\SMAgent.exe
    c:\windows\System32\TPHDEXLG.EXE
    c:\windows\system32\TpKmpSVC.exe
    c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
    c:\windows\AGRSMMSG.exe
    c:\windows\system32\TpShocks.exe
    c:\program files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\system32\acs.exe
    c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
    .
    **************************************************************************
    .
    Completion time: 2011-08-10 09:18:04 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-08-10 08:17
    ComboFix2.txt 2011-08-09 20:10
    ComboFix3.txt 2011-08-08 19:24
    ComboFix4.txt 2011-08-07 20:53
    ComboFix5.txt 2011-08-10 08:02
    .
    Pre-Run: 2,846,900,224 bytes free
    Post-Run: 2,816,983,040 bytes free
    .
    - - End Of File - - 067A93BF2A55454C1E90F601AAE248EF
  19. Broni

    Broni Malware Annihilator Posts: 46,179   +251

    Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • IMPORTANT! UN-check Remove found threats
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push List of found threats
    • Click on Export to text file, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  20. ali

    ali Newcomer, in training Topic Starter Posts: 23

    Hi there,

    Unfortunately the website won't work. It seems that whatever part of the virus that was blocking particular websites is back. Can no longer get onto avast.com, microsoft.com again either...
  21. Broni

    Broni Malware Annihilator Posts: 46,179   +251

    Download following tool.
    Disconnect from the internet (VERY IMPORTANT!)

    Please click HERE to download Kaspersky Virus Removal Tool.

    • Double click on the file you just downloaded and let it install.
    • It will install to your desktop (be patient; it may take a while).
    • Accept license agreement and click "Start" button.
    • Click on Settings button
      • In Scan scope leave pre-checked items as they are and also checkmark My Computer
      • In Actions checkmark Select action: (disinfect; delete if disinfection fails) instead of preselected Prompt on detection
    • Click on Automatic Scan tab and then click on Start scanning button.
    • Before it is done it may prompt for action regardless of the setting so choose delete if prompted.
    • When the scan is done NO log will be produced.
    • Click on Report button, then on Automatic Scan report tab.
    • Right click anywhere within right pane, click Select All then right click again and click Copy.
    • This will copy the items that it found to the clipboard. You can then open Notepad (go to Start, then Run, then type in notepad) and choose Paste to paste the contents into Notepad.
    • You can save this on the desktop.
    • Post the contents of the document in your next reply.
  22. ali

    ali Newcomer, in training Topic Starter Posts: 23

    Hi - thanks for that. Was away at the weekend, but have started running Kaspersky tonight.

    Will let you know the results!
  23. Broni

    Broni Malware Annihilator Posts: 46,179   +251

    OK.................
  24. ali

    ali Newcomer, in training Topic Starter Posts: 23

    I ran the scan last night, and it cleared out lots of stuff from the machine. Unfortunately, the log seems to be blank. Kaspersky shut down my computer several times, and I had to restart the scan each time. Upon restarting the final time, the log appeared to be blank.

    It was getting late though, so I probably screwed it up myself to be honest!

    I'll run it again tomorrow at a more civilised hour, and get back to you...
  25. Broni

    Broni Malware Annihilator Posts: 46,179   +251

    OK. That would be important to me to see that log.