Solved Still not clean after XP Security 2012

ST Dog

My son's computer rebooted after a Windows update and then wouldn't boot normally. Got to safe mode and discovered one of the AV trojans that ran anytime you started an app. Ran through the tools I used last time on mine and cleaned out a bunch of stuff, even a rootkit.

Still don't think it's clean though.

For one, I get a warning about ActiveX when not even running a browser (like ejecting a USB drive).

**************
MBAM.txt
**************
Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6888

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/18/2011 2:18:05 PM
mbam-log-2011-06-18 (14-18-05).txt

Scan type: Quick scan
Objects scanned: 208678
Time elapsed: 17 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


*************
GMER.log
*************
GMER 1.0.15.15640 - http://www.gmer.net
Rootkit quick scan 2011-06-18 14:21:43
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 HTS54108 rev.MB4I
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kgtdrpod.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


**********
DDS.txt
**********
.
DDS (Ver_2011-06-12.02) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Run by Administrator at 14:21:52 on 2011-06-18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1349 [GMT -5:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
C:\Program Files\Intel\WiFi\bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe
C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\Microsoft\BingBar\SeaPort.EXE
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\ThinkPad\Utilities\PWMEWSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Program Files\LENOVO\HOTKEY\tposdsvc.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
C:\PROGRA~1\THINKV~2\AMSG\Amsg.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Lenovo\VIRTSCRL\virtscrl.exe
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\PROGRA~1\THINKV~2\PrdCtr\LPMLCHK.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Program Files\TPFanControl\TPFanControl.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\SCHTASK.exe
C:\PROGRA~1\WI3712~1\Datamngr\DATAMN~1.EXE
C:\Program Files\Ask.com\Updater\Updater.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://home.jzip.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mSearchAssistant = hxxp://start.facemoods.com/?a=ppcb4&s={searchTerms}&f=4
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: IMVU Inc Toolbar: {90b49673-5506-483e-b92b-ca0265bd9ca8} - c:\program files\imvu_inc\tbIMVU.dll
TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"
TB: Searchqu Toolbar: {99079a25-328f-4bd4-be04-00955acaa0a7} - c:\progra~1\wi3712~1\toolbar\searchqudtx.dll
TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [TpShocks] TpShocks.exe
mRun: [TP4EX] tp4ex.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [LPManager] c:\progra~1\thinkv~2\prdctr\LPMGR.exe
mRun: [AMSG] c:\progra~1\thinkv~2\amsg\Amsg.exe /startup
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
mRun: [DiskeeperSystray] "c:\program files\diskeeper corporation\diskeeper\DkIcon.exe"
mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [LenovoAutoScrollUtility] c:\program files\lenovo\virtscrl\virtscrl.exe
mRun: [TPFNF7] c:\program files\lenovo\npdirect\TPFNF7SP.exe /r
mRun: [LPMailChecker] c:\progra~1\thinkv~2\prdctr\LPMLCHK.exe
mRun: [<NO NAME>]
mRun: [AwaySch] c:\program files\lenovo\awaytask\AwaySch.EXE
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
mRun: [TPFanControl] c:\program files\tpfancontrol\TPFanControl.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [CorelDRAW Graphics Suite 11b] c:\program files\corel\corel graphics 11\register\registration.exe /title="CorelDRAW Graphics Suite 11" /date=062611 serial=DR11CRD-0044977-NMV
mRun: [DATAMNGR] c:\progra~1\wi3712~1\datamngr\DATAMN~1.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [ApnUpdater] "c:\program files\ask.com\updater\Updater.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\openURL.vbs
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Search - http://tbedits.smileycentral.com/on...549E-3BDE-4680-807B-772223E02256&n=2011011321
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - c:\program files\lenovo\pkgmgr\\PkgMgr.exe
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\alex\start menu\programs\imvu\Run IMVU.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
DPF: {2DAD3559-2923-4935-AD49-B673D2539944} - hxxp://www-307.ibm.com/pc/support/acpir.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1276268207234
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1287407776625
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4.2/jinstall-142-win.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{A7772497-ECCC-469E-888B-29D1FAC53D9A} : DhcpNameServer = 192.168.1.254
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: ACNotify - ACNotify.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: psfus - c:\program files\thinkvantage fingerprint software\psqlpwd.dll
AppInit_DLLs: c:\progra~1\wi3712~1\datamngr\datamngr.dll c:\progra~1\wi3712~1\datamngr\IEBHO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli ACGina c:\program files\thinkvantage fingerprint software\psqlpwd.dll ACGina
Hosts: 184.95.59.211 www.google.com
Hosts: 184.95.59.212 search.yahoo.com
Hosts: 184.95.59.212 www.bing.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\2i5fcpny.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.searchqu.com/406
FF - prefs.js: keyword.URL - hxxp://www.searchqu.com/web?src=ffb&systemid=406&q=
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\smileycentral_1v\bar\1.bin\NP1vStub.dll
.
============= SERVICES / DRIVERS ===============
.
R0 DozeHDD;DozeHDD;c:\windows\system32\drivers\DOZEHDD.SYS [2010-10-18 25968]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2010-6-16 20592]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [2010-10-18 13680]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 DozeSvc;Lenovo Doze Mode Service;c:\program files\thinkpad\utilities\DOZESVC.EXE [2010-10-18 292200]
R2 PwmEWSvc;Cisco EnergyWise Enabler;c:\program files\thinkpad\utilities\PWMEWSVC.exe [2011-6-18 148840]
R2 smihlp2;SMI Helper Driver (smihlp2);c:\program files\thinkvantage fingerprint software\smihlp.sys [2009-3-13 12560]
R2 TPHKLOAD;Lenovo Hotkey Client Loader;c:\program files\lenovo\hotkey\tphkload.exe [2011-6-18 99328]
R2 TPHKSVC;On Screen Display;c:\program files\lenovo\hotkey\TPHKSVC.exe [2010-10-18 64440]
R3 NETwLx32; Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwLx32.sys [2010-12-26 6609920]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-12-26 136176]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\lenovo\hotkey\micmute.exe [2010-10-18 45496]
S2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\thinkpad\utilities\PWMDBSVC.exe [2010-10-18 69632]
S2 SmileyCentral_1vService;SmileyCentral Service;c:\progra~1\smiley~2\bar\1.bin\1vbarsvc.exe [2011-1-13 28766]
S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-2-28 183560]
S3 COH_Mon;COH_Mon;\??\c:\windows\system32\drivers\coh_mon.sys --> c:\windows\system32\drivers\COH_Mon.sys [?]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\eaglexnt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
S3 gkmixern;gkmixern;\??\c:\docume~1\alex\locals~1\temp\gkmixern.sys --> c:\docume~1\alex\locals~1\temp\gkmixern.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-12-26 136176]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [1980-1-1 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== File Associations ===============
.
exefile="c:\documents and settings\networkservice\local settings\application data\rax.exe" -a "%1" %*
.
=============== Created Last 30 ================
.
2011-06-18 18:43:07 -------- d-----w- c:\documents and settings\administrator\application data\PCDr
2011-06-18 18:42:17 120104 ----a-w- c:\windows\system32\SynTPCo9.dll
2011-06-18 18:29:27 -------- d-----w- c:\program files\common files\Lenovo
2011-06-18 15:04:51 54016 ----a-w- c:\windows\system32\drivers\qgfsyq.sys
2011-06-18 13:38:27 -------- d-s---w- C:\ComboFix
2011-06-17 06:29:02 -------- d-----w- c:\program files\AVAST Software
2011-06-17 05:56:34 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-06-17 05:56:34 -------- d-----w- c:\documents and settings\administrator\application data\SUPERAntiSpyware.com
2011-06-17 05:55:50 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-06-16 03:26:13 233472 --sha-r- c:\windows\system32\rwinstau.dll
2011-06-16 03:26:13 233472 --sha-r- c:\windows\system32\dsoundv.dll
2011-06-05 04:49:46 -------- d-----w- c:\documents and settings\all users\application data\Skype Extras
2011-06-05 04:47:09 -------- d-----r- c:\program files\Skype
2011-05-23 14:12:28 -------- d-----w- c:\program files\Pearl Harbor
2011-05-21 04:12:21 -------- d-----w- C:\ini
2011-05-21 04:04:44 -------- d-----w- C:\cfg
2011-05-20 23:25:06 56832 ------w- c:\windows\system32\iyvu9_32.dll
2011-05-20 23:25:05 143872 ------w- c:\windows\system32\iacenc.dll
2011-05-20 23:25:01 1622016 ------w- c:\program files\microsoft games\age of empires\EMPIRES.EXE
2011-05-20 23:25:00 1513984 ------w- c:\program files\microsoft games\age of empires\EMPIRESX.EXE
2011-05-20 23:24:58 319553 ------w- c:\program files\microsoft games\age of empires\Uninstal.Exe
2011-05-20 23:24:57 2744320 ------w- c:\program files\microsoft games\age of empires\SETUPENU.DLL
2011-05-20 23:24:52 174080 ------w- c:\program files\microsoft games\age of empires\language.dll
2011-05-20 23:24:52 160256 ------w- c:\program files\microsoft games\age of empires\languagex.dll
2011-05-20 23:24:38 29184 ------w- c:\program files\microsoft games\age of empires\data2\closedpw.exe
2011-05-20 23:24:16 29184 ------w- c:\program files\microsoft games\age of empires\data\closedpw.exe
2011-05-20 23:23:04 32768 ------w- c:\program files\microsoft games\age of empires\AoEHlp.dll
2011-05-20 23:23:04 32768 ------w- c:\program files\microsoft games\age of empires\aelaunch.dll
2011-05-20 23:22:59 -------- d-----w- c:\program files\Microsoft Games
.
==================== Find3M ====================
.
2011-06-18 03:55:53 118784 ----a-w- c:\windows\DUMPc8fd.tmp
2011-06-17 11:53:36 118784 ----a-w- c:\windows\DUMPbe6e.tmp
2011-06-17 06:40:04 118784 ----a-w- c:\windows\DUMPc330.tmp
2011-06-16 13:04:49 118784 ----a-w- c:\windows\DUMPbc7a.tmp
2011-05-29 14:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 14:11:20 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-10 06:39:00 292200 ------w- c:\windows\system32\PWMCPl.cpl
2011-05-10 06:39:00 25968 ------w- c:\windows\system32\drivers\DOZEHDD.SYS
2011-05-10 06:39:00 12144 ------w- c:\windows\system32\drivers\TPPWRIF.SYS
2011-05-06 01:33:00 1344560 ----a-w- c:\windows\system32\drivers\SynTP.sys
2011-05-06 01:31:56 173352 ----a-w- c:\windows\system32\SynTPAPI.dll
2011-05-06 01:31:52 222504 ----a-w- c:\windows\system32\SynCtrl.dll
2011-05-06 01:31:52 177448 ----a-w- c:\windows\system32\SynCOM.dll
2011-04-12 20:09:49 23 ----a-w- C:\NUKEM2.BAT
2011-04-08 22:27:40 292152 ----a-w- c:\windows\system32\tvt_gina_api.dll
2011-04-08 22:27:32 582968 ----a-w- c:\windows\system32\tvt_gina.dll
2011-04-08 22:24:24 4224 ----a-w- c:\windows\system32\drivers\IBMBLDID.sys
2011-04-08 22:23:02 11520 ----a-w- c:\windows\system32\drivers\ANC.sys
2011-03-23 02:10:24 139080 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2011-03-23 02:10:18 270240 ----a-w- c:\windows\system32\PnkBstrB.xtr
2011-03-23 02:10:18 270240 ----a-w- c:\windows\system32\PnkBstrB.exe
.
============= FINISH: 14:22:30.40 ===============


**************
attach.txt
**************
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-12.02)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 6/11/2010 9:48:18 AM
System Uptime: 6/18/2011 1:48:57 PM (1 hours ago)
.
Motherboard: LENOVO | | 2613EKU
Processor: Genuine Intel(R) CPU T2500 @ 2.00GHz | None | 997/167mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 70 GiB total, 9.669 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
µTorrent
Access Help
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader X (10.0.1)
Adobe Shockwave Player 11.5
Apple Application Support
Apple Software Update
Ask Toolbar
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
ATI HYDRAVISION
Audacity 1.2.6
Battlefield Heroes
Bing Bar
Bonjour
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Localization All
ccc-core-preinstall
ccc-core-static
ccc-utility
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Dutch
CCC Help English
CCC Help French
CCC Help German
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Portuguese
CCC Help Spanish
CCC Help Swedish
CCleaner
Combat Arms
Conduit Engine
Corel Graphics Suite 11
CorelDRAW Graphics Suite 11
Deer Hunter - The 2005 Season
Desktop iPhone
Diskeeper Lite
EA Download Manager
Google Earth
Google Toolbar for Internet Explorer
Google Update Helper
Help Center
Heroes Of Hellas
High Definition Audio Driver Package - KB888111
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB971276-v3)
Hotfix for Windows XP (KB981793)
IBM 32-bit Runtime Environment for Java 2, v1.4.2
IMVU Inc Toolbar
Intel PROSet Wireless
Intel(R) PRO Network Connections Drivers
Intel(R) PROSet/Wireless WiFi Software
InterVideo WinDVD
IrfanView (remove only)
Japanese Language Support
Java Auto Updater
Java(TM) 6 Update 16
Java(TM) 6 Update 22
Java(TM) 6 Update 23
jZip
LAME v3.98.2 for Audacity
Lenovo Auto Scroll Utility
Lenovo System Interface Driver
Lenovo ThinkVantage Toolbox
Magic Encyclopedia. First Story
Maintenance Manager
Malwarebytes' Anti-Malware version 1.51.0.1200
MATonline2.1.6.325
Message Center
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Age of Empires Gold
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Default Manager
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Microsoft National Language Support Downlevel APIs
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable - KB2467175
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
Microsoft WSE 3.0 Runtime
Mozilla Firefox 4.0.1 (x86 en-US)
Mozilla Thunderbird (3.1.7)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MuseScore 0.9.6 MuseScore score typesetter
Mytheon
Natalie Brooks - Secrets of Treasure House
Nexon Game Manager
On Screen Display
OpenOffice.org 3.3
Opera 11.11
Pando Media Booster
Pearl Harbor
PerfectDisk 11 Professional
Picasa 2
Presentation Director
Productivity Center Supplement for ThinkPad
Project Blackout
Project64 1.6
PunkBuster Services
QuickTime
Raptr
RecordNow Audio
RecordNow Copy
RecordNow Data
Remove Multimedia Center
Safari
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB2360131)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360131)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982381)
Security Update for Windows XP (KB982665)
Skins
Skype Toolbars
Skype™ 5.3
SmileyCentral
Software Installer
Sonic DLA
Sonic Express Labeler
Sonic Update Manager
SoundMAX
Spelling Dictionaries Support For Adobe Reader 9
Splinter Cell Pandora Tomorrow
Sprill - The Mystery of The Bermuda Triangle
SUPERAntiSpyware
System Migration Assistant
System Requirements Lab CYRI
System Update
Temple of Elemental Evil
The Lord of the Rings Online™ v03.02.05.8032
ThinkPad Configuration
ThinkPad EasyEject Utility
ThinkPad FullScreen Magnifier
ThinkPad Hotkey Features Integration Setup
ThinkPad Hotkey Features Setup
ThinkPad Keyboard Customizer Utility
ThinkPad Modem
ThinkPad PC Card Power Policy
ThinkPad Power Management Driver
ThinkPad Power Manager
ThinkPad UltraNav Driver
ThinkPad UltraNav Utility
ThinkPad UltraNav Wizard
ThinkVantage Access Connections
ThinkVantage Active Protection System
ThinkVantage Fingerprint Software
ThinkVantage Productivity Center
ThinkVantage Technologies Welcome Message
TPFanControl v0.62
TrackPoint Accessibility Features
Turtix
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Windows (KB971513)
Update for Windows Internet Explorer 8 (KB2362765)
Update for Windows Internet Explorer 8 (KB2447568)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
uTorrentBar Toolbar
Wallpapers
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows ilivid Toolbar
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live ID Sign-in Assistant
Windows Management Framework Core
Windows Media Format 11 runtime
Windows Media Player 11
Windows Search 4.0
Windows XP Service Pack 3
WinZip 12.0
XP Themes
XPS Essentials Pack
XPS Essentials Pack 1.0
.
==== End Of File ===========================
 
Thank you. There are numerous entries that brought malware with them and we will remove them with script after Combofix has been run.
======================================
This program must be removed: (See list below for related entries to remove.)
S2 SmileyCentral_1vService;SmileyCentral Service;c:\progra~1\smiley~2\bar\1.bin\1vbarsvc.exe [2011-1-13 28766]
And the Service Disabled:
Start> Run> type in services.msc> enter> Double click on SmileyCentral_1vService to open> Change Startup Type to Disabled> Stop the Service.

I'm guessing that much of the malware you have seen came from MyWebSearch, Hotbar and a few related processes. This service is described as:
This entry is classified as malware, spyware, adware, or other potentially unwanted software.
Much comes from the Fun Web Products and associated sites: Remove any on the system.
Fun Web Products suite of utilities such as Smiley Central, Cursor Mania, My Mail Stationery, My Mail Signature, PopSwatter, Popular Screensavers, Webfetti, and the My Way website portal.
Those smiling faces, 3D cursors, screensavers, wallpaper, et al. are not free! They come with a price!
=======================================
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESETOnlineScan
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    [o] Click on the download button to download the ESET Smart Installer. Save it to your desktop.
    [o] Double click on the ESET Smart Installer icon on your desktop.
  • Check 'Yes I accept terms of use.'
  • Click Start button
  • Accept any security warnings from your browser.
  • Uncheck 'Remove found threats'
  • Check 'Scan archives'
  • Leave remaining settings as is.
  • Press the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  • When the scan completes, press List of found threats
  • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  • Push the Back button
  • Push Finish

NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
=======================================
Please note: If you have Combofix on the desktop already, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
--------------------------------------
Download Combofix from HERE or HERE (http://www.forospyware.com/sUBs/ComboFix.exe) and save it to the desktop
  • Double click combofix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message asking whether to continue scanning for malware:
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe & follow the prompts to run.
  • When the scan completes, a report will be generated and it will open a text window. Please paste the C:\ComboFix.txt in next reply.
Re-enable your Antivirus software.

Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
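As an added example (not part of this thread, ComboFix or DDS), the checks a reviewer applies to a log like the one requested above can be written down as a small Python script: it scans lines in the formats quoted here and flags an exefile association that is no longer "%1" %* (the cause of a trojan running whenever any program starts), Security Center override flags, a disabled Windows Firewall, and service or autostart entries whose image lives in a per-user Temp folder or belongs to the adware vendors named above. The sample log inside it is constructed from this thread's line formats; upd.exe is a made-up entry, the other file names come from the thread.

```python
"""Rule-based triage over ComboFix/DDS-style log lines.

Added example for this thread, not part of ComboFix, DDS or any tool
named here. SAMPLE_LOG is constructed, modelled on the line formats the
thread's logs use; rax.exe, gkmixern.sys and 1vbarsvc.exe come from the
thread, upd.exe is a constructed entry.
"""
import re

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2011-05-06 2262312]
"Updater"="c:\documents and settings\Alex\Local Settings\Temp\upd.exe" [2011-06-16 233472]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
S2 SmileyCentral_1vService;SmileyCentral Service;c:\progra~1\smiley~2\bar\1.bin\1vbarsvc.exe [2011-1-13 28766]
S3 gkmixern;gkmixern;\??\c:\docume~1\Alex\LOCALS~1\Temp\gkmixern.sys --> c:\docume~1\Alex\LOCALS~1\Temp\gkmixern.sys [?]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
.
------- File Associations -------
.
exefile="c:\documents and settings\NetworkService\Local Settings\Application Data\rax.exe" -a "%1" %*
"""

# Image locations no service, driver or autostart should legitimately use:
# per-user Temp and Local Settings\Application Data (also in 8.3 form).
USER_WRITABLE = re.compile(r"\\temp\\|\\locals~1\\|\\local settings\\application data\\")
# Adware families the helper in this thread names as the source.
KNOWN_PUP = ("smiley", "mywebsearch", "funwebproducts", "hotbar")
# Windows' default exefile open command; anything else is a hijack that
# runs the hijacker every time any .exe is launched.
EXEFILE_DEFAULT = '"%1" %*'

SECTION_RE = re.compile(r"^\[(.+)\]$")
RUN_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"')
SERVICE_RE = re.compile(r"^[RS]\d ([^;]+);[^;]*;(.+)$")
OVERRIDE_RE = re.compile(r'^"(AntiVirusOverride|FirewallOverride)"=dword:0*1$')
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"=\s*0\b')


def _image_path(raw):
    """Normalise the path field of an R*/S* service line."""
    if " --> " in raw:                      # "a --> b [?]": b is the resolved path
        raw = raw.split(" --> ", 1)[1]
    raw = re.sub(r" \[[^\]]*\]$", "", raw)  # drop trailing "[date size]" / "[?]"
    return raw[4:] if raw.startswith("\\??\\") else raw


def triage(log_text):
    """Return (severity, category, detail) tuples, in log order."""
    findings = []
    section = ""
    for line in log_text.splitlines():
        line = line.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        if line.startswith("exefile="):
            value = line[len("exefile="):]
            if value != EXEFILE_DEFAULT:
                findings.append(("high", "exefile-hijack", value))
            continue
        m = SERVICE_RE.match(line)
        if m:
            name, path = m.group(1), _image_path(m.group(2))
            if USER_WRITABLE.search(path.lower()):
                findings.append(("high", "service-in-temp", f"{name}: {path}"))
            elif any(p in path.lower() for p in KNOWN_PUP):
                findings.append(("medium", "pup-service", f"{name}: {path}"))
            continue
        m = OVERRIDE_RE.match(line)
        if m and "security center" in section:
            findings.append(("medium", "security-center-override", m.group(1)))
            continue
        if "firewallpolicy" in section and FIREWALL_OFF_RE.match(line):
            findings.append(("medium", "firewall-disabled", line))
            continue
        m = RUN_VALUE_RE.match(line)
        if m and section.endswith("\\run"):
            name, path = m.groups()
            if USER_WRITABLE.search(path.lower()):
                findings.append(("high", "autostart-in-temp", f"{name}: {path}"))
    return findings


if __name__ == "__main__":
    for severity, category, detail in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {category:25} {detail}")
```

Run it against a real ComboFix.txt by passing the file's contents to triage(); the rules are deliberately narrow, so a clean result means only that none of these specific patterns is present.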
 
Good to know the source. He's been told about downloading/installing random stuff, but you can't tell a teen much. They have to learn the hard way.

And of course "all" his friends are running the same things "without problems"

Guess I have a busy evening.
 
What to tell a teen:

1. If he doesn't practice Safe Surfing, you won't help him clean the system.
2. His friends have malware also- they just haven't found it yet!
3. If the system gets overwhelmed with malware infections- and the FunWeb Products can do it- his system will become unbootable and he won't be able to use it at all.
4. "Guess I have a busy evening." Tell him you love him lots, but have other things to do.

But you're right- you can't tell a teen much- so let him have the experience of learning what to do.:rolleyes:

Will review logs when ready.
 
Interesting. I got home and went to run the scans and noticed no IE.

iexplore.exe is missing from Program Files.

Tried Microsoft update and it loaded IE8, but didn't bring up the MS site.
Tried to log in at TechSpot and the submit button didn't work.
FF is working though. I guess one more item to correct.
 
**********
ESET.txt
***********

C:\Documents and Settings\Alex\Local Settings\Temp\Gvb.exe a variant of Win32/Kryptik.NQS trojan
C:\Documents and Settings\Alex\Local Settings\Temp\Gvc.exe a variant of Win32/Kryptik.NQS trojan
C:\Documents and Settings\Alex\Local Settings\Temp\FacemoodsReinstal\GameBario_fmds4.exe probably a variant of Win32/SweetIM.A application
C:\WINDOWS\Temp\jdpf\setup.exe Win32/Clemag.NAD trojan


****************
ComboFix.txt
****************
ComboFix 11-06-19.0r1 - Administrator 06/20/2011 23:27:03.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1250 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\MalwareStuff\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Application Data\Sun\mnj.dat
c:\documents and settings\Alex\WINDOWS
c:\documents and settings\All Users\Application Data\PCDr\5802\AddOnDownloaded\09ce0ed7-58db-4be9-b311-80b4fd9fd9bc.dll
c:\documents and settings\All Users\Application Data\PCDr\5802\AddOnDownloaded\0bd031fd-3064-40a9-a3a3-7379b9bd4435.dll
c:\documents and settings\All Users\Application Data\PCDr\5802\AddOnDownloaded\0e53a45b-5a41-43e5-96ab-776b00e48a6e.dll
c:\documents and settings\All Users\Application Data\PCDr\5802\AddOnDownloaded\1330efea-5af3-4b2b-984a-ddf5bed068a9.dll
c:\documents and settings\All Users\Application Data\PCDr\5802\AddOnDownloaded\283cdc40-c633-4749-b3ad-8eb5e8b11b5c.dll
c:\documents and settings\All Users\Application Data\PCDr\5802\AddOnDownloaded\434b795d-fe06-4495-801e-fa92d93babbc.dll
c:\documents and settings\All Users\Application Data\PCDr\5802\AddOnDownloaded\4506fabd-988f-4627-a1de-44b2f1093b08.dll
c:\documents and settings\All Users\Application Data\PCDr\5802\AddOnDownloaded\54874b0a-fb04-44ef-ad2b-c957aafea033.dll
c:\documents and settings\All Users\Application Data\PCDr\5802\AddOnDownloaded\562ad818-216b-4d77-8b40-834630104d2c.dll
c:\documents and settings\All Users\Application Data\PCDr\5802\AddOnDownloaded\60e1ddc2-8de1-4bd0-8e65-4c3d56791c8e.dll
c:\documents and settings\All Users\Application Data\PCDr\5802\AddOnDownloaded\6a673ee4-43f7-4820-9e11-38692474f211.dll
c:\documents and settings\All Users\Application Data\PCDr\5802\AddOnDownloaded\746b3523-df66-4ed9-beaa-88464b84933f.dll
c:\documents and settings\All Users\Application Data\PCDr\5802\AddOnDownloaded\83db0f34-4452-4946-92c2-31dcd99767dd.dll
c:\documents and settings\All Users\Application Data\PCDr\5802\AddOnDownloaded\90110d4d-0aa3-42f8-b48a-92aebd9d59f3.dll
c:\documents and settings\All Users\Application Data\PCDr\5802\AddOnDownloaded\9ad80016-92d9-41a4-9436-c44907366397.dll
c:\documents and settings\All Users\Application Data\PCDr\5802\AddOnDownloaded\aaafe845-287d-4966-bd17-65877f9d0d2e.dll
c:\documents and settings\All Users\Application Data\PCDr\5802\AddOnDownloaded\b34a10f6-a592-424f-af97-b051783f9dd2.dll
c:\documents and settings\All Users\Application Data\PCDr\5802\AddOnDownloaded\b52e5bed-821a-41fc-9d4b-24d443ee0ad9.dll
c:\documents and settings\All Users\Application Data\PCDr\5802\AddOnDownloaded\bead45d2-b2dc-44e3-94f8-c7de6979be60.dll
c:\documents and settings\All Users\Application Data\PCDr\5802\AddOnDownloaded\c4f7c843-a9b2-44f7-8e17-7891e2fe36ec.dll
c:\documents and settings\All Users\Application Data\PCDr\5802\AddOnDownloaded\d580236a-e7d8-408d-9250-dfc70ec5d5e3.dll
c:\documents and settings\All Users\Application Data\PCDr\5802\AddOnDownloaded\d754c4cc-ae68-4d17-afb7-55002296e1e2.dll
c:\documents and settings\All Users\Application Data\PCDr\5802\AddOnDownloaded\ec6735a3-9204-4734-bb0f-5859e58b13b2.dll
c:\documents and settings\All Users\Application Data\PCDr\5802\AddOnDownloaded\f1d18230-9731-47f0-b9f4-b537abcbb39c.dll
c:\documents and settings\All Users\Application Data\PCDr\5802\AddOnDownloaded\f45a4f6c-32c1-48c0-9ee9-e840f397e395.dll
c:\documents and settings\All Users\Application Data\PCDr\5802\AddOnDownloaded\f64109b2-74cc-4638-ae17-228b7886774b.dll
c:\documents and settings\All Users\Application Data\PCDr\5802\AddOnDownloaded\fd85aea7-408e-4ff8-bdca-73b1320e8b27.dll
c:\documents and settings\SchoolandCompetition\Application Data\facemoods.com
c:\program files\Internet Explorer\SET459.tmp
c:\program files\Internet Explorer\SET45E.tmp
c:\program files\Mozilla Firefox\searchplugins\SearchquWebSearch.xml
c:\program files\Search Toolbar
c:\program files\Search Toolbar\icon.ico
c:\program files\Search Toolbar\SearchToolbarUninstall.exe
c:\program files\Search Toolbar\SearchToolbarUpdater.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-05-21 to 2011-06-21 )))))))))))))))))))))))))))))))
.
.
2011-06-21 04:34 . 2011-06-21 04:34 9310 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXTBOX.JS
2011-06-21 04:34 . 2011-06-21 04:34 8646 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TILEBOX.JS
2011-06-21 04:34 . 2011-06-21 04:34 8613 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\SAVEDUSER.JS
2011-06-21 04:34 . 2011-06-21 04:34 6429 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UICORE.JS
2011-06-21 04:34 . 2011-06-21 04:34 63115 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\USERTILE.JS
2011-06-21 04:34 . 2011-06-21 04:34 5927 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXT.JS
2011-06-21 04:34 . 2011-06-21 04:34 4599 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UIRESOURCE.JS
2011-06-21 04:34 . 2011-06-21 04:34 1651 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\QUERYSTRING.JS
2011-06-21 04:34 . 2011-06-21 04:34 8288 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\IMAGE.JS
2011-06-21 04:34 . 2011-06-21 04:34 6910 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\NEWUSERCOMM.JS
2011-06-21 04:34 . 2011-06-21 04:34 6208 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LINK.JS
2011-06-21 04:34 . 2011-06-21 04:34 18541 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LOCALIZATION.JS
2011-06-21 04:33 . 2011-06-21 04:33 8782 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\BUTTON.JS
2011-06-21 04:33 . 2011-06-21 04:33 7271 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\CHECKBOX.JS
2011-06-21 04:33 . 2011-06-21 04:33 51852 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\EXTERNALWRAPPER.JS
2011-06-21 04:33 . 2011-06-21 04:33 23327 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\COMBOBOX.JS
2011-06-21 04:33 . 2011-06-21 04:33 20719 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\DIVWRAPPER.JS
2011-06-21 01:34 . 2011-06-21 01:34 -------- d-----w- c:\program files\ESET
2011-06-18 20:15 . 2011-06-18 20:15 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-18 20:09 . 2011-06-18 20:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\PwrMgr
2011-06-18 20:01 . 2011-06-18 20:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\WinBatch
2011-06-18 19:37 . 2011-06-18 19:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\DeviceDoctorSoftware
2011-06-18 19:29 . 2011-06-18 19:29 -------- d-----w- c:\program files\Common Files\Adobe
2011-06-18 18:43 . 2011-06-19 19:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\PCDr
2011-06-18 18:42 . 2011-05-06 01:31 120104 ----a-w- c:\windows\system32\SynTPCo9.dll
2011-06-18 18:29 . 2011-06-18 18:29 -------- d-----w- c:\program files\Common Files\Lenovo
2011-06-18 15:04 . 2011-06-18 15:04 54016 ----a-w- c:\windows\system32\drivers\qgfsyq.sys
2011-06-17 06:29 . 2011-06-17 06:29 -------- d-----w- c:\program files\AVAST Software
2011-06-17 05:56 . 2011-06-17 05:56 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-06-17 05:56 . 2011-06-17 05:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2011-06-17 05:55 . 2011-06-18 20:18 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-06-16 08:33 . 2011-06-16 08:33 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-06-16 07:50 . 2011-06-16 07:50 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities
2011-06-16 03:26 . 2011-06-16 03:26 233472 --sha-r- c:\windows\system32\rwinstau.dll
2011-06-16 03:26 . 2011-06-16 03:26 233472 --sha-r- c:\windows\system32\dsoundv.dll
2011-06-06 17:55 . 2011-06-06 17:55 183696 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2011-06-06 17:55 . 2011-06-06 17:55 183696 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2011-06-05 04:49 . 2011-06-05 04:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype Extras
2011-06-05 04:47 . 2011-06-05 04:47 -------- d-----w- c:\program files\Common Files\Skype
2011-06-05 04:47 . 2011-06-05 04:48 -------- d-----r- c:\program files\Skype
2011-06-05 04:46 . 2011-06-05 04:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2011-05-27 03:33 . 2011-05-27 03:33 -------- d-----w- c:\program files\Opera
2011-05-23 14:12 . 2011-05-23 14:12 -------- d-----w- c:\program files\Pearl Harbor
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-18 03:55 . 2010-06-11 13:31 118784 ----a-w- c:\windows\DUMPc8fd.tmp
2011-06-17 11:53 . 2010-06-11 13:31 118784 ----a-w- c:\windows\DUMPbe6e.tmp
2011-06-17 06:40 . 2010-06-11 13:31 118784 ----a-w- c:\windows\DUMPc330.tmp
2011-06-16 13:04 . 2010-06-11 13:31 118784 ----a-w- c:\windows\DUMPbc7a.tmp
2011-05-29 14:11 . 2010-06-11 18:19 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 14:11 . 2010-06-11 18:19 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-10 06:39 . 2010-10-18 15:40 292200 ------w- c:\windows\system32\PWMCPl.cpl
2011-05-10 06:39 . 2010-10-18 15:40 25968 ------w- c:\windows\system32\drivers\DOZEHDD.SYS
2011-05-10 06:39 . 2010-06-11 14:14 12144 ------w- c:\windows\system32\drivers\TPPWRIF.SYS
2011-05-06 01:33 . 1980-01-01 07:00 1344560 ----a-w- c:\windows\system32\drivers\SynTP.sys
2011-05-06 01:31 . 1980-01-01 07:00 173352 ----a-w- c:\windows\system32\SynTPAPI.dll
2011-05-06 01:31 . 1980-01-01 07:00 222504 ----a-w- c:\windows\system32\SynCtrl.dll
2011-05-06 01:31 . 1980-01-01 07:00 177448 ----a-w- c:\windows\system32\SynCOM.dll
2011-04-12 20:09 . 2011-04-12 20:09 23 ----a-w- C:\NUKEM2.BAT
2011-04-08 22:27 . 2005-12-22 00:19 292152 ----a-w- c:\windows\system32\tvt_gina_api.dll
2011-04-08 22:27 . 2005-12-22 00:19 582968 ----a-w- c:\windows\system32\tvt_gina.dll
2011-04-08 22:24 . 2010-06-11 14:14 4224 ----a-w- c:\windows\system32\drivers\IBMBLDID.sys
2011-04-08 22:23 . 2010-06-11 14:14 11520 ----a-w- c:\windows\system32\drivers\ANC.sys
2011-04-30 04:15 . 2011-04-22 01:18 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngine.dll" [2010-12-09 3911776]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-05-17 1490312]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files\uTorrentBar\tbuTor.dll" [2010-12-09 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2011-05-06 132392]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2011-05-06 2262312]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2007-01-09 868352]
"TpShocks"="TpShocks.exe" [2010-07-02 337256]
"TP4EX"="tp4ex.exe" [2005-10-17 65536]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2009-12-01 256576]
"LPManager"="c:\progra~1\THINKV~2\PrdCtr\LPMGR.exe" [2009-07-23 185688]
"AMSG"="c:\progra~1\THINKV~2\AMSG\Amsg.exe" [2009-09-03 436800]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-08-01 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2005-10-28 335872]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2011-04-14 431464]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2011-05-10 759144]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2011-05-10 208896]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"LenovoAutoScrollUtility"="c:\program files\Lenovo\VIRTSCRL\virtscrl.exe" [2010-04-01 43960]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2010-03-26 62312]
"LPMailChecker"="c:\progra~1\THINKV~2\PrdCtr\LPMLCHK.exe" [2009-07-23 124248]
"AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-11-08 91688]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-09-29 61440]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2010-10-19 1400832]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2010-10-19 1206544]
"TPFanControl"="c:\program files\TPFanControl\TPFanControl.exe" [2010-04-23 154112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-07-17 288080]
"CorelDRAW Graphics Suite 11b"="c:\program files\Corel\Corel Graphics 11\Register\registration.exe" [2005-02-17 315392]
"ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2011-05-17 395144]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-05-29 1047656]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2010-10-18 50688]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Taskman"=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2009-12-01 18:41 100104 ----a-w- c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\SG Interactive\\Project Blackout\\PBlackout.exe"=
"c:\\Program Files\\TrueGames\\Mytheon\\launcher.ui.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Windows ilivid Toolbar\\ToolBar\\dtUser.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Raptr\\raptr.exe"=
"c:\\Program Files\\Raptr\\raptr_im.exe"=
"c:\\Nexon\\Combat Arms\\Engine.exe"=
"c:\\Nexon\\Combat Arms\\CombatArms.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
"56693:TCP"= 56693:TCP:pando Media Booster
"56693:UDP"= 56693:UDP:pando Media Booster
.
R0 DozeHDD;DozeHDD;c:\windows\system32\drivers\DOZEHDD.SYS [10/18/2010 10:40 AM 25968]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [6/16/2010 1:44 PM 20592]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [10/18/2010 10:38 AM 13680]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
R2 DozeSvc;Lenovo Doze Mode Service;c:\program files\ThinkPad\Utilities\DOZESVC.EXE [10/18/2010 10:40 AM 292200]
R2 PwmEWSvc;Cisco EnergyWise Enabler;c:\program files\ThinkPad\Utilities\PWMEWSVC.exe [6/18/2011 1:40 PM 148840]
R2 smihlp2;SMI Helper Driver (smihlp2);c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [3/13/2009 1:47 PM 12560]
R2 TPHKLOAD;Lenovo Hotkey Client Loader;c:\program files\Lenovo\HOTKEY\tphkload.exe [6/18/2011 1:39 PM 99328]
R2 TPHKSVC;On Screen Display;c:\program files\Lenovo\HOTKEY\TPHKSVC.exe [10/18/2010 10:38 AM 64440]
R3 NETwLx32; Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwLx32.sys [12/26/2010 10:59 AM 6609920]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/26/2010 2:08 PM 136176]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\Lenovo\HOTKEY\micmute.exe [10/18/2010 10:38 AM 45496]
S2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.exe [10/18/2010 10:40 AM 69632]
S3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2/28/2011 6:44 PM 183560]
S3 COH_Mon;COH_Mon;\??\c:\windows\system32\Drivers\COH_Mon.sys --> c:\windows\system32\Drivers\COH_Mon.sys [?]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\EagleXNt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
S3 gkmixern;gkmixern;\??\c:\docume~1\Alex\LOCALS~1\Temp\gkmixern.sys --> c:\docume~1\Alex\LOCALS~1\Temp\gkmixern.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [12/26/2010 2:08 PM 136176]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [1/1/1980 2:00 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WUAUSERV
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
.
2011-06-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-26 19:08]
.
2011-06-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-26 19:08]
.
2011-06-18 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\PC-Doctor\uaclauncher.exe [2011-03-31 22:04]
.
2011-06-21 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2010-06-11 06:39]
.
2011-06-21 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2011-05-17 18:29]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Alex\Start Menu\Programs\IMVU\Run IMVU.lnk
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2i5fcpny.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.searchqu.com/406
FF - prefs.js: keyword.URL - hxxp://www.searchqu.com/web?src=ffb&systemid=406&q=
.
.
------- File Associations -------
.
exefile="c:\documents and settings\NetworkService\Local Settings\Application Data\rax.exe" -a "%1" %*
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{90b49673-5506-483e-b92b-ca0265bd9ca8} - c:\program files\IMVU_Inc\tbIMVU.dll
Toolbar-10 - (no file)
ShellIconOverlayIdentifiers-{472083B0-C522-11CF-8763-00608CC02F24} - (no file)
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
Notify-ACNotify - ACNotify.dll
Notify-NavLogon - (no file)
AddRemove-IMVU_Inc Toolbar - c:\progra~1\IMVU_Inc\UNWISE.EXE
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-20 23:35
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1011569218-1715225952-1085146821-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,37,a7,b3,e4,7d,08,cf,42,95,2f,89,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,37,a7,b3,e4,7d,08,cf,42,95,2f,89,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(960)
c:\windows\system32\vrlogon.dll
c:\windows\system32\iwpdgina.dll
c:\program files\Intel\WiFi\bin\LangResources\ENU\SsoGnENU.dll
c:\windows\system32\tvt_gina.dll
c:\program files\ThinkPad\ConnectUtilities\ACGina.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\AcCryptHlpr.dll
c:\program files\ThinkPad\ConnectUtilities\ACON.dll
c:\windows\system32\WININET.dll
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgr.dll
c:\program files\ThinkPad\ConnectUtilities\ACTurinSupport.dll
c:\program files\ThinkPad\ConnectUtilities\AcSmBiosHelper.dll
c:\program files\ThinkPad\ConnectUtilities\ACNewBiosHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcAdaptersInfo.dll
c:\program files\ThinkPad\ConnectUtilities\AcWrpc.dll
c:\program files\ThinkPad\ConnectUtilities\Res\US\ACGinaRes.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infql2.dll
c:\program files\ThinkVantage Fingerprint Software\homepass.dll
c:\program files\ThinkVantage Fingerprint Software\bio.dll
c:\program files\ThinkVantage Fingerprint Software\qlbase.dll
c:\program files\ThinkVantage Fingerprint Software\ps2css.dll
.
- - - - - - - > 'lsass.exe'(1016)
c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infql2.dll
.
- - - - - - - > 'explorer.exe'(3332)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\program files\PC-Doctor\ATLPcdToolbar580224.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\Intel\WiFi\bin\S24EvMon.exe
c:\program files\Intel\WiFi\bin\WLKeeper.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\IPSSVC.EXE
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Raxco\PerfectDisk\PDAgent.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Microsoft\BingBar\SeaPort.EXE
c:\program files\lenovo\system update\suservice.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\system32\TpKmpSVC.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\windows\system32\SearchProtocolHost.exe
c:\program files\LENOVO\HOTKEY\tposdsvc.exe
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\Zoom\TpScrex.exe
c:\windows\system32\TpShocks.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\progra~1\ThinkPad\UTILIT~1\SCHTASK.exe
c:\progra~1\WI3712~1\Datamngr\DATAMN~1.EXE
c:\windows\system32\wbem\unsecapp.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2011-06-20 23:42:35 - machine was rebooted
ComboFix-quarantined-files.txt 2011-06-21 04:42
.
Pre-Run: 14,599,626,752 bytes free
Post-Run: 14,626,267,136 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
.
- - End Of File - - FFE2DF1A67A09EC44D1BDC2AD7FC43C9
 
Still no IE icon, but update loaded.

When ComboFix finished, the update notifier said updates were ready.
I checked and it shows 15 high priority updates. Should I install them now, or wait?

Also, the middle button is bringing up a magnifier, and it's annoying as hell as I use the middle button for scrolling.

Edit, fixed the magnifier. Some setting got reset to a default value.
 
Sorry for delay. I updated Firefox and it trashed my computer. First time that's happened. Worked last night and 3 hours this AM- Still haven't gotten screens right.

For the mouse problem: Check first in the Control Panel> Mouse> Buttons> Make sure middle button is set for scrolling.

Go ahead with the updates.
As for the settings, it is not unusual for malware to mess with settings. There is also the possibility that some were changed by Combofix. (There's a note stating this)

I'm going to check the Combofix log now- bear with me as I have a 'mini' display to read from!
 
For Eset entries:

Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :Files 
    C:\Documents and Settings\Alex\Local Settings\Temp\Gvb.exe 
    C:\Documents and Settings\Alex\Local Settings\Temp\Gvc.exe 
    C:\Documents and Settings\Alex\Local Settings\Temp\FacemoodsReinstal\GameBario_fmds4.exe 
    C:\WINDOWS\Temp\jdpf\setup.exe 
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
================================
Please run this Security Check

Download Security Check by screen317 from HERE or HERE .
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
 
Sorry for delay. I updated Firefox and it trashed my computer. First time that's happened. Worked last night and 3 hours this AM- Still haven't gotten screens right.

No problem. I know the feeling all too well.
That was me the other day when the boy first brought me this machine.
I was just about to use a rescue CD just to boot the thing when I finally got into safe mode to start cleaning it up.

Any idea how to get IE repaired?
No desktop icon, no start menu entry, no exe in Program Files
 
Try running this:
Download Unhide.exe and save to the desktop.
  • Double-click on Unhide.exe icon to run the program.
  • This program will remove the +H, or hidden, attribute from all the files on your hard drives.
============================================
If this does not restore the IE entries, you are going to need to reinstall it. You can try going to Add/Remove Programs> Windows Components> Find Internet Explorer and check-or uncheck it> the opposite of how you find it. See if this will restore IE6. You can update from that. Since there is no executable for it, you can't even create a new shortcut.
===================================================
 
Didn't need unhide. That got me thinking and I remembered that the default folder options were on earlier (like hide known extensions and don't show hidden files). I had reset them to show stuff (long time Unix user and I like to see the details) so I went back and saw the executable.

It wasn't set as hidden or system, so I don't know what brought it back.


Logs follow.

*********
OTM log
*********
All processes killed
========== FILES ==========
C:\Documents and Settings\Alex\Local Settings\Temp\Gvb.exe moved successfully.
C:\Documents and Settings\Alex\Local Settings\Temp\Gvc.exe moved successfully.
C:\Documents and Settings\Alex\Local Settings\Temp\FacemoodsReinstal\GameBario_fmds4.exe moved successfully.
File/Folder C:\WINDOWS\Temp\jdpf\setup.exe not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 1860516 bytes
->FireFox cache emptied: 70788779 bytes
->Flash cache emptied: 470 bytes

User: Alex
->Temp folder emptied: 1310774029 bytes
->Temporary Internet Files folder emptied: 1240440899 bytes
->Java cache emptied: 25955601 bytes
->FireFox cache emptied: 119177453 bytes
->Apple Safari cache emptied: 91489280 bytes
->Opera cache emptied: 16029871 bytes
->Flash cache emptied: 1808306 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32969 bytes
->Flash cache emptied: 56466 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32835 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 12650 bytes

User: SchoolandCompetition
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->FireFox cache emptied: 34882738 bytes
->Flash cache emptied: 657 bytes

User: User-1
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 494705 bytes
%systemroot%\System32 .tmp files removed: 29335892 bytes
%systemroot%\System32\dllcache .tmp files removed: 66560 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 645624 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 2,808.00 mb


OTM by OldTimer - Version 3.1.18.0 log created on 06232011_181603

Files moved on Reboot...
C:\WINDOWS\temp\Perflib_Perfdata_c74.dat moved successfully.

Registry entries deleted on Reboot...


********
checkup.txt
********
Results of screen317's Security Check version 0.99.7
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
ESET Online Scanner v3
MuseScore 0.9.6 MuseScore score typesetter
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
CCleaner
IBM 32-bit Runtime Environment for Java 2, v1.4.2
Java(TM) 6 Update 16
Java(TM) 6 Update 22
Java(TM) 6 Update 23
IBM 32-bit Runtime Environment for Java 2, v1.4.2
Out of date Java installed!
Adobe Flash Player 10.3.181.26
Adobe Reader X (10.1.0)
Mozilla Firefox (x86 en-US..) Firefox Out of Date!
Mozilla Thunderbird (3.1.7)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Administrator Desktop MalwareStuff SecurityCheck.exe
``````````End of Log````````````

**************
Firefox is not out of date, as it just updated to 5.0 a day or two back.

I'm going to remove/install Java and the Microsoft updates.
 
Firefox v5 is not an update. It is an upgrade. There is a big difference. Considering it was only set for release on June 21st, 2011, I strongly recommend that you take it off of automatic updating and wait for new upgrade problems to be resolved.

FYI: I did a FF upgrade and it totaled my system! Removed all of my display settings, trashed my network. I finally ended up uninstalling it and going back to the previous earlier version. Keep in mind: New does not always mean better!
========================================
Regarding this:
I remembered that the default folder options were on earlier (like hide known extensions and don't show hidden files). I had reset them to show stuff (long time Unix user and I like to see the details) so I went back and saw the executable. It wasn't set as hidden or system, so I don't know what brought it back

I wish it was that easy to restore the files and programs that these malware programs hide! It isn't- the malware puts the attribute in for 'hide' and changing the View in Folder Options doesn't help. And as word> the files and folders are not hidden so you don't see them. It's not a conspiracy by MS! They are hidden to keep you from accidentally deleting processes that are needed.
======================================
The outdated Java programs are vulnerabilities to your system as long as they are on it. Suggest you run the following to remove all old Java entries then install the current version: You have multiple old versions of Java and do not have the current version. The best way to handle that is to run the following: Note: I do not want this log!

Please download JavaRa and unzip it to your desktop.

Important!***Please close any instances of Internet Explorer before continuing!***
  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that
    a logfile has been produced. Click OK. I do not need or want this log!
  • A logfile will pop up. Please save it to a convenient location. Note: Do not leave this log.
Download and install the most current version and update of Java Runtime Environment (JRE) HERE.
===========================================
 
Firefox v5 is not an update. It is an upgrade. There is a big difference. Considering it was only set for release on June 21st, 2011, I strongly recommend that you take it off of automatic updating and wait for new upgrade problems to be resolved.

FYI: I did a FF upgrade and it totaled my system! Removed all of my display settings, trashed my network. I finally ended up uninstalling it and going back to the previous earlier version. Keep in mind: New does not always mean better!

Interesting. I had no issues with the upgrade on the 3 systems I installed it on (the two Thinkpads and a desktop)

I've never had problems with any FF (or Mozilla) updates/upgrades going all the way back to the pre-1.0 days on Windows (and the earlier milestone releases in Unix)

I wish it was that easy to restore the files and programs that these malware programs hide! It isn't- the malware puts the attribute in for 'hide' and changing the View in Folder Options doesn't help. And as word> the files and folders are not hidden so you don't see them. It's not a conspiracy by MS! They are hidden to keep you from accidentally deleting processes that are needed.

Like I said I don't know what brought iexplore.exe back. It wasn't set to system or hidden. My point was I remembered I had changed that setting, and decided to look.

Agree it's not a conspiracy, it's just Microsoft doing their "we know better than you" routine. It's fine to mark things read only to prevent accidental deletion, but hiding them? And how about that nice warning when you go to \Windows or \Program Files.

And why hide part of the file name? Think of the attacks that lets in, too.
Of course relying on a 3 letter extension to identify file type was pretty dumb anyway. Far better to use the data headers in the file to identify it.

Please download JavaRa and unzip it to your desktop.

I uninstalled everything in the "Add/Remove Programs" list.
Is it likely that some installations might be missed that way?
Would the above tool remove more?
 
Of course, you are free to configure your computer however you want.

As for the FF update/upgrade. I also have used FF since Day 1- without problems. But I've had to stay with the 3.5 or earlier updates for v3.6 because one of my add-ons will not work with the later versions. And I have FF on 3 computers. The update was v3.6.18 or 19. I've been updating regularly since it was released. My system is clean and well maintained- I don't have a clue what went wrong.

Is it likely that some installations might be missed that way? Yes
Would the above tool remove more? Yes

Perhaps you can observe this first hand by looking at the Java Ra log. Please keep in mind that I do not want this log.

Add/Remove Programs does not always remove all of the associated files. If it did I would have just had you uninstall in Add/Remove Programs.

Again, I mention the OTM results: Total Files Cleaned = 2,808.00 mb
Suggest you set a schedule for doing the maintenance and clean up on the system.
=======================================
I'd like for you to submit this for identification as follows:

Please go to VirSCAN.org FREE on-line scan service:

  • [1]. Copy and paste the following file path into the Suspicious files to scan box on the top of the page.
    Code:
    c:\windows\system32\drivers\qgfsyq.sys
  • [2]. At the upload site, click once inside the window next to Browse.
  • [3]. Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
  • [4]. Click on the Upload button.
    This will perform a scan across multiple different virus scanning engines.
    Your file will possibly be entered into a queue which normally takes less than a minute to clear.
    Important: Wait for all of the scanning engines to complete.
  • [5]. Once the Scan is completed scroll down and click on the Copy to Clipboard button. This will copy the link of the report into the Clipboard.
  • [6]. Paste the contents of the Clipboard in your next reply.

Are there any problems remaining from the malware?
 
Is it likely that some installations might be missed that way? Yes
Would the above tool remove more? Yes

Perhaps you can observe this first hand by looking at the Java Ra log. Please keep in mind that I do not want this log.

Add/Remove Programs does not always remove all of the associated files. If it did I would have just had you uninstall in Add/Remove Programs.

OK. I asked because that is what you said to do in my other thread.
https://www.techspot.com/vb/topic166708.html#post1054730

Again, I mention the OTM results: Total Files Cleaned = 2,808.00 mb
Suggest you set a schedule for doing the maintenance and clean up on the system.
That certainly got my attention. What would be the maintenance/clean up steps you suggest? I've got other systems that likely need similar clean up.
Using OTM? Some portion of the script above?


I'd like for you to submit this for identification as follows:

After work today.

Are there any problems remaining from the malware?

After fixing the exe registry keys for the other user (I've been using the Admin account as it's "cleaner") it seems OK so far. Really haven't tested it much yet though.

Wanted to get it clean first, then get AV tools re-installed before he did anything with it. Mainly he uses it for games, email, and facebook, with occasional school work.
 
If you look at the OTM log, you will see the command to [EMPTYTEMP] and it does this for each system account.

"User Alex" has the most files. There are 7 other 'users' with varying numbers of temporary internet files and flash cache.

Maintenance for the Computer System

1. Error Checking (CHKDSK): This checks your hard drive for errors. With Windows XP, you will need to restart your computer after selecting this task for it to run.

2. Disk defrag: This takes all of the bits of data on your hard drive and puts them in order. If you use your computer a lot, you can have data scattered all over your hard drive. It makes your computer run slower when it is looking for this information.

3. Deleting temporary internet files: Each time you go to a site, a temporary file is placed on your computer's hard drive. These can add up to a lot of space if not deleted regularly.

4. Deleting cookies: These are small files web sites put on your hard drive to identify you and track your surfing habits. If you have a password saved for a certain web site, deleting your cookies will delete that as well. Over the years there have been some lively debates about how often to do this. I don't very often, others do it daily. It is really up to each person.

5. Delete History: This is similar to temporary internet files. But when you delete History, it deletes the URLs in the Address box drop-down menu.

6. Checking for security and critical updates: This requires you to go to Microsoft.com and do a Windows update scan. Often there are security problems or hackers have found a vulnerable spot in Windows that needs to be fixed. I do this once a week. The updates are not that frequent but, while online, I'll just check and see if there are any.

And of course, regular scans with the security programs.
 
[5]. Once the Scan is completed scroll down and click on the Copy to Clipboard button. This will copy the link of the report into the Clipboard.
[6]. Paste the contents of the Clipboard in your next reply.

Are there any problems remaining from the malware?

I'll let the boy back on the machine tonight and let you know how it does.

Report below.


VirSCAN.org Scanned Report :
Scanned time : 2011/06/25 07:47:41 (CST)
Scanner results: 3% Scanner(s) (1/37) found malware!
File Name : qgfsyq.sys
File Size : 54016 byte
File Type : PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5 : e6d35f3aa51a65eb35c1f2340154a25e
SHA1 : aabbd57e20d2e7041f9e7abce6cfd8a53c366537
Online report : http://file.virscan.org/report/91c19be6e4c02b2c706ec6ffd43df138.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.1.0.2 20110624151216 2011-06-24 5.54 -
AhnLab V3 2011.06.24.01 2011.06.24 2011-06-24 1.65 -
AntiVir 8.2.5.24 7.11.10.104 2011-06-24 0.27 -
Antiy 2.0.18 20110205.7694535 2011-02-05 0.02 -
Arcavir 2011 201105080215 2011-05-08 0.03 -
Authentium 5.1.1 201106241321 2011-06-24 2.00 -
AVAST! 4.7.4 110624-1 2011-06-24 0.01 -
AVG 8.5.850 271.1.1/3724 2011-06-25 0.25 -
BitDefender 7.90123.7406640 7.37559 2011-05-24 0.00 -
ClamAV 0.96.5 13236 2011-06-24 0.02 BC.Heuristics.Rootkit.B-11.MV
Comodo 4.0 9180 2011-06-24 1.80 -
CP Secure 1.3.0.5 2011.06.24 2011-06-24 0.05 -
Dr.Web 5.0.2.3300 2011.06.25 2011-06-25 13.19 -
F-Prot 4.4.4.56 20110624 2011-06-24 1.97 -
F-Secure 7.02.73807 2011.06.24.03 2011-06-24 0.18 -
Fortinet 4.2.257 13.359 2011-06-24 0.23 -
GData 22.709/22.183 20110624 2011-06-24 9.11 -
ViRobot 20110624 2011.06.24 2011-06-24 0.36 -
Ikarus T3.1.32.20.0 2011.06.24.78674 2011-06-24 4.70 -
JiangMin 13.0.900 2011.06.24 2011-06-24 1.57 -
Kaspersky 5.5.10 2011.06.24 2011-06-24 0.10 -
KingSoft 2009.2.5.15 2011.6.24.18 2011-06-24 0.85 -
McAfee 5400.1158 6387 2011-06-24 11.39 -
Microsoft 1.7000 2011.06.24 2011-06-24 3.43 -
NOD32 3.0.21 6228 2011-06-22 0.02 -
Norman 6.07.10 6.07.00 2011-06-24 14.02 -
Panda 9.05.01 2011.06.24 2011-06-24 2.06 -
Trend Micro 9.200-1012 8.246.17 2011-06-24 0.03 -
Quick Heal 11.00 2011.06.23 2011-06-23 1.18 -
Rising 20.0 23.63.04.01 2011-06-24 2.19 -
Sophos 3.20.2 4.66 2011-06-25 3.74 -
Sunbelt 3.9.2496.2 9682 2011-06-24 0.75 -
Symantec 1.3.0.24 20110624.002 2011-06-24 0.19 -
nProtect 20110601.01 3460661 2011-06-01 6.36 -
The Hacker 6.7.0.1 v00176 2011-04-18 0.60 -
VBA32 3.12.16.3 20110624.1226 2011-06-24 4.29 -
VirusBuster 5.3.0.4 14.0.94.0/5468796 2011-06-24 0.00 -
 
Well, I thought it was clean.
I installed avast and ran a full scan before giving it back.

Two detections:
C:\WINDOWS\system32\dsoundv.dll
C:\WINDOWS\system32\rwinstau.dll

Both flagged as Win32:Trojan-gen
avast cannot fix or move them.
Tried to run them both through VirSCAN, but they wouldn't upload.

Both are in the earlier logs:
2011-06-16 03:26 . 2011-06-16 03:26 233472 --sha-r- c:\windows\system32\rwinstau.dll
2011-06-16 03:26 . 2011-06-16 03:26 233472 --sha-r- c:\windows\system32\dsoundv.dll


I tried to reset the permissions and windows won't/can't.

Neither are present on the T61. I'm going to try a boot scan and see if it can get them.
May need OTM to get them.
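The two DLLs avast flagged and the rewritten exefile handler in the ComboFix log share a shape that can be checked mechanically. Below is an added example, not code from the thread's participants or from ComboFix: it parses ComboFix-style "Files Created" and "File Associations" lines and flags system32 files carrying both the hidden and system attributes, and executable-class handlers that differ from the stock XP value. The attribute letters (d, s, h) and the stock handler strings are my assumptions about XP defaults; the sample log is constructed from the lines quoted above plus one benign dummy entry.

```python
import re
from dataclasses import dataclass
from typing import List

# One "Files Created/Modified" line: two timestamps, a size (or eight dashes
# for a directory), an 8-character attribute string, then the path.
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+\.\s+"
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>\d+|-{8})\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+?)\s*$"
)

# One "File Associations" line, e.g.  exefile="%1" %*
ASSOC_LINE = re.compile(r'^(?P<key>[a-z]+file)=(?P<cmd>.+?)\s*$')

# Stock Windows XP open-command values for the executable file classes
# (assumed defaults). A hijacker wraps these so its own binary runs first;
# the thread's log showed exefile pointing at rax.exe in a service profile.
STOCK_HANDLERS = {
    "exefile": '"%1" %*',
    "comfile": '"%1" %*',
    "batfile": '"%1" %*',
}

SYSTEM32 = "\\windows\\system32\\"


@dataclass(frozen=True)
class Finding:
    kind: str      # "hidden-system-file" or "hijacked-association"
    detail: str    # offending path, or key=handler


def parse_log(text: str) -> List[Finding]:
    """Return findings for every suspicious line in a ComboFix-style log."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = FILE_LINE.match(line)
        if m:
            attrs, path = m.group("attrs"), m.group("path")
            # 'd' marks a directory; 's' and 'h' are the system and hidden
            # attributes. Both set on a file under system32 is the pattern
            # the two avast detections in the thread shared.
            if ("d" not in attrs and "s" in attrs and "h" in attrs
                    and SYSTEM32 in path.lower()):
                findings.append(Finding("hidden-system-file", path))
            continue
        m = ASSOC_LINE.match(line)
        if m:
            key, cmd = m.group("key"), m.group("cmd")
            expected = STOCK_HANDLERS.get(key)
            if expected is not None and cmd != expected:
                findings.append(Finding("hijacked-association", f"{key}={cmd}"))
    return findings


# Constructed sample: the two DLL lines and the exefile line quoted from the
# thread's logs, plus one benign DLL (archive attribute only) and a directory.
SAMPLE_LOG = r"""
2011-06-16 03:26 . 2011-06-16 03:26 233472 --sha-r- c:\windows\system32\rwinstau.dll
2011-06-16 03:26 . 2011-06-16 03:26 233472 --sha-r- c:\windows\system32\dsoundv.dll
2011-06-14 10:00 . 2011-06-14 10:00 753504 ----a-w- c:\windows\system32\example_ok.dll
2011-06-18 19:12 . 2011-06-18 19:12 -------- d-----w- c:\program files\Example Dir
.
------- File Associations -------
.
exefile="c:\documents and settings\NetworkService\Local Settings\Application Data\rax.exe" -a "%1" %*
"""

if __name__ == "__main__":
    for f in parse_log(SAMPLE_LOG):
        print(f"{f.kind}: {f.detail}")
```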
 
Boot time scan moved them to quarantine.
Also found a few files in a restore point that it moved.

So, I don't know if I can call it clean yet or not.

"User Alex" has the most files. There are 7 other 'users' with varying numbers of temporary internet files and flash cache.

On the subject of users, how do I delete unneeded user accounts?

Alex and Admin are needed. At least one isn't needed now, maybe two (I'll have to ask him about it).

The other 3 were set by windows (Guest, LocalService, and NetworkService) and I think are needed for some things to work (like the home network)
 
Run this again- observe that I do not want you to check for removal:

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESETOnlineScan
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    [o] Click on the image link to download the ESET Smart Installer. Save it to your desktop.
    [o] Double click on the ESET Smart Installer icon on your desktop.
  • Check 'Yes I accept terms of use.'
  • Click Start button
  • Accept any security warnings from your browser.
  • Uncheck 'Remove found threats'
  • Check 'Scan archives'
  • Leave remaining settings as is.
  • Press the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  • When the scan completes, press List of found threats
  • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  • Push the Back button
  • Push Finish

NOTE: If no malware is found then no log will be produced. Let me know if this is the case.

Keep in mind that even if malware is in a restore point or the Qoobox from Combofix, Avast may still show it. But it is not active in the system and should be removed at the end of cleaning.
 
"User Alex" has the most files. There are 7 other 'users' with varying numbers of temporary internet files and flash cache.

On the subject of users, how do I delete unneeded user accounts?

Alex and Admin are needed. At least one isn't needed now, maybe two (I'll have to ask him about it).

The other 3 were set by windows (Guest, LocalService, and NetworkService) and I think are needed for some things to work (like the home network)

You may have missed this edit above.

ESET took about 2 hours last time. I'll be back.
 